Sorry, forgot a couple of things...

The switch is set to L3 mode.

All IP addresses are fixed IP's and all gateways are set to the VLAN IP, i.e., 10.0.30.1 for VLAN 30.

Routing protocol?

This is where my knowledge is lacking, but how can it be NAT if everything is working fine on VLAN 1?

Also, as mentioned, the routes back to the switch is set up for all VLAN's on the router and I can access ALL computers on ALL VLAN's from my laptop, hence I cannot see that there is a problem with communication between the switch and the router.

The router is doing NAT by default, and again, everything is working perfectly on VLAN 1.

I am focous on the communication between the hosts and the internet.  The fact of vlan 1 is working for NAT, does not tell what the problem is. IF the NAT was configured for the vlan1, it will work but what about the other vlans? NAT can be configured on per vlan/network basis.

Thanks Maher, really appriciate a thorough chec list.

Will have a look tomorrow...I managed to lock myself out from the switch when I tried some ACL rules...

Hi Lars,

You've already configured much of the network correctly, but there are a few areas that might need adjustments to allow internet access for devices on VLANs other than VLAN 1. Let's walk through a few possible solutions:

1. Routing and Default Gateway on the VLANs

• Ensure that each device on the different VLANs has its gateway set to the corresponding VLAN interface IP on the switch (SG300).
• For example, devices in VLAN 10 should use 10.0.10.254 as their gateway, devices in VLAN 20 should use 10.0.20.254, and so on. This ensures the devices are routing traffic through the switch.

2. Switch Routing and Default Route

• The switch's routing table needs to point back to the router (10.0.10.1) for internet traffic.
• You already mentioned that you have a default route (0.0.0.0/0) pointing to 10.0.10.1, which is correct.
• However, you might want to double-check if Inter-VLAN routing is fully enabled on your switch for all VLANs, especially for VLANs other than VLAN 1. This feature is necessary for routing between VLANs and to external networks.

3. NAT Configuration on the Router

• Ensure that NAT is configured properly on the router to allow internet access for traffic coming from different VLANs.
• Depending on your router, you may need to configure NAT rules for each VLAN subnet to allow internet-bound traffic. For example, a rule to allow traffic from the 10.0.20.0/24, 10.0.30.0/24, etc., subnets to be translated and sent to the internet.

4. VLAN Trunking on Port 49

• Port 49 is set up as a trunk port, but it’s crucial that it's configured correctly for VLAN tagging.
• The "Tagged" setting for VLANs other than VLAN 10 seems fine, but make sure that all VLANs that need to pass through this port are properly tagged. VLAN 10 being "Untagged" should be fine if it's the native VLAN, but confirm that other VLANs are tagged appropriately and that your trunk configuration matches the settings on both the access point and the router.

5. Firewall and ACLs

• Even though you've disabled the firewall on the router for testing, it may still have default rules blocking traffic from non-VLAN 1 subnets to the internet.
• Check if there are any Access Control Lists (ACLs) or firewall policies that might be blocking outbound traffic for these VLANs.

6. CLI Commands for Routing on the Switch

If the switch does not allow you to specify the "Next Hop" for each VLAN route (which is usually necessary when performing routing duties), you may not need to configure individual next hops if the switch is aware of the default route.

However, on some switches, you can set up routes for specific VLANs using commands like:

ip route 10.0.10.0 255.255.255.0 10.0.10.254
ip route 10.0.20.0 255.255.255.0 10.0.20.254

This tells the switch how to handle traffic for each VLAN. Ensure the switch has static routes for each VLAN pointing to their corresponding IP range.

7. Debugging

• Ping Tests: Try pinging 8.8.8.8 (Google DNS) from a device on a VLAN like VLAN 10 to see if you can reach an external IP.
• Traceroute: Run a traceroute from a VLAN device to an external IP and see where the traffic gets stuck.

Once you've checked and configured these aspects, your VLANs should be able to route internet-bound traffic properly.

Hello Maher

Sorry for the late reply, I have been away for work a few weeks now and haven't been able to look into this until now. Thanks for very specific and useful information, appreciate that.

I have been thru the config again and checked what I can check.

Routing and Default Gateway on the VLANs
Checked, doublechecked, and even tried different IP's just to be sure I didn't mess it up. It seems to be correct on all clients, but no luck on accessing internet.

Switch Routing and Default Route
My understanding is the L3 mode is what is needed on this switch for inter VLAN routing, and it is set to L3 mode. Also, I can access ALL clients from any other client on ALL VLAN's. No problem there at all.
This kind of tell me that inter VLAN routing is OK, but again, I'm not that familiar with switches and VLAN's, hence I'm trying to learn it 

NAT Configuration on the Router
I have a static route for each VLAN configured on the router. I'm able to ping all connected clients from the router, included those that are on the different VLAN's on the switch. Again, this tells me that the VLAN's config on the router is correct.
Ping from router to ALL clients are OK as well as from ALL clients to the router IP. I can ping both the internal IP (10.0.10.1) on the router and the WAN IP supplied from the ISP.

VLAN Trunking on Port 49
All VLAN's, except VLAN 10, is tagged for port 49. I even tried "tagged" on VLAN 10, but then I lost the connection with the switch 

Firewall and ACLs
I have checked every possible config on the router, and I cannot find anything blocking access to the VLAN's. Not saying that isn't the problem thought...
I might need to look into another router if I want to get this working.

CLI Commands for Routing on the Switch
I might be getting somewhere here. If I disconnect all clients, I can add a static route for the VLAN's, i.e., "configure" -> "interface vlan 40" -> "ip route 10.0.40.0. 255.255.255.0 10.0.10.1" without any error message. In the WEB GUI this route shows up as remote and static.
However, as soon as I connect a client to the port, it changes to local and directly connected. IS this where something is going wrong?

Debugging
I can ping external address from the switch (VLAN 10) and also from other clients on VLAN 10.
Clients on other VLAN's can ping their gateway, i.e., 10.0.30.254 as well as both internal and external address on the router, but nothing on the outside.

On your last comment, I can set next hop on the VLAN's as long as no clients are connected to the VLAN. As soon as I connect a client it changes to local and directly connected and the next hop disappear.

Hi Lars,

It would be better if you can share the configurations to be revised

Hi

Added the config. I have cleared most of the config and are currently only focusing on VLAN 30 to try and get that running before I start on the other ones.
As you can see, I have removed some information that is not relevant (some of the ports that are not configured and the SSH information.

Really appreciate your help on this.

Lars

Hi Lars,

From the configuration you've shared, everything seems mostly aligned for VLAN 30. Here are a few things to check or adjust to help resolve the issue of no internet access from VLAN 30:

1. VLAN IP Assignment:

You have assigned IP addresses to VLAN 10 (10.0.10.254/24) and VLAN 30 (10.0.30.254/24). This looks fine. Each VLAN should be using its respective gateway for routing within the subnet.

2. Default Gateway and Routing:

You have set the switch's default gateway as 10.0.10.1, which is correct as it’s your router. The ip route commands you added should point traffic from VLAN 30 to the router (10.0.10.1), so this looks good too.

The problem could be with the NAT on the router. Ensure the router is NATting traffic from VLAN 30 (10.0.30.0/24) to the internet. Typically, routers only NAT traffic from the default VLAN or main subnet (here, VLAN 10). You need to check the router’s NAT settings and ensure it includes the VLAN 30 subnet in the NAT rules.

3. Check Trunking for Port 49:

Port 49 is configured to allow VLAN 30 in the trunk, which is correct. However, double-check that:

• The trunk port (GE49) on your Wireless Access Point also has VLAN 30 allowed in its configuration.
• VLAN traffic for VLAN 30 is tagged correctly, and the AP understands and forwards the traffic as intended.

4. Firewall on Router:

Ensure that there are no firewall rules on the router that block traffic from VLAN 30 from accessing the WAN interface or performing NAT. You may want to temporarily disable firewall rules or inspect them closely to ensure VLAN 30 is allowed.

5. NAT for VLAN 30 on Router:

If VLAN 30 clients can reach internal networks (like VLAN 10), but not the internet, it's almost certainly related to how NAT is configured on your router. Make sure that your router is configured to NAT all outgoing traffic from VLAN 30 to the WAN interface.

6. Test the VLAN Route:

• Try manually pinging an external IP (e.g., 8.8.8.8) from a device on VLAN 30. This helps test whether DNS is the issue or if the traffic isn’t getting NATed properly.
• If pinging by IP works but not by name, the problem could be DNS-related (check DNS settings on VLAN 30 clients).

7. Access Control List (ACL):

Check whether you have any ACLs on the switch or router that might restrict internet access for VLAN 30.

8. DHCP (If Applicable):

If you’re using DHCP for VLAN 30, ensure that the router is providing the correct gateway and DNS information for clients on this VLAN.

Hi Maher

I currently have one NAT for VLAN 30 on the router, and that is "Destination: 10.0.30.0/24" and "Next hop: 10.0.10.254".
With this I have access to clients on VLAN30 from VLAN10, any other setting breaks the connection between VLAN10 and VLAN30.

Maybe I need to look for another router...