Bug report - ER8411 - One vlan loses lan>wan communication

I have noticed a very strange bug with one particular vlan on my network. This issue has persisted from ER8411 firmware 1.2.2 at least, and 1.2.3, and OC200v1 firmware from January and the very latest March 10th beta.
This issue has persisted across factory resets of both gateway and controller, and complete rebuilds from scratch of the entire network. It does not matter if the ER8411 is doing internal routing on this particular VLAN or I have it switch routed through an SVI on the LAN side switches for internal routing. And it only affects one particular vlan with the same IP range each and every time!
Issue-
VLAN with tag 8, with IP range 192.168.8.0/23, will lose internet connectivity at random and will never come back by itself. Internal routing still works. It can ping the gateway. It can ping and receive a response from an IP address on the internet. However, it cannot traverse the NAT and use the internet at all for normal browsing. DHCP for clients set to either Cloudflare DNS servers directly, or to the internal DNS proxy service of the gateway, makes no difference. The problem affects both LAN and WiFi clients on this vlan, regardless of which switch path they are on from the gateway and core switch. Traceroutes fail at the gateway, but it can still ping an internet IP such as 8.8.8.8? Weird.
How I resolve it-
To fix it, all I need to do is assign it to another WAN on policy routing, then reassign it back to the WAN I actually want it to use. This resolves its internet connectivity every time without needing any reboots of anything. Very strange!
What is weird is that it only affects this one single IP range vlan. None of the others at all, ever. All the other VLANs policy routed to the same WAN are not affected, at all, ever. I cannot reliably replicate the problem as it seemingly happens at random, and it is hard to monitor as this particular vlan has very infrequent use.
I would welcome some ideas to test!
Things I have tried:
IDS/IPS disabled
Different DNS servers on that vlan's DHCP
Client with static IP and statically set DNS
Deleted and recreated that one vlan
Deleted and recreated all vlans
Factory reset everything, readopted from existing configuration
Factory reset everything, including OC200, rebuild everything from scratch
Disabled all gateway and switch ACLs
Thrown candies at the ER8411 when testing due to frustration with this
Shouting and Swearing at it
Threatening to replace it with a Cisco unit
Hi @GRL
Thanks for posting in our business forum.
GRL wrote:
I don't quite understand what you are asking apart from the last part
.9.254 and .9.253 are Switch SVIs routing the .8.0/23 network on its way to the gateway
My network has a LOT of inter vlan traffic so I switch route rather than gateway route. Gateway only routes 0.0.0.0/0 and back. Switches do the rest.
edit:
When the issue was happening, the entire internet - everything, was not able to be loaded in the browser. No websites at all. As soon as the policy route was changed (and then back again), problem resolved for the next random amount of time.
This issue has not happened again since changing the vlan to .20.0 /23 - and that's all I changed. I didn't even delete and recreate it, just changed its IP range.
Is it possible to set up an HTTPS file server on your other network and port forward it? Input the WAN IP and port number when 192.168.8.0/23 does not work in this complex network, will you be able to access it?
Try this test?
Do you mean...
change the vlan back to .8.0 /23
set up some kind of HTTPS server on an IP on it
Port forward on the 8411 tcp 443 to that IP
Wait for the network to die, then test to see if I can access it from outside?

Hi @GRL
GRL wrote:
Do you mean...
change the vlan back to .8.0 /23
set up some kind of HTTPS server on an IP on it
Port forward on the 8411 tcp 443 to that IP
Wait for the network to die, then test to see if I can access it from outside?
Not from outside, from this 8.0/23, which is the one you described, it can make a connection to DNS and other types of connections but not load any pages.
Get an HTTPS server port forwarded somewhere else in your network. Another IP address.
Google IP is not accessible, so if you try a HTTPS service and try the IP:port, from this 8.0/23 network to another HTTPS server you created, will you make a connection?
That verifies if the routing and the access to the Internet are okay or not.
Is it the event tech VLAN interface that you changed to another ID and subnet?
When it was 8.0/23, you used VLAN 10, which shares the same PBR(WAN5). Does VLAN 10 work? I know you tried VLAN 6, but it's not using the WAN5. I suspect that VLAN 6 can load any pages?
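
The layered check described above (ICMP answers while TCP connections fail), written as a small probe to run from a client on the affected VLAN; this is an added example, not part of the original thread or any TP-Link tooling. The target addresses, the forwarded port and the Linux `ping` flags are assumptions to replace with your own.

```python
import socket
import subprocess
import time

# Assumed targets. 198.51.100.10:8443 is a placeholder (documentation range)
# for your own WAN IP and the port forwarded to the internal HTTPS server.
TARGETS = {
    "icmp_internet": ("8.8.8.8", None),
    "tcp_internet": ("1.1.1.1", 443),
    "tcp_forwarded": ("198.51.100.10", 8443),
}

def probe_icmp(ip, timeout=2):
    """One echo request via the system ping (Linux iputils flags assumed)."""
    try:
        done = subprocess.run(["ping", "-c", "1", "-W", str(timeout), ip],
                              capture_output=True, timeout=timeout + 2)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return done.returncode == 0

def probe_tcp(ip, port, timeout=3):
    """True if a full TCP handshake to ip:port completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(result):
    """Map one round of probe results to a label for the log."""
    icmp, inet, fwd = (result[k] for k in TARGETS)
    if inet:
        return "healthy" if fwd else "forwarded-unreachable"
    if fwd:
        return "forwarded-only"
    # "icmp-only" is the symptom reported in this thread: ping works, TCP does not.
    return "icmp-only" if icmp else "down"

def run_once(targets=TARGETS):
    return {name: probe_icmp(ip) if port is None else probe_tcp(ip, port)
            for name, (ip, port) in targets.items()}

if __name__ == "__main__":
    while True:  # one timestamped line per minute, so the failure onset is on record
        r = run_once()
        print(time.strftime("%Y-%m-%dT%H:%M:%S"), classify(r), r, flush=True)
        time.sleep(60)
```

Left running on a wired client in the VLAN, the log shows when the state changes from `healthy` and whether the forwarded server stays reachable while internet TCP fails.
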
Event tech was changed from ID 8, .8.0 /23 to ID 20, .20.0/23
Always Policy routed to WAN 5
Everything else that I ever policy route to WAN 5 has zero issues, ever. I can even move all the rest of the vlans to WAN 5, and they all work fine permanently (I have actually tested this!)
I'm currently working on updating my documentation for you, I'll email that to you directly, as it will help with the static routing issue as well.
Vincent
I have sent you all the necessary documentation to assist you, to the same email you requested I give you cloud access

