cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1287
Views
0
Helpful
5
Replies

SG300-20 behind firewall with two vlans

r.meissner
Beginner
Beginner

Hello,

i have the following network running: see attachment. The switch has two VLANs, one for the 10. network, the other should be for the 192. network. Now i want to access 10.0.1.11 from 192.168.178.1 but i get blocked by the firewall. The switch is now in the 192.network, but i want to connect the 10.* ports directly to the router. I am grateful for every hint.

 

Best regards,

Rome

5 Replies 5

Martin Carr
Enthusiast
Enthusiast

For the two to communicate, you will need to configure routing.

What you have won't work, as the 192 network is not on a common network with the router, thus the packets will be unable to be forwarded to it.

It's better to implement 'ROAS' instead.

I would also question as to why you have placed a firewall in between your network and your router?

Martin

Dan Miley
Participant
Participant

I would recommend adding a 2nd vlan interface to your firewall, and enable inter vlan routing on the firewall.

It would be good to set a different network segment between the router and firewall,

It would look something like this.

router --> firewall vlan1 -->switch vlan1 -->192.168.178.x clients

                firewall vlan10 -->switch vlan 10 --> 10.0.1.x clients

 

You don't say what the router or firewall models are, or the subnet masks...

The default gateways for the clients would point to the firewall, and it would do intervlan routing.

 

Or:

 

You can do intervlan routing on the switch.

set the switch in layer3 mode (this will factory reset the switch).  Set up the 2 client vlans, including dhcp with default gateways for the clients pointing to the switch.

select a different network segment for the firewall to switch connection (say 192.168.180.x)

add a route, rules, and nat statements in the firewall for both networks 192.168.178 and 10.0.1.x.

add a default route in the switch pointing to the firewall.

 

that would look something like

router - firewall -(192.168.180.x) - switch  - vlan 10.0.1.x

                                                             \- vlan 192.168.178

This would put the inter vlan routing load on the switch instead of the firewall.

 

you can also call in to the small business TAC and request assistance 866-606-1866 in US and Canada.  These devices come with 1 year free tech support.

 

Hope this helps,

Dan

r.meissner
Beginner
Beginner

Hello guys,

thanks for your replies! I have updated the topology graphic (see attachment).

VLAN 1 is for the pcs and VLAN 2 is for telephony. Ports 1-8 of the sg300-20 are in VLAN 1, and so are Ports 1-4 of each SG300-10P. Ports 9-16 of the SG300-20 are in VLAN 2, and so are Ports 5-8 of each SG300-10P. All switches are in L2 mode.

Now i can access the Gigaset T300P (10.0.1.5) from my computer (192.168.178.69), but i cannot access the ip telephones that are not on my switch, except 10.0.1.12. I get the message "No route to host" by my firewall.

I want the fritz.box to handle all 10.0.1.* traffic, but the firewall to handle all 192.168.178.* traffic. When i put my computer into the 10.0.1.* net and attach it to my switch, i cannot even acces the fritz.box.

You should configure trunks between the switches, opposed to physically connecting each VLAN end to end.

Don't remove the other physical connections though, as they can be used for aggregation/redundancy, but that's another discussion.

Have you configured the phones NIC's correctly with the appropriate GW addresses?

You need to change the IP address of your computer when you plug it into the switch, so that is on a common subnet with the Fritz.

Martin

I have configured all ports as trunk ports. There are no access ports defined. Communication in the 192.* net is working as it should, but within the 10.* network it is not working, yet

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers