Hello,
I don't think this setup will cause any issue. There are 2 routing devices but only one of them is functioning as default gateway at the moment, the firewall. So the inter VLAN routing and internet routing of clients will only be done by the firewall, not by the E3800. Of course assuming that the DHCP scopes of the client VLANs on the firewall are defining the IPs of the firewall as default gateway for every VLAN.
The E3800 cannot route client traffic even if ip routing is enabled if it doesn't have IP addresses in the client VLANs or if IP addresses are configured but they are not defined as default gateway in the client DHCP scopes. The E3800 will simply switch all the traffic that has to be routed to the MAC address of the firewall.
Both options are possible:
You can keep the current setup where the firewall is default gateway for all client VLANs. In this case the E3800 doesn't need IP addresses and IP helper addresses in the client VLANs. But the client VLANs have to be extended at L2 to the firewall, which requires tagging on the uplink port 48.
Of course you can also use the E3800 as default gateway for client VLANs. In this case the E3800 needs IP addresses and IP helper addresses in all client VLANs. The VLAN IP addresses have to be defined as default gateway in the DHCP scopes of every VLAN. VLAN tagging of the client VLANs on the uplink port 48 is not necessary for this setup. Of course ip routing has to be enabled in the CLI.
The E3800 will do inter VLAN routing and will use the default route via VLAN 10 (next hop 10.10.10.1) for internet traffic. The firewall doesn't have to have the client VLANs defined with IP addresses. But it should have static routes pointing to the E3800.
Which one is better (simpler) is hard to estimate without detailed knowledge of the network and requirements. Maybe in the router on a stick case, you should check the volume of the traffic that has to be routed. If it can exceed 1Gbps at times, maybe port 48 will become a bottleneck if both inter VLAN and internet traffic have to be routed by the firewall (assuming port 48 is 1Gbps as far as I remember). If this is the case maybe it would be better to do the inter VLAN routing on the E3800 and forward only the internet traffic to the firewall. But you could also keep the L2 design and simply configure the uplink as link aggregation (this is called trunk on E3800) and add additional physical ports.
The router on a stick configuration also means suboptimal traffic flow for the inter VLAN routed traffic. It has to traverse the uplink from switch to the firewall in both directions before it is routed. This can add some latency, but it is not so high with modern switches.
An advantage of the design with all routing on the firewall is that a firewall has typically more advanced security related features than a switch. It can do better packet inspection, recognize and prevent various types of attacks in the network.
There may be other considerations, pros and cons, which I cannot think of at the moment. If anyone has other ideas, please comment.
Original Message:
Sent: Oct 04, 2022 02:34 PM
From: IT IT
Subject: DHCP helper / relay help with E3800 VLANs
Hi Emil,
Thank you for the detailed reply.
Yes, the fw is currently default gw and DHCP server for all VLANs and the VLANs are defined on the fw.
fw port is configured as trunk with VLAN 10 native and all other VLANs defined as logical.
E3800 port 48 already has VLAN 10 untagged, but not tagged with other VLANs.
To do: tag all other VLANs on port 48
Now does this setup mean that there are two routers connected to each other (E3800 and firewall)? Would that cause any problems?
Is it better (simpler?) to use the E3800 as a layer 2 switch only (no ip routing) and have the fw do inter-VLAN routing in addition to the other functions?
Original Message:
Sent: Oct 01, 2022 01:59 AM
From: Emil Gogushev
Subject: DHCP helper / relay help with E3800 VLANs
Hello,
Do I understand correctly that the firewall is default gateway and DHCP server for all VLANs, so the VLANs are also defined there?
If this is true you don't need ip helper-address on the E3800. But you need to make sure that all the VLANs are extended from the switch to the firewall. This is known as router on a stick configuration.
On the firewall make sure that the port is configured to support VLAN tagging. It is typically done either by configuring the port as trunk port with native VLAN 10 and allowed VLANs all the other VLANs. Or on router ports it can be done by configuring subinterfaces with 802.1Q encapsulation. VLAN 10 should be defined as native and the other VLANs with their VLAN ID.
On the E3800 you need to change the VLAN configuration of port 48. Keep the untagged VLAN 10 and make all other VLANs tagged on that port.
That way you establish L2 VLAN transport between switch and firewall which makes ip helper-address (DHCP relay) unnecessary. This will also make sure that the clients have an L2 connection to their default gateway after they receive the IP address.
If the firewall is only default gateway for VLAN 10 and doesn't have the other VLANs, and the E3800 is default gateway for all other VLANs, then you need the ip helper-address. In this case the issue is most probably caused by lack of a static route on the firewall. The firewall needs to have a static route which states that VLAN 30 can be reached by going to the E3800, so its IP in VLAN 10 is the next hop.
Something like this
ip route 10.10.30.0 255.255.255.0 10.10.10.10
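The two designs compared in this thread (the L2 "router on a stick" option with VLANs tagged on port 48 and no helper, versus the E3800 relaying DHCP with ip helper-address and the firewall needing a static route back) come down to two DHCP server decisions: which scope to hand out from, and where the OFFER is sent. The following Python model is an added illustration, not code from this thread, from the E3800 or from Firewalla. It reuses the thread's addressing (VLAN 10 = 10.10.10.0/24 with firewall .1 and E3800 .10, VLAN 30 = 10.10.30.0/24); the E3800's own VLAN 30 address 10.10.30.1 in the relay design and the scope pool strings are constructed assumptions. It shows that in the relay design the scope is chosen from giaddr and the reply is routed to giaddr, so without the static route the OFFER follows the default route out of the WAN and never comes back to the switch.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

ZERO = ip_address("0.0.0.0")
FW_VLAN10 = ip_address("10.10.10.1")    # firewall's VLAN 10 address (from the thread)
SW_VLAN10 = ip_address("10.10.10.10")   # E3800's VLAN 10 address (from the thread)
SW_VLAN30 = ip_address("10.10.30.1")    # ASSUMED E3800 VLAN 30 address for the relay design
DEFAULT = ip_network("0.0.0.0/0")
# Constructed scope pools; the thread only mentions "eg 10.10.30.50-100".
SCOPES = {ip_network("10.10.10.0/24"): "10.10.10.50-100",
          ip_network("10.10.30.0/24"): "10.10.30.50-100"}


@dataclass
class Dhcp:
    """Only the DHCP fields that matter for relay. giaddr is the relay agent's address
    on the client's VLAN (RFC 2131 section 4.3.1), 0.0.0.0 when the client's broadcast
    reached the server directly at L2. rx_vlan is the VLAN the server saw it on."""
    op: str
    giaddr: IPv4Address
    rx_vlan: int


def e3800_relay(discover: Dhcp, relay_ip: IPv4Address) -> Dhcp:
    """What 'ip helper-address' does on the switch: the client broadcast is re-sent as a
    unicast to the helper, with giaddr stamped with the switch's IP on the client's VLAN.
    The firewall then receives it on its VLAN 10 interface."""
    return Dhcp(discover.op, giaddr=relay_ip, rx_vlan=10)


@dataclass
class Firewall:
    interfaces: dict[int, IPv4Network]        # VLAN -> connected subnet (the .1 lives here)
    scopes: dict[IPv4Network, str]            # subnet -> address pool
    statics: dict[IPv4Network, IPv4Address]   # subnet -> next hop

    def select_scope(self, msg: Dhcp) -> Optional[str]:
        """RFC 2131 scope selection: giaddr's subnet when relayed, else the receiving interface's."""
        if msg.giaddr != ZERO:
            anchor = msg.giaddr
        else:
            net = self.interfaces.get(msg.rx_vlan)
            if net is None:
                return None
            anchor = net.network_address
        for net, pool in self.scopes.items():
            if anchor in net:
                return pool
        return None

    def route(self, dst: IPv4Address) -> str:
        """Longest-prefix match over connected, static and default routes."""
        candidates = [(net, f"connected vlan {vlan}") for vlan, net in self.interfaces.items()]
        candidates += [(net, f"via {nh}") for net, nh in self.statics.items()]
        candidates.append((DEFAULT, "via WAN (default route)"))
        best = max((c for c in candidates if dst in c[0]), key=lambda c: c[0].prefixlen)
        return best[1]

    def reply_path(self, msg: Dhcp) -> str:
        """The OFFER is unicast to giaddr when relayed, else sent out the receiving VLAN."""
        if msg.giaddr != ZERO:
            return self.route(msg.giaddr)
        return f"connected vlan {msg.rx_vlan}"


def l2_design() -> tuple[Optional[str], str]:
    """Option A: VLAN 30 tagged on port 48, firewall owns 10.10.30.1, no helper needed."""
    fw = Firewall(interfaces={10: ip_network("10.10.10.0/24"), 30: ip_network("10.10.30.0/24")},
                  scopes=SCOPES, statics={})
    discover = Dhcp("DISCOVER", giaddr=ZERO, rx_vlan=30)
    return fw.select_scope(discover), fw.reply_path(discover)


def relay_design(with_static_route: bool) -> tuple[Optional[str], str]:
    """Option B: firewall only has VLAN 10; the E3800 owns VLAN 30 and relays to 10.10.10.1.
    The static route 10.10.30.0/24 via 10.10.10.10 is what brings the OFFER back."""
    statics = {ip_network("10.10.30.0/24"): SW_VLAN10} if with_static_route else {}
    fw = Firewall(interfaces={10: ip_network("10.10.10.0/24")}, scopes=SCOPES, statics=statics)
    client_discover = Dhcp("DISCOVER", giaddr=ZERO, rx_vlan=30)
    relayed = e3800_relay(client_discover, relay_ip=SW_VLAN30)
    return fw.select_scope(relayed), fw.reply_path(relayed)


if __name__ == "__main__":
    print("L2 design:              ", l2_design())
    print("relay, no static route: ", relay_design(False))
    print("relay, with static route:", relay_design(True))
```

In both relay cases the firewall picks the right scope, because giaddr 10.10.30.1 falls in 10.10.30.0/24; the difference is only the return path, which is why a missing static route looks like "the scope exists but clients never get an address". The model also shows why the helper address must be the server's address (10.10.10.1) and not the VLAN's gateway: giaddr identifies the client's subnet, the helper only says where to unicast.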
Original Message:
Sent: Sep 30, 2022 03:13 PM
From: IT IT
Subject: DHCP helper / relay help with E3800 VLANs
Hello,
My setup is as follows:
DHCP server running on Firewalla Gold firewall/router with VLANs defined
connected to E3800, same VLANs setup here as well
default_vlan 1 is disabled on E3800
VLAN 10 is primary aka admin network - 10.10.10.1 firewalla; 10.10.10.10 E3800
other VLANs 20,30,40, etc. - 10.10.20.x, .30.x, etc.
on the firewalla, VLAN 10 is the 'native' vlan, and it has a .1 IP for every VLAN, as well as corresponding DHCP server scope (eg 10.10.30.50-100)
E3800 port 48 is untagged on vlan 10 and connected to firewalla
E3800 port 47 is also untagged vlan 10 and connected to my workstation for admin functions
VLAN 10 has ip helper-address 10.10.10.1
this works and my workstation is assigned an IP from the firewalla DHCP server
other VLANs also have ip helper-address 10.10.10.1 but no DHCP IP is assigned when a client is connected to a switch port on that VLAN (eg VLAN 30 untagged on port 19; connect my workstation on this port and fails to get an IP)
I've tried ip helper-address 10.10.30.1 for VLAN 30 but that didn't work either.
Default routes on E3800 are as such:
ip default-gateway 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.10.10.1
I'm not sure what is causing this or how to fix it. Looking for help please.
Thank you kindly!