hacesoft
Jul 25, 2021 Tutor
GS724T - access profile from another VLAN / network
Good day, what should I set up to have access to the switch configuration from another VLAN / other network, specifically I want to access the switch via VPN. I have a VPN configured and I can see ...
hacesoft
Jul 26, 2021 Tutor
I do not understand
hacesoft
Jul 26, 2021 Tutor
However, when I query the IP address of the switch over the VPN and look at the listing from the firewall, I can see that 5 packets arrive at the switch, but nothing more comes back from the switch.
schumaku
Jul 27, 2021 Guru
As the firewall shows just SYN sent .... any security on the switch prohibiting access from, say, a different subnet?
tmittelstaedt
Jul 27, 2021 Star
He already said he tried it with security profiles off.
5 VLANs is IMHO ridiculous for a home network. But whatever, maybe he's just using this as a learning tool about VLANs.
At least 1 of the Netgear switches has a bug in current firmware where it will not respond to packets that are smaller than 1500 bytes in size (1500 is the MTU for Ethernet). Apparently the TCP stack in the switch cannot fragment packets.
Maybe this model has that same bug in its firmware.
If he's coming in on a VPN, if it's an OpenSSL or some such, then the max MTU is very much lower than 1500. If the switch cannot negotiate path MTU discovery then he's going to be unable to connect to it.
The other possibility is if he's using the switch as a router between VLANs. In this case he's trying to hairpin traffic. While a router should be able to do this, a switch isn't a "real router" as they say (even though switches are commonly used for high speed routing). If that's the case then move the management interface into the subnet used for remote access (it sounds like the remote access device is using proxy-arp to a subnet the switch has).
Unfortunately not enough info is supplied here. What is being used for the VPN and how is it configured?
schumaku
Jul 27, 2021 Guru
tmittelstaedt wrote:
Unfortunately not enough info is supplied here. What is being used for the VPN and how is it configured?
Yeah, and much more. Some traceroute forth and back, details on routing, probably routers involved acting as the default gateway, ... would be informative, for example, too - also from the switch.
tmittelstaedt wrote:
He already said he tried it with security profiles off.
I had the switch in mind, not the security appliance 8-)
Off topic most likely:
tmittelstaedt wrote:
At least 1 of the Netgear switches has a bug in current firmware where it will not respond to packets that are smaller than 1500 bytes in size (1500 is MTU for Ethernet) Apparently the TCP stack in the switch cannot fragment packets. Maybe this model has that same bug in it's firmware.
This issue is isolated to a series of Plus switches, GSxxxE[whatever], with some 2.7 firmware version.
hacesoft
Jul 27, 2021 Tutor
Good day,
I don't use any router; it is replaced by my pfSense firewall, 2.5.2-RELEASE (amd64) built on Fri Jul 02 15:33:00 EDT 2021 FreeBSD 12.2-STABLE.
Sending photos of firewall settings. In my opinion, I have nowhere blocked communication from VPN to VLAN20. On the firewall the policy is that what is not allowed does not work, and on the switch I think it works the other way around. I don't have the VPN network blocked in the ACL on the switch. I have one port set as a trunk on the switch, and the switch then feeds the individual VLANs to the specific ports. The ACL between individual VLANs is set on the switch. ACL rules do not include VLAN5, which is the network for the pfSense firewall and VPN. As I wrote, I think the switch works such that whatever is not forbidden on the switch works. The switch does not perform routing. It only isolates VLANs.
According to the previous post, I think that a packet from a PC connected via VPN reaches the switch and it no longer responds.
hacesoft
Aug 06, 2021 Tutor
Good day,
after a long search for a solution to why the switch cannot be managed across VLANs or VPNs, I found an error in the IPv4 Network Interface Configuration settings in the Default Gateway field.
I set the right address and, lo and behold, it's already working :).
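The resolution above matches the symptom reported earlier in the thread (SYNs reach the switch, nothing comes back): a management-only switch can answer a host on its own subnet directly, but a reply to a host on another VLAN or a VPN subnet has to go to the configured default gateway, and if that gateway is wrong or not on-link the reply is silently dropped. The following check is an added example written for this thread, not code from the original post or from NETGEAR; all addresses in it are constructed (a management VLAN of 192.168.20.0/24 with the firewall at .1 and a VPN client on 10.8.0.0/24) and stand in for whatever the real deployment uses.

```python
import ipaddress


def reply_path(mgmt_ip, prefix_len, default_gw, client_ip):
    """Classify how a switch whose management interface is mgmt_ip/prefix_len
    would send a reply to client_ip, given its configured default gateway.

    Returns "direct" when the client is on-link, "via <gw>" when the reply
    can be handed to a usable gateway, or "unroutable: ..." when the
    gateway setting makes the reply undeliverable (the failure mode found
    in this thread)."""
    iface = ipaddress.ip_interface(f"{mgmt_ip}/{prefix_len}")
    net = iface.network
    client = ipaddress.ip_address(client_ip)

    # Same subnet: the switch ARPs for the client and answers directly,
    # no gateway involved.
    if client in net:
        return "direct"

    # Off-subnet client: the reply must be forwarded to the default gateway.
    if not default_gw:
        return "unroutable: no default gateway configured"
    gw = ipaddress.ip_address(default_gw)
    if gw == iface.ip:
        return "unroutable: gateway is the switch's own address"
    if gw not in net:
        return f"unroutable: gateway {gw} is not on management subnet {net}"
    if gw in (net.network_address, net.broadcast_address):
        return f"unroutable: gateway {gw} is the network or broadcast address"
    return f"via {gw}"


def audit_gateway(mgmt_ip, prefix_len, default_gw, clients):
    """Run reply_path for every client and return {client: verdict}, so a
    single bad gateway value shows up as a pattern: on-link hosts fine,
    every remote subnet unroutable."""
    return {c: reply_path(mgmt_ip, prefix_len, default_gw, c) for c in clients}


if __name__ == "__main__":
    # Constructed addresses for illustration only.
    clients = ["192.168.20.50", "10.8.0.5", "192.168.30.7"]
    print("Misconfigured gateway (wrong subnet):")
    for c, verdict in audit_gateway("192.168.20.2", 24, "192.168.1.1", clients).items():
        print(f"  {c:15} -> {verdict}")
    print("Corrected gateway (firewall on the management VLAN):")
    for c, verdict in audit_gateway("192.168.20.2", 24, "192.168.20.1", clients).items():
        print(f"  {c:15} -> {verdict}")
```

With the wrong gateway, the on-link client still works (which is why the problem only appears from other VLANs or the VPN), while every remote client is reported as unroutable; with the firewall's VLAN20 address as gateway, all remote clients resolve to "via 192.168.20.1". The same check applies to any device that has an IP stack but does not route, which is exactly the situation described for this switch.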