VLAN help with netgear smart switch



  • Hi guys, I am after some help here. I have been racking my brains and it is probably something simple I have missed. Sorry, this is going to be a long post, but I will try and put as much detail in as possible.

    I have just bought a Netgear GS105Ev3 smart switch to try and get my home network vlanned to secure and separate things like media, office etc.

    I have configured the switch as follows through the VLAN 802.1Q settings:
    vlan 02 has port 2 untagged and port 1 tagged
    vlan 03 has port 3 untagged and port 1 tagged
    vlan 04 has port 4 untagged and port 1 tagged
    etc

    Port 1 connects to the PfSense LAN port. I will add screenshots of my config pages as attachments.

    I think the switch is configured correctly because when I set the VLANs up on PfSense I get the correct IP address for each port on the switch.

    My LAN is on 192.168.1.1/24, VLAN02 is on 192.168.20.1/24, VLAN03 is on 192.168.30.1/24 etc, with PfSense handling all the DHCP. If I plug my laptop into port 2 on the switch I get a 192.168.20.2 IP address. I am able to reach the switch, which is on 192.168.1.253, and my PfSense box on 192.168.1.1, but I cannot get internet access.

    I created a firewall rule under VLAN02:
    allow : IPV4 protocol, source is VLAN02 net destination any any

    I am only guessing, but as I can reach the switch and PfSense box when plugged into VLAN02 and get the correct .20 address, it is likely to be a rule issue, which is why I created the above rule. Still no internet access.

    Any help is greatly appreciated. I have attached a few screenshots of my config pages if it helps.

    ![VLAN config.PNG](/public/imported_attachments/1/VLAN config.PNG)
    ![PVID.PNG](/public/imported_attachments/1/PVID.PNG)
    ![port status.PNG](/public/imported_attachments/1/port status.PNG)
    ![vlan02 rule.PNG](/public/imported_attachments/1/vlan02 rule.PNG)
    ![LAN rules.PNG](/public/imported_attachments/1/LAN rules.PNG)
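The port/VLAN table in the post above (VLAN n untagged on port n, port 1 tagged on every VLAN) can be checked without the hardware. The following is a constructed model added for this thread, not Netgear or pfSense code; it assumes 802.1Q ingress filtering is enabled and that the trunk port's PVID is the default VLAN 1. It shows why a laptop on port 2 only ever reaches the trunk, tagged with VID 2, and never ports 3 or 4.

```python
"""Constructed model of the 802.1Q port/VLAN table described in the post.

Port 1 is the trunk to pfSense (tagged member of every VLAN); ports 2, 3 and 4
are access ports, each an untagged member of exactly one VLAN with a matching
PVID. Written as an illustration for this thread, not vendor code. Assumption:
ingress filtering is on, so a frame tagged for a VLAN its ingress port does
not belong to is dropped.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Switch:
    # vlan id -> {port: "tagged" | "untagged"}
    members: Dict[int, Dict[int, str]]
    # port -> VLAN assigned to frames that arrive without a tag
    pvid: Dict[int, int]

    def forward(self, ingress_port: int, vid: Optional[int]) -> Dict[int, Optional[int]]:
        """Return {egress_port: vid_on_wire}; None means the frame leaves untagged.

        An empty dict means the frame was dropped at ingress.
        """
        # Classification: an untagged frame takes the ingress port's PVID.
        effective_vid = self.pvid[ingress_port] if vid is None else vid
        # Ingress filtering: the port must be a member of the VLAN it claims.
        if ingress_port not in self.members.get(effective_vid, {}):
            return {}
        egress: Dict[int, Optional[int]] = {}
        for port, mode in self.members[effective_vid].items():
            if port == ingress_port:
                continue  # never send a frame back out the port it came in on
            egress[port] = effective_vid if mode == "tagged" else None
        return egress


def switch_from_post(trunk_port: int = 1) -> Switch:
    """Build the table the OP describes: VLAN n on port n untagged, port 1 tagged."""
    members: Dict[int, Dict[int, str]] = {}
    pvid: Dict[int, int] = {}
    for vlan, access_port in ((2, 2), (3, 3), (4, 4)):
        members[vlan] = {access_port: "untagged", trunk_port: "tagged"}
        pvid[access_port] = vlan
    # Assumption: the trunk keeps the factory PVID of 1.
    pvid[trunk_port] = 1
    return Switch(members=members, pvid=pvid)


if __name__ == "__main__":
    sw = switch_from_post()
    # Laptop on port 2 sends an untagged frame: it leaves the trunk tagged VID 2
    # and never reaches ports 3 or 4, which is the separation the OP is after.
    print(sw.forward(2, None))   # {1: 2}
    # pfSense answers on the trunk with a VID 2 tag: delivered untagged to port 2.
    print(sw.forward(1, 2))      # {2: None}
    # A VID 3 tagged frame arriving on access port 2 is dropped by ingress filtering.
    print(sw.forward(2, 3))      # {}
```

The model is deliberately limited to membership, PVID and ingress filtering; MAC learning and the switch's own management VLAN are not represented.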


  • LAYER 8 Netgate

    Why the leading zeroes on the VLAN tags?

    That rule on VLAN02 looks fine. About the only thing preventing internet access would be lack of outbound NAT. Did you set manual/advanced mode there?



  • I can't remember the reason for the leading zeros. There must have been a reason.

    I have manual NAT outbound rules in place as attached which I thought would be right?

    ![NAT rules.PNG](/public/imported_attachments/1/NAT rules.PNG)
    ![NAT rules.PNG_thumb](/public/imported_attachments/1/NAT rules.PNG_thumb)


  • LAYER 8 Netgate

    No. All of your outbound NAT rules should be on WAN. Is OPT1 a WAN? Is there a gateway set on the OPT1 interface configuration? If so there probably should not be. If you have multi-wan then everything is fine except the source networks.

    You need Outbound NAT rules on WAN for all of your source networks 192.168.1.1/24, 192.168.20.1/24, 192.168.30.1/24. You might just want to re-enable auto NAT mode (the default which you decided to change for some reason) and all of this will probably just start working.
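The point in the reply above, that manual outbound NAT needs a rule for every internal source network on every WAN-type interface, can be checked with a small table model. This is a constructed example written for this thread, not pfSense code: real outbound NAT rules also match destination, protocol and port, which are left out. The rule tables are made up to mirror the thread (OPT1 being the VPN client interface, treated as a WAN).

```python
"""Constructed model of pfSense-style manual outbound NAT matching.

Illustration for this thread, not pfSense code. A packet leaving an upstream
interface without a matching outbound NAT rule keeps its private source
address, so replies never come back; that is the 'no internet' symptom.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Rule = Dict[str, str]

# Constructed 'before' table: only the original LAN is translated.
NAT_BEFORE: List[Rule] = [
    {"interface": "WAN", "source": "192.168.1.0/24"},
    {"interface": "OPT1", "source": "192.168.1.0/24"},
]

SOURCE_NETS = ["192.168.1.0/24", "192.168.20.0/24", "192.168.30.0/24"]
UPSTREAMS = ["WAN", "OPT1"]  # OPT1 is the VPN client, treated as a WAN


def match_outbound_nat(rules: List[Rule], egress_if: str, src_ip: str) -> Optional[Rule]:
    """First rule whose interface and source network cover the packet, else None."""
    ip = ip_address(src_ip)
    for rule in rules:
        if rule["interface"] == egress_if and ip in ip_network(rule["source"]):
            return rule
    return None


def missing_outbound_nat(rules: List[Rule], upstreams: List[str],
                         source_nets: List[str]) -> List[Tuple[str, str]]:
    """(interface, network) pairs with no covering rule."""
    gaps: List[Tuple[str, str]] = []
    for iface in upstreams:
        for net in source_nets:
            first_host = str(next(ip_network(net).hosts()))
            if match_outbound_nat(rules, iface, first_host) is None:
                gaps.append((iface, net))
    return gaps


def auto_mode_rules(upstreams: List[str], source_nets: List[str]) -> List[Rule]:
    """Approximation of automatic outbound NAT: every internal network on every WAN."""
    return [{"interface": i, "source": n} for i in upstreams for n in source_nets]


if __name__ == "__main__":
    # Laptop on VLAN02 routed out via the VPN: no rule, so no translation.
    print(match_outbound_nat(NAT_BEFORE, "OPT1", "192.168.20.2"))  # None
    # Every (interface, network) pair the manual table is missing.
    for iface, net in missing_outbound_nat(NAT_BEFORE, UPSTREAMS, SOURCE_NETS):
        print(f"missing outbound NAT on {iface} for {net}")
    # The full table leaves no gaps.
    print(missing_outbound_nat(auto_mode_rules(UPSTREAMS, SOURCE_NETS),
                               UPSTREAMS, SOURCE_NETS))  # []
```

Running the check against the 'before' table lists the four missing pairs (both VLANs on both WAN and OPT1), which is the gap the OP closed by adding the VLAN rule on OPT1.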



  • OPT1 is my VPN which originally had my LAN going through. Eventually, only specific VLANS will use the VPN and the rest will go straight through the WAN.


  • LAYER 8 Netgate

    OK. A client connection to a VPN provider should be considered a WAN and treated like a WAN.



  • Cheers. I knew it would be something simple I missed. Had to put the outbound rule for the VLAN for OPT1.

    Now it's all working. As soon as I typed the last reply I realised my error. Sometimes it just needs a fresh pair of eyes.

    Thanks

