Problem SG300 switch: VLANs with common internet access

pabpab1979 · ‎01-09-2014

Hi all,

I have a Cisco SG300-20 L3 switch and want to realize two separate VLans with one common Internet access (something like a guest access to the internet).

The internet modem is a Cisco EPC3208G.

My problem is that despite that I can ping everyone on the different VLANs I have only access to the internet when the modem is in the same subnet/VLan.

I have the following setup:

-VLAN1: Common Internet, 192.168.1.X/24, untagged, SG-300-Adress: 192.168.1.254

-VLAN2: Network1, 192.168.2.X/24, untagged, SG-300-Adress: 192.168.2.254

-VLAN3: Network2, 192.168.3.X/24, untagged, SG-300-Adress: 192.168.3.254

-L3-Mode activated

-DHCP-Server on SG300 activated for every VLAN

-DHCP-Server on modem deactivated

-staic IP on the internet modem: 192.168.1.1/24

-gateway on the different VLANs is the respective adress of the SG-300 (192.168.X.254)

-added route: dest:0.0.0.0/0, next hop: 192.168.1.1, type: remote, metric: 1

From every VLAN I can ping the modem (192.168.1.1) and other clients but I can only access the internet from VLAN1 (or whicheever VLAN the modem is hooked up to).

I have the following assumption what could be the problem:

Example: I want to access the internet from VLAN2 with a computer having the IP-adress 192.168.2.10. The computer knows that the package-destination is not of its own subnet and sends it to the gateway-adress 192.168.2.254 (SG300 Switch). The SG300 then forwards the package to the modem according to the routing entry. The modem sends it to the internet using NAT.

So far so good.

When the answer comes back from the internet the modem uses NAT again an puts in the destination address 192.168.2.10 (from which the request origianlly came from). Now my assumtion is that since the address is not of the subnet of the modem it does not know what to do with it an discards the package instead of fowarding it to the SG300 on 192.168.1.254.

I didn't find any menu entry to set up routes on the EPC3208G modem, only portfowarding is possible

Is my assumption right?

Any ideas if there is a possibility to realize my plans with the given hardware?

Interesting question: why does the ping work?

Thanks a lot!

Greets

dave23189 · ‎01-10-2014

Judging by what you have said i believe you are right.

We have a similar setup but with a 3750 as the routing switch and a fortigate as the firewall and we have to add a route on the foritgate to every vlan.

Unfortunately i don't know anything about the EPC3208G so wouldn't know if you can add static routes or not.

Dave

Tom Watts · ‎01-10-2014

Hi, this is correct, the router is unaware of where to send the traffic and require static routes to point back to the SVI of the switch.

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

pabpab1979 · ‎01-12-2014

Hi,

thanks a lot for your anwsers.

That's too bad, because I didn't find a possibility to set up routes on the modem

Does anyone see any other possibility?

Paul Cz · ‎01-16-2017

I'm having an identical problem, however I already put in the static routes on the "router" (Netgear R7000).

My setup is [SG300-10] -> [Netgear R700] -> [ISP Modem]->

Otherwise identical to yours.

When i'm on VLAN 2 for example, i can ping the gateway 192.168.1.1 however I can't bring up its web interface. I cannot reach the internet from these other VLANs. Is it a problem with NAT?

I already have a static route for the VLAN entered in the "router", this allows me to IN to my VLANs from other networks and the home network for example (192.168.1.0).