04-08-2020 04:55 AM - edited 04-08-2020 05:10 AM
Hello, I am a newbie. Just today I learned to set up VLANs and DHCP on SG350, so please bear with me.
I have Cisco DPC3828S modem/router from ISP, very basic, no bridge mode, no routing protocols, and no static routes.
I want the routing and DHCP to be handled by SG350, to ease the old modem workload.
The problem is that the modem/router cannot NAT inside the switch VLAN, but someone told me that it is possible to use Proxy ARP. Any suggestion or other idea?
Thank you.
On second thought, is what I am trying to do faster than just letting the old modem/router handle it all? If what I am trying to do is slower, there would be no use for me to do this.
04-08-2020 05:39 AM
For outgoing traffic (standard internet access) I suggest enabling NAT on the SG350.
That is, the SG350 has multiple VLANs for separate subnets
and all is NATted to the single IP address (PAT) connecting the ISP router.
The ISP router also does a second NAT to the public address, but this should be no problem.
Seen from the ISP router it is as if only a single client is connected (the SG350).
But... because of this double NAT,
when you want to configure port-forwarding FROM the internet to the local VLANs there are some mountains to climb.
04-08-2020 07:00 AM
@pieterh wrote: The ISP-router also does a second NAT to the public address, but this should be no problem.
seen from the ISP router it is as if only a single client is connected (the SG350).
Yes, this is what I am trying to do, the ISP router won't do much work only routing to 1 client.
@pieterh wrote: for outgoing traffic (standard internet access) I suggest to enable NAT on the SG350.
that is the SG350 has multiple VLANs for separate subnets
and all is NATted to the single IP-address (PAT) connecting the ISP router
Well, as you know, I just made my first VLAN using GUI today. So, please be patient with my newbie questions.
How many VLANs do I have to make for separate subnets? And how do I NAT to a single IP address (PAT)?
I only need one example to do it, please, as I am completely new to this.
@pieterh wrote: But... because of this double NAT,
when you want to configure port-forwarding FROM the internet to the local VLANs there are some mountains to climb
I think I don't need port-forwarding, so that wouldn't be a problem... at least not for now.
04-08-2020 08:41 AM
Unless something has changed recently I do not believe that SG350 supports address translation.
04-08-2020 05:30 PM - edited 04-08-2020 05:57 PM
@Richard Burts wrote: Unless something has changed recently I do not believe that SG350 supports address translation.
Yea, I thought there was a "work around" to do NAT in SG350.
Anyone know about ARP Proxy? Upon reading about ARP Proxy, it seems the method is not advisable...
"That being said, it does impose additional work load on the Router. We used the specific example of Host D’s single IP address, but due to Host B’s misconfigured subnet mask there are roughly 65,000 IP addresses that Host B now considers on its local network. When in reality only about 250 could possibly exist on its local network." https://www.practicalnetworking.net/series/arp/proxy-arp/
I guess I have run out of ways.
04-09-2020 01:13 PM
I know a fair amount about proxy ARP. And I do not see any way that proxy ARP would come anywhere near being a solution to your issue. Proxy ARP may be useful in cases where a host has a misconfigured default gateway. But as far as we know your gateway is correct. Your issue is that you are using (we assume) private IP addressing in your subnets and you need something to translate those addresses as you go to the Internet. Your SG does not do it and if your modem/router does not do it then the only solution I can see is for you to purchase additional equipment that can do it.
04-09-2020 08:21 PM
"Your SG does not do it and if your modem/router does not do it then the only solution I can see is for you to purchase additional equipment that can do it."
Yes, I was thinking of buying something that can do it. But I doubt that something can be done about routing of the old modem without affecting performance.
04-10-2020 09:11 AM
To get equipment that would do address translation you would be looking to get a (small) router. If you add a router to the network then you could do routing for the vlans either on the SG or on the new router. The router would do address translation and forward traffic using the old modem as the next hop. All the old modem has to do is to forward traffic. Are you suggesting that this would impact performance to have the old modem just forwarding traffic?
04-10-2020 06:40 PM - edited 04-10-2020 08:20 PM
"Are you suggesting that this would impact performance to have the old modem just forwarding traffic?"
-- If that is the case, I guess, not.
"The router would do address translation and forward traffic using the old modem as the next hop. All the old modem has to do is to forward traffic."
-- I was under the impression that in order for the old modem to forward traffic, it needs a static routing feature, which the old modem doesn't have. Now I know why multiple routers in a daisy chain work.
Thank you for the info.
One more thing, I read your post from 2014, "...your problem is the lack of address translation for those vlans". I am having the same problem. This should be easy for you, so I will try to give only the important info:
ISP---old modem---router---SG350 (Vlan1 & Vlan2)
VLAN1 192.168.1.2, router 192.168.1.1 as gateway, VLAN1 in the same ip subnets as router, so no internet problem.
VLAN2 192.168.2.1 as gateway too. Cannot connect to internet
Both VLANs can communicate, VLAN2 can ping router.
I added 192.168.2.0/24 192.168.1.2 in the Router static routing and VLAN2 managed to ping router, but no internet.
I think I lack address translation on VLAN2, right?
Please, any advice on what to do to enable internet on VLAN2? I have tried many combinations of static routes in switch or router but nothing works. I am running out of ideas.
04-11-2020 08:42 AM
You tell us that "I have tried many combinations of static routes in switch or router but nothing works". Fundamentally it does not work because your problem is not about routing but it is about address translation. You could have multiple VLANs on your SG switch and you could route for those VLANs on either the SG switch or on the small router that you need to add to the network. Then on that new router you need to configure address translation. The mechanics of how to configure address translation depend on which router you are using but the basic process would include:
- configure interface inside on the router interface connecting to the SG switch.
- configure interface outside on the router interface connecting to the ISP modem.
- configure an access list which would identify the subnets that you want to translate.
- configure translation using the access list and the outbound interface.
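The four steps listed above, written out as a Cisco IOS configuration using the addresses from this thread. This is an added example, not part of the original posts; the interface names, the access list number and the DHCP-assigned outside address are assumptions, and other router platforms use different syntax.

```cisco
! Added example: PAT for the SG350 VLAN subnets on an IOS router placed
! between the ISP modem and the switch. Interface names are assumed.
!
! Step 1: inside interface, facing the SG350 (router is 192.168.1.1).
interface GigabitEthernet0/1
 description To SG350 VLAN1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no shutdown
!
! Step 2: outside interface, facing the ISP modem (address assumed via DHCP).
interface GigabitEthernet0/0
 description To ISP modem
 ip address dhcp
 ip nat outside
 no shutdown
!
! Return route to VLAN2 via the SG350's VLAN1 address, as in the thread.
ip route 192.168.2.0 255.255.255.0 192.168.1.2
!
! Step 3: access list naming the subnets to translate.
! Leaving 192.168.2.0/24 out reproduces the "VLAN2 pings the router
! but has no internet" symptom: its packets are routed but not translated.
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
!
! Step 4: translate matching sources to the outside interface address (PAT).
ip nat inside source list 10 interface GigabitEthernet0/0 overload
```

After a host in VLAN2 opens a connection, `show ip nat translations` on the router should list an entry whose inside local address is in 192.168.2.0/24.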
04-12-2020 01:26 AM
You are right! It is about address translation. Luckily I am using a router that has DD-WRT firmware and it has an option to Masquerade Route (NAT) on the Static Routing through the VLAN subnet address. Thank you again, without your advice, I wouldn't even have touched the Masquerade Route option. Now everything works as it should.
04-12-2020 10:08 AM
I am glad that my suggestions were able to help you develop a solution that works. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.