Zywall USG 100 - Blocks WAPs and Switches from NTP servers

ZW_Joe (join: 2005-10-08, San Anselmo, CA): This has finally bugged me enough to want to fix this.
I have WAP3205s connected to an ES-2108-G that is connected to the USG100. I put in 3.us.pool.ntp.org for the time server. I also have Google as backup DNS on every computer besides the USG 100.
I guess there is a default rule I must have deleted early on? Also, everything is on the latest firmware.
The weird thing is the WAPs are able to sync time, but not the switches.
#  Time                 Priority  Category        Message                                                    Source        Destination      Note
   2012-11-19 11:03:24  info      IP-MAC Binding  Drop packet lan1-192.168.1.15-50:67:F0:46:38:00            192.168.1.15  8.8.8.8          DROP PACKET
2  2012-11-19 11:03:23  info      IP-MAC Binding  Drop packet lan1-192.168.1.15-50:67:F0:46:38:00 [count=8]  192.168.1.15  239.255.255.250  DROP PACKET
dnoyeB (Ferrous Phallus, join: 2000-10-09, Southfield, MI): Are you using VLAN? Are your switches' IPs static or DHCP?
Brano (I hate Vogons, Premium, MVM, join: 2002-06-25, Burlington, ON, kudos: 6), reply to ZW_Joe: Looks like you're being blocked by the "IP-MAC Binding" rule, not by a firewall rule.
ZW_Joe, reply to dnoyeB: They have static IPs. I do have DHCP enabled, but for computers, etc., and that starts at a different range.
ZW_Joe, reply to Brano: OK. I'll take your word, Brano. But how do I correct this?
Is this because I'm mixing DHCP with static IPs and have IP/MAC Binding enabled?
I thought I was smart so I could have all the DHCP devices bound to their MAC address...
Brano: What is the switch IP? Is the switch IP delivered by DHCP as well? (I know that I would assign the switch a static IP.) Who has 192.168.1.15?
EDIT: Try disabling IP-MAC binding and see if the switch can get NTP.
ZW_Joe: 192.168.1.15 is a WAP3205, and I have the switches starting at 192.168.1.5.
I put all the switches, WAPs, Obi, printers, etc., basically anything that will never move, on static IPs. All computers, laptops, phones, etc. are served DHCP, and I have IP/MAC binding enabled and have most of them checked.
And this range starts at 192.168.1.100.
Brano: Try disabling IP-MAC binding enforcement and see if the switch can get NTP, and take it from there. Create a LAN-to-WAN firewall rule with logging on and watch for Deny messages.
ZW_Joe, reply to Brano: Yup, that worked.
It's weird though. I guess it doesn't like mixing the two (static/DHCP)?
Brano: You have to enter manual IP-MAC bindings for your static IPs or exclude the static IPs from the IP-MAC enforcement checks.
dnoyeB, reply to ZW_Joe: IP-MAC binding is not the same thing as assigning an IP to a specific interface based on MAC address. IP-MAC binding is a security check that will only allow an IP address to come from a certain MAC address.
There is no need to have IP-MAC binding active unless you give some special privilege to a computer based on its IP address and want to make sure nobody else can just take that IP address and get the privileges too.
Again, IP-MAC does not assign the IP address; it is a check on that address.
-- dnoyeB
"Then said I, Wisdom [is] better than strength: nevertheless the poor man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16
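To make the distinction dnoyeB draws concrete, and to show the two remedies Brano listed (manual bindings for the static hosts, or excluding the static range from enforcement), here is a toy model of an IP-MAC binding enforcement check. It is an added illustration for this thread, not ZyXEL firmware code and not anything either poster wrote. The lease table, the switch and laptop MACs, and the "impostor" packet are constructed; only the WAP address and MAC come from the log in the first post. The static/DHCP split (statics below .100, DHCP pool from .100) follows what ZW_Joe described.

```python
"""Toy model of an IP-MAC binding enforcement check.

Constructed example for this thread; not ZyXEL code. The firewall learns
IP->MAC pairs from its own DHCP leases, so a host with a static address
has no binding at all unless the admin adds one or exempts its range.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str
    src_ip: str
    src_mac: str
    dst_ip: str


def mac_for(ip, manual, leases):
    """MAC the firewall expects for ip: manual bindings win, then DHCP leases."""
    return manual.get(ip) or leases.get(ip)


def is_exempt(ip, exempt_ranges):
    """True if ip falls inside a (low, high) range excluded from enforcement."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in exempt_ranges)


def check_packet(pkt, leases, manual, exempt_ranges):
    """Decide one packet. Returns (allowed, reason)."""
    if is_exempt(pkt.src_ip, exempt_ranges):
        return True, "source excluded from enforcement"
    expected = mac_for(pkt.src_ip, manual, leases)
    if expected is None:
        return False, "no binding for source IP"
    if expected.lower() != pkt.src_mac.lower():
        return False, "source MAC does not match binding"
    return True, "binding matches"


def log_line(pkt, count=1):
    """Mimic the 'Drop packet <iface>-<ip>-<mac>' message seen in the thread."""
    line = f"Drop packet {pkt.iface}-{pkt.src_ip}-{pkt.src_mac}"
    return line if count == 1 else f"{line} [count={count}]"


def run(packets, leases, manual=None, exempt_ranges=()):
    """Return (allowed, reason) for each packet, in order."""
    manual = manual or {}
    return [check_packet(p, leases, manual, exempt_ranges) for p in packets]


# Constructed DHCP lease table: only DHCP clients (pool starts at .100) appear.
LEASES = {"192.168.1.100": "aa:bb:cc:00:00:01"}

# Static hosts never get a lease. WAP address/MAC are the ones from the log.
WAP = Packet("lan1", "192.168.1.15", "50:67:F0:46:38:00", "8.8.8.8")
SWITCH = Packet("lan1", "192.168.1.5", "aa:bb:cc:00:00:05", "8.8.8.8")
# A DHCP client using its leased address, and a device that took that
# address with a different MAC (the case the check exists to stop).
LAPTOP = Packet("lan1", "192.168.1.100", "aa:bb:cc:00:00:01", "8.8.8.8")
IMPOSTOR = Packet("lan1", "192.168.1.100", "aa:bb:cc:ff:ff:ff", "8.8.8.8")
PACKETS = [WAP, SWITCH, LAPTOP, IMPOSTOR]

# Remedy 1: manual bindings for each static host.
MANUAL = {"192.168.1.15": "50:67:F0:46:38:00", "192.168.1.5": "aa:bb:cc:00:00:05"}
# Remedy 2: exclude the static range (.1 - .99) from enforcement.
EXEMPT = [("192.168.1.1", "192.168.1.99")]

if __name__ == "__main__":
    for label, kwargs in [("enforcement, DHCP table only", {}),
                          ("manual bindings added", {"manual": MANUAL}),
                          ("static range excluded", {"exempt_ranges": EXEMPT})]:
        print(f"--- {label}")
        for pkt, (ok, why) in zip(PACKETS, run(PACKETS, LEASES, **kwargs)):
            print(("ALLOW " if ok else "DROP  ") + log_line(pkt) + "  # " + why)
```

With the DHCP table alone, both static hosts are dropped with "no binding for source IP", which is the situation in the log. Either remedy lets them through, and in every configuration the impostor on .100 is still dropped, which is the privilege-protection purpose dnoyeB describes. Note that excluding a whole range also turns the check off for anyone who takes an address inside it, so manual bindings are the tighter of the two fixes.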
ZW_Joe: OK. I get it. I misunderstood. I basically thought it was just a way to keep the doled-out DHCP addresses static.
I have in the past only allowed known devices on the WAPs, but that's a pain in the B U TT to manage. I do check the DHCP table every other day. If I see a device I don't recognize I investigate, then I'll check the Reserve box. But now I realize these are ToTaLLLLY different.
dnoyeB, reply to ZW_Joe: I have a set address range for DHCP. Almost all of my devices use DHCP, but I always send the same device the same IP address (based on its MAC address). That address is outside of the address pool I set for unknown devices.
My network devices like switches and routers I give static addresses. (I still put them in the DHCP list just in case.) The problem I have is some of these network devices boot faster than my router. When they send out for their IP address using DHCP and don't get it, they self-assign an address. That totally screws my network. So I tell them their address statically.