    Unable to route between VLANs

    Routing and Multi WAN
    • linuxgae

      I have a Netgate SG-2440. The WAN interface is a DHCP client to my ISP. The LAN interface has been assigned to the default VLAN 1, OPT6 to VLAN 6 (same physical interface as LAN). The cable is connected to a Cisco SG-200 managed switch. The port on the switch is a trunking port and is part of all VLANs. I have set up the firewall rules to allow all traffic.

      Everything works as I expect. I am able to connect to the internet from all VLANs etc. I am able to connect to a host on VLAN 6 from a host on VLAN 1. I cannot go the other way: connect from a host on VLAN 6 to a host on VLAN 1.

      At first I thought I had a firewall issue. In troubleshooting I did a traceroute from the VLAN 6 host to the VLAN 1 host. The traceroute showed the packet going out through the WAN interface. Apparently I've messed something up with the routing, although I can't imagine what.

      • kiokoman LAYER 8

        I suppose you set the SG-200 as layer 2?
        Can you post a screenshot of what you have for OPT6?

        • awebster

          Double-check your subnet masks. The interface static IP configuration has a habit of selecting /32 if you aren't careful.

          • linuxgae @kiokoman

            @kiokoman
            Hope I'm posting the screenshot correctly:

            Screen Shot 2019-08-28 at 10.11.56 AM.png

            • linuxgae @kiokoman

              @kiokoman
              And from the SG200:

              Screen Shot 2019-08-28 at 10.17.02 AM.png

              • awebster

                So far it looks good. Did you add any firewall rules on the OPT6 interface to allow access to VLAN 1?

                • kiokoman LAYER 8

                  This is how I've set mine, as layer 2 only:
                  on pfSense a VLAN interface with id 20 and one with id 30
                  VLAN 20 IoT on port ge1
                  VLAN 30 access point on port ge5
                  all other ports are VLAN 1
                  XG2 trunk to pfSense

                  cisco1.jpg
                  cisco2.jpg

                  • linuxgae @awebster

                    @awebster
                    BTW. Thanks for looking at this for me.

                    Screen Shot 2019-08-28 at 4.05.21 PM.png

                    Screen Shot 2019-08-28 at 4.05.52 PM.png

                    I realize that some rules are essentially unnecessary. I was just trying everything.

                    • linuxgae @kiokoman

                      @kiokoman
                      I follow you until XG2.

                      • awebster @linuxgae

                        @linuxgae Your rule order in OPT6 is wrong.
                        The clue is the first column showing States. You can see 2 / 90KB of traffic, but the other 2 rules have 0 states / 0 bytes of traffic, so those rules are never used. This is because your first rule is FORCING all the traffic out WAN_DHCP, which you have set as the gateway, regardless of the destination IP.
                        This corresponds exactly to the problem you are describing.
                        To fix it:
                        Move the OPT6 -> LAN rule to the top.
                        FYI: You don't usually need to set the gateway in the rule; the firewall will figure that out on its own through the routing table. Forcing the gateway is only used if you want it to ignore the routing table and use that interface specifically.

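The rule-order problem awebster describes above can be reproduced with a small model of pfSense-style first-match evaluation. The following is an added example, not code from the thread or from pfSense itself: it models an interface's rule list as an ordered sequence where the first matching rule wins, a rule with a gateway set policy-routes the packet out that gateway regardless of the routing table, and a rule without one falls through to normal routing. The VLAN 1 / VLAN 6 subnets, the hostnames and the rule names are constructed; the rules mirror the two orderings the thread discusses (gateway rule first, then OPT6 -> LAN rule first). The `shadowed_rules` check reports rules that a broader earlier rule makes unreachable, which is exactly what a 0 states / 0 bytes counter in the States column is telling you.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed lab addressing (not from the thread): VLAN 1 is the LAN, VLAN 6 is OPT6.
NETWORKS = {
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "OPT6 net": ipaddress.ip_network("192.168.6.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One pass rule on an interface. src/dst are alias names from NETWORKS or 'any'."""
    name: str
    src: str
    dst: str
    gateway: Optional[str] = None  # None: use the routing table; a name: policy-route out that gateway


def _matches(alias: str, addr: ipaddress.IPv4Address) -> bool:
    return alias == "any" or addr in NETWORKS[alias]


def _covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return NETWORKS[inner].subnet_of(NETWORKS[outer])


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """First-match evaluation; None models the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule
    return None


def egress_for(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Where a packet leaves: a forced gateway, a directly connected net, or the default route."""
    rule = first_match(rules, src_ip, dst_ip)
    if rule is None:
        return "blocked"
    if rule.gateway is not None:
        return rule.gateway  # policy routing ignores the routing table
    dst = ipaddress.ip_address(dst_ip)
    for name, net in NETWORKS.items():
        if dst in net:
            return f"routing table -> {name}"
    return "routing table -> default route"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers their whole src/dst space."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                shadowed.append(later.name)
                break
    return shadowed


# Ordering from the original screenshot: the gateway rule sits on top (constructed rule names).
BROKEN_ORDER = [
    Rule("OPT6 to any via WAN", "OPT6 net", "any", gateway="WAN_DHCP"),
    Rule("OPT6 to LAN", "OPT6 net", "LAN net"),
]
# The fix suggested in the thread: move the OPT6 -> LAN rule to the top.
FIXED_ORDER = [BROKEN_ORDER[1], BROKEN_ORDER[0]]

if __name__ == "__main__":
    vlan6_host, vlan1_host, internet_host = "192.168.6.10", "192.168.1.10", "203.0.113.5"
    for label, rules in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(f"[{label}] VLAN6 -> VLAN1 : {egress_for(rules, vlan6_host, vlan1_host)}")
        print(f"[{label}] VLAN6 -> WAN   : {egress_for(rules, vlan6_host, internet_host)}")
        print(f"[{label}] shadowed rules : {shadowed_rules(rules) or 'none'}")
```

With the broken order the VLAN 6 to VLAN 1 packet is sent to WAN_DHCP, matching the traceroute in the first post; with the LAN rule on top it is handed to the routing table and reaches the LAN net, while internet-bound traffic still hits the gateway rule. The shadow check flags the OPT6 -> LAN rule in the broken order and nothing in the fixed one.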
                        • linuxgae @awebster

                          @awebster

                          Thanks so much.
                          I never would have figured this out myself.
                          I used the out-of-box rules generated for LAN as a template. I never would have guessed that firewall rules would affect routing.
                          Again, thanks for the help.

                          • johnpoz LAYER 8 Global Moderator

                            @kiokoman 350X - very jealous.. Only SG300 here..

                            • kiokoman LAYER 8

                              😂
                              I was in need of a new switch at home. Amazon EU was full of refurbished SG350X for the same price as an SG300-20, and as it was for home I took the risk.

                              • johnpoz LAYER 8 Global Moderator

                                Nice! You have any plans of stacking it? Any play time with RSPAN? Prob not if you only have the 1..

                                • kiokoman LAYER 8

                                  No plan to stack for the moment. I'm using only 10 ports and I have nothing so important to justify another $350.
                                  I've only had it for 10 days; I'm still learning all its functions.

                                  • kiokoman LAYER 8

                                    SPAN - switch port analyzer..
                                    @johnpoz what would you put as SPAN? Do you have it configured on your SG300?

                                    cisco-span-configuration.jpeg

                                    Something like a machine with Wireshark? I have a spare RasPi...

                                    • johnpoz LAYER 8 Global Moderator

                                      No, SPAN is local. Talking about RSPAN - this was added in the 350 line.

                                        rspan.png

                                      I have done local SPAN on my SG300-28, but it would have been cool to be able to span a port that is in my AV cabinet on an SG300-10 to a port on my -28, which is on my desk next to me ;)

                                      Would need a 2nd switch that also supports RSPAN, but it could be a very useful feature.

                                      • kiokoman LAYER 8

                                        Yup, there is that option, but obviously I can't try it.
