Hi all,
I have a fairly simple network setup.
2 WatchGuard Fireboxes as a cluster doing our gateway routing, policies and DHCP.
3 3810Ms as a mesh stack.
15 IAP-315s just happily chattering away.
I have about 7 VLANs that are all pretty basic, with most ports being access ports except for the uplinks to the Fireboxes and the links to the IAPs. The gateway port carries all VLANs and the IAP ports carry the wireless VLANs.
I have a policy on the Firebox, for testing, to allow all trusted and optional VLANs to speak to anything. (Yes, that is bad, but I'm just trying to solve a problem.)
For the sake of simplicity I have an IP for the Firebox, the switch stack and the IAP virtual controller on the default VLAN 1 using 10.0.1.0/24 (10.0.1.1, 10.0.1.2 and 10.0.1.3 respectively).
So the problem is that if I'm on a trusted VLAN, let's say employee wireless, VLAN 20, 10.0.20.0/24, I can reach the Firebox web UI and IAP web UI but not the switch stack web UI. I can access the switch stack web UI from its subnet.
I don't have a management-vlan configured. Web management is enabled.
This behavior persists if I move everything off the default VLAN and onto a dedicated VLAN for management (not management-vlan).
Any thoughts? This is the blocker for my dream of having centralized management via VPN through the Firebox.
Dave