tachyon_pulse (Aspirant)
Jan 27, 2015
Configuring static route
Device: FVS318N - Prosafe Wireless N VPN Firewall
Firmware Version : 4.3.1-22
I'm having problems getting a static route configured. I am logged into the router from 192.168.2.100 and from the CLI I execute the command:
show net routing static ipv4 setup
and get the following:
Name Destination Gateway Interface Metric Active Private
---- ----------- ------- --------- ------ ------- -------
test1 192.168.1.15 192.168.1.1 LAN 2 1 1
Then I try the following:
FVS318N> util ping 192.168.2.15
PING 192.168.2.15 (192.168.2.15): 56 data bytes
--- 192.168.2.15 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
FVS318N> util ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: seq=0 ttl=64 time=1.329 ms
64 bytes from 192.168.2.1: seq=1 ttl=64 time=0.966 ms
64 bytes from 192.168.2.1: seq=2 ttl=64 time=0.955 ms
64 bytes from 192.168.2.1: seq=3 ttl=64 time=0.936 ms
64 bytes from 192.168.2.1: seq=4 ttl=64 time=0.960 ms
--- 192.168.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.936/1.029/1.329 ms
FVS318N> util ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=1.397 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=0.997 ms
64 bytes from 192.168.1.1: seq=2 ttl=64 time=0.813 ms
64 bytes from 192.168.1.1: seq=3 ttl=64 time=0.808 ms
64 bytes from 192.168.1.1: seq=4 ttl=64 time=0.813 ms
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.808/0.965/1.397 ms
Why doesn't the static route work?
33 Replies
- adit (Mentor): First and foremost, detail every IP in the mix, and then where you are running the tests from.
- fordem (Mentor): There is insufficient detail in your post to answer any questions. We need to know what is connected where, we need to know what addresses the router interfaces are at - WAN, LAN, any VLANs - please also include subnet masks.
- RX (Luminary): Hi tachyon_pulse,
It would also be helpful if you could post a screenshot of your detailed network diagram. :)
- tachyon_pulse (Aspirant): Thanks, sorry for the delay in responding (work/life priorities). So here's a rough network diagram and what I ultimately want to accomplish:
Internet Router
|
Netgear FVS318N
|
|----- 192.168.1.0/24
|
|------192.168.2.0/24
|
|------192.168.3.0/24
|
|------192.168.4.0/24
192.168.1.0/24 would have shared printers and a NAS and should be accessible from 192.168.2.0/24 & 192.168.4.0/24
192.168.3.0/24 is for my 'Internet of things' devices; some connected via WiFi, some via RJ45. I'd prefer if each device on this segment not be able to see what else is on the same segment except for the gateway address 192.168.3.1 (to prevent them from detecting and interacting, but still behind a firewall).
- SamirD (Prodigy): VLANs may be a better way to implement the LAN segmenting you need.
Show us your static route configuration from the web interface. Remember that all the routes there work together and depend on the order for priority.
- tachyon_pulse (Aspirant): One question I have regards the check box for "Enable Inter VLAN Routing". When it is checked, does it immediately open that VLAN to all the other VLANs or does it just allow you to configure individual routes to that VLAN? Also, for it to work, does it have to be set on both the VLAN you want to access and the one you're accessing it from? Sorry if this is a dumb question, but I'm trying to understand any odd details.
- fordem (Mentor):
tachyon_pulse wrote: Thanks, sorry for the delay in responding (work/life priorities). So here's a rough network diagram and what I ultimately want to accomplish:
Internet Router
|
Netgear FVS318N
|
|----- 192.168.1.0/24
|
|------192.168.2.0/24
|
|------192.168.3.0/24
|
|------192.168.4.0/24
192.168.1.0/24 would have shared printers and a NAS and should be accessible from 192.168.2.0/24 & 192.168.4.0/24
192.168.3.0/24 is for my 'Internet of things' devices; some connected via WiFi, some via RJ45. I'd prefer if each device on this segment not be able to see what else is on the same segment except for the gateway address 192.168.3.1 (to prevent them from detecting and interacting, but still behind a firewall).
I have to assume that you're using VLANs on the FVS318n - or - at the very least you are "multi-homing" - you have assigned multiple ip addresses to the LAN interface.
With that assumption in mind - once interVLAN routing has been enabled, there would/should be no need to establish any static routes, the router will route between the "directly connected" networks - in fact - if interVLAN routing has been enabled, there appears to be no way to filter or restrict interVLAN access.
Regarding your "internet of things" - there's no way, at a network level, to prevent the individual devices from seeing one another on the network, you'll have to control access on the individual devices, through the use of firewalls or similar.
- tachyon_pulse (Aspirant): Yes, each of the segments are each separate VLANs (192.168.1-4.0/24). I am not multi-homing. I was uncertain about the implications of the "Enable Inter VLAN Routing" checkbox. Is it an all or nothing or does it just allow you to then configure specific routes? For my Internet of Things segment, I was hoping to achieve the equivalent of wireless client isolation for both wireless and wired nodes on that segment (client isolation feature is only for WiFi clients).
Question about your comment 'Regarding your "internet of things" - there's no way, at a network level, to prevent the individual devices from seeing one another on the network, you'll have to control access on the individual devices, through the use of firewalls or similar.' Is the FVS318N even capable of this? I would think that given the potential risk of putting some vendor's internet enabled black box appliance on your network that could be used as a spy or pivot point for network exploitation, isolating their visibility on the network would be desirable. I'm not paranoid because I've seen it done in penetration tests.
- fordem (Mentor):
tachyon_pulse wrote: Yes, each of the segments are each separate VLANs (192.168.1-4.0/24). I am not multi-homing. I was uncertain about the implications of the "Enable Inter VLAN Routing" checkbox. Is it an all or nothing or does it just allow you to then configure specific routes?
If you don't enable InterVLAN routing you won't be able to pass traffic between the VLANs, and as far as I can tell, it is all or nothing - one of the quirks about routers is that they "learn" the route between directly connected networks, meaning that you do not configure them - and there appears to be no way to create VLAN/VLAN rules to control the traffic - I had a discussion with support on this and it's being treated as feature request, but there is no guarantee that it will ever become a feature.
tachyon_pulse wrote: For my Internet of Things segment, I was hoping to achieve the equivalent of wireless client isolation for both wireless and wired nodes on that segment (client isolation feature is only for WiFi clients).
Question about your comment 'Regarding your "internet of things" - there's no way, at a network level, to prevent the individual devices from seeing one another on the network, you'll have to control access on the individual devices, through the use of firewalls or similar.' Is the FVS318N even capable of this? I would think that given the potential risk of putting some vendor's internet enabled black box appliance on your network that could be used as a spy or pivot point for network exploitation, isolating their visibility on the network would be desirable. I'm not paranoid because I've seen it done in penetration tests.
I have no doubt that what you are describing can be done, but, the first thing you need to do to protect your network is physically secure it - it is rapidly becoming standard enterprise practice to use some form of network access control to prevent users from connecting devices not approved by IT, but if IT approves such a device then it will connect and can potentially be used to snoop.
There are a multitude of ways to deal with these issues, but I doubt you will find them available at this price point.
- tachyon_pulse (Aspirant): Thank you for your reply. So if I understand, 1.) There isn't a way to create static routes that will allow me to share specific devices on my 192.168.1.0/24 with devices on 192.168.2.0/24 and 192.168.4.0/24, but not the 192.168.3.0/24. 2) Any VLAN with Inter VLAN Routing enabled will allow access from all VLANs without restriction. 3) Client isolation is only for WiFi connected clients and not wired connections. What if I put my 'Internet of Things' VLAN in the DMZ, then put something like a Sophos UTM home edition between my internet router and the FVS318N? Would that hide my internal network from the IOT devices?
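Added example, not part of any post in this thread and not NETGEAR code: a longest-prefix-match lookup over the four VLAN subnets from the diagram plus the `test1` route, illustrating fordem's point that a router already holds routes to its directly connected networks. The /24 connected entries, the /32 mask on `test1` and the VLAN names are assumptions; the sketch models route selection only, not the firewall or the inter-VLAN routing checkbox.

```python
import ipaddress

# Constructed from the thread's diagram: four VLAN subnets on the router.
# The VLAN names are hypothetical labels for this example.
CONNECTED = {
    "VLAN1": "192.168.1.0/24",
    "VLAN2": "192.168.2.0/24",
    "VLAN3": "192.168.3.0/24",
    "VLAN4": "192.168.4.0/24",
}
# The static route from the first post; the /32 host mask is an assumption
# because the CLI output shows no mask.
STATIC = [{"name": "test1", "dest": "192.168.1.15/32", "gateway": "192.168.1.1"}]


def build_table(connected, static):
    """Return a list of (network, source, next_hop) routing entries."""
    table = [(ipaddress.ip_network(n), f"connected:{v}", None)
             for v, n in connected.items()]
    table += [(ipaddress.ip_network(r["dest"]), f"static:{r['name']}",
               ipaddress.ip_address(r["gateway"])) for r in static]
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific matching entry wins."""
    addr = ipaddress.ip_address(dst)
    matches = [e for e in table if addr in e[0]]
    return max(matches, key=lambda e: e[0].prefixlen, default=None)


def redundant_static(connected, static):
    """Names of static routes whose destination is already on a connected subnet."""
    nets = [ipaddress.ip_network(n) for n in connected.values()]
    return [r["name"] for r in static
            if any(ipaddress.ip_network(r["dest"]).subnet_of(n) for n in nets)]


if __name__ == "__main__":
    table = build_table(CONNECTED, STATIC)
    for dst in ("192.168.2.15", "192.168.1.15", "192.168.3.20"):
        net, source, hop = lookup(table, dst)
        print(f"{dst:<14} -> {net} via {source} next-hop={hop}")
    print("redundant static routes:", redundant_static(CONNECTED, STATIC))
```

The ping to 192.168.2.15 resolves through the connected 192.168.2.0/24 entry, so `test1` is never consulted for it, and `test1` itself only points at a host the router can already reach directly.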