
VLANs can't access internet

bluetiger20
Level 1

Greetings all - 

 

I have been attempting to find an existing discussion on here that would help me with this, or a YouTube video that could walk me through this - but unfortunately all I have found are the console commands and all I'm familiar with is the Web GUI.

 

I have 5 Cisco SG350s and 1 SG300. I have created 5 new VLANs and assigned static IPs for each of the 6 switches (except the SG300 because the Web GUI lacks the IPV4 interface). I have enabled the DHCP server on the 1st SG350 switch so it delegates IPs based on VLAN. Switch 1 is also the one connected to the gateway. All other switches are connected from there on ports 27/28 - all of those are trunk, all of those are members of all VLANs.

 

No idea what Access Mode Membership vs General Mode Membership vs Customer Mode membership means. I'm literally stumbling in the dark here.

 

My computer connected to the SG300 picked up the correct DHCP address based on the VLAN assigned to that port, so things are working as I'm expecting them to thus far.

 

But I need these VLANs to have internet access, and I'm not sure how to accomplish this through the web GUI.

 

I'm assuming this has something to do with creating a static route so the VLANs know how to hit the gateway, but my attempts to create this route have proven unsuccessful in granting internet access.

 

For example. VLAN 1 has a gateway of 192.168.1.254 with a /22 subnet. VLAN 4 has a /24 subnet in the 192.168.40.X range. Each of the 5 switches that I could assign a static IP to have IP addresses of 192.168.40.1/2/3/4/5 and the computer picked up from the DHCP server an IP of 192.168.40.7. I can ping all of these switches from the computer.

 

I made sure the port connecting Switch 1 to the gateway is in trunk mode, it's a member of all VLANs. I tried creating a static route of 192.168.40.0/24 and setting the next hop to 192.168.1.254. That didn't work.

 

I'm tearing my hair out. Any suggestions of what I'm missing and how to accomplish this in Web GUI? Thank you very much in advance.


Hello,

 

First of all, which device is doing the NAT? I assume you have added the subnets of the VLANs to the range of addresses to be translated?

The NAT is handled by the gateway, which, in this case, is the TPLINK. The TPLINK also serves as the DHCP server for VLAN1, while the CISCO switch handles the DHCP server for the 5 created VLANs.

 

I have not touched the TPLINK yet. Is this where my error lies? 

Hello,

 

Most likely. The TPLink needs to know about the subnets that want to access the Internet. Can the clients on the new VLANs ping the default gateway of VLAN 1 (which is the IP address of the TPLink)? And what is the exact TPLink model you have?

TL-ER6120.

So I wasn't able to ping the 192.168.1.254 gateway from the 192.168.40.X VLAN

So then, as you suggested, started digging into the Transmission on the gateway. Created a new static route of 192.168.40.0/24 with next hop as 0.0.0.0 on the LAN interface and boom - now I can ping the gateway.

 

Then I started thinking - OK great, it knows how to get to the gateway now, but what about traffic coming back in? 

 

So I went to the Multi-nets NAT and set up a new Multi-Nets NAT below the existing ones and used interface WAN1, source IP range 192.168.40.0/24

 

But still no dice. No internet on the computer. I'm still missing something here.

Hello,

 

Basically you need three things:

 

--> the Vlan 40 host needs to be able to ping the default gateway on the TPLink

--> the TPLink needs to be able to ping the Vlan 40 host

--> the TPLink needs a NAT entry for the Vlan 40 subnet

 

I guess you are on the right track. The Multi-Nats is definitely required. Check if the firewall on the TPLink might have access control enabled:

 

https://www.tp-link.com/us/configuration-guides/configuring_firewall/?configurationId=18571#configuring_access_control_2_4

Ah I see. Gateway can't ping 192.168.40.X - so there is my latest issue. Multi-Nets NAT only lets me choose a WAN interface, but not the LAN interface. 

 

No Access Control enabled. 

 

So what would the TPLINK or CISCO switch need to be able for the gateway to ping the 192.168.40.X VLAN? 

Hello,

 

On the TPLink, you need a static route towards 192.168.40.0/24 with the next hop being the interface that connects the TPLink to the SG300 (which I think should be a VLAN 1 IP address)...

 

https://www.tp-link.com/us/configuration-guides/configuring_transmission/?configurationId=18574#configuring_the_static_routing_6_1

Thank you for that link to the TP-LINK guide. I'm almost there.

 

Computer can ping gateway

Switch can ping gateway

Gateway can ping switch at its VLAN 40 IP and its VLAN 1 IP.

But

Gateway still can't ping computer at its VLAN 40 IP. 

 

Maybe there is something about the SG300 - which the computer is connected to - that is the issue. All the other SG350 switches have VLAN 40 static IPs but this SG300 does not (I'm not sure how to give it a static IP for the VLAN 40 IP range).

 

Maybe this is the last piece?

Hello,

 

The SG300 is doing the inter-VLAN routing, I assume?

Good morning - 

 

Not sure what Inter-VLAN routing is. Thought I'd just copy paste the running config from my SG350 - which is directly connected to the TPLINK gateway, and the SG300 - which is directly connected to the SG350 (via port 9 of the SG350) - and the computer is connected to Port 10 of the SG300.

 

Gateway can ping VLAN IP of SG350 (192.168.40.1)

Computer 192.168.40.7 can ping gateway 192.168.1.254

Gateway can't ping computer 192.168.40.1

Computer can ping anything on any VLAN (which I don't want it to)

Computer still can't get internet access

 

SG350:
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
vlan database
vlan 200,300,400,500,601,700
exit

.......

gvrp enable
ip dhcp server
ip dhcp pool network STI
address low 192.168.50.1 high 192.168.50.254 255.255.255.0
dns-server 1.1.1.1
exit
ip dhcp pool network Ross
address low 192.168.61.1 high 192.168.61.14 255.255.255.240
exit
ip dhcp pool network Cameras
address low 192.168.20.1 high 192.168.20.254 255.255.255.0
exit
ip dhcp pool network Servers
address low 192.168.40.1 high 192.168.40.254 255.255.255.0
dns-server 1.1.1.1
exit
ip dhcp pool network "IDT Pool"
address low 192.168.1.100 high 192.168.1.200 255.255.252.0
default-router 192.168.1.254
dns-server 1.1.1.1
exit
ip dhcp pool network Biometrics
address low 192.168.30.1 high 192.168.30.254 255.255.255.0
exit
bonjour interface range vlan 1

........

interface vlan 1
ip address 192.168.3.253 255.255.252.0
no ip address dhcp
!
interface vlan 200
name Cameras
ip address 192.168.20.1 255.255.255.0
no snmp trap link-status
!
interface vlan 300
name Biometrics
ip address 192.168.30.1 255.255.255.0
no snmp trap link-status
!
interface vlan 400
name Servers
ip address 192.168.40.1 255.255.255.0
no snmp trap link-status
!
interface vlan 500
name STI
ip address 192.168.50.1 255.255.255.0
no snmp trap link-status
!
interface vlan 601
name Ross
ip address 192.168.61.1 255.255.255.248
!
interface vlan 700
name Test

........

interface GigabitEthernet9
gvrp enable
spanning-tree link-type point-to-point
switchport mode trunk
switchport access vlan 400
switchport general pvid 400
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch

.........

interface GigabitEthernet25 <- Link to Gateway
switchport mode trunk
switchport general ingress-filtering disable
!

interface GigabitEthernet27
gvrp enable
spanning-tree link-type point-to-point
switchport mode trunk
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface GigabitEthernet28
gvrp enable
spanning-tree link-type point-to-point
switchport mode trunk
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch

 

_________________

SG300:

 

config-file-header
switch441a92
v1.4.11.5 / R800_NIK_1_4_220_026
CLI v1.0
set system mode switch

file SSD indicator excluded
@
vlan database
vlan 400
exit

gvrp enable

 

interface vlan 1
ip address 192.168.3.232 255.255.252.0
no ip address dhcp
!
interface vlan 400
name Servers
!
interface gigabitethernet1
gvrp enable
spanning-tree link-type point-to-point
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface gigabitethernet2
switchport mode access
!
interface gigabitethernet3
switchport mode access
!
interface gigabitethernet4
switchport mode access
!
interface gigabitethernet5
switchport mode access
!
interface gigabitethernet6
switchport mode access
!
interface gigabitethernet7
switchport mode access
!
interface gigabitethernet8
switchport mode access
!
interface gigabitethernet9
switchport mode access
!
interface gigabitethernet10
switchport mode access
switchport access vlan 400

.....

exit
ip default-gateway 192.168.1.254
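
An added check, not part of the original thread or of any Cisco tooling: this Python script parses a trimmed excerpt of the SG350 running-config posted above and lists, per DHCP pool, whether a `default-router` is configured, whether the pool range includes the switch's own VLAN interface address, and whether the pool and interface masks agree. The function name `audit` and the finding strings are illustrative assumptions.

```python
import ipaddress
import re

# Lines copied from the SG350 running-config posted above (trimmed excerpt).
CONFIG = """\
ip dhcp pool network Ross
address low 192.168.61.1 high 192.168.61.14 255.255.255.240
exit
ip dhcp pool network Servers
address low 192.168.40.1 high 192.168.40.254 255.255.255.0
exit
ip dhcp pool network "IDT Pool"
address low 192.168.1.100 high 192.168.1.200 255.255.252.0
default-router 192.168.1.254
exit
interface vlan 1
ip address 192.168.3.253 255.255.252.0
interface vlan 400
ip address 192.168.40.1 255.255.255.0
interface vlan 601
ip address 192.168.61.1 255.255.255.248
"""

def audit(config):
    """Return {pool name: [findings]} for each DHCP pool in a running-config."""
    pools, svis, cur = {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r'ip dhcp pool network "?([^"]+)"?$', line):
            cur = pools.setdefault(m[1], {"router": None})
        elif line in ("exit", "!") or line.startswith("interface"):
            cur = None  # left the pool block
        elif cur is not None and (m := re.match(r"address low (\S+) high (\S+) (\S+)", line)):
            cur.update(low=ipaddress.ip_address(m[1]),
                       high=ipaddress.ip_address(m[2]), mask=m[3])
        elif cur is not None and line.startswith("default-router "):
            cur["router"] = line.split()[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            svis.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}"))
    report = {}
    for name, p in pools.items():
        notes = [] if p["router"] else ["no default-router option in pool"]
        # Compare the pool with the VLAN interface whose subnet contains it.
        for svi in (s for s in svis if p["low"] in s.network):
            if p["low"] <= svi.ip <= p["high"]:
                notes.append(f"range includes switch address {svi.ip}")
            if str(svi.netmask) != p["mask"]:
                notes.append(f"pool mask {p['mask']} != interface mask {svi.netmask}")
        report[name] = notes
    return report
```

Calling `audit(CONFIG)` returns an empty list for "IDT Pool" and review items for the other two pools; the findings are observations about the posted config, not a confirmed cause of the missing internet access.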

bluetiger20
Level 1

Ah. While the computer can ping the gateway, the switch itself can't ping the gateway using its VLAN source IP. Maybe I still need to configure something on the CISCO switch?