Forum Discussion
oheymanns
Nov 26, 2018 (Aspirant)
M4300 Inter-VLAN routing not over default gateway
Hello Community, I need your help, please. Maybe this topic has already been discussed here, but unfortunately I have found nothing. I have two questions about the switch. 1. We have created 3...
- Nov 28, 2018
OK thank you very much. I believe it won't work per your requirements with current static routing. I would revert back to pure Layer 2 installation of your VLAN 12 and your VLAN 21. These two VLANs should not be "routing VLANs" anymore and all their traffic should be sent to your firewall straight. A trunk with all VLANs should go to your firewall and your firewall should act as the gateway for VLAN 12 and VLAN 21. This way, your firewall rules will function normally. schumaku do you think the same?
The switches' management VLAN 254 can remain a routing VLAN, in order to let all services function normally in the switch. I hope this helps -
schumaku
Nov 26, 2018 (Guru - Experienced User)
Still correct - looks like the switch default gateway (configured along the management IP config) is on the VLAN 256. The fun of static routing. All traffic flowing out over one VLAN, over that one subnet with the (management, sigh...) IP network, and that network is on VLAN 256.
You seem to expect that the switch does inter-VLAN routing while keeping the "outgoing" traffic dedicated on each VLAN which is connected to the security appliance, do you?
oheymanns
Nov 27, 2018 (Aspirant)
No, I know the definition of the default route and I know that the switch does everything right. I am not expecting that the switch sends the traffic to a dedicated VLAN, but it would make my job easier if it worked.
If it does not work, then please answer the second question. How can I prevent the PCs from accessing the web interface?
THX!
- schumaku, Nov 27, 2018 (Guru - Experienced User)
oheymanns wrote:
No, I know the definition of the default route and I know that the switch does everything right. I am not expecting that the switch sends the traffic to a dedicated VLAN, but it would make my job easier if it worked.
If it does not work, ...xxxx
I'm still confused.
What is "if it worked" and "if it does not work" here?
What test/ping is done on this Windows PC? Any routing between the switch connected and L3 routed subnets must work locally on the switch, undoubted.
The security appliance does receive the ICMP originating from the PC LAN interface on the VLAN 256 with a subnet different from the routing config for this very VLAN on some 192.168.0.x subnet, or this is another subnet on the security appliance as it says forwarded to 192.168.0.2. As this subnet isn't a part of the switch routing config, I state it's correct that the traffic is sent to the switch default gateway.
oheymanns wrote:
How can I prevent the PCs from accessing the web interface?
What is the relation of PCs to the switch management interface - in VLAN, in IP addresses, ....?
In general, I tend to put up outgoing ACLs from networks I don't want to grant access to the management VLAN, based on IP or based on the services run on the management network.
It's hard to provide community assistance based on very limited information. I'm not Netgear, further on I have no access to a crystal ball, too.
- oheymanns, Nov 27, 2018 (Aspirant)
Sorry for the confusion and thank you for your time.
The PC is on VLAN 21 with the IP 10.21.21.100 and pings a device on the SonicWall with a separated network. The Netgear switch is on mgmt V254 and sends all outgoing traffic over V254 to my SonicWall. But the destination IP is not important; the source VLAN254 that the SonicWall receives is the problem. I would prefer if the switch would send the traffic not over VLAN254 but over VLAN21 to the SonicWall. If I understood you correctly, that will not work.
The PC on VLAN21 can open the web interface on 10.21.21.240. How can I deny the access?
- schumaku, Nov 27, 2018 (Guru - Experienced User)
Let's try to call in LaurentMa here. On one hand ref an ability to configure just inter-VLAN L3 routing for attached networks but keeping a plain L2 LAN-local default gateway & as well a user friendly KB on how to protect the management port/L3 router LAN IP from access by direct connected devices. I know there are a few KB entries, but it's more than cryptic for the average network admin. Merci LaurentMa 8-)
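As an added illustration (not code from the thread, NETGEAR or any poster), the model below reproduces the two points argued above: the longest-prefix route lookup that sends the PC's traffic out via the default route on the management VLAN, versus the accepted answer's pure-L2 design where the firewall is the gateway and receives the frame on VLAN 21; and an ingress ACL of the kind schumaku describes, denying VLAN 21 hosts access to the switch's own web interface on 10.21.21.240. Only the VLAN 21 addresses come from the thread; the VLAN 12 and VLAN 254 subnets and the ACL ports are assumptions.

```python
# Added example: a model of the M4300 static-routing decision and of an ingress ACL
# protecting the management interface. Not switch configuration; run it offline.
from ipaddress import ip_address, ip_network

# Route table as (prefix, egress VLAN). The 0.0.0.0/0 default route points at the
# firewall through the management VLAN, which is the setup the thread describes.
ROUTING_VLANS = [
    (ip_network("10.21.21.0/24"), 21),     # from the thread: PC 10.21.21.100, switch 10.21.21.240
    (ip_network("10.12.12.0/24"), 12),     # assumed subnet for VLAN 12
    (ip_network("10.254.254.0/24"), 254),  # assumed management subnet
    (ip_network("0.0.0.0/0"), 254),        # default gateway lives on VLAN 254
]

def egress_vlan(routes, dst):
    """Longest-prefix match: the most specific route wins, the default route last."""
    dst = ip_address(dst)
    matches = [(net.prefixlen, vlan) for net, vlan in routes if dst in net]
    return max(matches)[1] if matches else None

def firewall_sees_vlan(pc_vlan, dst, switch_routes):
    """VLAN on which the firewall receives the packet.
    With routing VLANs the switch forwards and its route table decides; with the
    pure-L2 design of the accepted answer the PC's gateway is the firewall itself,
    so the frame arrives on the PC's own VLAN."""
    if switch_routes is None:  # L2 only: the switch makes no routing decision
        return pc_vlan
    return egress_vlan(switch_routes, dst)

# Ingress ACL for the VLAN 21 interface: (action, source net, destination host or None
# for any, destination ports or None for any). Denies the web UI on the switch's
# VLAN 21 address (ports assumed), permits everything else, implicit deny at the end.
MGMT_ACL_VLAN21 = [
    ("deny", ip_network("10.21.21.0/24"), ip_address("10.21.21.240"), {80, 443}),
    ("permit", ip_network("0.0.0.0/0"), None, None),
]

def acl_permits(acl, src, dst, dport):
    """First matching rule decides; no match means the packet is dropped."""
    src, dst = ip_address(src), ip_address(dst)
    for action, src_net, dst_host, dports in acl:
        if src in src_net and (dst_host is None or dst == dst_host) \
                and (dports is None or dport in dports):
            return action == "permit"
    return False
```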