
Thread: Need VLAN Help

  1. #1 dsherer (Newbie, joined Nov 2020, 7 posts)

    Need VLAN Help

    I am new to VLANs but not to networking. I think I have everything set up right, but I am not getting the expected results. What I have is a physical network with an internal IP of 192.168.72.0/24. What I am trying to achieve is this:

    Untangle:
    External Interface Eth0 70.x.x.x (Sorry, it's late and I am too lazy to look it up lol)
    Internal Interface Eth1 192.168.72.1/24
    VLAN Interface Eth1.1 192.168.1.1/24 (Tagged VLAN 10)

    Cisco WRVS4400N Router:
    WAN Port Not Used
    Port 1 VLAN 1
    Port 2 VLAN 1
    Port 3 VLAN 1, VLAN 10
    Port 4 VLAN 1, VLAN 10

    The internal interface is plugged into Port 4 on the Cisco. Port 1 plugs into the 8-port generic switch, Port 3 plugs into my Linux box
    (see drawings below).

    What I am expecting is to see my Linux box get a DHCP address of 192.168.1.1XX.
    What I am getting is 192.168.72.1XX.

    With 192.168.72.1XX I can ping 192.168.1.2, which is the VLAN interface of the Untangle router, and get internet (easy enough to see why). But I cannot ping 192.168.1.1.

    If I set my Linux box to a static IP of 192.168.1.6/24 I can ping 192.168.1.1 but not 192.168.1.2, and I don't get internet.

    Obviously I have something wrong, but I am not sure what. I can use any help.

    Network Drawing(s)
    Network Setup With VLAN.png

    CISCO VLAN PORT MEMBERSHIP
    Screenshot from 2020-11-10 22-16-58.png
    Screenshot from 2020-11-10 22-18-47.png

    Untangle Interface Config
    Untangle Internal Interface.PNG
    Untangle Internal Interface DHCP Server.PNG

    Untangle VLAN interface Config
    See this post for next pics
    forums.untangle.com/networking/43877-need-vlan-help-cont.html#post247415
    Last edited by dsherer; 11-10-2020 at 10:44 PM.

  2. #2 Jim.Alles (Untangle Ninja, joined Jul 2008, Central PA, 2,469 posts)

    Welcome

    ...to Untangle, and the forums!

    From
    Quote Originally Posted by dsherer:
    forums.untangle.com/networking/43876-need-vlan-help.html

    Attachment 10787
    Attachment 10788
    Last edited by Jim.Alles; 11-11-2020 at 06:45 AM.

  3. #3 Jim.Alles (Untangle Ninja, joined Jul 2008, Central PA, 2,469 posts)

    Good Morning.
    I haven't had coffee, consider this at your own risk:

    1. dnsmasq is used in NGFW and it likes to calculate some things about subnets. Although it is not technically wrong to use the 192.168.100.2 address I don't see any compelling reason to avoid the convention, so I would recommend giving the .1 address to NGFW.

    2. Pick a single VLAN (like 10) for port ?/Linux box (your text says port 4, the diagram seems to show port 3, but which one is irrelevant) unless there is something to consider that you haven't mentioned.

    Disclaimer: I am not familiar w/ Cisco hardware, and did not even glance at those config screens.

    Thank you for the attached images.
    Last edited by Jim.Alles; 11-11-2020 at 06:49 AM.

  4. #4 soldier (Master Untangler, joined Nov 2018, 141 posts)

    I'm not familiar with Cisco either, but I think the VLAN port assignment is wrong. Try this:
    Tagged => port 1 (make sure Untangle is connected to this port)
    Untagged => port 3 (and 4 if you'll connect something later on that port which needs to be assigned to the 192.168.1.0 subnet)

    It doesn't matter from which port you connect the second switch as long as it is not a VLAN-assigned port. In your case 3 & 4. Use port 2 to connect the second switch.

    As Jim already mentioned, I would also assign .1 to your VLAN address.
    Last edited by soldier; 11-11-2020 at 10:29 AM.

  5. #5 dsherer (Newbie, joined Nov 2020, 7 posts)

    Quote Originally Posted by Jim.Alles:
    Good Morning.
    I haven't had coffee, consider this at your own risk:

    1. dnsmasq is used in NGFW and it likes to calculate some things about subnets. Although it is not technically wrong to use the 192.168.100.2 address I don't see any compelling reason to avoid the convention, so I would recommend giving the .1 address to NGFW.

    2. Pick a single VLAN (like 10) for port ?/Linux box (your text says port 4, the diagram seems to show port 3, but which one is irrelevant) unless there is something to consider that you haven't mentioned.

    Disclaimer: I am not familiar w/ Cisco hardware, and did not even glance at those config screens.

    Thank you for the attached images.

    Quote Originally Posted by soldier:
    I'm not familiar with Cisco either, but I think the VLAN port assignment is wrong. Try this:
    Tagged => port 1 (make sure Untangle is connected to this port)
    Untagged => port 3 (and 4 if you'll connect something later on that port which needs to be assigned to the 192.168.1.0 subnet)

    It doesn't matter from which port you connect the second switch as long as it is not a VLAN-assigned port. In your case 3 & 4. Use port 2 to connect the second switch.

    As Jim already mentioned, I would also assign .1 to your VLAN address.

    Thank you guys. I am at work now and won't be home for 7 or 8 hours. I will try it then and post back.

  6. #6 dsherer (Newbie, joined Nov 2020, 7 posts)

    Okay, I have finally had a chance to work on it and, again, thank you guys. I now have a better understanding of how this works. So now I have this configuration (sorry, no screenshots or drawings):

    Untangle:
    VLAN Interface Eth 1.1 IP: 192.168.1.1

    Cisco Router:
    IP: 192.168.1.3
    Port 1: 1 untag, 10 tag
    Port 2: 1 untag
    Port 3: 10 untag
    Port 4: 10 untag

    Untangle internal interface is plugged into Port 1 on the Cisco
    Cisco Router Port 2 goes back to the generic switch
    Linux box is on Port 4 with static IP: 192.168.1.6

    Ping stats are as expected:
    192.168.1.6 to 192.168.1.3 true
    192.168.1.6 to 192.168.1.1 true
    192.168.1.6 to 192.168.72.3 false
    192.168.1.1 to 192.168.1.6 true
    192.168.72.3 to 192.168.1.6 false

    Need to check the wireless on the Cisco now.

    So I just have one thing to do and one more problem.
    The one thing to do is get internet on VLAN 10.
    The one problem is when I set the Linux box to DHCP it gets an address of 192.168.2.100 (not expected; expected 192.168.1.100). This now becomes a problem as I need to work on IP phones for work and I need to have them on a 192.168.2.X network.
    Not sure how it is getting this address. The DHCP server in the Cisco is turned off. Any ideas?

    Edit:
    Problem solved. On the Cisco router I had a DHCP server active on VLAN 10 that I forgot about. After turning that off I could connect to the internet.

    But now I can ping from VLAN 1 to VLAN 10 and vice versa, not what I want.
    Last edited by dsherer; 11-11-2020 at 09:43 PM.
    Jim.Alles likes this.
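    To make the tagged/untagged distinction from posts #1, #4 and #6 concrete, here is a small 802.1Q port-membership model, added here as an illustration; it is not Cisco or Untangle code. The "corrected" map is the port table dsherer gives in #6. The "original" map is an assumption: post #1 lists ports 3 and 4 as "VLAN 1, VLAN 10" without saying which is untagged, so it is modelled as VLAN 1 untagged plus VLAN 10 tagged, which is the reading that reproduces the 192.168.72.1XX lease the Linux box actually received. Port numbers follow the thread (Untangle on port 4 and Linux on port 3 originally; Untangle on port 1 and Linux on port 4 after the change).

```python
# Toy model of 802.1Q port membership on a small managed switch.
# Added illustration, not the thread's or any vendor's code.
from dataclasses import dataclass, field


@dataclass
class Port:
    untagged: set = field(default_factory=set)  # VLANs carried without a tag (access side)
    tagged: set = field(default_factory=set)    # VLANs carried with an 802.1Q tag (trunk side)

    def pvid(self):
        # Assumption: one untagged VLAN per port, used as the port VLAN ID
        # that untagged ingress frames are assigned to.
        return next(iter(self.untagged)) if self.untagged else None

    def member_of(self, vlan):
        return vlan in self.untagged or vlan in self.tagged


# Post #1 layout (assumed reading of "VLAN 1, VLAN 10" on ports 3 and 4).
ORIGINAL = {
    1: Port(untagged={1}),                # generic 8-port switch
    2: Port(untagged={1}),
    3: Port(untagged={1}, tagged={10}),   # Linux box (sends untagged frames)
    4: Port(untagged={1}, tagged={10}),   # Untangle eth1 / eth1.1
}

# Post #6 layout: 1 untag + 10 tag on the uplink, 10 untag on access ports.
CORRECTED = {
    1: Port(untagged={1}, tagged={10}),   # uplink to Untangle eth1 / eth1.1
    2: Port(untagged={1}),                # generic 8-port switch
    3: Port(untagged={10}),
    4: Port(untagged={10}),               # Linux box, 192.168.1.6
}


def classify_ingress(switch, port_no, tag=None):
    """Return the VLAN an incoming frame is assigned to, or None if dropped."""
    port = switch[port_no]
    if tag is None:
        return port.pvid()                 # untagged frame -> port's PVID
    return tag if tag in port.tagged else None  # tagged frame must match a tagged membership


def forward(switch, ingress_port, tag=None):
    """Flood a broadcast (e.g. DHCP Discover) and return {egress_port: tag_or_None}.

    A port that is a tagged member re-tags the frame on egress; an untagged
    member strips the tag; a non-member never sees the frame.
    """
    vlan = classify_ingress(switch, ingress_port, tag)
    if vlan is None:
        return {}
    out = {}
    for no, port in switch.items():
        if no == ingress_port or not port.member_of(vlan):
            continue
        out[no] = vlan if vlan in port.tagged else None
    return out


if __name__ == "__main__":
    # Original: the Linux box's untagged DHCP Discover lands in VLAN 1 and
    # reaches Untangle's untagged eth1 -> a 192.168.72.x lease, as observed.
    print("original, Linux on port 3:", forward(ORIGINAL, 3))
    # Corrected: the same frame is placed in VLAN 10 and leaves the uplink
    # tagged 10, so only eth1.1 (192.168.1.1) answers it.
    print("corrected, Linux on port 4:", forward(CORRECTED, 4))
    # Corrected: VLAN 1 traffic from the generic switch never reaches ports 3/4.
    print("corrected, generic switch on port 2:", forward(CORRECTED, 2))
```

    The ping table in #6 follows from the same model: the two VLANs share no switch port, so 192.168.1.6 and 192.168.72.3 only ever meet through a router, which is exactly where a filter rule can keep them apart.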

  7. #7 Jim.Alles (Untangle Ninja, joined Jul 2008, Central PA, 2,469 posts)

    OK, so you want to block traffic between interfaces. There are options.
    The Firewall app is only capable of blocking TCP/UDP traffic (despite all of the check-boxen), but it will provide detailed reporting.
    The Filter Rules are capable of blocking everything, including ICMP.

    It is a trick of logic, but here is a screenshot for a suggestion to do this in a single filter rule:
    blocks Screenshot 2020-11-12 031716.png

    I use the firewall for TCP/UDP. Leave that Protocol Condition (exception) out of the rule to cover all of the bases in one filter rule.
    Last edited by Jim.Alles; 11-12-2020 at 02:00 AM.

  8. #8 dsherer (Newbie, joined Nov 2020, 7 posts)

    Unfortunately the rules didn't work. It is most likely on the Cisco router side.

  9. #9 Jim.Alles (Untangle Ninja, joined Jul 2008, Central PA, 2,469 posts)

    Show us a screenshot of the rules?

  10. #10 soldier (Master Untangler, joined Nov 2018, 141 posts)

    I do it according to the KISS rule.
    Source interface is Any Non-WAN
    Destination interface is Any Non-WAN
    Action=Block
    All internal interfaces don't see each other. Especially useful if you later add more interfaces. And you can build it from here. If you need access to some interface or IP address, just add a rule for it, and what is more important, this allow rule should always be above this block rule.
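    The two points in this reply and in #7 (ordered first-match evaluation with the allow rule above the block, and a protocol condition that silently leaves ICMP unmatched) are easy to get wrong, so here is a small rule evaluator added as an illustration. It is not Untangle's engine; the rule fields, the interface names eth0 (WAN), eth1 and eth1.1 (non-WAN) and the sample packets are constructed for the example, using the 192.168.1.6 and 192.168.72.3 hosts from the thread.

```python
# Toy first-match evaluator for interface-based block/pass rules.
# Added illustration; not Untangle's implementation. Field names are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Set

WAN = {"eth0"}                  # constructed: external interface
NON_WAN = {"eth1", "eth1.1"}    # constructed: internal interface and VLAN 10 interface


@dataclass
class Packet:
    src_if: str
    dst_if: str
    proto: str        # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str


@dataclass
class Rule:
    action: str                         # "block" or "pass"
    src_ifs: Set[str]                   # source interface condition
    dst_ifs: Set[str]                   # destination interface condition
    protos: Optional[Set[str]] = None   # None = any protocol (no protocol condition)
    dst_ip: Optional[str] = None        # None = any destination address

    def matches(self, p: Packet) -> bool:
        return (p.src_if in self.src_ifs
                and p.dst_if in self.dst_ifs
                and (self.protos is None or p.proto in self.protos)
                and (self.dst_ip is None or p.dst_ip == self.dst_ip))


def evaluate(rules: List[Rule], p: Packet, default: str = "pass") -> str:
    """Walk the list top to bottom; the first matching rule decides.

    Unmatched traffic falls through to the default, so a rule whose
    conditions never match (e.g. a TCP/UDP-only rule seeing ICMP) blocks nothing.
    """
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# #10's KISS rule: Any Non-WAN -> Any Non-WAN, Block.
BLOCK_INTERNAL = Rule("block", NON_WAN, NON_WAN)
# #7's caveat: a rule limited to TCP/UDP never sees ICMP.
BLOCK_TCP_UDP_ONLY = Rule("block", NON_WAN, NON_WAN, protos={"tcp", "udp"})
# The kind of exception #10 describes: one host reachable across VLANs.
ALLOW_ONE_HOST = Rule("pass", NON_WAN, NON_WAN, dst_ip="192.168.72.3")

# Constructed sample traffic.
PING_VLAN10_TO_LAN = Packet("eth1.1", "eth1", "icmp", "192.168.1.6", "192.168.72.3")
WEB_VLAN10_TO_LAN = Packet("eth1.1", "eth1", "tcp", "192.168.1.6", "192.168.72.3")
WEB_VLAN10_TO_WAN = Packet("eth1.1", "eth0", "tcp", "192.168.1.6", "203.0.113.5")


def kiss_only(p: Packet) -> str:
    return evaluate([BLOCK_INTERNAL], p)


def tcp_udp_only(p: Packet) -> str:
    return evaluate([BLOCK_TCP_UDP_ONLY], p)


def allow_above_block(p: Packet) -> str:
    return evaluate([ALLOW_ONE_HOST, BLOCK_INTERNAL], p)


def allow_below_block(p: Packet) -> str:
    # Same two rules, wrong order: the block matches first and the exception is dead.
    return evaluate([BLOCK_INTERNAL, ALLOW_ONE_HOST], p)


if __name__ == "__main__":
    print("KISS rule, ping VLAN10->LAN:", kiss_only(PING_VLAN10_TO_LAN))        # block
    print("KISS rule, web VLAN10->WAN:", kiss_only(WEB_VLAN10_TO_WAN))          # pass
    print("TCP/UDP-only rule, ping:", tcp_udp_only(PING_VLAN10_TO_LAN))         # pass (ICMP unmatched)
    print("allow above block, web to host:", allow_above_block(WEB_VLAN10_TO_LAN))  # pass
    print("allow below block, web to host:", allow_below_block(WEB_VLAN10_TO_LAN))  # block
```

    A rule set like this only governs traffic that actually transits the box running it; if inter-VLAN traffic is being routed elsewhere, as dsherer suspects of the Cisco in #8, no ordering on Untangle will change the result.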
