VLAN to WAN problem SG300

jflack1143788
Level 1

Hello there.

 

I am attempting to set up multiple VLANs at my church using two SG300-10-10PP managed switches.  However, after several attempts and searching the web for examples and instructions, only the default VLAN can access the Internet.  The other VLANs can ping each other, ping both switches, but can't ping the Comcast Gateway address 10.1.10.1.  I've tried to check and set up everything I read about, but this one thing eludes me.  I'm certain it's something crazy simple.  If you can, please help.

 

My setup is as follows:

Comcast Business Gateway (Office WiFi and primary DHCP router)
          |
   SG300 Switch-A (L3 Mode, in detached office building) > 2 Office computers, printer, private server and TP-Link OC200 AP Controller
          |
   SG300 Switch-B (L2 Mode, in main building) > 2 Computers and 5 TP-Link EAP245 APs

 

VLANs: 1 (default), 20 (DATA), 30 (Guest WiFi), 40 (private server), 101 (Management)

 

Both switches are running firmware 1.4.10.6.

 

On Switch-A, both computers and the printer are on VLAN 20, ports set to Untagged Access.  The AP controller is on VLAN 1, port set to Untagged Access.  The private server is a simple web tool and database we don't want accessible from anything except its own VLAN 40 and just one of the two office computers, port set to Untagged Access.  The Comcast Gateway's port is set as Trunk.  The Switch-B port is set as Trunk.

IPv4 Interface

Interface   IP Address Type   IP Address    Mask             Status
VLAN 20     Static            5.1.20.1      255.255.255.0    Valid
VLAN 30     Static            5.1.30.1      255.255.255.0    Valid
VLAN 40     Static            5.1.40.1      255.255.255.0    Valid
VLAN 101    Static            5.1.101.1     255.255.255.0    Valid
VLAN 1      Static            10.1.10.46    255.255.255.0    Valid

 

IPv4 Routes

Destination IP Prefix   Prefix Length   Route Type   Next Hop Router IP Address   Route Owner          Metric   Administrative Distance   Outgoing Interface
0.0.0.0                 0               Default      10.1.10.1                    Default              1        1                         VLAN 1
5.1.20.0                24              Local                                     Directly Connected                                      VLAN 20
5.1.30.0                24              Local                                     Directly Connected                                      VLAN 30
5.1.40.0                24              Local                                     Directly Connected                                      VLAN 40
5.1.101.0               24              Local                                     Directly Connected                                      VLAN 101
10.1.10.0               24              Local                                     Directly Connected                                      VLAN 1

 

On Switch-B, Computer 1 is on VLAN 20, port set to Untagged Access.  Computer 2 is on VLAN 30, port set as Untagged Access.  All five WiFi Access Points' ports are set to Trunk.  The port to Switch-A is set as Trunk.  I have 3 SSIDs which are set to different VLANs: SSID Private on VLAN 20, SSID Guest on VLAN 30 and SSID Server on VLAN 40 (only a few tablets use this SSID to access a database on the private server).

 

I also set up Static Routes on the Comcast Gateway:

Name       Destination IP   Subnet Mask      Gateway IP   Active
VLAN 20    5.1.20.0         255.255.255.0    10.1.10.46   Y
VLAN 30    5.1.30.0         255.255.255.0    10.1.10.46   Y
VLAN 40    5.1.40.0         255.255.255.0    10.1.10.46   Y
VLAN 101   5.1.101.0        255.255.255.0    10.1.10.46   Y

 

I've also been trying to set up ACLs to block the VLANs from talking to each other, but no success yet.  The only exception to that is one Office Computer (VLAN 20) needs access to the Private Server (VLAN 40).

Thanks for your help.


Hello,

 

the problem is most likely that the Comcast only translates (NAT) the default Vlan 1. The SG300 does not do NAT, so you will have to add all the other networks to be translated on the Comcast. What is the exact model you have? Try and access the WebGUI for the Comcast and see if you can find anything related to Network Address Translation, and if you can add additional networks...

Thanks for the reply Georg.

 

The Gateway is a Technicolor DPC3941B.  If I'm not mistaken, Technicolor is a Cisco brand?

There is indeed a NAT configuration menu.

[Screenshot: NAT.png]

 

I'm not sure how I would set up the address, but would the Gateway's IP, 10.1.10.1, be the Public Address and the VLAN IP be the Private Address?

If this fixes my problem, would I still need the Static Routes?

Hello,

 

10.1.10.1 is the local (not the public) IP address to be used to access the device. I checked the manual, and for this particular model, with the 'Disable All' checkbox unchecked, you should reboot the router and all devices attached.

 

I think the connection between the Comcast and the SG300 should be an access port, since you are not doing any inter-Vlan routing on the Comcast. So, make it an access port in Vlan 1 on both sides.

 

So, to sum it up, try the following steps:

 

1. Make the ports connecting the SG300 and the Comcast an access port in Vlan 1

2. Assign a default route on the SG300 pointing to the Comcast (if you haven't already done that)

3. Reboot the Comcast and check if any networks have been added to the Comcast under the Advanced --> Nat tab

4. If not, add the networks manually by using the 'Add New' button (you might also want to try this step first)...

I changed the SG300 to Comcast port from Trunk to Access, rebooted both switches and the gateway and checked the NAT screen.  NAT was still empty so I tried adding an entry.  I tried using the gateway’s WAN IP and a VLAN IP but an error message appeared saying “Public IP is in range of neither True Static IP subnet nor Additional Public Subnets.  Private IP is not in range of local network.”

I’m wondering if I need a router between the gateway and switch and set the gateway to bridge mode.  By the way, we don’t have Static IP service if that matters.

Hello,

 

the thing is: the Comcast will by default assign a 10.1.10.0/24 address to all LAN devices (that is probably what the Vlan 1 on the SG300 got as well), and NAT only this range.

 

Can you add additional local networks at all on the Comcast?

 

If you have another router that you can put in between the SG300 and the Comcast, and then put the Comcast in bridge mode, that would work as well.

 

PS: Or you can leave the Comcast as is, and use the router to do double NAT (which means you essentially NAT all your internal networks to the 10.1.10.0/24 address the Comcast assigns to the router).
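To make the accepted answer's reasoning concrete, here is an added illustration (not code from this thread or from Cisco): a small Python model of the poster's topology, with the SVIs and default route from the tables above, a gateway that source-NATs only its own local network, and a constructed ACL for the "one office PC may reach VLAN 40" goal. The addresses 5.1.20.10 (the permitted office PC) and 10.1.10.46 as the WAN address of an inserted router are assumptions.

```python
# Added illustration (not code from the thread): a small model of the poster's
# topology showing why only VLAN 1 reaches the Internet, and how the accepted
# answer's fixes (more NAT'd local networks, or double NAT) change that.
import ipaddress

# SG300-A in L3 mode: SVIs from the IPv4 Interface table and the default route.
SVIS = {1: "10.1.10.0/24", 20: "5.1.20.0/24", 30: "5.1.30.0/24",
        40: "5.1.40.0/24", 101: "5.1.101.0/24"}
DEFAULT_NEXT_HOP = "10.1.10.1"     # Comcast gateway (IPv4 Routes table)
INNER_ROUTER_WAN = "10.1.10.46"    # assumed WAN address of a router inserted
                                   # between the SG300 and the Comcast
ALLOWED_OFFICE_PC = "5.1.20.10"    # assumed address of the one office PC that
                                   # may reach the private server VLAN 40

def vlan_of(addr):
    """VLAN whose SVI subnet contains addr, or None (Internet destination)."""
    return next((v for v, n in SVIS.items()
                 if addr in ipaddress.ip_network(n)), None)

def acl_permits(src, dst):
    """Constructed ACL for the poster's goal: Internet-bound and same-VLAN
    traffic passes; across VLANs only the office PC may enter VLAN 40."""
    s, d = vlan_of(src), vlan_of(dst)
    return d is None or s == d or (d == 40 and str(src) == ALLOWED_OFFICE_PC)

def gateway_forward(src, nat_ranges):
    """The Comcast source-NATs only hosts inside its configured local networks."""
    if any(src in ipaddress.ip_network(r) for r in nat_ranges):
        return "forwarded to Internet"
    return "dropped at gateway: source outside every NAT'd local network"

def trace(src, dst, nat_ranges=("10.1.10.0/24",), double_nat=False, acl=False):
    """Return the fate of a packet from src to dst in this topology."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl and not acl_permits(src, dst):
        return "dropped by SG300 ACL"
    if (vid := vlan_of(dst)) is not None:   # directly connected: gateway not involved
        return f"routed on SG300 into VLAN {vid}"
    if double_nat:   # inner router rewrites the source before the Comcast sees it
        src = ipaddress.ip_address(INNER_ROUTER_WAN)
    return gateway_forward(src, nat_ranges)
```

One caveat the model does not show: the 5.1.x.0/24 ranges taken from the thread are not RFC 1918 private space, so once Internet access works, hosts on those VLANs will be unable to reach whatever public systems actually hold those addresses.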

I forgot to mention in my original post that I’m a novice at best concerning professional networking.  Please forgive me for my rookie questions.

 

I don’t know if I can add any additional local networks to the NAT because I’m not sure what information it’s looking for.

 

How would I set up a Double NAT?

 

EDIT:  I looked over your last post again and I see now what you meant by doing a double NAT.  You mean the gateway and the router would have their own NAT setup.

What I think would be the best solution now would be to purchase a router to place between Comcast and the switch.  Hopefully I'll be able to figure out setting up the router for VLAN's.  Thank you for your help and advice.

 

P.S.  I also figured out the ACL setup.
