09-14-2019 04:33 PM
Hello there.
I am attempting to set up multiple VLANs at my church using two SG300-10-10PP managed switches. However, after several attempts and searching the web for examples and instructions, only the default VLAN can access the Internet. The other VLANs can ping each other and ping both switches, but can't ping the Comcast Gateway address 10.1.10.1. I've tried to check and set up everything I read about, but this one thing eludes me. I'm certain it's something crazy simple. If you can, please help.
My setup is as follows:
Comcast Business Gateway (Office WiFi and primary DHCP router)
|
SG300 Switch-A (L3 Mode, in detached office building) > 2 office computers, printer, private server and TP-Link OC200 AP Controller
|
SG300 Switch-B (L2 Mode, in main building) > 2 computers and 5 TP-Link EAP245 APs
VLANs: 1 (default), 20 (DATA), 30 (Guest WiFi), 40 (private server), 101 (Management)
Both Switches running firmware 1.4.10.6
On Switch-A, both computers and the printer are on VLAN 20, ports set to Untagged Access. The AP controller is on VLAN 1, port set to Untagged Access. The private server is a simple web tool and database we don't want accessible from anything except its own VLAN 40 and just one of the two office computers; its port is set to Untagged Access. The Comcast Gateway's port is set as Trunk. The Switch-B port is set as Trunk.
IPv4 Interface
| Interface | IP Address Type | IP Address | Mask | Status |
|---|---|---|---|---|
| VLAN 20 | Static | 5.1.20.1 | 255.255.255.0 | Valid |
| VLAN 30 | Static | 5.1.30.1 | 255.255.255.0 | Valid |
| VLAN 40 | Static | 5.1.40.1 | 255.255.255.0 | Valid |
| VLAN 101 | Static | 5.1.101.1 | 255.255.255.0 | Valid |
| VLAN 1 | Static | 10.1.10.46 | 255.255.255.0 | Valid |
IPv4 Routes
| Destination IP Prefix | Prefix Length | Route Type | Next Hop Router IP Address | Route Owner | Metric | Administrative Distance | Outgoing Interface |
|---|---|---|---|---|---|---|---|
| 0.0.0.0 | 0 | Default | 10.1.10.1 | Default | 1 | 1 | VLAN 1 |
| 5.1.20.0 | 24 | Local | Directly Connected | | | | VLAN 20 |
| 5.1.30.0 | 24 | Local | Directly Connected | | | | VLAN 30 |
| 5.1.40.0 | 24 | Local | Directly Connected | | | | VLAN 40 |
| 5.1.101.0 | 24 | Local | Directly Connected | | | | VLAN 101 |
| 10.1.10.0 | 24 | Local | Directly Connected | | | | VLAN 1 |
On Switch-B, Computer 1 is on VLAN 20, port set to Untagged Access. Computer 2 is on VLAN 30, port set as Untagged Access. All five WiFi Access Point ports are set to Trunk. The port to Switch-A is set as Trunk. I have 3 SSIDs which are set to different VLANs: SSID Private on VLAN 20, SSID Guest on VLAN 30 and SSID Server on VLAN 40 (only a few tablets use this SSID to access a database on the private server).
I also set up Static Routes on the Comcast Gateway
| Name | Destination IP | Subnet Mask | Gateway IP | Active |
|---|---|---|---|---|
| VLAN 20 | 5.1.20.0 | 255.255.255.0 | 10.1.10.46 | Y |
| VLAN 30 | 5.1.30.0 | 255.255.255.0 | 10.1.10.46 | Y |
| VLAN 40 | 5.1.40.0 | 255.255.255.0 | 10.1.10.46 | Y |
| VLAN 101 | 5.1.101.0 | 255.255.255.0 | 10.1.10.46 | Y |
I've also been trying to set up ACLs to block the VLANs from talking to each other, but no success yet. The only exception to that is one Office Computer (VLAN 20) needs access to the Private Server (VLAN 40).
Thanks for your help.
09-15-2019 01:03 AM
Hello,
the problem is most likely that the Comcast only translates (NAT) the default Vlan 1. The SG300 does not do NAT, so you will have to add all the other networks to be translated on the Comcast. What is the exact model you have? Try and access the WebGUI for the Comcast and see if you can find anything related to Network Address Translation, and if you can add additional networks...
09-15-2019 10:30 AM
Thanks for the reply Georg.
The Gateway is a Technicolor DPC3941B. If I'm not mistaken, Technicolor is a Cisco brand?
There is indeed a NAT configuration menu.
I'm not sure how I would set up the address, but would the Gateway's IP, 10.1.10.1, be the Public Address and the VLAN IP be the Private Address?
If this fixes my problem, would I still need the Static Routes?
09-15-2019 11:46 AM
Hello,
10.1.10.1 is the local (not the public) IP address to be used to access the device. I checked the manual, and for this particular model, with the 'Disable All' checkbox unchecked, you should reboot the router and all devices attached.
I think the connection between the Comcast and the SG300 should be an access port, since you are not doing any inter-Vlan routing on the Comcast. So, make it an access port in Vlan 1 on both sides.
So, to sum it up, try the following steps:
1. Make the ports connecting the SG300 and the Comcast an access port in Vlan 1
2. Assign a default route on the SG300 pointing to the Comcast (if you haven't already done that)
3. Reboot the Comcast and check if any networks have been added to the Comcast under the Advanced --> Nat tab
4. If not, add the networks manually by using the 'Add New' button (you might also want to try this step first)...
09-15-2019 12:53 PM
I changed the SG300 to Comcast port from Trunk to Access, rebooted both switches and the gateway and checked the NAT screen. NAT was still empty so I tried adding an entry. I tried using the gateway’s WAN IP and a VLAN IP but an error message appeared saying “Public IP is in range of neither True Static IP subnet nor Additional Public Subnets. Private IP is not in range of local network.”
I’m wondering if I need a router between the gateway and switch and set the gateway to bridge mode. By the way, we don’t have Static IP service if that matters.
09-15-2019 01:40 PM - edited 09-15-2019 01:46 PM
Hello,
the thing is: the Comcast will by default assign a 10.1.10.0/24 address to all LAN devices (that is probably what the Vlan 1 on the SG300 got as well), and NAT only this range.
Can you add additional local networks at all on the Comcast?
If you have another router that you can put in between the SG300 and the Comcast, and then put the Comcast in bridge mode, that would work as well.
PS: Or you can leave the Comcast as is, and use the router to do double NAT (which means you essentially NAT all your internal networks to the 10.1.10.0/24 address the Comcast assigns to the router).
09-15-2019 02:19 PM - edited 09-15-2019 05:28 PM
I forgot to mention in my original post that I’m a novice at best concerning professional networking. Please forgive me for my rookie questions.
I don’t know if I can add any additional local networks to the NAT because I’m not sure what information it’s looking for.
How would I set up a Double NAT?
EDIT: I looked over your last post again and I see now what you meant by doing a double NAT. You mean the gateway and the router would have their own NAT setup.
What I think would be the best solution now would be to purchase a router to place between Comcast and the switch. Hopefully I'll be able to figure out setting up the router for VLANs. Thank you for your help and advice.
P.S. I also figured out the ACL setup.
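The two things this thread turns on, the gateway only NATing its own 10.1.10.0/24 LAN range (so the SG300's other VLANs never get out) and the inter-VLAN isolation with a single exception that the original post asks about, are easy to reason about with a small model. The following is an added example written for this thread, not code from the poster, Cisco or Comcast; it models the topology described above with Python's standard `ipaddress` module. The host addresses 5.1.20.10, 5.1.20.50, 10.1.10.2 and 8.8.8.8 are constructed for the example, as is the intermediate router doing the second NAT.

```python
"""Model of the thread's topology: an SG300 in L3 mode routing between VLANs,
a Comcast gateway that only NATs its own LAN range, and an optional router in
between doing a second NAT (the "double NAT" option). Illustrative model only."""
import ipaddress
from dataclasses import dataclass

# VLAN prefixes as the poster listed them on the SG300
VLANS = {
    1: ipaddress.ip_network("10.1.10.0/24"),
    20: ipaddress.ip_network("5.1.20.0/24"),
    30: ipaddress.ip_network("5.1.30.0/24"),
    40: ipaddress.ip_network("5.1.40.0/24"),
    101: ipaddress.ip_network("5.1.101.0/24"),
}
GATEWAY_LAN = VLANS[1]                          # the only range the gateway NATs by default
GATEWAY_IP = ipaddress.ip_address("10.1.10.1")  # SG300's default route next hop
ROUTER_WAN_IP = ipaddress.ip_address("10.1.10.2")  # constructed: LAN-side address a middle router would get
INTERNET = ipaddress.ip_address("8.8.8.8")         # constructed external destination
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def vlan_of(addr):
    """Return the VLAN ID whose prefix contains addr, or None."""
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None


def gateway_forward(pkt, extra_nat_ranges=()):
    """Comcast gateway: translate and forward only if the source is in a NATed range."""
    nat_ranges = (GATEWAY_LAN, *extra_nat_ranges)
    if any(pkt.src in net for net in nat_ranges):
        return "forwarded (NAT)"
    return "dropped (source not in NAT range)"


def path_to_internet(src, double_nat=False, extra_nat_ranges=()):
    """Trace a packet from an inside host toward the Internet; last hop says if it got out."""
    pkt = Packet(src, INTERNET)
    vid = vlan_of(pkt.src)
    if vid is None:
        return ["dropped: source is in no configured VLAN"]
    hops = [f"SG300: VLAN {vid} -> default route 0.0.0.0/0 via {GATEWAY_IP}"]
    if double_nat:
        # A router between the SG300 and the gateway rewrites every internal source
        # to its own 10.1.10.x address, which the gateway is willing to NAT.
        pkt = Packet(ROUTER_WAN_IP, pkt.dst)
        hops.append(f"router: source NAT to {ROUTER_WAN_IP}")
    hops.append("gateway: " + gateway_forward(pkt, extra_nat_ranges))
    return hops


def reaches_internet(src, **kw):
    return path_to_internet(ipaddress.ip_address(src), **kw)[-1].endswith("(NAT)")


# Inter-VLAN policy from the original post: VLANs 20/30/40 isolated from each other,
# except one office computer (constructed address) that must reach the server VLAN.
OFFICE_PC = ipaddress.ip_network("5.1.20.10/32")
ISOLATED = [VLANS[20], VLANS[30], VLANS[40]]
ACL = [
    (OFFICE_PC, VLANS[40], "permit"),   # office PC -> server VLAN
    (VLANS[40], OFFICE_PC, "permit"),   # replies: switch ACLs are stateless, so allow both ways
]
ACL += [(s, d, "deny") for s in ISOLATED for d in ISOLATED if s != d]
ACL.append((ANY, ANY, "permit"))        # explicit permit-any; otherwise the implicit deny wins


def acl_decision(src, dst):
    """First matching rule wins, top-down; unmatched traffic hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in ACL:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


if __name__ == "__main__":
    for host, opts in [("10.1.10.46", {}), ("5.1.20.50", {}),
                       ("5.1.20.50", {"double_nat": True}),
                       ("5.1.20.50", {"extra_nat_ranges": (VLANS[20],)})]:
        print(host, opts, "->", " | ".join(path_to_internet(ipaddress.ip_address(host), **opts)))
    for s, d in [("5.1.20.10", "5.1.40.5"), ("5.1.40.5", "5.1.20.10"),
                 ("5.1.20.11", "5.1.40.5"), ("5.1.30.7", "8.8.8.8")]:
        print(f"ACL {s} -> {d}: {acl_decision(s, d)}")
```

The model reproduces what the poster saw: a VLAN 1 host gets out, a VLAN 20 host does not, and either adding the 5.1.x.0/24 ranges to the gateway's NAT or putting a second NAT router in front of it fixes the path. The ACL half shows the two points that usually trip up the first attempt: a permit for the office computer to the server VLAN needs a matching permit in the reverse direction because the switch does not track connections, and a final permit-any rule has to be explicit or the implicit deny also blocks the Internet-bound traffic you meant to allow.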