
Forum Discussion

hamajang
Aspirant
Nov 15, 2016
Solved

VLAN Internet Connection and Access To Another VLAN

Hello,

This is my first time setting up VLANs and I need help.  I have the following equipment and IP settings:

M6100 Chassis with XCM8944 Managed Switch

                Firmware Version 11.0.0.18

                IP Address: 19.67.0.2

                Subnet: 255.255.255.0

                Gateway: 19.67.0.1

This chassis/switch is connected to a cable modem which the ISP provided.  I manually set the IP address of the cable modem to be 19.67.0.1

 

I have successfully set up the VLANs and corresponding DHCP servers:

VLAN   Name            Description
1      Management      Network Admin, Switches, AP Controller, Access Points
10     Resources       Printers, Apple TV
20     VoIP            Future VoIP Network
30     Staff           LAN for Staff, Access to VLAN 10 Resources
40     Staff WLAN      WLAN for Staff, Access to VLAN 10 Resources
50     Student WLAN    WLAN for Students, Access to VLAN 10 Resources
60     Guest WLAN      WLAN for Guests, Internet only

 

VLAN   IP Range                     Subnet Mask      Gateway       Assigned IP
1      19.67.0.1 – 19.67.0.254      255.255.255.0    19.67.0.1     19.67.0.2
10     19.67.10.1 – 19.67.10.254    255.255.255.0    19.67.10.1    19.67.10.1
20     19.67.20.1 – 19.67.20.254    255.255.255.0    19.67.20.1    19.67.20.1
30     19.67.30.1 – 19.67.30.254    255.255.255.0    19.67.30.1    19.67.30.1
40     19.67.40.1 – 19.67.40.254    255.255.255.0    19.67.40.1    19.67.40.1
50     19.67.50.1 – 19.67.50.254    255.255.255.0    19.67.50.1    19.67.50.1
60     19.67.60.1 – 19.67.60.254    255.255.255.0    19.67.60.1    19.67.60.1

 

I left Port 1 to have all VLANs untagged, with PVID 1.  Connecting a laptop to this port via ethernet cable gives me an IP address of 19.67.0.xxx.  I can access the internet fine.  I can ping devices with an IP address of 19.67.0.xxx

 

I have configured Port 2 to have all VLANs untagged, with PVID 30.  Connecting a laptop to port 2 via ethernet cable gives me an IP address of 19.67.30.xxx.  I cannot access the internet at all.  I can ping devices from all VLANs.

 

HERE IS MY QUESTION:

I would like to connect a laptop to port 2 giving me an IP address within the range for VLAN 30 (19.67.30.xxx), be able to access the internet, and be able to access resources in VLAN 10.  How do I go about doing this?

 

Thank you in advance for your help.

 

  • Hi hamajang,


    Please add a named IP ACL such as "VLAN_60", or a numbered IP ACL in the range "101-199", on the page (Security>ACL>Advanced>IP ACL),
    because only advanced ACLs support extended rules to control the destination IP address.

    It's my bad that I missed this step.

     

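An added example, not part of the original thread and not NETGEAR's own configuration: a small Python model of why the reply above asks for an extended (destination-aware) IP ACL. The rule sets, the probe addresses, the external address 8.8.8.8 and the assumption that Staff may reach only VLAN 10 and the Internet are constructed from the poster's VLAN table; the tuples are neutral notation, not M6100 CLI syntax.

```python
import ipaddress

INTERNAL = "19.67.0.0/16"   # covers every VLAN subnet in the poster's table
ANY = "0.0.0.0/0"

# Constructed ingress rule sets per VLAN: (action, source, destination).
# First match wins; anything unmatched hits the implicit deny.
ACLS = {
    30: [("permit", "19.67.30.0/24", "19.67.10.0/24"),  # Staff -> Resources
         ("deny",   "19.67.30.0/24", INTERNAL),          # assumed: no other VLANs
         ("permit", "19.67.30.0/24", ANY)],              # Internet
    60: [("deny",   "19.67.60.0/24", INTERNAL),          # Guest: nothing internal
         ("permit", "19.67.60.0/24", ANY)],              # Internet only
}

def wildcard(cidr):
    """Inverse mask as extended ACL entries write it, e.g. /24 -> 0.0.0.255."""
    return str(ipaddress.ip_network(cidr).hostmask)

def evaluate(vlan, src, dst, match_destination=True):
    """Return 'permit' or 'deny' for a packet entering from `vlan`.

    match_destination=False models a basic (source-only) ACL, which cannot
    tell a packet for VLAN 10 from a packet for the Internet.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst in ACLS[vlan]:
        if s not in ipaddress.ip_network(rule_src):
            continue
        if not match_destination or d in ipaddress.ip_network(rule_dst):
            return action
    return "deny"  # implicit deny at the end of every ACL

def audit():
    """Check the intended policy with constructed probe packets."""
    probes = [  # (vlan, src, dst)
        (30, "19.67.30.25", "19.67.10.5"),   # staff laptop -> printer
        (30, "19.67.30.25", "19.67.50.9"),   # staff laptop -> student WLAN
        (30, "19.67.30.25", "8.8.8.8"),      # staff laptop -> Internet
        (60, "19.67.60.77", "19.67.10.5"),   # guest -> printer
        (60, "19.67.60.77", "8.8.8.8"),      # guest -> Internet
    ]
    return [evaluate(*p) for p in probes]

if __name__ == "__main__":
    print(audit())
    print(wildcard("19.67.60.0/24"))
```

Rule order matters: moving the deny for the internal range above the VLAN 10 permit in the VLAN 30 list would cut Staff off from the printers.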

11 Replies

  • Hi Hamajang,

     

    Welcome to the NETGEAR community!

     

    We have analyzed your concern carefully, so let me clear it up for you.

     

    For the 1st question,

     "I would like to connect a laptop to port 2 giving me an IP address within the range for VLAN 30 (19.67.30.xxx), be able to access the internet".

     

    First of all, I want to remind you that the cable modem must support the IP address NAT/PAT function to convert private IP addresses to public IP addresses.

    A default route needs to be configured on the M6100, with the cable modem as the destination next hop.

    Please ignore the above reminder if your IP addresses are all public for the Internet or a firewall stands ready in your topology.

     

    Let's begin my answer:

    All the clients which need to access the Internet should set the DNS server to 16.67.0.1 (the cable modem is the gateway).

    In VLAN 1,

    the GW and DNS (16.67.0.1) will be offered by the DHCP pool, but VLAN 30 will offer a wrong DNS (19.67.30.1).

    So please change the DNS server to 16.67.0.1 in every DHCP pool on all VLANs except 1.

     

    For the 2nd question, "be able to access resources in VLAN 10"

     

    The Private VLAN function, which is supported on the M6100 chassis switch, will help you control VLAN communication.

    Such as:

    VLAN 1 -> primary VLAN, could connect to VLAN 2/3/4, clients could talk with each other in this VLAN.

    VLAN 2 -> community VLAN, could connect to VLAN 1 and VLAN 3, clients could talk with each other in this VLAN.

    VLAN 3 -> community VLAN, could connect to VLAN 1 and VLAN 2, clients could talk with each other in this VLAN.

    VLAN 4 -> isolated VLAN, could connect to VLAN 1 only, clients can't communicate with each other in this VLAN.

     

     

    There are also three port types to control VLAN communication:

    • Promiscuous ports. These belong to a primary VLAN and can communicate with all interfaces in the private VLAN, including other promiscuous ports, community ports, and isolated ports.
    • Community ports. These ports can communicate with other community ports and promiscuous ports.
    • Isolated ports. These can ONLY communicate with promiscuous ports.

     

    Anyway, please refer to the M6100 manuals below for more details:

    M6100 Software Administration Manual (Software Version 11.x)

    -->page 54, private VLAN.

    M6100 Command Line Interface (CLI) User Manual (Software Version 11.x)

     

     

     

    Just a reminder: make the management connection alone to the M6100 during this VLAN deployment.

     


     

     

    Let us know if you have any new concerns.

     

    Regards,

    Daniel.

     

    • hamajang
      Aspirant

      Hello Daniel,

       

      Thank you for your reply.  Thank you also for steering me in the correct path.  I will be going on site to apply fixes later today.  I will let you know how I do.

       

      I also found this kb article:  https://kb.netgear.com/app/answers/detail/a_id/30818

       

      I will see what I can do with the existing router.  Worst case, I will have to purchase a router which can handle the separate VLANs I have created.

      I will also attempt to use ACLs to allow/deny access to other VLANs as well as access to the internet.

       

      Thanks again.

      • DanielZhang
        NETGEAR Expert

        Hi hamajang,

         

        It's a good way to add a new router for the separate VLANs' traffic forwarding.

        And an ACL will also perform the same function as private VLAN.

         

        Looking forward to your update.

         

        Regards,

        Daniel.

         

         
