oheymanns
Nov 26, 2018 Aspirant
M4300 Inter-VLAN routing not over default gateway
Hello Community, I need your help, please. Maybe this topic has already been discussed here, but unfortunately I have found nothing. I have two questions about the switch. 1. We have created 3...
- Nov 28, 2018
OK thank you very much. I believe it won't work per your requirements with current static routing. I would revert back to pure Layer 2 installation of your VLAN 12 and your VLAN 21. These two VLANs should not be "routing VLANs" anymore and all their traffic should be sent to your firewall straight. A trunk with all VLANs should go to your firewall and your firewall should act as the gateway for VLAN 12 and VLAN 21. This way, your firewall rules will function normally. schumaku do you think the same?
The switches' management VLAN 254 can remain a routing VLAN, in order to let all services function normally in the switch. I hope this helps -
oheymanns
Nov 26, 2018 Aspirant
Hello schumaku,
Thank you for your prompt reply.
No, the switch is the gateway for the PCs. Please see the attachment below.
oheymanns
Nov 26, 2018 Aspirant
The second picture is the packet capture of my SonicWall. You can see the ingress interface.
- schumaku Nov 26, 2018 Guru - Experienced User
Still correct - looks like the switch default gateway (configured along the management IP config) is on the VLAN 256. The fun of static routing. All traffic flowing out over one VLAN, over that one subnet with the (management, sigh...) IP network, and that network is on VLAN 256.
You seem to expect that the switch does inter-VLAN routing while keeping the "outgoing" traffic dedicated on each VLAN which is connected to the security appliance, do you?
- oheymanns Nov 27, 2018 Aspirant
No, I know the definition of the default route and I know that the switch does everything right. I am not expecting that the switch sends the traffic to a dedicated VLAN, but it would make my job easier if it worked.
If it does not work, then please answer the second question. How can I prevent the PCs from accessing the web interface?
THX!
- schumaku Nov 27, 2018 Guru - Experienced User
oheymanns wrote:
No, I know the definition of the default route and I know that the switch does everything right. I am not expecting that the switch sends the traffic to a dedicated VLAN, but it would make my job easier if it worked.
If it does not work, ...xxxx
I'm still confused.
What is "if it worked" and "if it does not work" here?
What test/ping is done on this Windows PC? Any routing between the switch connected and L3 routed subnets must work locally on the switch, undoubted.
The security appliance does receive the ICMP originating from the PC LAN interface on the VLAN 256 with a subnet different from the routing config for this very VLAN on some 192.168.0.x subnet, or this is another subnet on the security appliance as it says forwarded to 192.168.0.2. As this subnet isn't a part of the switch routing config, I state it's correct that the traffic is sent to the switch default gateway.
oheymanns wrote:
How can I prevent the PCs from accessing the web interface?
What is the relation of PCs to the switch management interface - in VLAN, in IP addresses, ....?
In general, I tend to put up outgoing ACLs from networks I don't want to grant access to the management VLAN, based on IP or based on the services run on the management network.
It's hard to provide community assistance based on very limited information. I'm not Netgear, further on I have no access to a crystal ball, too.