Hello,

I am trying to add a public access point to a network. The access point will be open and I need it to be on a separate vlan than the rest of the network. Before this the network had no need for vlans. So there was no vlan configuration.

So I set ports fa0/2-23 on the switch to VLAN 10. The public access point is on port fa0/24 and I have set that port to vlan 20. This works as expected, every device (on this switch) on vlan 10 can ping eachother, but vlan 10 can't ping devices on the access point (vlan 20) and vice versa which is good. Thats what I want.

But here is where I am confused. The switch is connected to a router with port fa0/1. So I set the fa0/1 as a trunk port and configured it to accept all vlans. I set the native vlan as vlan 10 for the trunk port.

So now vlan 10 can ping the router but vlan 20 can't (both vlans are in the same subnet). I need both vlans to be able to ping the router and reach the internet.
Whichever vlan I set as the native on the trunk can ping just fine, and any other vlan can't.
 

Of course I can set up inter-vlan routing on the router with subinterfaces and both vlans can ping the router just fine, but this allows the vlans to also ping eachother. Im trying to keep "public" vlan 20 from being able to ping any devices on the "internal" vlan 10. So "inter" vlan routing is not really what I want.

The LAN is on subnet 172.16.7.x /26, im trying to keep both vlans on the same subnet.

Is there not a way to route both vlans without inter-vlan connectivity? 

Thanks in advance