Can't access outside world from any VLAN

Joshua Schaeffer · ‎03-05-2013

Hey Guys, very new to networking and looking for some help. I've been trying to learn more about networking and am a hands on learner, so I bought an SG300 managed switch to setup my home lab. I've setup several VLANs successfully (at least as far as I can tell), assigned all the ports on the switch to their respective VLANs, and have at least one server and/or workstation attached to each VLAN. Below is the general layout of each VLAN and a diagram:

VLAN / Device	IP Address / IP Range
Gateway Router	10.1.8.1
SG-300 Managed Switch	10.1.8.2
VLAN 100 (Default)	10.1.8.0/24
VLAN 10 (Public)	10.1.12.0/25
VLAN 11 (Public Data)	10.1.12.64/26
VLAN 20 (Secure)	10.1.11.0/24
VLAN 30 (Internal)	10.1.10.0/25
VLAN 31 (Internal Server)	10.1.10.32/27
VLAN 32 (Internal Client)	10.1.10.64/26
VLAN 90 (WiFi and Print)	10.1.15.0/24

The gateway router and switch fall under VLAN 100, the default VLAN. The problem i'm experiencing is I can't get to the internet from any of my VLANs except the default. However, all interVLAN routing seems to be working successfully. I've performed the following tests:

1. I can ping the gateway of any VLAN from that VLAN

2. I can ping the gateway of any VLAN from a different VLAN

3. I can ping any server or workstation on the same VLAN (a.k.a. two servers under the same VLAN)

4. I can ping any server or workstation on a different VLAN (a.k.a. two server each under a different VLAN)

5. I can ping the switch (10.1.8.2) from any VLAN

6. I can ping any gateway and any active server/workstation on any VLAN from the switch (10.1.8.2)

7. I can not ping the gateway router (10.1.8.1) from any VLAN except 100

8. I can not ping any gateway or active server/workstation from the gateway router (10.1.8.1) - however I just realized I didn't try pinging a server on the default VLAN from the gateway router. I'm assuming this will work.

I also have not tried pinging the gateway router (10.1.8.1) from the switch (10.1.8.2). I guess I could try these when I get home.

Where should I start looking to correct this problem? And detailed steps/explanations would be appreciated, as, again, I am very new to all of this. I also do not mind constructive criticism about my network layout.

Thanks,

Joshua

Gregory Snipes · ‎03-05-2013

I would speculate that you have not set a default route in the multi-layer switch. You would do this by:

STEP 1 Click IP Configuration > IPv4 Routes.

The IPv4 Static Routes page appears.

STEP 2 Click Add. The Add IP Static Route page appears.

STEP 3 Enter values for the following fields:

• Destination IP Prefix—0.0.0.0

• Mask—0.0.0.0

• Next Hop Router IP Address—10.1.8.1

Abzal · ‎03-05-2013

Hi Joshua,

I think you need to add static routes to each of the subnets on the router.

Like:

ip route 10.1.12.0 255.255.255.128 10.1.8.2

and static routes for all other subnets you have.

Hope it will help.

Best regards,
Abzal

Best regards,
Abzal

Gregory Snipes · ‎03-05-2013

Yes, also this.

You could simplify by summarizing "ip route 10.1.0.0 255.255.0.0 10.1.8.2" since the directly connected route on the router will take precedence over the static.

Joshua Schaeffer · ‎03-05-2013

I do have a static route setup to the gateway router (0.0.0.0/0 10.1.8.1), but I do not have static routes setup for each VLAN. I will definitely try this.

Thanks,

Joshua

Joshua Schaeffer · ‎03-05-2013

So I tried adding the following routes and am getting error messages. I've tried this from both the web portal and through the console cable

switch(config)#ip route 10.1.12.0 255.255.255.0 10.1.8.2

Gateway cannot be one of the addresses configured on this device

switch(config)#ip route 10.1.12.1 255.255.255.0 10.1.8.2

IP mask does not cover the destination address

switch(config)#ip route 10.1.8.0 255.255.248.0 10.1.8.2

Gateway cannot be one of the addresses configured on this device

switch(config)#ip route 10.1.8.1 255.255.248.0 10.1.8.2

IP mask does not cover the destination address

switch(config)#ip route 10.1.0.0 255.255.0.0 10.1.8.2

Gateway cannot be one of the addresses configured on this device

switch(config)#ip route 10.1.0.1 255.255.0.0 10.1.8.2

IP mask does not cover the destination address

Abzal · ‎03-05-2013

Hi,

Those routes need to added on the router not on the switch. Router needs to know how to forward packets back to source of the packet.

Sent from Cisco Technical Support iPhone App

Best regards,
Abzal

Joshua Schaeffer · ‎03-05-2013

Thanks Abzal, didn't realize they needed to be added to the actual router. I should be able to get to this in a couple hours.

Joshua Schaeffer · ‎03-05-2013

So, I think i'm getting closer. I setup the following static route (and only this static route) on the router to start with. This is for VLAN 32 which has an IP of 10.1.10.64/26:

Destination IP: 10.1.10.64, Mask: 255.255.255.192, Gateway IP: 10.1.8.2

I can now ping the gateway router at 10.1.8.1 from a server on VLAN 32, but I still can't ping anything past that. I ran a traceroute to one of google's servers from the server on VLAN 32 and I get this:

traceroute to 74.125.225.209 (74.125.225.209), 30 hops max, 60 byte packets

1 10.1.10.65 (10.1.10.65) 0.957ms 1.528ms 2.111ms

2 10.1.8.1 (10.1.8.1) 0.487ms 1.344ms 1.701ms

3 * * *

4 * * *

5 * * *

....

If I run the same traceroute from a computer on VLAN 100 I get the following:

Tracing route to den03s06-in-f17.1e100.net [74.125.225.209]

over a maximum of 30 hops:

1 <1ms <1ms <1ms 10.1.8.1

2 78ms 23ms 16ms 96.80.128.1

3 11ms 25ms 10ms te-8-4-ur10.orem.ut.utah.comcast.net [68.85.39.9]

....

11 24ms 23ms 23ms den03s06-in-f17.1.e.100.net [74.125.225.209]

I can ping Google's IP address from both the gateway router (10.1.8.1) and the switch (10.1.8.2)

Thanks,

Joshua

Abzal · ‎03-05-2013

Hi,

Ok, I see. Can you provide information about model of the router?

Hope it will help.

Best regards,
Abzal

Best regards,
Abzal

Joshua Schaeffer · ‎03-05-2013

Sure no problem. It's just the router that my ISP provided for me (Comcast). It's model number is: SMCD3G-CCR

http://www.smc.com/index.cfm?event=viewProduct&localeCode=EN_USA&cid=2&scid=20&pid=1678

Here is the information I pulled off of its web portal:

Initilization Procedure
Vendor Name	SMC Networks
Hardware Version	1.01
Serial Number	H21030004AA1
Firmware Version	1.4.0.49.7-CCR
Operating Mode	RG
System Uptime	000 days 01h:11m:00s
Date	Mar-5-2013
Time	21:49:23

Local Settings
Gateway IP Address	10.1.8.1
Subnet Mask	255.255.255.0
DHCP Server	Disabled
IP Range (start)	10.1.8.10
IP Range (end)	10.1.8.199

Let me know if you need additional info.

Thanks,

Joshua

Abzal · ‎03-05-2013

You may check if there any access rule configured under "Firewall-->Access Control" on the router that may restrict access for another subnets. If yes, you can either add subnets that need access to the Internet or just remove the rule. If it still do not work then try to disable a firewall on the router.

Then it should be working. Are you getting public IP from ISP by DHCP? PPPoE?

http://www.smc.com/files/AV/SMCD3G_Cable_Modem_Gateway_UserManual.pdf

Hope it will help.

Best regards,
Abzal

Best regards,
Abzal

Joshua Schaeffer · ‎03-05-2013

Hmm, I actually don't have that option under "Firewall". Their screen shots of the web portal are quite different then what I have, I'm wondering if my firmware version isn't the latest. I'll look into this.

Either way, I've deleted/disabled any and all firewall rules I could find and that didn't change anything.

I have a set of static public IP's provided by my ISP.

Abzal · ‎03-05-2013

Joshua, I think the best way is to involve Comcast technical support. As they provided you that router.

Hope it will help.

Best regards,
Abzal

Best regards,
Abzal

jhovik157 · ‎09-09-2014

I have a very similar problem with that exact router and switch. Did you find a solution that works for you?