Netgate SG-3100 LAN Address Changes To A VLAN Address
-
My brand new just got yesterday Netgate SG-3100 is doing something strange, UniFi controller 5.10.20 keeps changing my Netgate SG-3100 static IP address (192.168.50.1) to one of my VLAN addresses (172.16.50.1) though being connected to port 1 with profile set to ALL, not a VLAN. The only way for me to change the firewall's address back to 192.168.50.1 is to use the iOS UniFi controller app, I can't change it in the UniFi windows. Is this a UniFi controller fault and/or something with the Netgate SG-3100 LAN? My setup is this, Xfinity internet using my own Netgear CM500 cable modem - Netgate SG-3100 - UniFi Switch 8 60W PoE - UniFi Switch 8 - UniFi-CloudKey. My LAN port from Netgate SG-3100 connects to port 1 on the switch and is set to all. Something is going on, help.
-
Unifi cannot change the IP of the SG-3100. This would be a display issue on the unifi controller, most likely there is a configuration issue in unifi that is causing this issue.
-
Mmm, those are different VLANs it shows it connected on right?
That looks like you might have something connected incorrectly to both maybe.
Steve
-
@chrismacmahon That is what I suspected, and for an update, I'm new to this whole enterprise firewall networking thing. When I got the Netgate SG-3100, I also got two other different firewalls from other companies. I tested the UniFi USG yesterday, I took my whole network down to do the test. And guess what, that strange issue with network changing IP switching in the UniFi controller went away with the complete UniFi setup (UniFi USG - UniFi Switch 8 60W - UniFi Switch 8 - UniFi SHD). The issue seems to be only with other different firewall brands (Protectli and Netgate SG-3100 in my case) at the front end in my case, that I get the strange UniFi controller IP and network switching issues. I've already returned the Protectli, and now I have to make a decision on keeping the much more preferred and powerful and configurable Netgate SG-3100 or just settling with the less powerful and hard to configure firewall settings and limited IDS/IPS. I like the USG and the UniFi setup but with the USG at the head it's not ready for prime time so to speak, low and slow memory and storage on both USG/USG Pro makes me want to keep the Netgate SG-3100 and hope there's just a configuration I'm just missing or messing up. Help still needed. ;) I want to keep the Netgate at the head of my network. ;)
-
@stephenw10 Those pics are from two separate times that I noticed the issue, the switching can happen after laptop shut down or just closing the UniFi controller and opening it up again only to see it has switched to a different VLAN IP address.
-
Hmm, as Chris said above the actual IP addresses on the SG-3100 interfaces do not change. It seems that Unifi is changing the way it either detects it or how it displays it. As though Unifi, perhaps via the switch, can access both interfaces in the SG-3100.
Steve
-
@stephenw10 Ok so is my particular case something that's unique or a known issue for the UniFi controller? My Tinfoil Hat does like it when I open up UniFi and notice that it's showing my pfsense IP address and network as being in a VLAN.;)
-
@stephenw10 Seeing a 192.168.50 IP address that I know is such, showing up in UniFi as a VLAN 172.16.50 IP address isn't comforting, it makes me want to unplug everything because I'm thinking of hacking or something else bad. Lol.
-
I'm not sure what those columns show in Unifi or how it determines what the IPs are but I would assume it's from the ARP table somewhere. I think there's a good chance it really is seeing that traffic on the other VLAN which means something is not configured correctly if that's not what you intended.
Steve
-
@stephenw10 I don't know what ARP table is or where to find them, ;) but, I have successfully built a complete UniFi network following the instruction of Tom Lawrence and Cross Talk on YouTube, and I have a perfectly running system VLAN's and all, though slow response and laggy. So, with pfsense as the head of my network, following the same two Youtubers direction, I get this strange UniFi controller dashboard anomaly. So, what is the configuration error I have or am making though I'm following good instruction off YouTube and Netgate's own hangouts?
-
Does the 3100 have interfaces in both those subnets? Are those IPs shown actually both on the firewall?
If so it could just be a display anomaly. Whichever IP is detected first is shown there.
Steve
-
@stephenw10 "Does the 3100 have interfaces in both those subnets?" Yes, 192.168. is my static LAN, 172.16. is my VLAN.
"Are those IPs shown actually both on the firewall?" Again Yes,
"If so it could just be a display anomaly." So, this anomaly is within the UniFi controller then, and nothing to do with the 3100, correct?
So, UniFi isn't so Unifying with other firewalls at the head, correct or fair to say?
-
If the Unifi controller also has direct access to both those subnets then it would not surprise me to see the 3100 in that list twice. It will have an ARP record for both interfaces.
Since I don't have a Unifi switch I can only guess at what that should be showing though.
Steve
-
@stephenw10 I think you're mistaking the pics I have as being one and the same, they're not. The pics are of two separate times, your forum put them together like it's one picture. I uploaded two separate pics from two separate events of seeing the anomaly.
-
@stephenw10 I'm desperately trying to get a clear straight answer from Netgate here. Is the anomaly a UniFi controller issue alone, or is it a Netgate pfsense SG-3100 issue?
-
@hpspar05 said in Netgate SG-3100 LAN Address Changes To A VLAN Address:
@stephenw10 I'm desperately trying to get a clear straight answer from Netgate here. Is the anomaly a UniFi controller issue alone, or is it a Netgate pfsense SG-3100 issue?
@chrismacmahon said in Netgate SG-3100 LAN Address Changes To A VLAN Address:
Unifi cannot change the IP of the SG-3100. This would be a display issue on the unifi controller, most likely there is a configuration issue in unifi that is causing this issue.
Isn't that clear enough for you?
-
@Grimson I don't know who you are dude but you're getting ready to help me return the SG-3100 to Netgate. I'm used to yes and no for simple questions. I'm slow to this stuff but learning, so remarks like yours aren't helpful to or for me. You have a nice day. Thanks.
-
It's not an issue with the SG-3100.
It's either just how Unifi displays that or you actually have a layer 2 issue on your network so that both interfaces are visible to the controller and should not be.
I realise that is two photos. What I'm saying is that if you came back to me and said that now it's showing up twice that would not really surprise me. It exists on both subnets connected to both VLANs and it looks like two different switches so both those switch ports would see it connected.
Steve
-
@stephenw10 OK thanks for the clarity, now what’s layer 2? Where should I look for this?
-
That would be two network segments that should be separated connected together. So perhaps a switch port that is untagging a VLAN but shouldn't be. You might see traffic leaking in one direction only and hence see IPs from one VLAN appearing where they should not.
https://en.wikipedia.org/wiki/OSI_model#Layer_2:_Data_Link_Layer
Steve
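-
One way to run the layer 2 check discussed in this thread, as an added example that is not part of the original posts: it audits ARP entries in the FreeBSD `arp -an` layout for hosts whose MAC shows up on both segments or whose IP was learned on the wrong interface. The interface names (`lan0`, `lan0.50`), the /24 masks, the MAC addresses and the sample lines are all constructed assumptions; only the 192.168.50.x and 172.16.50.x addressing comes from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical interface names and /24 masks (assumptions, not from the thread).
EXPECTED = {
    "lan0": ipaddress.ip_network("192.168.50.0/24"),     # untagged LAN
    "lan0.50": ipaddress.ip_network("172.16.50.0/24"),   # tagged VLAN
}

# Constructed sample in FreeBSD `arp -an` layout, not captured from a device.
SAMPLE = """\
? (192.168.50.1) at 02:00:00:00:00:01 on lan0 permanent [ethernet]
? (172.16.50.1) at 02:00:00:00:00:01 on lan0.50 permanent [vlan]
? (192.168.50.20) at 02:00:00:00:00:aa on lan0 expires in 1187 seconds [ethernet]
? (172.16.50.31) at 02:00:00:00:00:aa on lan0.50 expires in 402 seconds [vlan]
? (172.16.50.40) at 02:00:00:00:00:bb on lan0.50 expires in 911 seconds [vlan]
? (172.16.50.77) at 02:00:00:00:00:cc on lan0 expires in 65 seconds [ethernet]
? (192.168.50.99) at (incomplete) on lan0 expired [ethernet]
"""

LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<ifc>\S+)(?P<rest>.*)")

def parse(text):
    """Yield (ip, mac, interface, is_own) for each resolved ARP entry."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:  # "(incomplete)" entries carry no MAC and do not match
            yield (ipaddress.ip_address(m["ip"]), m["mac"], m["ifc"],
                   "permanent" in m["rest"])

def audit(text, expected=EXPECTED):
    """Return findings that suggest two segments are joined at layer 2."""
    findings, seen = [], defaultdict(set)
    for ip, mac, ifc, own in parse(text):
        if own:
            continue  # firewall's own addresses legitimately sit on both interfaces
        seen[mac].add(ifc)
        net = expected.get(ifc)
        if net is not None and ip not in net:
            findings.append(("wrong-subnet", mac,
                             f"{ip} learned on {ifc}, expected {net}"))
    for mac, ifcs in sorted(seen.items()):
        if len(ifcs) > 1:
            findings.append(("multi-segment", mac,
                             "seen on " + ", ".join(sorted(ifcs))))
    return findings

if __name__ == "__main__":
    for kind, mac, detail in audit(SAMPLE):
        print(f"{kind:14} {mac}  {detail}")
```

The firewall's own MAC appearing on both interfaces is expected and is skipped; a client MAC on both, or a VLAN address learned on the untagged LAN, points at a switch port profile worth checking.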