VLAN setup has broken my log server connection
I recently changed my flat network on interface1 (trusted) to a VLAN setup. Most everything seems to be working well except this firebox can't connect to the log server since I made the configuration change. The log server lives at another site which is connected via BOVPN.
I changed interface1 from type "Trusted" with one subnet to type "VLAN" with the following vlan setup.
Untagged - VLAN 2 - Management (Trusted)
Tagged - VLAN 20 - Workstations (Trusted)
Tagged - VLAN 10 - Phones (Custom)
Tagged - VLAN 60 - IP Cameras (Custom)
Tagged - VLAN 70 - IoT (Custom)
The firebox is trying to connect to the remote log server using the gateway IP setup on the IP Cameras VLAN. The traffic is hitting the remote firebox and being dropped because the remote firebox is not configured to accept traffic from this subnet, nor do I want it to. How does the firebox decide which interface to use for outbound traffic? Can it be configured? I expected it to choose the untagged management interface. Any help would be appreciated.
Comments
The firewall should route packets based on the dest IP addr.
What is the subnet & subnet mask on VLAN 2 & VLAN 60?
What is the IP addr of the log server?
Sorry, my questions were not helpful.
I'll see if I can find info related to the real problem - the source IP addr of the log packets from the firewall.
I log packets & I also have VLANs, but my log server is local, on a trusted VLAN, and I'm not seeing that issue.
In my case, I have 4 VLANs - all for AP connected devices.
My mgt VLAN (5) is untagged, and all of the rest are tagged.
VLAN 1 - trusted
VLAN 3 - equipment
VLAN 4 - guest
VLAN 5 - AP mgt
On the old Forum, I believe that there were posts to help understand how XTM selected an interface IP addr as the source IP addr. I can't find anything now to help.
What type of things are on your mgt VLAN?
Also - the subnets involved:
VLAN 1 - trusted 10.0.1.0/24
VLAN 3 - equipment 10.0.3.0/24
VLAN 4 - guest 10.0.4.0/24
VLAN 5 - AP mgt 10.0.5.0/24
If your mgt VLAN is not the lowest subnet, perhaps changing it to the lowest subnet might resolve your issue.
Thanks for getting back to me Bruce
VLAN2 10.51.0.1/24
VLAN60 10.51.60.1/24
Log server is 192.168.41.55 (connected via BOVPN) with a route of 192.168.41.0/24 <-> 10.51.0.0/16
The management VLAN currently has a couple switches and an AP.
Currently the source IP for wg-logging is the IP of the external interface. I have no idea why the firebox changed from a source IP of 10.51.60.1, but that's not going to work either.
wg-logging with an external interface IP addr is quite common for remote logging over a BOVPN.
There used to be a FAQ on it, but I can't find it now.
As I recall, the resolution was to add the firewall external IP addr to the BOVPN setup.
I just discovered that the global setting, "Enable configuration of policies for traffic generated by the Firebox" has some influence on the source IP for wg-logging, at least on two of my T35s.
Enabled -> Use the IP from the external interface (Traffic not getting to log server at remote site)
Disabled -> Use a Private IP from trusted (Still choosing my gateway IP for the Camera VLAN.)
I might have to just create a policy on the log server side to allow wg-logging traffic from the gateway on my Camera VLAN.
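The two posts above describe three candidate source addresses for the firebox's wg-logging traffic (the external interface IP, the Camera VLAN gateway 10.51.60.1, and the expected management gateway 10.51.0.1) and one BOVPN route (10.51.0.0/16 <-> 192.168.41.0/24). The script below is an added example, not code from the thread or from WatchGuard, that walks each candidate source through the two checks that decide its fate: is it inside the tunnel's local route at all, and does the remote side's policy allow it. The external IP, the remote allowed-source list, and the rule that a source outside the tunnel route is sent untunnelled are constructed assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Candidate source addresses, constructed from the thread. The external IP is
# a documentation-range placeholder because the real one is not given.
CANDIDATE_SOURCES = {
    "external": "203.0.113.10",      # ASSUMPTION: placeholder external IP
    "vlan60_gateway": "10.51.60.1",  # Camera VLAN gateway the firebox actually used
    "vlan2_gateway": "10.51.0.1",    # management VLAN gateway the poster expected
}
LOG_SERVER = ip_address("192.168.41.55")

# BOVPN tunnel route as stated in the thread: local 10.51.0.0/16 <-> remote 192.168.41.0/24
TUNNEL_LOCAL = ip_network("10.51.0.0/16")
TUNNEL_REMOTE = ip_network("192.168.41.0/24")

# ASSUMPTION: the remote firebox only permits the management subnet to reach
# the log server. Widen this list to model the "just allow the Camera VLAN" option.
REMOTE_ALLOWED_SOURCES = [ip_network("10.51.0.0/24")]


def classify(src_ip, dst_ip=LOG_SERVER, allowed=REMOTE_ALLOWED_SOURCES):
    """Return (verdict, reason) for a firebox-generated packet with this source IP.

    ASSUMPTION: a source outside the tunnel's local route is not matched by the
    BOVPN selector and therefore leaves untunnelled (which is why adding the
    external IP to the BOVPN setup is a common fix for remote logging).
    """
    src = ip_address(src_ip)
    if dst_ip not in TUNNEL_REMOTE:
        return ("no-tunnel", "destination is outside the BOVPN remote route")
    if src not in TUNNEL_LOCAL:
        return ("no-tunnel", "source is outside the BOVPN local route; packet is not tunnelled")
    if not any(src in net for net in allowed):
        return ("dropped-remote", "tunnelled, but the remote policy does not allow this source")
    return ("accepted", "tunnelled and allowed by the remote policy")


def report(sources=CANDIDATE_SOURCES, allowed=REMOTE_ALLOWED_SOURCES):
    """Classify every candidate source; useful before and after a policy change."""
    return {name: classify(ip, allowed=allowed) for name, ip in sources.items()}


def lowest_subnet_gateway(sources=CANDIDATE_SOURCES):
    """Name of the private candidate with the numerically lowest address.

    This checks the earlier suggestion that the firebox may prefer the lowest
    subnet; it only reports the ordering, it does not prove the selection rule.
    """
    private = {n: ip_address(ip) for n, ip in sources.items() if ip_address(ip).is_private}
    return min(private, key=private.get)


if __name__ == "__main__":
    for name, (verdict, reason) in report().items():
        print(f"{name:15} {CANDIDATE_SOURCES[name]:15} {verdict:15} {reason}")
    # Re-run with the Camera VLAN gateway allowed on the remote side
    widened = REMOTE_ALLOWED_SOURCES + [ip_network("10.51.60.0/24")]
    print("after widening remote policy:", report(allowed=widened)["vlan60_gateway"][0])
```

Running it shows why both observed behaviours fail for different reasons: the external IP never enters the tunnel, while 10.51.60.1 does enter the tunnel and is then refused by the remote policy. Only the management gateway passes both checks, and the widened-policy run shows what the "allow the Camera VLAN on the log server side" workaround buys at the cost of admitting a whole camera subnet through the tunnel.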
I'm aware of that option, and I have it enabled - for a long time.
I am not aware that this option affects the source IP addr of packets from the firewall.
Consider opening a support incident on this.
I suppose that this could be XTM version differences. As I do not have your setup - logging over a BOVPN to a remote site, I can't test what my XTM version does for your case. I have V12.6.2 U3