DHCP from M370 out for VoIP phones over VLAN, not getting VLAN IPs
M370 w/ 12.4.1
Port 7, setup as VLAN 50 doing DHCP 172.16.50.100 to .199. Port 7 is IP 172.16.50.9
Send and Receive tagged traffic for selected VLAN 50.
For setup test purposes, I connected a laptop to Port 7 and we were getting our WG management IP 172.16.10.x (which I use for our WiFi) as the handed-out DHCP address, not a VLAN 50 address of 172.16.50.1xx.
The phones are just talking to our new server at 172.16.50.10.
Just for test purposes, shouldn't my M370 on port 7 be handing out a VLAN 50 IP address?
I'm new to setting up VLANs and VoIP phones; what am I doing wrong?
Comments
Sounds like a switch config issue.
You can add an Any packet filter From: your interface 7 name To: Any.
Set this policy to the top of the list.
Turn on Logging on it.
Then you can see what packets are coming to port 7.
If no DHCP packets are coming to it, then the switch settings must be incorrect someplace.
You can also turn on Diagnostic Logging for DHCP Server
In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> Network -> DHCP Server
In the Web UI: System -> Diagnostic Log
Set the slider to Information or higher
We have the laptop plugged directly into interface 7 and we're getting a Management VLAN (10) IP address, not a VLAN 50 IP address.
Occasionally we'll get a VLAN 50 IP, but if we do a refresh it goes back to VLAN 10.
I have an Any packet filter From: my Interface 7 To: Any. I turned on Logging and this is the only thing I get.
2020-11-03 13:03:48 Allow 172.16.50.9 172.16.50.255 2528/udp 2529 2528 Firebox 50-3CX-phones Allowed 36 64 (Any From Firebox-00) proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
2020-11-03 13:03:48 Allow 172.16.50.9 172.16.50.255 2528/udp 2529 2528 Firebox 50-3CX-phones Allowed 36 64 (Any From Firebox-00) proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
Randomly these two lines show up.
Other than that it will randomly hand out 172.16.50.100, but then goes back to 172.16.10.108.
It won't hand out a steady DHCP address for VLAN 50.
By refresh, do you mean an ipconfig release followed by an ipconfig renew?
Make sure that you do not have DHCP relay set on VLAN 50.
You can see the ARP entries in use.
FSM -> Status Report; Web UI -> System Status -> ARP Table
You can clear the ARP cache on your firewall, which might help.
If you have a current LiveSecurity license, you can open a support incident on this.
Sorry, yes, ipconfig release and ipconfig renew!
I do not have DHCP relay set either.
I may have to do a support case for this, I'll keep this updated.
@Bruce_Briggs
I took another look based on your advice; I changed some of my Cisco switch settings. I turned on QoS.
I'm now getting VLAN 50 IP addresses to my phones.
Now my Firebox M370 doesn't want to pass any traffic from my VLAN 50 IPs to the outside world. I also can't connect to my 3CX phone switch/server (172.16.50.10; PC using 172.16.50.120) via its IP address on the VLAN 50 subnet 172.16.50.1/24.
I set up two policies (individually): "Outgoing", allowed from my 3CX-Phones VLAN to Any-External, any port; I could not get out and I didn't "see" any* traffic trying to get out!
*This is the only attempt at passing traffic in my logs, and I added 172.16.50.10 to my DNS UDP policy also.
2020-11-05 11:16:01 Deny 172.16.50.10 172.16.50.1 dns/udp 45113 53 50-3CX-Phones Firebox Denied 74 64 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic
2020-11-05 11:16:01 Deny 172.16.50.10 172.16.50.1 icmp 50-3CX-Phones 50-3CX-Phones Denied 102 64 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic
I set up a "Custom" policy with the same basic settings, allowed from my 3CX-Phones VLAN and also two specific 172.16.50.xxx IPs, to Any-External on any port. I still didn't see any traffic (except the above DNS) in my logs trying to go out.
I put both of these policies at the top of my list.
Is there a problem with some VLAN setups with either the M370 or Fireware 12.4.1?
I have two other VLANs set up for my WiFi SSIDs that are working just fine.
VLAN 20 - Guests - 172.16.20.1/24
VLAN 30 - Employees - 172.16.30.1/24
M370 interface 2 'Trusted vlan1' set as a VLAN
Send and receive tagged traffic for:
VLAN 50 - Trusted - 3cx-phones - 172.16.50.1/24 (dhcp)
VLAN 30 - Trusted - Employees - 172.16.30.10./24 (dhcp)
Send and receive untagged traffic for:
Trusted network - 10.249.115.43/24
Once in a while I get this in my logs:
2020-11-05 11:35:38 Allow 172.16.50.1 172.16.50.255 2528/udp 2529 2528 Firebox 50-3CX-Phones Allowed 36 64 (Any From Firebox-00) proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
2020-11-05 11:35:38 Allow 172.16.50.1 172.16.50.255 2528/udp 2529 2528 Firebox 50-3CX-Phones Allowed 36 64 (Any From Firebox-00) proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
If I connect a PC to a phone (which has received an IP from my VLAN 50) with a 'trusted network' IP, I can get out to the internet, which makes me think my Cisco switch ports are set up OK along with my WatchGuard.
This is my first VoIP phone setup; am I overthinking this and missing something simple?
Do you have any thoughts or know of any issues with these?
Any documents you can point me to?
"Unhandled Internal Packet" means that you do not have a policy allowing this packet.
172.16.50.1 is the firewall interface IP addr. The alias for firewall interfaces is Firebox.
Notice that the deny is for a DNS packet going to the firewall interface.
1) the firewall is not a DNS server
2) the firewall can be a DNS forwarder, if that option is turned on
About DNS Forwarding
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/dns_forwarding_about.html
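As an added example that is not part of this thread or of WatchGuard's tooling: a small Python parser for the Firebox traffic-log lines quoted above. It flags each "Unhandled Internal Packet" deny and says whether the packet was addressed to the Firebox itself (the DNS case Bruce explains, which needs a To: Firebox policy or DNS forwarding) or simply had no matching From/To policy. The interface addresses 172.16.50.1 and 172.16.50.9 come from the thread; the parser assumes the two port fields are simply absent for ICMP, as in the quoted ICMP line.

```python
import re
from collections import Counter

# Traffic-log layout as it appears in this thread. The source/destination
# port fields are absent for ICMP records, so they are optional here.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>Allow|Deny) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<service>\S+) "
    r"(?:(?P<sport>\d+) (?P<dport>\d+) )?"
    r"(?P<src_if>\S+) (?P<dst_if>\S+) (?P<result>Allowed|Denied) "
    r"(?P<length>\d+) (?P<ttl>\d+) \((?P<policy>[^)]*)\)(?P<rest>.*)$"
)

# Firebox interface addresses quoted in the thread: traffic sent to one of
# these is addressed to the firewall itself, not routed through it.
FIREBOX_IPS = {"172.16.50.1", "172.16.50.9"}

def parse_line(line):
    """Return a dict of fields, or None if the line is not a traffic record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Trailing key="value" pairs (proc_id, rc, msg_id) become fields too.
    rec.update(re.findall(r'(\w+)="([^"]*)"', rec.pop("rest")))
    return rec

def triage(lines):
    """Explain each 'Unhandled Internal Packet' deny; count records per policy."""
    findings, per_policy = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_policy[rec["policy"]] += 1
        if rec["action"] == "Deny" and rec["policy"].startswith("Unhandled Internal Packet"):
            if rec["dst"] in FIREBOX_IPS:
                why = "sent to a Firebox interface: needs a To: Firebox policy (or DNS forwarding), not an outbound one"
            else:
                why = f"no policy matches From: {rec['src_if']} To: {rec['dst_if']}"
            findings.append((rec["src"], rec["dst"], rec["service"], why))
    return findings, per_policy

# Constructed sample: the three distinct log lines quoted in this thread.
SAMPLE = """\
2020-11-05 11:16:01 Deny 172.16.50.10 172.16.50.1 dns/udp 45113 53 50-3CX-Phones Firebox Denied 74 64 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic
2020-11-05 11:16:01 Deny 172.16.50.10 172.16.50.1 icmp 50-3CX-Phones 50-3CX-Phones Denied 102 64 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic
2020-11-05 11:35:38 Allow 172.16.50.1 172.16.50.255 2528/udp 2529 2528 Firebox 50-3CX-Phones Allowed 36 64 (Any From Firebox-00) proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE)[0]:
        print(*finding)
```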
@Bruce_Briggs
The DNS messages were from a misconfiguration in the Phone Switch(system).
They finally went in and made some changes!
The "getting the wrong IP" was a network (Cisco) switch configuration issue.
I needed to turn on LLDP for each switch and configure the ports for Voice VLANs with my Voice VLAN ID.
Your help is always greatly appreciated.