Routing between VLAN's

[tescophil]

Hi,

Just been setting up some VLAN's today to segregate IoT devices and Guest network access from the main network.

So I have one physical internal interface (the untagged VLAN), and two child VLAN's tags 20 and 30. This single interface is attached to a small netgear GS105Ev2 switch with one untagged port going to my main ethernet switch, one to my IOoT WiFi AP and one to my Guest WiFi AP.

internal 192.168.10.x
IoT VLAN 192.168.20.x
Guest VLAN 192.168.30.x

So, everything looks like is working OK apart from devices on the main Internal network (192.168.10.x) cannot access any of the devices on the other VLANs, whereas all devices attached to both VLANs can access any device on the Internal (192.168.10.x) network.

The behaviour I wanted was all three networks to be segregated, apart from being able to access both VLAN WiFi AP's from the internal network. I set up some filter rules to do this, but when they didn't work I turned then all off to try an workj out what was happening.

I can turn on the filter rules to segregate the VLANS and this works, i.e. I can no longer access devices on the Internal network from the VLAN's. I also have another rule that explicitly allows access to the VLAN WiFi AP's from the internal network, but this does nothing.

Turning off all the filter rules turns back on access from VLAN to Internal, but I still can get the access to work from the Internal network to the VLANS eg. I want to browse to the Guest WiFi AP config page at 192.168.30.10, but I just get no response...

Any ideas ?

Thanks.
Phil.

[sky-knight]

Every interface is a separate thing that needs tested and configured separately.

By default, Untangle prevents NOTHING, so if you have any blocking happening at all, I'd figure that out first, because it probably means a fundamental issue you need to resolve to make everything else make sense.

After that, you're free to make rules to prevent access or to allow it. I suggest the firewall module to do this, beware however, the firewall like all rack applications only processes TCP and UDP traffic, therefore you cannot use PING to test, because PING WILL PASS. The firewall will give you nice logs as to what's blocked when so you can troubleshoot. The filter can control more stuff, but if you over match you have issues and no logs to read.

[tescophil]

So, I'm not using the firewall rules for this reason, instead I'm using the filter rules under network config which will prevent PING messages etc.

My issues is that I know Untangle should prevent NOTHING by default, but it is..., its preventing traffic going from my internal network to the VLAN's. I cant see how I could have misconfigured my external VLAN switch to create this behaviour, so it must be untangle blocking the traffic...

Any suggestions as to where to look ?

If I do a traceroute on the IP of each WiFi AP under the diagnostics tab in network config I get this


Sun Feb 24 2019 22:48:31 GMT+0000 (Greenwich Mean Time) - Test Started
traceroute to 192.168.20.10 (192.168.20.10), 30 hops max, 60 byte packets
1 fourseasons_iot (192.168.20.10) 0.571 ms 0.717 ms 0.828 ms
Test Successful
Sun Feb 24 2019 22:48:33 GMT+0000 (Greenwich Mean Time) - Test Completed

--------------------------------------------------------

Sun Feb 24 2019 22:48:53 GMT+0000 (Greenwich Mean Time) - Test Started
traceroute to 192.168.30.10 (192.168.30.10), 30 hops max, 60 byte packets
1 fourseasons_guest (192.168.30.10) 1.414 ms 1.496 ms 1.673 ms
Test Successful
Sun Feb 24 2019 22:48:54 GMT+0000 (Greenwich Mean Time) - Test Completed

--------------------------------------------------------


So it appears to have a route, but I still only get one way traffic

Thanks.

[abailey]

So on your Netgear GS105Ev2 the port you connect to Untangle is Untagged in VLAN1 and Tagged in VLAN 20 and 30 right?

[tescophil]

Yes, exactly

So, the switch is cofigured like this..

Port 1 Trunc port to Untangle, VLAN1 Untagged, VLAN20 & 30 Tagged, PVID 1
Port 2 to main switch Untagged VLAN1 PVID1
Port 3 to IoT AP Untagged VLAN20, PVID 20
Port 4 to Guest AP Untagged VLAN30, PVID 30

Like I said, I don't think there is any way I could misconfigure the VLAN switch config to produce this behaviour....

[deleted_account+152373@untangle.com]

I am not familiar with Netgear switches at all but check that the switch is not Isolating the vlakns, as I am sure on a TP-Link switch using PVID it isolates the ports

[tescophil]

The VLANS are of course isolated at the switch level, that's the whole point, it's up to Untangle to route traffic between all the LANs. The purpose of the PVID is to tag untagged traffic coming into that port with the PVID VLAN ID. Thus traffic coming from my WiFi AP's gets tagged with the correct VLAN ID before being sent to the Trunc port that Untangle sits on.

[rauder]

Perhaps you should recheck your Interface settings - a simple way to isolate traffic between VLANS would be to NAT the traffic by enabling the 'IPv4 Options' - NAT traffic coming from this interface (and bridged peers).

[deleted_account+152373@untangle.com]

Well, something must be wrong on the switch side or your config. I have multiple VLANs (UBNT switches) and all work fine, Untangle routs fine between VLANs.

[tescophil]

Well, something must be wrong on the switch side or your config. I have multiple VLANs (UBNT switches) and all work fine, Untangle routs fine between VLANs.

'Something' is not particularly helpful in this context. The setup on the VLAN switch is very simple, you can assign ports for each VLAN ID to be Tagged, Untagged or blank. You then assign a PVID for each of the ports you want tagged with that ID for incoming traffic...

I'll say again, I don' t see any way to mis-configure the switch settings in order to produce this behaviour, but maybe I'm missing _something_, I just wanted some pointers as to what the _something_ might be.