
12-02-2019 11:28 AM - edited 12-02-2019 12:14 PM
Hi All,
Please bear with me as I'm new to this and relatively new to Networking at this level.
I'm trying to set up inter VLAN routing. Following this post:
I've configured everything I could (or perhaps almost everything except for 6) Configure the interface to the default router. part. ). This is an older Cisco 3750G switch:
VLAN1 192.168.0 (IP 192.168.0.3, Secondary 192.168.0.4)
VLAN2 10.0.0.0 ( IP 10.0.0.1 )
VLAN3 10.1.0.0 ( IP 10.1.0.1 )
VLAN4 10.2.0.0 ( IP 10.2.0.1 )
Now from the switch itself, I can ping all IP's without any issues. For example, I can ping 192.168.0.100 from the switch but not from within VLAN 2 devices. However, I can ping 192.168.0.3 and 192.168.0.4 (secondary), the switch VLAN 1 IP's from within devices on VLAN 2.
Devices on VLAN2 can ping each other, the VLAN IP and even the default VLAN (Switch IP) 192.168.0.3 and 192.168.0.4 above. But nothing beyond the two VLAN 1 IP's above. What am I missing? My first thought is missing trunking or a setting on VLAN1 but I'm not 100% on that nor what those commands would be.
Thx,
mdscisco01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Vlan2
C    192.168.0.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 192.168.0.1
mdscisco01#

12-03-2019 08:20 PM - edited 12-04-2019 07:33 PM
So I've managed to solve this issue. Based on my config, to summarize, I had the following:
Asus Router: 192.168.0.1
Cisco 3750: 192.168.0.3, 192.158.0.4 (secondary)
Server 1: 192.168.0.101
Server 2: 10.1.0.73
Server 3: 10.0.0.72
.
.
Apparently why I couldn't reach VLAN 1 (192.168.0.X ) from any other VLAN (2, 3, 4 etc) is because each of my devices on VLAN 1 had a Gateway of 192.168.0.1. And that was the Asus router. As my tcpdump confirmed, the pings were making it out and the clients on 192.168.0.X network did reply correctly, but the ICMP reply went nowhere. Apparently the replies terminated on the Asus router. I couldn't get proper monitoring configured on the Cisco 3750G yet to confirm if any made it to the Cisco switch.
The Asus router at 192.168.0.1, knew nothing about inter-VLAN routing or SVI's etc. So what I did is to change the IP's of my router and the one assigned to the Cisco switch. Now things looked like this:
Asus Router: 192.168.0.6
Cisco 3750: 192.168.0.1, 192.158.0.2 (secondary)
Server 1: 192.168.0.101
Server 2: 10.1.0.73
Server 3: 10.0.0.72
.
.
So now my gateway was the Cisco switch. As soon as that happened, everything worked perfect. Was able to ping devices across the VLAN's without any issue. But the internet access wouldn't work. To fix that, I simply changed the Gateway of last resort like this:
mdscisco01(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.6
mdscisco01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.0.6 to network 0.0.0.0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Vlan2
C       10.1.0.0 is directly connected, Vlan3
C    192.168.0.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 192.168.0.6
               [1/0] via 192.168.0.1
mdscisco01#
Wrote up the experience here: Cisco 3750G Intervlan Routing .
Thank you all for helping out with this. Your suggestions left me with valuable clues that helped out here.
Thx,
12-04-2019 03:02 PM
Please, check it:
!
no ip default-gateway 192.168.0.3
I think that your Asus does not have OSPF enabled, so it will not work.
I suggest that you first create three static routes on your ASUS and test again, like below:
ip route 10.0.0.1 255.255.255.0 192.168.0.1
ip route 10.1.0.0 255.255.255.0 192.168.0.1
ip route 10.2.0.0 255.255.255.0 192.168.0.1
ip route 10.3.0.0 255.255.255.0 192.168.0.1
If it works, try enabling OSPF on your ASUS router, remove these static routes and test again.
Regards,
*** Rate All Helpful Responses ***

12-04-2019 07:42 PM - edited 12-04-2019 08:07 PM
Per an earlier ask, moving content from Echo reply not received on gateway of last resort from specific VLAN's here instead. My reply on the above thread is included below.
-------------------------------
Hey All,
My question here follows on my earlier post about Inter VLAN Routing . Using the same diagram, I now have an issue where VLAN 2, 3 and 4 can't reach the web/internet. This occurred after I enabled OSPF for learning purposes. I've also adjusted F/W configuration on my Asus router that initially blocked the pings to any outside address. This didn't fix the main issue though it did fix pinging from 1) The Cisco 3750G and 2) from the Asus router.
However, I still can't ping outside addresses from the above said VLAN's. Below is my diagram again.
VLAN 1: 192.168.0.X / 24
VLAN 2: 10.0.0.X / 24
VLAN 3: 10.1.0.X / 24
VLAN 4: 10.2.0.X / 24
Asus Router: 192.168.0.6
Cisco 3750G: 192.168.0.1 w/ 192.168.0.2 as secondary.
Server 1: 192.168.0.123 ( VLAN 1 )
Server 2: 10.0.0.72 ( VLAN 2 )
Server 3: 10.0.0.73 ( VLAN 2 )
All three servers above are connected to the Cisco switch. Basic network diagram attached.
The issue is as follows.
Pinging 8.8.8.8 works fine from Server1 ( VLAN 1 ):
[root@server1 ~]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=30.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=22.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=55 time=17.5 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=55 time=21.9 ms
From 192.168.0.1 icmp_seq=5 Redirect Network(New nexthop: 192.168.0.6)
From 192.168.0.1: icmp_seq=5 Redirect Network(New nexthop: 192.168.0.6)
64 bytes from 8.8.8.8: icmp_seq=5 ttl=55 time=33.8 ms
From 192.168.0.1 icmp_seq=6 Redirect Network(New nexthop: 192.168.0.6)
From 192.168.0.1: icmp_seq=6 Redirect Network(New nexthop: 192.168.0.6)
64 bytes from 8.8.8.8: icmp_seq=6 ttl=55 time=19.8 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=55 time=20.5 ms
The New nexthop doesn't appear to be an issue. But the same ping from VLAN 2 fails.
[root@server3 network-scripts]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
289 packets transmitted, 0 received, 100% packet loss, time 287999ms
I moved devices from VLAN 3 to VLAN 2 to test this issue so only have devices on VLAN 2 right now. Same issue happened on VLAN 3. Running tcpdump from Server3 shows that the echo request makes it out fine:
Server 3 ( VLAN 2 )
[root@server3 ~]# tcpdump -i onebr01 -n port not 22 and port not 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on onebr01, link-type EN10MB (Ethernet), capture size 262144 bytes
16:32:55.132379 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1c:57:ae:f8:00.8005, length 43
16:32:57.139757 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1c:57:ae:f8:00.8005, length 43
16:32:58.051427 IP 10.0.0.1 > 224.0.0.5: OSPFv2, Hello, length 56
16:32:59.142163 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1c:57:ae:f8:00.8005, length 43
16:32:59.209506 Loopback, skipCount 0, Reply, receipt number 0, data (40 octets)
16:33:00.322028 IP 10.0.0.73 > 8.8.8.8: ICMP echo request, id 27956, seq 1, length 64
16:33:01.146881 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1c:57:ae:f8:00.8005, length 43
16:33:01.321436 IP 10.0.0.73 > 8.8.8.8: ICMP echo request, id 27956, seq 2, length 64
16:33:02.321437 IP 10.0.0.73 > 8.8.8.8: ICMP echo request, id 27956, seq 3, length 64
16:33:03.151786 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1c:57:ae:f8:00.8005, length 43
16:33:03.321426 IP 10.0.0.73 > 8.8.8.8: ICMP echo request, id 27956, seq 4, length 64
16:33:05.156910 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1c:57:ae:f8:00.8005, length 43
16:33:07.164314 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1c:57:ae:f8:00.8005, length 43
16:33:08.059185 IP 10.0.0.1 > 224.0.0.5: OSPFv2, Hello, length 56
16:33:09.166551 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1c:57:ae:f8:00.8005, length 43
16:33:09.209790 Loopback, skipCount 0, Reply, receipt number 0, data (40 octets)
16:33:11.171629 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1c:57:ae:f8:00.8005, length 43
And even makes it out the Asus router:
root@AsusRouter:~# tcpdump -i vlan2 -n port not 22 and port not 53 | grep -Ei "8.8.8.8|10.0.0.73"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan2, link-type EN10MB (Ethernet), capture size 262144 bytes
17:27:48.630938 IP 10.0.0.73 > 8.8.8.8: ICMP echo request, id 28149, seq 1, length 64
17:27:49.624087 IP 10.0.0.73 > 8.8.8.8: ICMP echo request, id 28149, seq 2, length 64
17:27:50.625051 IP 10.0.0.73 > 8.8.8.8: ICMP echo request, id 28149, seq 3, length 64
17:27:51.623614 IP 10.0.0.73 > 8.8.8.8: ICMP echo request, id 28149, seq 4, length 64
But nothing comes back. Asus Router F/W logs show nothing blocked in regards to this. Tried disabling F/W on the AsusRouter. Same thing. This used to work before I had OSPF enabled. So I tried to disable OSPF. It didn't work either. (Perhaps I needed to reload the config?)
Of course, pinging from the Cisco switch itself works just fine:
Cisco 3750G
cisco01#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/25 ms
cisco01#
Interestingly, on same said Server3, name resolution works, but I'm using an internal DNS server that doesn't have this external ping problem, so not too surprised by this:
[root@server3 ~]# ping mirrorlist.centos.org
PING mirrorlist.centos.org (67.219.148.138) 56(84) bytes of data.
^C
--- mirrorlist.centos.org ping statistics ---
31 packets transmitted, 0 received, 100% packet loss, time 29999ms
[root@server3 ~]#
What could be the issue here? I've included my Cisco 3750G configuration below. Perhaps the packets are dropped on the remote host due to being invalid? I was thinking the Asus router might be missing a route but then I would expect to see an echo reply appearing on the Asus router. But it's not.
My knowledge of OSPF is also very basic.
Thx,
Cisco 3750G Config
cisco01#show running-config
Building configuration...
Current configuration : 2385 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco01
!
enable secret 5 <SECRET>
enable password <SECRET>
!
username cisco password 0 <SECRET>
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
!
aaa session-id common
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
 switchport access vlan 3
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 192.168.0.2 255.255.255.0 secondary
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan3
 ip address 10.1.0.1 255.255.255.0
!
interface Vlan4
 ip address 10.2.0.1 255.255.255.0
!
interface Vlan5
 ip address 10.3.0.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 0
 network 10.1.0.0 0.0.0.255 area 0
 network 10.2.0.0 0.0.0.255 area 0
 network 192.168.0.0 0.0.0.255 area 0
!
ip default-gateway 192.168.0.3
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.6
ip http server
ip http secure-server
!
!
radius-server source-ports 1645-1646
!
control-plane
!
!
line con 0
line vty 5 15
!
end
cisco01#
cisco01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.0.6 to network 0.0.0.0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, Vlan2
C       10.1.0.0 is directly connected, Vlan3
C    192.168.0.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 192.168.0.6
cisco01#
cisco01#show ip ospf database
            OSPF Router with ID (192.168.0.1) (Process ID 1)
                Router Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.0.1     192.168.0.1     1599        0x80000006 0x0069D3 4
cisco01#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14
                                                Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21, Gi1/0/22
                                                Gi1/0/23, Gi1/0/25, Gi1/0/26, Gi1/0/27
                                                Gi1/0/28
2    VLAN0002                         active    Gi1/0/5, Gi1/0/10
3    VLAN0003                         active    Gi1/0/24
4    VLAN0004                         active
5    VLAN0005                         active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trbrf 101005     4472  -      -      15       ibm  -        0      0
VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7       7       off
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
cisco01#
-------------------------------
So I tried adding the routes on the Asus Router (w/ DD-WRT).
root@AsusRouter:~# ip route
default via 123.123.123.1 dev vlan2
10.0.0.0/24 via 192.168.0.1 dev br0
10.0.1.0/24 via 192.168.0.1 dev br0
10.0.2.0/24 via 192.168.0.1 dev br0
10.0.3.0/24 via 192.168.0.1 dev br0
123.123.123.0/27 dev vlan2 scope link src 108.168.115.11
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 scope link src 169.254.255.1
192.168.0.0/24 dev br0 scope link src 192.168.0.6
192.168.45.0/24 dev wl0.1 scope link src 192.168.45.1
192.168.75.0/24 dev wl1.1 scope link src 192.168.75.1
root@DD-WRT-INTERNET-ASUS:~#
but it had no effect. I'm not entirely surprised. 8.8.8.8 returns no reply. Can't route something back that isn't there to begin with.
Now, if I ping 8.8.8.8 from the 1) Asus Router or 2) from any host on VLAN 1 ( 192.168.0.X ), ping works. Issue only occurs if I initiate the ping against 8.8.8.8 from VLAN 2, 3, 4.
So it appears to me that when the ICMP travels through VLAN 2, 3, 4 it's changed in some way that causes 8.8.8.8 to drop the packet or simply not reply. That's the only plausible explanation that fits the analysis so far and makes the most sense.
In other words, the echo reply doesn't appear to be sent from 8.8.8.8 if the ping originates from VLAN 2, 3, 4. Please see the Asus router tcpdump above.
By the way in your OP you have the
Asus as 192.168.0.1
cisco as 192.168.0.3
on here
Asus as 192.168.0.6
cisco as 192.168.0.1
That's right. If you notice further up in the post here, to solve the original issue on that post, I changed the Asus router IP from 192.168.0.1 to 192.168.0.6 and then changed the Cisco 3750G IP from 192.168.0.3 and 192.168.0.4 (secondary) to 192.168.0.1 and 192.168.0.2 (secondary) to resolve that issue. This post (now a reply) is a new issue in continuation of the first one. ( Hence why I initially thought to start it as a separate topic. )
@paul driver My answers to the other questions you've had are below. Going by email as I can't find these in the flurry of replies (apologies).
interface GigabitEthernet1/0/24 <----WHY a trunk, why not a access port in vlan 1?
switchport trunk allowed vlan 1-4
In my attempts to resolve the original issue, one theory I had is that trunking wasn't enabled. My Asus router used to be, but is no longer, connected to port G1/0/24. I thought at the time that perhaps traffic from VLAN 2, 3, 4 wasn't being sent through because trunking wasn't enabled on the Cisco to Asus router link. I was wrong and that stayed from that debugging attempt.
interface Vlan1
ip address 192.168.0.4 255.255.255.0 secondary Why do you have this?
It was an option. Since Cisco provided it, I saw no harm filling it in a few years back.
interface Vlan4
ip address 10.2.0.1 255.255.255.0
!
ip default-gateway 192.168.0.1
ip route 0.0.0.0 0.0.0.0 192.168.0.1
vlan 2-4
exit
All access ports
int x/x
switchport mode access
spanning-tree portfast
switchport access vlan xx
Saw no harm leaving the default gateway. It worked fine before with that gateway. Read it won't be used anyway so felt there's no harm leaving it.
As for the second item, by default, any interfaces not specifically assigned to a VLAN will by default be on VLAN 1. So I only left the defaults on those.
Thx,
12-05-2019 02:59 AM
*** Rate All Helpful Responses ***

12-05-2019 06:54 AM
NAT rules that I currently have (Note again, I'm running DD-WRT):
root@AsusRouter:~# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source       destination
DNAT       tcp  --  0.0.0.0/0    123.123.123.321  tcp dpt:17855 to:192.168.0.6:443
DNAT       tcp  --  0.0.0.0/0    123.123.123.321  tcp dpt:17856 to:192.168.0.6:50505
DNAT       icmp --  0.0.0.0/0    123.123.123.321  to:192.168.0.6
DNAT       tcp  --  0.0.0.0/0    123.123.123.321  tcp dpt:40404 to:192.168.0.40:22
DNAT       udp  --  0.0.0.0/0    123.123.123.321  udp dpt:40404 to:192.168.0.40:22
DNAT       tcp  --  0.0.0.0/0    123.123.123.321  tcp dpt:30000 to:192.168.0.150:443
DNAT       udp  --  0.0.0.0/0    123.123.123.321  udp dpt:30000 to:192.168.0.150:443
DNAT       tcp  --  0.0.0.0/0    123.123.123.321  tcp dpt:13389 to:192.168.0.18:3389
DNAT       udp  --  0.0.0.0/0    123.123.123.321  udp dpt:13389 to:192.168.0.18:3389
DNAT       tcp  --  0.0.0.0/0    123.123.123.321  tcp dpt:19132 to:192.168.0.166:19132
DNAT       udp  --  0.0.0.0/0    123.123.123.321  udp dpt:19132 to:192.168.0.166:19132
DNAT       tcp  --  0.0.0.0/0    123.123.123.321  tcp dpt:443 to:192.168.0.115:443
DNAT       udp  --  0.0.0.0/0    123.123.123.321  udp dpt:443 to:192.168.0.115:443
DNAT       tcp  --  0.0.0.0/0    123.123.123.321  tcp dpt:80 to:192.168.0.212:80
DNAT       udp  --  0.0.0.0/0    123.123.123.321  udp dpt:80 to:192.168.0.212:80
DNAT       tcp  --  0.0.0.0/0    123.123.123.321  tcp dpt:7777 to:192.168.0.212:7777
DNAT       udp  --  0.0.0.0/0    123.123.123.321  udp dpt:7777 to:192.168.0.212:7777
DNAT       tcp  --  0.0.0.0/0    123.123.123.321  tcp dpt:2106 to:192.168.0.212:2106
DNAT       udp  --  0.0.0.0/0    123.123.123.321  udp dpt:2106 to:192.168.0.212:2106
DNAT       tcp  --  0.0.0.0/0    123.123.123.321  tcp dpt:10241 to:192.168.0.212:10241
DNAT       udp  --  0.0.0.0/0    123.123.123.321  udp dpt:10241 to:192.168.0.212:10241
DNAT       tcp  --  0.0.0.0/0    123.123.123.321  tcp dpt:17857 to:192.168.0.104:22
DNAT       udp  --  0.0.0.0/0    123.123.123.321  udp dpt:17857 to:192.168.0.104:22
TRIGGER    0    --  0.0.0.0/0    123.123.123.321  TRIGGER type:dnat match:0 relate:0
Chain INPUT (policy ACCEPT)
target     prot opt source       destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source       destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source            destination
SNAT       0    --  0.0.0.0/0         0.0.0.0/0    to:192.168.0.6
SNAT       0    --  192.168.0.0/24    0.0.0.0/0    to:123.123.123.321
SNAT       0    --  192.168.45.0/24   0.0.0.0/0    to:123.123.123.321
SNAT       0    --  192.168.75.0/24   0.0.0.0/0    to:123.123.123.321
MASQUERADE 0    --  0.0.0.0/0         0.0.0.0/0    mark match 0x80000000/0x80000000
MASQUERADE 0    --  10.1.1.0/24       0.0.0.0/0
root@AsusRouter:~#
12-05-2019 06:37 AM - edited 12-05-2019 06:43 AM
Hello
Just to summarize, you now have reachability using static addressing between asus and cisco switch for ALL vlans but when you use dynamic routing (OSPF) it fails for all vlans or just specific ones?
FYI - secondary addressing can cause unwarranted issues, and for routing purposes only the primary IP address is used, so if it isn't required remove it
Also..
interface Vlan1
ip address 192.168.0.2 255.255.255.0 secondary <---remove this please
ip address 192.168.0.1 255.255.255.0 <-- thought this was .3 now ?
Cisco
no router ospf 1
router ospf 1
passive interface default
no passive interface vlan 1
network 192.168.0.3 0.0.0.0 area 0
network 10.0.0.1 0.0.0.0 area 0
network 10.1.0.1 0.0.0.0 area 0
network 10.2.0.1 0.0.0.0 area 0
network 10.3.0.1 0.0.0.0 area 0
exit
no ip route 0.0.0.0 0.0.0.0 192.168.0.6
ip route 0.0.0.0 0.0.0.0 vlan 1 192.168.0.6
sh ip ospf neighbors
sh ip ospf route
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul

12-05-2019 06:58 AM - edited 12-05-2019 07:08 AM
ip address 192.168.0.1 255.255.255.0 <-- thought this was .3 now ?
No, my current config is:
Asus Router: 192.168.0.6
Cisco 3750G: 192.168.0.1, Secondary: 192.168.0.2
192.168.0.3 and 192.168.0.4 are no longer being used. So I'll use the steps below but I'll assume that everywhere you have 192.168.0.3, I'll replace it with 192.168.0.1.
EDIT:
Just saw this question:
Just to summarize, you now have reachability using static addressing between asus and cisco switch for ALL vlans but when you use dynamic routing (OSPF) it fails for all vlans or just specific ones?
Ping to 8.8.8.8 from clients on VLAN 2, 3, 4 returns no response. Pinging 8.8.8.8 from devices on VLAN 1 works fine ( An echo reply is received from 8.8.8.8. ) despite the next-hop message:
[root@mdskvm-p02 network-scripts]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=13.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=11.4 ms
From 192.168.0.1 icmp_seq=3 Redirect Network(New nexthop: 192.168.0.6)
From 192.168.0.1: icmp_seq=3 Redirect Network(New nexthop: 192.168.0.6)
64 bytes from 8.8.8.8: icmp_seq=3 ttl=55 time=12.6 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=55 time=11.8 ms

12-05-2019 08:20 AM - edited 12-05-2019 08:22 AM
I've tried to redo the OSPF configuration as suggested. Some commands didn't work (older version of the software I suppose).
These did not work.
no passive interface vlan 1
sh ip ospf neighbors
sh ip ospf route
Current config:
cisco01#show running-config
Building configuration...
Current configuration : 2390 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco01
!
enable secret 5 <SECRET>
enable password <SECRET>
!
username cisco password 0 <SECRET>
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
!
aaa session-id common
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan3
 ip address 10.1.0.1 255.255.255.0
!
interface Vlan4
 ip address 10.2.0.1 255.255.255.0
!
interface Vlan5
 ip address 10.3.0.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.1 0.0.0.0 area 0
 network 10.1.0.1 0.0.0.0 area 0
 network 10.2.0.1 0.0.0.0 area 0
 network 10.3.0.1 0.0.0.0 area 0
 network 192.168.0.1 0.0.0.0 area 0
!
ip default-gateway 192.168.0.1
ip classless
ip route 0.0.0.0 0.0.0.0 Vlan1 192.168.0.6
ip http server
ip http secure-server
!
!
radius-server source-ports 1645-1646
!
control-plane
!
!
line con 0
line vty 5 15
!
end
cisco01#
Current diagram is attached. I've adjusted it to match the latest issue config.
Looking at the NAT options @Jaderson Pessoa suggested.
12-05-2019 08:42 AM - edited 12-05-2019 08:45 AM
Hello
So I guess you are saying static or ospf routing internet access is applicable for only vlan 1?
I assume the Asus is aware of your LAN subnets - be it via static routes pointing back towards your cisco switch or them being learnt via ospf from the cisco switch?
If so that leaves Network Translation ( NAT) on the Asus.
Chain POSTROUTING (policy ACCEPT)
target     prot opt source            destination
SNAT       0    --  0.0.0.0/0         0.0.0.0/0    to:192.168.0.6
SNAT       0    --  192.168.0.0/24    0.0.0.0/0    to:123.123.123.321
SNAT       0    --  192.168.45.0/24   0.0.0.0/0    to:123.123.123.321
SNAT       0    --  192.168.75.0/24   0.0.0.0/0    to:123.123.123.321
MASQUERADE 0    --  0.0.0.0/0         0.0.0.0/0    mark match 0x80000000/0x80000000
MASQUERADE 0    --  10.1.1.0/24       0.0.0.0/0
I don't see any translation for those other subnets in this output so does your Asus NAT configuration need to be updated to accommodate these other vlans - Have you done this?
cisco
Sh ip route
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul

12-05-2019 09:00 AM
No, was just looking at NAT right now. The DD-WRT config will take a bit more time so focused on the Cisco commands you've posted since that's a quicker win. While looking at the NAT setup, I decided to capture some more packet output. While trying to transfer the packet output to a host on VLAN 2, I couldn't:
root@AsusRouter:~# scp trace-vlan-asusrouter.dat 10.0.0.73:
^Croot@DD-WRT-INTERNET-ASUS:~# ping 10.0.0.73
PING 10.0.0.73 (10.0.0.73): 56 data bytes
^C
--- 10.0.0.73 ping statistics ---
18 packets transmitted, 0 packets received, 100% packet loss
root@AsusRouter:~# ping 10.0.0.73
PING 10.0.0.73 (10.0.0.73): 56 data bytes
^C
--- 10.0.0.73 ping statistics ---
14 packets transmitted, 0 packets received, 100% packet loss
root@AsusRouter:~#
I traced this:
root@AsusRouter:~# tcpdump -i vlan2 -s 0 -e icmp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan2, link-type EN10MB (Ethernet), capture size 262144 bytes
11:47:38.781063 40:16:7e:a2:62:11 > 00:17:10:90:d1:94, ethertype IPv4 (0x0800), length 98: 123.123.123.321 > 10.0.0.73: ICMP echo request, id 54385, seq 0, length 64
11:47:39.786269 40:16:7e:a2:62:11 > 00:17:10:90:d1:94, ethertype IPv4 (0x0800), length 98: 123.123.123.321 > 10.0.0.73: ICMP echo request, id 54385, seq 1, length 64
but no reply. 123.123.123.321 is the WAN IP on the AsusRouter.
Going to finish implementing the NAT rules and will post back.
12-05-2019 09:24 AM
1. Nat configuration
2. Route back.
*** Rate All Helpful Responses ***

12-05-2019 10:29 AM
@Jaderson Pessoa , @paul driver
Once again thank you very much gentlemen! Appreciated as always!
And NAT'ing was the issue gentlemen.
root@AsusRouter:~# ping 10.0.0.73
PING 10.0.0.73 (10.0.0.73): 56 data bytes
^C
--- 10.0.0.73 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@AsusRouter:~#
root@AsusRouter:~# route add -net 10.0.0.0 netmask 255.255.255.0 gateway 192.168.0.1
root@AsusRouter:~#
root@AsusRouter:~# ping 10.0.0.73
PING 10.0.0.73 (10.0.0.73): 56 data bytes
64 bytes from 10.0.0.73: seq=0 ttl=63 time=0.533 ms
64 bytes from 10.0.0.73: seq=1 ttl=63 time=0.335 ms
64 bytes from 10.0.0.73: seq=2 ttl=63 time=0.376 ms
^C
--- 10.0.0.73 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.335/0.414/0.533 ms
root@AsusRouter:~#
Once I did the above, pinging from one of the hosts on VLAN 2 works as it should:
[root@server3 network-scripts]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
38 packets transmitted, 0 received, 100% packet loss, time 36999ms
[root@server3 network-scripts]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=54 time=13.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=54 time=13.5 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=54 time=18.5 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 13.337/15.144/18.525/2.396 ms
[root@server3 network-scripts]#
And my new routing table:
root@AsusRouter:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         123.123.123.101 0.0.0.0         UG    0      0        0 vlan2
10.0.0.0        192.168.0.1     255.255.255.0   UG    0      0        0 br0
10.1.0.0        192.168.0.1     255.255.255.0   UG    0      0        0 br0
10.2.0.0        192.168.0.1     255.255.255.0   UG    0      0        0 br0
123.123.123.100 0.0.0.0         255.255.255.224 U     0      0        0 vlan2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.45.0    0.0.0.0         255.255.255.0   U     0      0        0 wl0.1
192.168.75.0    0.0.0.0         255.255.255.0   U     0      0        0 wl1.1
root@AsusRouter:~#
I'm not sure, however, how to reconcile this with the tcpdump command above. I guess what I saw with tcpdump on the Asus Router was an attempt to send and nothing else:
root@AsusRouter:~# tcpdump -i vlan2 -n port not 22 and port not 53 | grep -Ei "8.8.8.8|10.0.0.73"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan2, link-type EN10MB (Ethernet), capture size 262144 bytes
17:27:48.630938 IP 10.0.0.73 > 8.8.8.8: ICMP echo request, id 28149, seq 1, length 64
Next is to try and set Dynamic Routing to OSPF on the Asus Router. I'll do that and report back then spread the points around.
Thx,
TK
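The two checks this thread converged on (does the Asus have a return route for each switch VLAN, and does a source-NAT rule cover it), as an added Python example that is not part of any post. It runs over the `ip route` and POSTROUTING output quoted earlier in the thread and the SVI addresses from the switch config; the function names, the treatment of `vlan2` as the WAN device, and counting only NAT rules with a specific source prefix (the `-nL` listing shows no interfaces, so the 0.0.0.0/0 rules cannot be judged from it) are assumptions of the example.

```python
import ipaddress

# Asus routing table, copied from the `ip route` output quoted in the thread.
ASUS_ROUTES = """\
default via 123.123.123.1 dev vlan2
10.0.0.0/24 via 192.168.0.1 dev br0
10.0.1.0/24 via 192.168.0.1 dev br0
10.0.2.0/24 via 192.168.0.1 dev br0
10.0.3.0/24 via 192.168.0.1 dev br0
123.123.123.0/27 dev vlan2 scope link src 108.168.115.11
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 scope link src 169.254.255.1
192.168.0.0/24 dev br0 scope link src 192.168.0.6
192.168.45.0/24 dev wl0.1 scope link src 192.168.45.1
192.168.75.0/24 dev wl1.1 scope link src 192.168.75.1
"""

# POSTROUTING chain, copied from the `iptables -t nat -nL` output in the thread.
ASUS_POSTROUTING = """\
SNAT 0 -- 0.0.0.0/0 0.0.0.0/0 to:192.168.0.6
SNAT 0 -- 192.168.0.0/24 0.0.0.0/0 to:123.123.123.321
SNAT 0 -- 192.168.45.0/24 0.0.0.0/0 to:123.123.123.321
SNAT 0 -- 192.168.75.0/24 0.0.0.0/0 to:123.123.123.321
MASQUERADE 0 -- 0.0.0.0/0 0.0.0.0/0 mark match 0x80000000/0x80000000
MASQUERADE 0 -- 10.1.1.0/24 0.0.0.0/0
"""

# SVI addresses from the switch's running-config (interface Vlan1..Vlan5).
SWITCH_SVIS = {
    "Vlan1": "192.168.0.1/24",
    "Vlan2": "10.0.0.1/24",
    "Vlan3": "10.1.0.1/24",
    "Vlan4": "10.2.0.1/24",
    "Vlan5": "10.3.0.1/24",
}

WAN_DEV = "vlan2"  # assumption: the device that carries the default route


def parse_routes(text):
    """Turn `ip route` lines into (network, gateway-or-None, device) tuples."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        gateway = tok[tok.index("via") + 1] if "via" in tok else None
        routes.append((ipaddress.ip_network(dest), gateway, tok[tok.index("dev") + 1]))
    return routes


def best_route(routes, subnet):
    """Longest-prefix match: the most specific route that covers the whole subnet."""
    covering = [r for r in routes if subnet.subnet_of(r[0])]
    return max(covering, key=lambda r: r[0].prefixlen, default=None)


def nat_sources(text):
    """Source prefixes of SNAT/MASQUERADE rules, skipping unqualified 0.0.0.0/0 rules."""
    sources = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] in ("SNAT", "MASQUERADE"):
            src = ipaddress.ip_network(tok[3])
            if src.prefixlen > 0:
                sources.append(src)
    return sources


def audit(svis, route_text, nat_text, wan_dev=WAN_DEV):
    """Per VLAN: does reply traffic route back to the LAN, and is the subnet source-NATed?"""
    routes = parse_routes(route_text)
    sources = nat_sources(nat_text)
    report = {}
    for name, cidr in svis.items():
        subnet = ipaddress.ip_interface(cidr).network
        route = best_route(routes, subnet)
        report[name] = {
            "subnet": str(subnet),
            "reply_dev": route[2] if route else None,
            "return_route": route is not None and route[2] != wan_dev,
            "source_nat": any(subnet.subnet_of(s) for s in sources),
        }
    return report


if __name__ == "__main__":
    for name, row in audit(SWITCH_SVIS, ASUS_ROUTES, ASUS_POSTROUTING).items():
        print(f"{name:6} {row['subnet']:16} return_route={row['return_route']!s:5} "
              f"(replies leave via {row['reply_dev']}) source_nat={row['source_nat']}")
```

On the quoted data, only Vlan1 passes both checks: the 10.0.1.0/24 to 10.0.3.0/24 entries in that `ip route` listing do not match the switch's 10.1.0.0/24, 10.2.0.0/24 and 10.3.0.0/24 SVIs, so replies to those subnets follow the default route out of `vlan2`. The later `route -n` table in the thread lists 10.1.0.0 and 10.2.0.0 correctly.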
12-05-2019 11:03 AM
Regards,
*** Rate All Helpful Responses ***

12-06-2019 06:44 AM
Hey guys, would you happen to know or have come across any reason why a router enabled as a Gateway shouldn't run OSPF?
Trying to confirm what I'm reading on a Gateway configuration page as part of DD-WRT but my understanding of that part of networking is still shady in that area.
Thx,
12-06-2019 08:44 AM
*** Rate All Helpful Responses ***
