I have an HP 2650PWR switch with VLANs 1 & 2 setup.
VLAN1: 10.1.0.x network
VLAN2: 10.1.2.x network
When connecting to the network via VPN (using Watchguard firewall for VPN connection), remote client is assigned IP: 192.168.5.x
From within the firewall, I can ping devices on both VLANs. However, from the remote VPN client I can ping devices on VLAN1, but I cannot ping VLAN2 devices. Note: VLAN2 is using tagged ports.
Any advice on what needs to be changed to allow remote VPN client access to VLAN2?
On your Watchguard firewall, there’s probably a setting for this VPN connection that says which networks to allow over IPSec. Chances are, only VLAN1’s IPs are listed there.
Do you have a policy in place for VPN->VLAN2 traffic? And possibly the reverse. That’s what it sounds like to me. Not sure on Watchguard, but on Fortigates everything has to have a policy.
Traffic between networks needs a traffic director, a router.
Think of your VPN connection as a 3rd VLAN. We need to ensure that all 3 VLANs are aware of each other and the routers responsible for them.
What is the IP of the default gateway for devices on VLAN 1? I’m going to assume it’s the Watchguard.
What is the default gateway for devices on VLAN 2?
It’s possible that the devices on VLAN 2 are getting your VPN traffic, but don’t know how to send replies back to the VPN.
If the default gateway for devices on VLAN 2 is the Watchguard, then a firewall rule may be needed to explicitly allow that traffic.
If the default gateway is another device (such as a Layer 3 switch or phone router), then that gateway will need a route entry added so it knows where to send traffic being sent to the VPN.
I’ve also seen this behavior on devices where the installer left the default gateway blank.
I don’t believe so. In the Watchguard firewall, the VPN is configured using their Mobile VPN with IKEv2. The configuration is very basic. It consists of the address pool for connection clients and authentication settings to connect. Then in the firewall’s policies, there is a rule for IKEv2-Users to “ANY” port. In addition, the firewall has VLANs configured. It has both the VLAN1 as untagged and VLAN2 as tagged. There is no reference other than the VLAN to any IPs.
I am new to this network, but I am assuming it is in the switch. However, the HP web UI doesn’t have anything related to routing. It could possibly be in the CLI. I am not familiar with the HP CLI command set to know where to look for the information.
If you have some insight into the CLI that may help me figure this out.
I spoke to Watchguard. For whatever it is worth they claim that since the ping “test” from within the firewall can access both networks then it is some configuration that is required in the network switch. However, not sure what exactly would be required to facilitate that.
The default gateway of VLAN1 (untagged) is the switch.
However the gateway for VLAN2 is not the switch.
Note: VLAN2 is for Mitel phone network. Along with the phone system there are a few Mitel Linux machines. It appears that the gateway address of the phone system (IP PBX) is assigned to the IP address of one of the Mitel Linux machines.
There is a rule somewhere in the Watchguard that you need to set so it allows traffic from the VPN to VLAN2. It can get to VLAN1 because they are both untagged networks and thus they can traverse everything as far as switching is concerned. Since the router knows that both networks exist, due to both being in the route table, it allows them to talk.
The other thing to check is what the default gateway is on internal machines (on both VLAN 1 and 2). If it’s then it’s the switch doing it. If it’s then the firewall is probably doing it.
I’m guessing that VLAN 2 machines can access the internet through the firewall OK?
Ah ha! This gives us the answer. You’ll need to add a route on that Mitel Linux box so it knows to forward traffic bound for 192.168.5.x to the Watchguard IP on VLAN2.
It turned out that the VLAN2 network was being routed through a Mitel Linux box. I added the VPN network 192.168.5.x to its routing table and now the VPN clients are able to access VLAN2.
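The fix in the last two posts is a return-route problem: VPN packets reach VLAN2, but the Linux box acting as VLAN2's default gateway has no idea that 192.168.5.x lives behind the Watchguard, so replies go out its default route instead. The script below is an added example, not code from the thread or from Mitel or Watchguard. It models that check against a routing table in `ip route show` format and prints the `ip route add` command the original poster ended up running. The Watchguard's VLAN2 address (10.1.2.1), the sample tables, and the function names are all assumptions or constructed values; replace the address with the real one.

```shell
#!/bin/sh
# Added example, not from the thread. Models the asymmetric-routing check
# behind the fix: on the Linux host that is VLAN2's default gateway, where
# would a reply to a VPN client (192.168.5.x) be sent? Only a route via the
# Watchguard's VLAN2 address makes the round trip work.

VPN_POOL="192.168.5.0/24"   # remote client pool named in the thread
WG_VLAN2_IP="10.1.2.1"      # ASSUMED placeholder for the Watchguard's VLAN2 address; replace

# next_hop TABLE PREFIX
# Prints the gateway the host would use for PREFIX, given TABLE in the
# format of `ip route show`. Simplification: an exact-prefix route wins,
# otherwise the default route applies (no general longest-prefix match).
next_hop() {
    hop=$(printf '%s\n' "$1" | awk -v p="$2" '$1 == p && $2 == "via" { print $3; exit }')
    if [ -z "$hop" ]; then
        hop=$(printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }')
    fi
    printf '%s' "$hop"
}

# reply_path_ok TABLE
# Succeeds (exit 0) when replies to the VPN pool would go to the Watchguard.
reply_path_ok() {
    [ "$(next_hop "$1" "$VPN_POOL")" = "$WG_VLAN2_IP" ]
}

# report TABLE
# Prints the verdict and, when the path is wrong, the command that fixes it.
report() {
    if reply_path_ok "$1"; then
        echo "OK: $VPN_POOL reached via $(next_hop "$1" "$VPN_POOL")"
    else
        echo "PROBLEM: replies to $VPN_POOL would go via '$(next_hop "$1" "$VPN_POOL")', not the Watchguard"
        echo "  fix (run as root on the gateway host): ip route add $VPN_POOL via $WG_VLAN2_IP"
    fi
    return 0
}

# Constructed sample tables; not captured from the poster's Mitel box.
# Before: only the connected VLAN2 subnet and a default route that points
# somewhere other than the Watchguard, so VPN replies never come back.
SAMPLE_BEFORE="default via 10.1.2.254 dev eth0
10.1.2.0/24 dev eth0 proto kernel scope link src 10.1.2.50"

# After: the explicit return route the thread's fix adds.
SAMPLE_AFTER="$SAMPLE_BEFORE
$VPN_POOL via $WG_VLAN2_IP dev eth0"

report "$SAMPLE_BEFORE"
report "$SAMPLE_AFTER"
```

Two things to keep in mind when applying this on a real gateway host: `ip route add` is not persistent, so the route also has to go into whatever network configuration the distribution uses or it disappears at the next reboot; and this is why the firewall's own ping test succeeded while the VPN clients' did not, since the Watchguard sourced its pings from an address the Mitel box could already reach.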