Unable to reach 3810m Web UI from different VLAN/Subnet
07-26-2019 10:21 PM
I have a fairly simple network setup.
2 WatchGuard Fireboxes as a cluster doing our gateway routing, policies and DHCP.
3 3810Ms as a mesh stack.
15 IAP-315s just happily chattering away.
I have about 7 VLANs that are all pretty basic, with most ports being access ports except for the uplinks to the Fireboxes and the links to the IAPs. The gateway port carries all VLANs and the IAP ports carry the wireless VLANs.
I have a policy on the firebox, for testing, to allow all trusted and optional VLANs to speak to anything. (Yes, that is bad but I'm just trying to solve a problem).
For the sake of simplicity I have an IP for the Firebox, the switch stack and the IAP virtual controller on the default VLAN 1 using 10.0.1.0/24 (10.0.1.1, 10.0.1.2 and 10.0.1.3 respectively).
So the problem is that if I'm on a trusted VLAN, let's say employee wireless, VLAN 20, 10.0.20.0/24, I can reach the Firebox web UI and IAP web UI but not the switch stack web UI. I can access the switch stack web UI from its own subnet.
I don't have a management-vlan configured. Web management is enabled.
This behavior persists if I move everything off the default VLAN and onto a dedicated VLAN for management (not management-vlan).
Any thoughts? This is the blocker for my dream of having centralized management via VPN through the firebox.
Re: Unable to reach 3810m Web UI from different VLAN/Subnet
07-28-2019 09:32 AM - edited 07-28-2019 09:36 AM
Hi, let us understand...so your Aruba 3810M (three meshed in a stack) isn't performing any IP routing between configured VLAN IDs, since the router role belongs to your cluster of WatchGuard firewalls. Correct?
Having the necessary ports set as untagged members of, respectively, each relevant VLAN ID is OK (example: clients, servers, printers, etc.)...just uplink (or downlink) ports need to transport more than one (untagged) VLAN ID...and so are required to be tagged with the various VLAN IDs you need to be transported.
It would be nice to understand if you're tagging the uplink (to WatchGuard cluster) ports with all required VLAN IDs (including, I suppose, the one you're using for data, VLAN 1 if I understood you correctly)...an alternative would be enabling IP routing on the Aruba 3810M stack and using a dedicated transport VLAN ID to speak with your WatchGuard firewall cluster (so you will transport only that VLAN ID and use a /31 subnet for that VLAN ID's IP interface)...clearly that approach will change the routing settings on the firewall side, since you will just need one interface instead of many (sub-interfaces).
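Added as an illustration of the two options described in the reply above (not configuration from either poster): an ArubaOS-Switch CLI sketch in which the addresses come from the original post, while the uplink port 1/A1, transit VLAN 99 and the 10.0.99.0/30 subnet are assumed values; lines starting with `;` are commentary.

```text
; --- Option A: stack stays Layer 2, the Firebox routes between VLANs ---
; The uplink to the Firebox (1/A1 assumed) must carry every VLAN tagged,
; except the one the Firebox expects untagged.
vlan 1
   name "Mgmt"
   untagged 1/A1
   ip address 10.0.1.2 255.255.255.0
vlan 20
   name "Employee-Wireless"
   tagged 1/A1
   no ip address
; Without IP routing the stack only answers off-subnet hosts such as
; 10.0.20.x if it has a default gateway; verify with 'show ip'.
no ip routing
ip default-gateway 10.0.1.1
web-management ssl

; --- Option B: stack routes, one transit VLAN to the Firebox ---
; The per-VLAN gateway addresses move to the stack; the Firebox only
; sees the transit VLAN. A /31 as the reply suggests needs firmware
; support, so a /30 is used here.
ip routing
vlan 99
   name "Transit-to-Firebox"
   untagged 1/A1
   ip address 10.0.99.2 255.255.255.252
vlan 20
   name "Employee-Wireless"
   ip address 10.0.20.1 255.255.255.0
; With IP routing enabled 'ip default-gateway' is ignored; use a route.
ip route 0.0.0.0 0.0.0.0 10.0.99.1
; Firebox side: one interface on 10.0.99.1/30 and static routes for
; 10.0.1.0/24, 10.0.20.0/24, ... with next hop 10.0.99.2.
```

In Option B the Firebox policy that currently allows the trusted and optional VLANs to talk to each other no longer sits in the path between those VLANs, so any per-VLAN filtering would have to be done on the stack with ACLs instead.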