Solved: multiple VLAN to WAN

wilan · ‎12-23-2021

Hi all ,

First time here because "Google is your friend" didn't quite cut it for me

My LAN is built up from 3 SG300-10 L3 switches. One of those does inter VLAN routing and is connected to a Netgear BR200 router (and to the internet through an ISP modem).

After reading dozens of posts I almost got it working, but without internet access...

That is, from

a PC connected to a management VLAN (1) port I can connect to internet
a PC connected to a user VLAN port I can ping the WAN ISP assigned address, but I don't get internet...

problem : can't connect to internet from user VLAN

devices
- Netgear BR200 router
  - internet access (via ISP modem)
  - has all VLANs
  - ports
    - tagged (port 1) : management VLAN, internet VLAN, user VLANs
    - untagged (port 2-4) : management port, user VLANs ports
- Cisco SG300-10 L3 switch
  - 3 switches, only 1 (main switch) used as layer 3
  - main switch
    - connects to router
    - routing between (user) VLANs
    - VLANs
      - DHCP pools for the user VLANs
      - static IP address for the user VLANs
    - default gateway to router 192.168.127.1
    - DNS server to router 192.168.127.1
    - ports
      - tagged (port : management VLAN, internet VLAN, user VLANs
      - tagged (SFP port 9 - 10, connects switches) : management VLAN, internet VLAN, user VLANs
      - untagged (port 1 - 7) : management port, user VLAN ports
setup
- VLAN 1
  - default, management
  - isolated (no access to other VLANs)
  - routed between all switches and router
- VLAN 127
  - internet access
  - isolated (no access to other VLANs)
  - main switch
    - LAN setup : VLAN 127, 192.168.127.0/24
    - IP address : 192.168.127.2
  - router
    - LAN setup : VLAN 127, 192.168.127.0/24
    - IP address : 192.168.127.1
- user VLANs
  - different LAN segments
  - main switch
    - (for the moment) interconnected VLANs
  - router
    - all user VLANs route back to 192.168.127.2
what works
- test PC connected to main switch from user VLAN port
  - ping (other) user VLANs (on router/other switches)
  - ping 192.168.1.1 (router management)
  - ping 192.168.127.1 (router internet VLAN)
  - ping 192.168.0.118 (router WAN ISP assigned IP address)
- test PC connected to main switch management VLAN port (= router default VLAN 1)
  - ping google.com
  - ping user VLAN doesn't work => ok
test : I tried routing user VLANs from the router
- switches only use L2 mode
- on the router added extra LAN per user VLAN
- DHCP on all LANs
- all users on switches get internet access
- but : BR200 can only accomodate 3 user VLANs this way...

I hope someone can shed some light in the darkness...

Wim

paul driver · ‎12-23-2021

Hello

@wilan wrote:

"Google is your friend" didn't quite cut it for me

Unfortunately nowadays your will find google and plagiarisation come hand in hand, If you begin to visit here on a regular basis sadly you will see it a lot.

@wilan wrote:

a PC connected to a management VLAN (1) port I can connect to internet

a PC connected to a user VLAN port I can ping the WAN ISP assigned address, but I don't get internet...

problem : can't connect to internet from user VLAN

devices

Netgear BR200 router

internet access (via ISP modem)

has all VLANs

ports

Regards the above you need your netgear router to perform Network Translation (NAT) for your private vlans to be able to reach the internet, due to the fact those vlans have non routable public addressing.

Do you have access to your netgear rtr? as its possibly performing NAT already and you may be able to append your private vlan addressing to it so the rtr can nat on those aswell.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

paul driver · ‎12-23-2021

Hello

@wilan wrote:

"Google is your friend" didn't quite cut it for me

Unfortunately nowadays your will find google and plagiarisation come hand in hand, If you begin to visit here on a regular basis sadly you will see it a lot.

@wilan wrote:

a PC connected to a management VLAN (1) port I can connect to internet

a PC connected to a user VLAN port I can ping the WAN ISP assigned address, but I don't get internet...

problem : can't connect to internet from user VLAN

devices

Netgear BR200 router

internet access (via ISP modem)

has all VLANs

ports

Regards the above you need your netgear router to perform Network Translation (NAT) for your private vlans to be able to reach the internet, due to the fact those vlans have non routable public addressing.

Do you have access to your netgear rtr? as its possibly performing NAT already and you may be able to append your private vlan addressing to it so the rtr can nat on those aswell.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

wilan · ‎12-23-2021

Hi Paul ,

I have access to the Netgear router. I'm a bit confused about the
NAT-thingy
- I suppose it works because I can access internet through the Netgears
default VLAN (1)
- I thought the entire gateway and DNS server settings on the Cisco switch
with the corresponding return routes per VLAN would solve the problem
- appending my private VLAN addressing to the (existing) NAT ? No idea how
to go about that....

Wim

wilan · ‎12-23-2021

I remembered something from the Netgear BR200 5.10.0.4 firmware announcement. Does this mean I need another router/can't do what I intended to ?

NAT loopback does not work in this release. NAT loopback is useful for accessing internal resources by public domain name.
Workarounds: Use one of these workarounds:
- Change device hosts file to map public domain name to local IP when working on the same subnet as a public server.
- Use a separate DNS server that can handle accessing public resources from an internal network.

Wim

paul driver · ‎12-23-2021

Hello

Would you be able to post a topology diagram of your current setup, You have L3 switches so we just need to understand the netgears capabilities, if as @Georg Pauwen states the rtr cannot be amended to accommodate dynamic PAT then we may need to look at other alternatives,.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Georg Pauwen · ‎12-23-2021

Hello,

I don't think the BR200 has a setting to specify which (additonal) networks should be NATted when these networks are not directly connected. So your only option is to have the BR200 do the "inter-Vlan" routing (see attached PDF on how to add Vlans):

wilan · ‎12-24-2021

Thank you all ,

Thanks to your comments the pieces finally started falling into place... Problem was a mismatch between networking knowledge (me), only basic routing functionality (Netgear BR200) and incomplete information (Google generated answers to my queries).

Basically I'm going to leave it at this, but thought to write up my experiences (and possibly help others with the same issues). I'll include some "theory" (to the best of my knowledge), if I'm completely off track feel free to comment/correct me...

So you want to do multiple switches LAN/VLAN, inter VLAN routing and connect to the internet...

needed
- internet connection : ISP modem with auto assigned IP address
- router (if not part of ISP modem) : WAN port to ISP modem, LAN port to LAN switches
- switches : LAN/VLAN infrastructure
VLAN
- obviously VLANs need to be configured on all devices which propagate them (router(s), switch(es))
- advisable to leave the default (or management) VLAN alone and do all traffic in other VLANs
- router(s) and switch(es) would be connected through trunk ports (carrying VLAN ID information)
- remark
  - in case the router doesn't support VLAN, it's connection to the L3 switch may be untagged (access port)
  - all references to VLANs in the router setup may then be discarded
  - also on the side of the L3 switch the port needs to be untagged (access port)
VLAN theory (here goes
- as long as connections stay in their respective VLANs, everything works "automagically" on L2
- if not, then one could state that when a (VLAN tagged) packet "enters" in a router or L3 switch it "kind of loses" it's VLAN ID and "other rules" kick in. That is : the packet will be analysed and matched with "rules" in the router/L3 switch
inter VLAN routing setup (L3 switch)
- the L3 (routing) switch needs IP address reservations (e.g.: VLAN 15, subnet 192.168.15.0/24) and corresponding default gateway (e.g.: 192.168.15.1) for all inter VLAN routing it manages
- thus when a host (e.g.: 192.168.15.5, VLAN 15) tries to communicate with a host in another VLAN (e.g.: 192.168.33.9, VLAN 33), the L3 switch will "catch it" through it's 192.168.15.1 gateway, find the requested address in VLAN 33 subnet and send it out with the VLAN 33 ID
- when the receiving host replies, the process is repeated (but VLAN 33 to VLAN 15 routing)
internet access
- actually the same happens when trying to access the internet : the L3 (routing) switch won't find the requested address so sends it to it's gateway (e.g.: VLAN 127, 192.168.127.0/24, IP : 192.168.127.2, GW : 192.168.127.1) with VLAN 127 ID
- the router receives the VLAN 127 packet, won't find the requested address and in turn sends it to it's gateway (the ISP modem)
inter VLAN routing setup (router)
- setup router internet access
- (at least) the "internet VLAN" (e.g.: VLAN 127) needs to be setup (optionally other VLANs if router ports need to be used as a network extension)
- the VLANs (at least those with internet access) need static routes back to the L3 switch (e.g.: 192.168.15.0/24, GW:192.168.127.2; 192.168.33.0/24, GW:192.168.127.2;...)
- this way the packets received from the modem and destined for the parametrised VLANs will get routed to the L3 switch where they will be further analysed and tagged with the corresponding VLAN ID and send to the initiating host
NAT...
- in the different "recipes" found through Google it is often not mentioned and was thus deemed unimportant/digital noise by me. Big mistake, BIG MISTAKE
- (especially in SOHO modems/routers/... ?) this works "automagically"
- in case of the Netgear BR200 router, it's functionality is limited and "hidden". As per the recipes : specifying static routes back to the L3 switch doesn't generate any errors, but doesn't mean the router (NAT) actually processes these addresses
- or : NAT works directly on the incoming packets (from the modem) and will only process "what it knows"
- in case of the Netgear BR200 the "trick" is defining LAN's (for the corresponding VLANs). The router will then also NAT these
- the problem, in case of the Netgear BR200, is it only accepts 3 extra LANs, which limits the entire setup to 3 VLANs
DNS
- it's not clear if this is handled "automagically" in all cases or it has to be entered manually (in the L3 switch ?). In the L3 switch it would need to point to the gateway (e.g.: 192.168.127.1)

Conclusion : in my case possible solutions would be :

dump the VLAN idea
limit the number of VLANs with internet access (3)
dump the Netgear BR200 router
do the NATing external (*)
???

(*) I have some "spare" computer boards and wanted to play with dnsmasq, PXE, HTTP server, multi room audio, IP camera's,... under Alpine Linux (not all related to this problem of course)

Wim