Forum Discussion
M4v3r1cK87
Jan 04, 2026, Aspirant
[MS108TUP] - Switching - VLAN and routing
Hello everyone, I have this network configuration: Firewall --> MS108TUP --> Access Point Wifi. The firewall and the AP are not Netgear products. I have a domotic house, so I've decided to separa...
schumaku
Jan 04, 2026, Guru - Experienced User
The firewall can only jump in on connections or sessions between -different- IP subnets, or between different zones.
M4v3r1cK87 wrote:
192.168.0.5 --> 192.168.0.6 directly
In this way the traffic is bypassing the firewall, because it remains at the "switch" level.
Yes, these two addresses are very likely in the same IP subnet and therefore in the same zone - so the behaviour is intentional.
Why oh why should the correct working L2 switch send some traffic through this firewall, as everything is in the same IP subnet?
Some firewall systems can be configured as a transparent firewall, also known as a bridge firewall: a Layer 2 application that installs easily into an existing network without modifying the Internet Protocol (IP) address. The transparent firewall is not a routed hop but instead acts as a bridge, inspecting and moving network frames between interfaces.
Needless to say, this traffic must flow directly through this bridge, i.e. the firewall.
M4v3r1cK87
Jan 05, 2026, Aspirant
Hi schumaku
I've configured the interface of the firewall as "VLAN" (not bridge); in this way the firewall creates a new network with its own DHCP server and subnet.
I think that everything passes through the firewall, because it is the firewall that "generates" the VLAN.
So, if the devices take their IP from the firewall, why does the traffic not pass through it also in "intra-VLAN"?
- StephenB, Jan 05, 2026, Guru - Experienced User
M4v3r1cK87 wrote:
So, if the devices take their IP from the firewall, why does the traffic not pass through it also in "intra-VLAN"?
The short answer is that this isn't working as you expect because the devices are on the same subnet.
The client devices only send their traffic to the router (the firewall in your case) when they are trying to reach a device on a different subnet. Otherwise, they send it directly to the MAC address of the destination device. The switch will then forward that traffic directly to the destination.
- schumaku, Jan 05, 2026, Guru - Experienced User
M4v3r1cK87 wrote:
I've configured the interface of the firewall as "VLAN" (not bridge); in this way the firewall creates a new network with its own DHCP server and subnet.
I think that everything passes through the firewall, because it is the firewall that "generates" the VLAN.
Two VLANs, and both are in the same IP subnet - reads like an illegal config for your unknown firewall (make, model, firmware), or in fact for any common router in general.
Such a firewall should not accept such a configuration - regardless of a device with a security zone concept like e.g. a ZyXEL - it can't deal with it, since at the end of the day it's a router and it can and will work as a basic router. So two IP networks with the same subnet and address range will never work...
- StephenB, Jan 05, 2026, Guru - Experienced User
schumaku wrote:
So two IP networks with the same subnet and address range will never work...
M4v3r1cK87: What you need to do is
- put all your IoT devices on a different VLAN from your "main" network devices
- use different subnets for the main network and the IoT network
This won't isolate IoT (or main network) devices from each other, but it will ensure that all traffic going between the two networks runs through the firewall.
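The forwarding decision StephenB describes, as an added example that is not part of the thread or of any NETGEAR product: a host hands a packet to its gateway only when the destination is off-subnet, otherwise the switch forwards it at Layer 2 and the firewall never sees it. Host names, VLAN ids and the gateway addresses are constructed; 192.168.0.5 and 192.168.0.6 are the addresses from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int                 # access VLAN of the switch port (constructed)
    iface: IPv4Interface      # address/prefix handed out by the firewall's DHCP
    gateway: IPv4Address      # firewall address on that VLAN (constructed)


def path(src: Host, dst: Host) -> str:
    """Return 'direct' (L2 only, firewall bypassed), 'firewall' (routed) or
    'unreachable'. Proxy ARP on the firewall is deliberately not modelled."""
    if dst.iface.ip in src.iface.network:
        # On-link destination: src ARPs for dst itself and the switch forwards
        # the frame inside the VLAN, so the firewall never inspects it.
        # If the same subnet is split across two VLANs the ARP gets no reply.
        return "direct" if src.vlan == dst.vlan else "unreachable"
    # Off-link destination: the frame is addressed to the gateway MAC, so the
    # firewall receives it and can apply its inter-zone policy.
    return "firewall"


# Setup from the thread: one VLAN, one subnet, intra-VLAN traffic is direct.
pc = Host("pc", 10, IPv4Interface("192.168.0.5/24"), IPv4Address("192.168.0.1"))
bulb = Host("bulb", 10, IPv4Interface("192.168.0.6/24"), IPv4Address("192.168.0.1"))

# Misconfiguration schumaku warns about: two VLANs sharing one subnet.
bulb_wrong_vlan = Host("bulb", 20, IPv4Interface("192.168.0.6/24"), IPv4Address("192.168.0.1"))

# StephenB's fix: IoT on its own VLAN *and* its own subnet, so the firewall
# sits in the path of every main <-> IoT flow.
bulb_iot = Host("bulb", 20, IPv4Interface("192.168.20.6/24"), IPv4Address("192.168.20.1"))

if __name__ == "__main__":
    for dst in (bulb, bulb_wrong_vlan, bulb_iot):
        print(f"{pc.iface.ip} -> {dst.iface.ip} (VLAN {dst.vlan}): {path(pc, dst)}")
```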
- M4v3r1cK87, Jan 05, 2026, Aspirant
Hello StephenB
It's already done, but my interest is to isolate the traffic between devices in the same VLAN. It seems that I need to create a "bridge" interface.