Am I missing something?

Second time doing a Firebox T15. First one was a while back. Now, I connect a local workstation directly into eth1 and use the network cable that was coming into that local workstation and I can get out to the Internet.
Take the Firebox back to the comm closet, plug the cable modem / router into eth0 and from eth1 to the existing switch and can't get out.
Am I dumb or what?
Thanks
Kevin

Answers

  • In the "I connect a local workstation directly into eth1 and use the network cable that was coming into that local workstation" setup, what is connected to the Eth0 WAN port?

    The first thing I would check is to make sure you have entered the Feature Key so it is properly licensed. Then check your WAN IP settings and LAN IP settings to check that they match what works with your current firewall.

    Is your WAN using DHCP from the ISP, or do you have static IP addressing on the WAN?

    Gregg Hill

  • More details:
    ISP Modem Router IP = 10.1.10.1
    Watchguard Firebox IP = 10.0.1.1 (default)
    Firebox will be handling DHCP & DNS
    Internal network will be pulling IP from the Firebox / previously it was using the ISP Modem - Router
    Trusted IP = 10.0.1.1
    External IP = DHCP from the ISP

    When I was testing it, I took the patch cable out of the workstation and plugged that into ETH0 (which should get an IP from the ISP modem??).
    The ETH1 port, I plugged into the workstation so it would pull an IP from the Firebox. With this setup, I could get out to the Internet.

    Hope this helps understand things. I will check all settings tomorrow when I am back on-site.

    Thanks
    Kevin

  • james.carson (Moderator, WatchGuard Representative)

    Hi Kevin,

    Thanks for contacting us.

    I'd suggest opening a support case so we can get logs via that case.

    If you can get a support file from the device when it's not connecting to the internet, try going to
    -In WebUI, go to system status -> diagnostics, and click to download a support log file.
    OR
    -In System Manager, go to Firebox System Manager, status report tab, click support, then retrieve.

    Please attach that file to your case (do not attach it here, as it will have sensitive data like your IP address, if that is detected.)

    -James Carson
    WatchGuard Customer Support

  • "Firebox will be handling DHCP & DNS"
    Verify that you enabled DNS Forwarding in your config.

    About DNS Forwarding
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/dns_forwarding_about.html

  • Case has been opened.
    Not sure why I would need to forward DNS and would that be related to why only one pc (hardwired into the Firebox) can get on the Internet?

    When I uplink an ISP cable modem port to ETH0 and then uplink ETH1 to the internal switch, no PCs can get on the Internet.

    Thanks for the input.
    Kevin

  • Only 1 PC suggests that you have not imported your Feature Key into your firewall.

    Verify that you have a link light on your Eth1 port and on the connected switch port. If not, switch your Ethernet cable type - straight through <-> cross over cable.

  • "Not sure why I would need to forward DNS"

    The firewall is not a DNS server.
    It can be a DNS forwarder, if that option is enabled.
    And you said: "Firebox will be handling DHCP & DNS".
    For the firewall to handle DNS, meaning that your internal devices use a firewall interface IP addr for their DNS server entry, DNS forwarding needs to be enabled.

  • Bruce,
    I misspoke... the firewall is handling DHCP and I am using Comcast DNS for DNS:

    This is the workstation ipconfig:

    IPv4 Address. . . . . . . . . . . : 10.0.1.20(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Sunday, December 12, 2021 11:23:24 AM
    Lease Expires . . . . . . . . . . : Monday, December 20, 2021 11:23:24 AM
    Default Gateway . . . . . . . . . : 10.0.1.1
    DHCP Server . . . . . . . . . . . : 10.0.1.1
    DNS Servers . . . . . . . . . . . : 75.75.75.75
    75.75.76.76

    Thanks
    Kevin

  • Bruce,

    I have a blinking amber light on the front of the Firebox on ETH0 and ETH1 at
    the 1GB level / Mode = Solid Green / Status = No light / Attn: = No light

  • Under Dashboard - Subscription Services... it only lists File Exceptions.
    Should it be that way?
    Thanks
    Kevin

  • Have you imported your Feature Key into your firewall?

    Link lights:
    Yellow Link speed: 1000 Mbps
    Blinks - Data sent and received

    Blinking on Eth0 & Eth1 indicates data transfer, so no issue there with the cables.

    WatchGuard Firebox® T15 Hardware Guide
    https://www.watchguard.com/help/docs/hardware guides/Firebox_T15_Hardware_Guide.pdf

  • Under System - Feature Key I have a

    Serial Number
    Signature

    So that would indicate that I imported the Feature Key. Correct ?

    Thanks
    Kevin

  • You should have way more than just those 2 entries in System -> Feature Key.

    Click the Lock icon, scroll down and click Get Feature Key

  • Did that again just now:
    "The changes were saved successfully"
    I didn't mean to indicate that the System - Feature Key only had those 2 items... below that is a list of 19 items, i.e.: Model Upgrade / Total Number of Authenticated Users / Branch Office VPN Tunnels / Fireware XTM / Firewall Policy Maximum... etc.

    One other issue: I didn't see a "Lock Icon" on that screen.

    Thanks
    Kevin

  • james.carson (Moderator, WatchGuard Representative)

    The lock icon will only appear if you have multi-admin enabled -- if you don't see it, it's safe to ignore that step.

    -James Carson
    WatchGuard Customer Support

  • If things still don't work, wait for support help.
    They can look at your config, etc.

  • @Kevin1000 said:
    Case has been opened.
    Not sure why I would need to forward DNS and would that be related to why only one pc (hardwired into the Firebox) can get on the Internet?

    When I uplink an ISP cable modem port to ETH0 and then uplink ETH1 to the internal switch, no PCs can get on the Internet.

    Thanks for the input.
    Kevin

    Make sure your feature key is good, which I believe you have done.

    After you uplinked an ISP cable modem port to ETH0 and then uplinked ETH1 to the internal switch, and you have no other cables from the ISP modem to the switch, did you refresh all internal devices' IP addresses? They should be on the new subnet of the firewall now, so any addresses stuck on the ISP modem's old 10.1.10.x subnet won't work.

    Some cable providers require that the cable modem be rebooted before it will work with a different device on its LAN port. If you have not done so, power cycle the cable modem, then verify that the firewall has a WAN IP that is on the cable modem's LAN. Better yet, ask the ISP to put their cable modem into bridge mode.

    To find just where the problem lies, do a test from the 10.0.1.20 workstation. Ping 10.0.1.1 and see if it replies. If it does, then ping the WAN 10.0.10.x IP of the firewall. If that works, ping 8.8.8.8 and 75.75.75.75 and see what happens.

    If all pings work, you have Internet access, but you may not be able to browse. To check that, ping yahoo.com and see if it replies. If it does, then you have working DNS as well. If all workstations still cannot browse, double-check your feature key and double-check the workstations' IP settings to make sure everything is on the correct subnet.

    Gregg Hill
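The layered ping test Gregg describes, written up as a small script that stops at the first failing hop and says which part of the path (LAN, Firebox WAN, ISP, DNS) to look at. This is an added example, not code from the thread or from WatchGuard; the Firebox WAN address is a constructed placeholder, and the probe functions are injectable so the decision logic can be checked without a live network.

```python
"""Layered connectivity test in the order described above: LAN gateway,
Firebox WAN address, Internet by IP, then DNS. Probes are injectable so the
decision logic can be exercised offline."""
import platform
import socket
import subprocess
from typing import Callable, Tuple

LAN_GATEWAY = "10.0.1.1"                   # trusted IP from the thread
FIREBOX_WAN_IP = "10.1.10.50"              # placeholder: the lease the Firebox got from the modem
EXTERNAL_IPS = ("8.8.8.8", "75.75.75.75")  # public targets from the thread
TEST_HOSTNAME = "yahoo.com"

Probe = Callable[[str], bool]

def ping(host: str, timeout_s: int = 2) -> bool:
    """Single ICMP echo through the OS ping binary (Windows or Unix flags)."""
    win = platform.system() == "Windows"
    args = ["ping", "-n" if win else "-c", "1",
            "-w" if win else "-W", str(timeout_s * 1000 if win else timeout_s), host]
    return subprocess.run(args, capture_output=True).returncode == 0

def resolves(host: str) -> bool:
    """True when the workstation's configured DNS servers answer for host."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False

def diagnose(ping_fn: Probe = ping, resolve_fn: Probe = resolves) -> Tuple[str, str]:
    """Walk outward from the workstation and stop at the first failing layer."""
    if not ping_fn(LAN_GATEWAY):
        return ("lan", "cannot reach the Firebox trusted IP: check link lights, that the "
                       "workstation holds a 10.0.1.x lease, and that the Feature Key is loaded")
    if not ping_fn(FIREBOX_WAN_IP):
        return ("wan", "Firebox reachable but its external interface is not: check the "
                       "WAN DHCP lease from the modem")
    if not all(ping_fn(ip) for ip in EXTERNAL_IPS):
        return ("isp", "external interface up but no path to the Internet: power-cycle the "
                       "cable modem or ask the ISP for bridge mode")
    if not resolve_fn(TEST_HOSTNAME):
        return ("dns", "IP connectivity works but names do not resolve: check the DNS "
                       "servers handed out by DHCP or enable DNS Forwarding on the Firebox")
    return ("ok", "all layers pass; if browsing still fails, re-check feature key and subnet")

if __name__ == "__main__":
    layer, advice = diagnose()
    print(f"[{layer}] {advice}")
```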

  • Thanks.

    With all your help I got it to work.

    Best forum I've ever been in. Seriously.

    Kevin

  • For others who may need similar help, what was the change which helped?

  • Sorry about the delay.

    I believe re-doing the Feature Key and checking the DNS Forwarding checkbox is what fixed the problem.

    Thank you
    Kevin

  • Hello Team,

    I'm quite new here.

    I've got an M270 Firebox which seems to be disconnecting the internal interface randomly.

    I was wondering if someone could tell what the excerpt of logs below could mean, regarding the incessant disconnection.

    tunnel 8701308 43447985 unix_time="1706201397.947898"

    wan 9253901549 53072892522 unix_time="1706201396.913464"

    link-mon [Link Monitor] No response received on Data from Ping target default gateway msg_id="4900-0002"

    kernel [13641.043444] vlan1: received packet on eth1 with own address as source address (addr:00:01:21:03:a9:3c, vlan:0)

  • james.carson (Moderator, WatchGuard Representative)

    @Sly007

    eth1 is getting traffic looped back to it from whatever it's plugged into -- the firebox should not be seeing its own MAC address sent back to it.

    link-mon is saying your external interface can't ping the default gateway.

    Tunnel and wan logs are diagnostic logging messages for logging interface metrics to our logging server, Dimension. They are just informational.

    -James Carson
    WatchGuard Customer Support
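A small triage script that reads the four kinds of lines in the excerpt above the way James does: interface-metrics lines are informational, the link-mon line is a WAN warning, and the kernel "own address as source address" line is flagged as a loop, with interface, MAC and VLAN pulled out for follow-up. This is an added example, not WatchGuard code; the sample log is constructed from the lines posted above and the regexes are assumptions about the message format.

```python
"""Triage Firebox log lines: rank loop evidence above link-monitor failures
above informational metrics."""
import re
from typing import Dict, List

# Constructed sample, copied from the excerpt posted in the question.
SAMPLE_LOG = """\
tunnel 8701308 43447985 unix_time="1706201397.947898"
wan 9253901549 53072892522 unix_time="1706201396.913464"
link-mon [Link Monitor] No response received on Data from Ping target default gateway msg_id="4900-0002"
kernel [13641.043444] vlan1: received packet on eth1 with own address as source address (addr:00:01:21:03:a9:3c, vlan:0)
"""

# Assumed formats, derived only from the lines above.
LOOP_RE = re.compile(
    r"kernel \[[\d.]+\] (?P<vif>\S+): received packet on (?P<iface>\S+) with own address "
    r"as source address \(addr:(?P<mac>[0-9a-f:]{17}), vlan:(?P<vlan>\d+)\)")
LINKMON_RE = re.compile(
    r"link-mon \[Link Monitor\] No response received on (?P<link>\S+) "
    r"from Ping target (?P<target>.+?) msg_id=")

def classify(line: str) -> Dict[str, str]:
    """Return severity, kind and a plain-language meaning for one log line."""
    m = LOOP_RE.search(line)
    if m:
        return {"severity": "critical", "kind": "own-mac-loop", "iface": m["iface"],
                "mac": m["mac"], "vlan": m["vlan"],
                "meaning": f"{m['iface']} saw its own MAC {m['mac']} as a source: "
                           f"something downstream of {m['iface']} is looping traffic back"}
    m = LINKMON_RE.search(line)
    if m:
        return {"severity": "warning", "kind": "link-monitor-fail", "link": m["link"],
                "target": m["target"],
                "meaning": f"external interface cannot ping its {m['target']}"}
    if line.split(" ", 1)[0] in ("tunnel", "wan"):
        return {"severity": "info", "kind": "interface-metrics",
                "meaning": "interface counters reported to Dimension; informational"}
    return {"severity": "unknown", "kind": "unclassified", "meaning": line}

def triage(log: str) -> List[Dict[str, str]]:
    """Classify every non-empty line and put the most serious findings first."""
    order = {"critical": 0, "warning": 1, "unknown": 2, "info": 3}
    findings = [classify(l) for l in log.splitlines() if l.strip()]
    return sorted(findings, key=lambda f: order[f["severity"]])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['kind']:18} {f['meaning']}")
```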

  • @james.carson said:
    @Sly007

    eth1 is getting traffic looped back to it from whatever it's plugged into -- the firebox should not be seeing its own MAC address sent back to it.

    link-mon is saying your external interface can't ping the default gateway.

    Tunnel and wan logs are diagnostic logging messages for logging interface metrics to our logging server, Dimension. They are just informational.

    Thank you so much, @james.carson

    Would you know of any tools that can help to identify where the loop is coming from?

  • Look at your VLAN switch settings.
    Looks to me from the log message that VLAN1 & VLAN0 are interconnected.
