GS510TLP inter vlan

Hello, 

Everything you said made sense, except I do not know why Nighthawk would not forward the WAN traffic to the other VLANs unless it has to be VLAN aware?

Yes, the Nighthawk is on the latest version of firmware, V1.0.3.54_1.1.37. 

Is there a name for this certain feature I need on a router to support what I want to do, does Netgear offer a wireless router with feature?

Do I need a router which is interVlan Aware for this to work?

Thanks again, so close now.

Hey,

Yes, it is indeed a good question why the Nighthawk does not forward that traffic correctly.

The Nighthawk does not need to be VLAN aware for this to work. This is one of the reasons they give you static routes :). Also, if the Nighthawk had to be VLAN aware for this to work, then it would not work either with just LAN traffic - but it does! You can sit in VLAN 20 or VLAN 30 and ping 192.168.1.1 - i.e. the static routes work for LAN only traffic. They should work equally for Internet traffic coming back, as well!

You might not realise, but the setup your are doing here is extremely common in all sorts of businesses. It's very common practise to do what you are doing. It is not like we are making some fiddly work-around (though it might seem like it) :).

There is even a Netgear article about it. You can see that it is the same you are doing (except the article highlights some extra stuff, like ACLs and DHCP server). But the core setup is exactly the same:
https://kb.netgear.com/30818/How-to-configure-routing-VLANs-on-a-NETGEAR-managed-switch-with-shared-internet-access

So, it cannot be a question of whether the Nighthawk has to be VLAN aware or not.

You do not have another router we can use for a test? Any brand will do I'd say?

If not, then I think you should do a packet capture (I can explain how to) to 100% confirm my theory. If it proves correct - then raise it with Netgear support. It is not a case of "getting a router that can do this". All routers should be able do what you need. Simple static routes :)

Cheers!

Hello,

OK, I have downloaded Wireshark, please tell me what you want me to do.  I have not used Wireshark before. walk me through it.

thank you,

Hey,

What you are interested in, is this simple question: "When I send traffic from VLAN 20 or VLAN 30, to the Internet, is the switch forwarding that traffic to the Nighthawk?"

Subsequently, you want to know: "If yes, does the traffic come back from the Nighthawk?". It should!

So, to approach this you want to examine the traffic running between the switch and the Nighthawk - in other words the traffic on port 2. In order to capture that traffic, you can use something called port mirror. All switches would have that feature. Basically, you can instruct the switch to copy all ingoing and outgoing traffic on a certain port, to another port. This is very useful in your case.

Essentially, one port is the mirrored port (the port we want to capture traffic from) and one port will be the probe (where we are mirroring to). Let's use port 2 as the mirrored port and port 7 as the probe. I think port 7 is free?
Port mirror is easy to setup. Here is the manual (page 398-400): http://www.downloads.netgear.com/files/GDC/GS418TPP/GS418TPP-GS510TLP-GS510TPP_UM_EN.pdf
You want the source port (mirrored port) to be port 2 and the destination port (probe port) to be port 7. Please make sure the mirror direction is set to "Tx and Rx". We want to see both transmitted and received packets on port 2.

When that is done, you are ready.

1. Plug your PC (with Wireshark installed) into port 7.

2. Start the Wireshark packet capture. Make sure the capture is set to capture packets on the wired NIC as that is the NIC that connects to the switch :)

3. Once the capture is running, you are likely to see various things populate here. In fact, if you don't see packets populate soon enough, the capture is wrong. There can be a lot of packets! However, you are only interested in a few specific ones (the pings). In Wireshark, you can set a filter option using the bar at the top. In that bar type (or copy/paste):
ip.addr==192.168.1.1 || ip.addr==8.8.8.8 && icmp
and hit "Enter".
This filter will look for packets to/from ip 192.168.1.1 or 8.8.8.8 and only find pings. The screen will now show no packets, after you hit "Enter". That is OK. You haven't generated any packets matching the filter - yet.

4. Once the capture is running, we make a test. Let's use the PC in VLAN 30. Start a ping from the PC in port 8. Ping 192.168.1.1. You should see pink coloured packets starting to show in Wireshark.

5. Now, ping 8.8.8.8 from the same VLAN 30 PC. Again, you should see some more pink packet populate.

6. Once those pings are done, take a screenshot of your Wireshark screen, just showing the pink packets. Don't include the stuff below those pink packets as it shows your mac address and it is not needed anyway. Then post the screenshot here.

NOTE: When a port is set to port mirror mode, it is no longer a normal port. It is exclusively a probe port. Turn off port mirror mode to make port 7 a normal port again - whenever you are done.

Thanks!

Hello Hoschen,

My capture is not working and I am not sure what is configured wrong.

I added a PC to the VLAN20 on port 7 at the IP address of 172.16.20.98, I then went to the PC at IP address of 192.168.77.135 on VLAN 30 and did both pings.  Here is my screen shot of Wireshark, nothing there. I am not getting any errors. 

Hey,

I can't see your screenshot yet. But Did you setup the port mirror as well? To mirror port 2, to port 7?

Yes, the mirroring was turned on, mirror from Port 2 to Port 7

---

mrmabmn wrote:

Yes, the mirroring was turned on, mirror from Port 2 to Port 7

 

OK, I am seeing packets, but the filter does not capture anything while pinging

 

I have tried ip.addr==192.168.1.1 || ip.addr==8.8.8.8 && icmp and (ip.addr==192.168.1.1||ip.addr==8.8.8.8) && icmp, here are two screen shots, the first without filter, the second with the filter (ip.addr==192.168.1.1||ip.addr==8.8.8.8) && icmp, I have an ongoing ping from the computer on VLAN30

 

---

Hi,

It looks like the traffic you see (without any filter) is indeed VLAN 99 traffic, meaning that the port mirror is working.

You said that you tried to ping and saw nothing in wireshark. Did the ping work, from the PC in VLAN 30 (port 8)? It should work to 192.16.1.1 (and not work to 8.8.8). So, when you pinged 192.168.1.1 - did you get reply?

Try instead a less restrive filter. Type: icmp
and hit "Enter"

Then ping 192.168.1.1 and 8.8.8.8 (respectively) from the VLAN 30 PC.

As a control test, also take a PC in VLAN 99 (port 3-4) and ping 192.168.1.1 and 8.8.8.8 (respectively) - just to see if wireshark on PC in port 7 picks it ups.

And of course let wireshark run, while you are pinging. Ping at the same time as wireshark captures. I think that is what you did already?

Cheers

Good day Hopchen,

Sorry about the lack of detail, the ping to 192.168.1.1 from VLAN30 was successful, but nothing was visible on wireshark.  The ping to 8.8.8.8 from VLAN30 was NOT successful, again nothing visible on wireshark.

I set the filter to icmp only, and pinged both 192.168.1.1 and 8.8.8.8 from VLAN30 and nothing was visible on wireshark. The ping to 192.168.1.1 was successful, the ping to 8.8.8.8 was NOT successful.

Pinging 192.168.1.1, 192.168.1.250, and 8.8.8.8 from a computer on the VLAN99 (192.168.1.x) with the wireshark filter set to icmp on Port 7 was successful to each address; however NOTHING was visible on Wireshark.

Hi,

Hmmm....

You are pinging correctly, so that is good. We should see that traffic is wireshark.

I am wondering why Wireshark is not picking it up. I think your port mirror is OK.

Do a quick control test.

- Plug the PC in port 7, into port 6 (still VLAN20).
- Start wireshark capture on that PC, with the filter: icmp
- Then Ping 172.16.20.250 and 192.168.1.1 and 8.8.8.8.

Do you see anything in Wireshark. If not, you must be capturing with the wrong interface. Also try and see if you see the pings with no filter on.

Let me know.

Thanks

Hello,

I moved the wireshark PC from port 7 to port 6. I successfully pinged 192.168.1.1 and 172.16.20.250, but was not successful pinging 8.8.8.8 from that PC. I have attached a screen shot of the ping results which are visible in the ICMP filter of Wireshark.  So yes, the wireshark is working, and I am getting results with the wireshark on port6.

Hi,

Thanks for that! So, Wireshark is running correctly and you are capturing using the correct interface. That is good!

Maybe it is the port mirror then afterall. Can you do a screenshot of the port mirror page? So I can see the setup you did?

Thanks!

GS510TLP mirror configurationSure, I should have done this originally.

Hey,

Yeah, that looks good as well. I wonder why Wireshark is not picking anything up???

Can you check that "promiscuous" is enabled in Wireshark? Go to "Capture" --> "Options" --> make sure the box is ticked for: "Enable promiscuous mode on all interfaces".

Can we try again with the capture in port 7 - doublechecking that promiscuous is enabled in Wireshark?

I really have a hard time understanding what is wrong here, why the capture is not working when plugged into port 7??? If that still does not work, I need to try and see if I can somehow "break" my port mirror to make it act yours! Cause I really don't see why this is not working.

Is the switch on the latest fw? Sorry if I asked already, long thread, lol.

Here is a trace from VLAN30, to 8.8.8.8, 192.168.1.1, 172.16.20.250 with the wireshark PC on port 7. The only ping which was not successful from the VLAN30 is the ping to IP address 8.8.8.8.

My switch was on firmware revision 6.6.2.6 it is now at 6.6.2.8

Here is a better wireshark capture of the ping from VLAN30 computer to 192.168.1.1, 172.16.20.250, and 8.8.8.8.  There was no successful ping on 8.8.8.8

Hi again,

Thank you for those screenshots! The port mirror is working now :)

So, it basically just confirms what I thought was the issue: the Nighthawk.

The packet capture clearly shows that if a VLAN 30 device (or VLAN 20 device for that matter - would be the same result) pings the LAN interface of the Nighthawk (192.168.1.1) then the Nighthawk uses its static routes to find the way back to the PC. However, for some reason, the Nighthawk is not using those static routes when Internet traffic returns.

The switch does its job = sends the traffic the Nighthawk, but some traffic never returns. This not an issue on the switch or with your config :)

The packet capture was really just to prove the theory. I am sorry I cannot help you further because I cannot explain why the Nighthawk won't use the configured static routes for the return of Internet traffic.

You have a clear case here now. My suggestion is to raise this to Netgear and let them see why this behaviour happens.

Please keep us posted. Interesting case. Good luck and thanks for co-operation!

Good morning,

 I appreciate ALL OF YOUR HELP and PATIENCE.

You have validated my configuration and verified everything for me.  I will reach out to Netgear about the Nighthawk and see why the static routes are not working.   I could not have completed this without your help. Thank you.

Have a good one.

Hey again,

No problem at all :)

And do please keep us updated. Will be interesting to see what happens next!

Have a good weekend. Cheers!