FVS318Gv2 - Not NAT routing non-local subnet traffic to internet

> a. Since there is a static route on the FVS318Gv2 going to subnet B, have you configured a default route for subnet B to access the internet?

Yes there is a static (default) route on the layer-3 switch that points to the FVS318Gv2 (or the old WGR614v9) I stated this in my original post.

> b. Is the Layer 3 switch directly connected to the FVS318Gv2? It would be best if you post a screenshot of your detailed network diagram on how is everything connected.

Internet<--->CM400<--->FVS318Gv2<---subnet A--->GS116NA<--->layer-3 switch<---subnet B

The layer-3 switch is 10 ports. Ports 1-4 are on subnet B and 5-10 are on subnet A. 

>c. Are there any Access Control Lists configured on the Layer 3 switch? If yes, kindly try to disable it then check if there will be internet access for both subnet A and B.

There are no ACLs configured on the device (cisco SG300-10). Again, all I am doing is replacing a working WGR614v9 with the FVS318Gv2. I'm not changing anything in my configuration except for the router.

>d. Since you will just replace the WGR614v9 with an FVS318Gv2, have you tried to perform a factory reset on the FVS318Gv2 then reconfigure it from scratch?

Yes. I did a factory reset when I upgraded the firmware to version 4.3.3-6. 

One thing I failed to mention to keep things simple, is there is some limited communication to the internet from subnet B through the FVS318Gv2. Meaning I can nslookup, ping, traceroute and even get some limited TCP connections established. For example I can get the ftp-control (port 21) established to a FTP server on AWS, but as soon as a ftp-data (port 20) connection (e.g. for a directory listing) is established (i.e. syn, syn-ack, ack) packets after that are dropped. I'll see resets (TCP RST), lost sequence ACKs, etc. This tells me packets are being dropped. Using the packet capture feature on the FVS318Gv2 I have taken traces from both the WAN and the LAN and analyzed them with wireshark for ssh, http and ftp. All will get the initial TCP connection established, but after that packets are dropped. This proves that the low level IP forwarding/routing is setup correctly and it's the FVS318Gv2 that is dropping the packets for some reason. Again, my hypothesis is the forwarding logic for non-local subnet traffic is treated differently than local traffic. This behavior is seen in your newer consumer grade products  (e.g. WNR3500Lv2). But in that case all non-local subnet traffic is dropped. I went down this path with the WNR3500Lv2 and was told by Netgear Tech support that I needed a ProSAFE business class router, such as the FVS318Gv2 if I wanted this capability. This should be something that is easily reproducible and verified by engineering or tech support.

I noticed a feature called "LAN Multi-homing" on the FVS318Gv2. It says "If computers on your LAN use different IPv4 networks (for example, 172.124.10.0 or 192.168.200.0), you can add aliases to the LAN ports and give computers on those networks access to the Internet". I don't know if this applies but seems related. I tried adding subnet, which it didn't take and a specific address. For whatever reason, this blocked all traffic from that host to both the internet (meaning I couldn't even ping) and to subnet A.