JGrioni
Sep 21, 2016 (Aspirant)
Routing Question
I'm using the XS716T to create a small separate LAN in the company. The XS716T will connect several computers in groups of smaller networks, all isolated within VLANs configured in the switch. Each...
LaurentMa
Sep 28, 2016 (NETGEAR Expert)
Hi JGrioni,
I am sorry for your issue. To me it looks like a return route issue on your firewall, or a port configuration (PVID, as CarlZhu indicated) issue on the port the firewall is connecting to.
Port configuration: when the firewall connects to VLAN 1, we need to check the port configuration on the switch. Does it match the firewall LAN configuration? I am assuming all packets are tagged by the firewall, so the XS716T port should be in Tagged mode, with no PVID.
Return routes: we need to check if the firewall is correctly returning traffic to the XS716T VLAN 1 and VLAN 2 IP interfaces (return static routes). If not, we need to configure these static routes accordingly on the firewall.
I have a last question: are we sure we want to enable Routing on the XS716T? With routing enabled, all VLAN 1 nodes and VLAN 2 nodes can see each other, and ACLs will have to be used for access control and inter-VLAN security. If this is a small separate LAN in the company, maybe that switch should remain Layer 2 only, with routing on the firewall?
Either way we want to help you JGrioni: please give us an update. Next time we'll need the XS716T configuration file, as well as the firewall routing table and firewall LAN port configuration.
Regards,
JGrioni
Sep 28, 2016 (Aspirant)
Hi LaurentMa. Thanks for your post. And to all of the other respondents too.
I have the issue fixed.
> To me it looks like return route issue on your firewall, or port configuration (PVID, as CarlZhu indicated) issue on that port the firewall is connecting to.
This was the main problem I had. The firewall's return route was improperly set. Although its static route was correctly set to the appropriate switch VLAN address, its gateway was incorrect. We have some weird subnetting going on, and so we were too restrictive on the return route, so no packets were coming back to the switch. We had looked at Carl's idea regarding the PVID, but it was correctly set.
> Port configuration: when the firewall connects to VLAN 1, we need to check the port configuration on the switch. Does it match firewall LAN configuration? I am assuming all packets are tagged by the firewall, so XS716T port should be in Tagged mode, with no PVID.
The firewall is not VLAN tagging any packets, and neither is the switch (except via the PVID to match the port's expected VLAN participation, which is what Carl Zhu had suggested and we had set correctly).
Packets reaching the firewall were doing so either because they came from within the same VLAN but looking for the firewall as a gateway (and in that case I didn't have a problem), or because the switch was routing them from another VLAN (which was when the problem manifested itself). But at that level, Layer 2 (and thus the VLAN number) had no merit in the matter, because the packets were already routed within the switch.
> Return routes: we need to check if firewall is correctly returning traffic to XS716T VLAN 1 and VLAN 2 IP interfaces (return static routes). If not, we need to configure these static routes accordingly on the firewall.
This was EXACTLY what my problem was. Thanks LaurentMa!
In our case, we are using some weird subnetting and this was causing the firewall to think the packets did not belong anywhere so it wasn't sending them back to the switch.
> I have a last question: are we sure we want to enable Routing on XS716T? With routing enabled, all VLAN 1 nodes and VLAN 2 nodes can see each other, and ACLs will have to be used for access control and inter-VLAN security. If this is a small separate LAN in the company, maybe that switch should remain Layer 2 only, with routing on the firewall?
This is an excellent question. We pondered this ourselves while the problem was manifesting itself. Our objective was not to overwhelm the firewall with having to route packets if the switch itself could do it. That way, we were also assured that the port carrying the traffic between the firewall and the switch was not going to be a bottleneck (most of the traffic between nodes across different VLANs connected to the switch would never leave the switch; only traffic into our corporate network or internet-bound traffic would go through the firewall and leave the switch). If we couldn't solve the issue, we would have done what you suggested here. Thanks for your insight!
Some final thoughts:
The XS716T has performed very well for us.
I still don't understand when the limitation of the "maximum number of hops" being '1' will manifest itself, if ever.
I think it only means that the TTL will be reduced by one for any packet traversing the switch.
I say this because we have configured several static routes in the switch now, and they all work well.
Thank you to all who contributed.
LaurentMa
Sep 28, 2016 (NETGEAR Expert)
Hi JGrioni,
We are so glad that you managed to solve your configuration issue, and thank you for explaining all this to the community.
You are correct in your understanding of the "maximum number of hops" being '1'. This is an inherent limitation of the Static Routing implementation; it should not ever manifest in your typical LAN topology.
It only means that the next hop (the next gateway) to which packets are forwarded along the path to their final destination must be the immediate next hop right after the XS716T VLAN egress routing interface.
This is what you have implemented by connecting your firewall directly to the switch. If another switch had been in the middle, then the XS716T static routes would have to point to that other switch's routing interfaces instead.
I hope this clarifies this topic, please let us know if anything else can be done for you. I hope you will share how your production is doing on your new XS716T Smart Managed 16-port 10 Gigabit switch!
Regards,
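The two checks discussed in this thread (the firewall's return routes back to the switch's VLAN subnets, and the "next hop must be directly connected" rule behind the "maximum number of hops = 1" limitation) can be expressed as a small routing-table validator. This is an added example, not code from NETGEAR or from either poster; the topology, addresses (RFC 5737 documentation ranges) and route entries are constructed to mirror the misconfiguration JGrioni described, where the firewall's static route pointed at the right VLAN but used an unreachable gateway.

```python
# Added example: validate static routes on a L3 switch and on the firewall
# it connects to. Constructed topology, not taken from the thread.
from ipaddress import ip_address, ip_interface, ip_network

def onlink_interface(interfaces, gateway):
    """Return the local interface (addr/prefix) whose subnet contains
    gateway, or None if the gateway is not directly reachable from here."""
    gw = ip_address(gateway)
    for iface in interfaces:
        if gw in ip_interface(iface).network:
            return iface
    return None

def validate_static_routes(interfaces, routes):
    """'Maximum number of hops' of 1: every static route's next hop must sit
    on a directly connected subnet. Returns the (dest, gateway) pairs that
    violate this and would silently black-hole traffic."""
    return [(dest, gw) for dest, gw in routes
            if onlink_interface(interfaces, gw) is None]

def missing_return_routes(routes, remote_subnets):
    """Subnets routed behind the switch for which this device has no specific
    return route. A default route does not count: replies would leave via
    the WAN instead of going back to the switch."""
    return [s for s in remote_subnets
            if not any(ip_network(dest).supernet_of(ip_network(s))
                       for dest, _ in routes if dest != "0.0.0.0/0")]

# Constructed sample topology (assumed, for illustration only).
SWITCH_IFACES = ["192.0.2.1/24",     # VLAN 1 routing interface, faces the firewall
                 "198.51.100.1/24",  # VLAN 2 routing interface
                 "203.0.113.1/24"]   # VLAN 3 routing interface
SWITCH_ROUTES = [("0.0.0.0/0", "192.0.2.254")]  # default via firewall LAN IP
FW_IFACES = ["192.0.2.254/24"]
# "Static route set to the right VLAN, but its gateway was incorrect":
# the gateway is the VLAN 2 interface itself, which the firewall cannot reach
# directly; the correct gateway is the switch's VLAN 1 address 192.0.2.1.
FW_ROUTES_BROKEN = [("198.51.100.0/24", "198.51.100.1"),
                    ("203.0.113.0/24", "192.0.2.1")]
FW_ROUTES_FIXED = [("198.51.100.0/24", "192.0.2.1"),
                   ("203.0.113.0/24", "192.0.2.1")]
REMOTE_VLANS = ["198.51.100.0/24", "203.0.113.0/24"]

if __name__ == "__main__":
    print("switch bad next hops:   ", validate_static_routes(SWITCH_IFACES, SWITCH_ROUTES))
    print("firewall (broken):      ", validate_static_routes(FW_IFACES, FW_ROUTES_BROKEN))
    print("firewall (fixed):       ", validate_static_routes(FW_IFACES, FW_ROUTES_FIXED))
    print("VLANs with no return rt:", missing_return_routes(FW_ROUTES_FIXED[:1], REMOTE_VLANS))
```

Run against a real export, the same two functions flag a route whose gateway is not on-link (the switch's hop limit) and a VLAN subnet the firewall has no specific route back to (the return-route problem).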