Device: FVS318N - Prosafe Wireless N VPN Firewall Firmware Version : 4.3.1-22
I'm having problems getting a static route configured. I am logged into the router from 192.168.2.100 and from the CLI I execute the command: show net routing static ipv4 setup
and get the following:
Name Destination Gateway Interface Metric Active Private ---- ----------- ------- --------- ------ ------- ------- test1 192.168.1.15 192.168.1.1 LAN 2 1 1
There is insufficient detail in your post to answer any questions.
We need to know what is connected where, we need to know what the addresses the router interfaces are at - WAN, LAN, any VLANs - please also include subnet masks.
192.168.1.0/24 would have shared printers and a NAS and should be accessible from 192.168.2.0/24 & 192.168.4.0/24
192.168.3.0/24 is for my 'Internet of things' devices; some connected via WiFi, some via RJ45. I'd prefer if each device on this segment not be be able to see what else is on the same segment except for the gateway address 192.168.3.1.(to prevent them from detecting and interacting, but still behind a firewall)
One question I have regards the check box for :Enable Inter VLAN Routing". When it is checked does it immediately open that VLAN to all the other VLANs or does it just allow you to configure individual routes to that VLAN? Also, for it to work, does it have to be set on both the VLAN you want to access and the one you're accessing it from? Sorry if this is a dumb question, but I'm trying to understand any odd details.
192.168.1.0/24 would have shared printers and a NAS and should be accessible from 192.168.2.0/24 & 192.168.4.0/24
192.168.3.0/24 is for my 'Internet of things' devices; some connected via WiFi, some via RJ45. I'd prefer if each device on this segment not be be able to see what else is on the same segment except for the gateway address 192.168.3.1.(to prevent them from detecting and interacting, but still behind a firewall)
I have to assume that you're using VLANs on the FVS318n - or - at the very least you are "multi-homing" - you have assigned multiple ip addresses to the LAN interface.
With that assumption in mind - once interVLAN routing has been enabled, there would/should be no need to establish any static routes, the router will route between the "directly connected" networks - in fact - if interVLAN routing has been enabled, there appears to be no way to filter or restrict interVLAN access.
Regarding your "internet of things" - there's no way, at a network level. to prevent the individual devices from seeing one another on the network, you'll have to control access on the individual devices, through the use of firewalls or similar.
Yes, each of the segments are each separate VLANs (192.168.1-4.0/24). I am not multi-homing. I was uncertain about the implications of the "Enable Inter VLAN Routing" checkbox. Is it an all or nothing or does it just allow you to then configure specific routes? For my Internet of Things segment, I was hoping to achieve the equivalent of wireless client isolation for both wireless and wired nodes on that segment (client isolation feature is only for WiFi clients).
Question about your comment ''"Regarding your "internet of things" - there's no way, at a network level. to prevent the individual devices from seeing one another on the network, you'll have to control access on the individual devices, through the use of firewalls or similar.' Is the FVS318N even capable of this? I would think that given the potential risk of putting some vendor's internet enabled black box appliance on your network that could be used as a 'spy or pivot point for network exploitation, isolating their visibility on the network would be desirable. I'm not paranoid because I've seen it done in penetration tests
Yes, each of the segments are each separate VLANs (192.168.1-4.0/24). I am not multi-homing. I was uncertain about the implications of the "Enable Inter VLAN Routing" checkbox. Is it an all or nothing or does it just allow you to then configure specific routes?
If you don't enable InterVLAN routing you won't be able to pass traffic between the VLANs, and as far as I can tell, it is all or nothing - one of the quirks about routers is that they "learn" the route between directly connected networks, meaning that you do not configure them - and there appears to be no way to create VLAN/VLAN rules to control the traffic - I had a discussion with support on this and it's being treated as feature request, but there is no guarantee that it will ever become a feature.
For my Internet of Things segment, I was hoping to achieve the equivalent of wireless client isolation for both wireless and wired nodes on that segment (client isolation feature is only for WiFi clients).
Question about your comment ''"Regarding your "internet of things" - there's no way, at a network level. to prevent the individual devices from seeing one another on the network, you'll have to control access on the individual devices, through the use of firewalls or similar.' Is the FVS318N even capable of this? I would think that given the potential risk of putting some vendor's internet enabled black box appliance on your network that could be used as a 'spy or pivot point for network exploitation, isolating their visibility on the network would be desirable. I'm not paranoid because I've seen it done in penetration tests
I have no doubt that what you are describing can be done, but, the first thing you need to do to protect your network is physically secure it - it is rapidly becoming standard enterprise practice to use some form of network access control to prevent users from connecting devices not approved by IT, but if IT approves such a device then it will connect and can potentially be used to snoop.
There are a multitude of ways to deal with these issues, but I doubt you will find them available at this price point.
Thank you for your reply. So if I understand,
1.) There isn't a way to create static routes that will allow me to share specific devices on my 192.168.1.0/24 with devices on 192.168.2.0/24 and 192.168.4.0/24, but not the 192.168.3.0/24.
2) Any VLAN with Inter VLAN Routing enabled will allow access from all VLANs without restriction.
3) Client isolation is only for WiFi connected clients and not wired connections.
What if I put my 'Internet of Things' VLAN in the DMZ, then put something like a Sophos UTM home edition between my internet router and the FVS318N? Would that hide my internal network from the IOT devices?
It just dawned on me--why not create a 5th vlan and put your 'Internet of things' in there? Then you can simply allow intervlan communication between all the other the vlans you want.
It just dawned on me--why not create a 5th vlan and put your 'Internet of things' in there? Then you can simply allow intervlan communication between all the other the vlans you want.
Have you tried to control access between VLANs - based on my looking at the interface and my discussions with tech support, once you enable interVLAN routing you have no further control.
It MAY be possible to disable interVLAN routing on a specific VLAN, but I have not tested this. I do have a new 318N still in shrinkwrap I'll break out when I have the time, but that's not going to happen this week.
On the other hand - you CAN set DMZ/LAN rules - so it should be possible to prevent access from the IOT on a DMZ to any or all of the VLANs.
Have you tried to control access between VLANs - based on my looking at the interface and my discussions with tech support, once you enable interVLAN routing you have no further control.
It MAY be possible to disable interVLAN routing on a specific VLAN, but I have not tested this. I do have a new 318N still in shrinkwrap I'll break out when I have the time, but that's not going to happen this week.
On the other hand - you CAN set DMZ/LAN rules - so it should be possible to prevent access from the IOT on a DMZ to any or all of the VLANs.
You're right that it is all or nothing on intervlan routing.
However, you can choose which vlans are in allowed to do intervlan, so you can exclude a single vlan if you want. Hence what I was thinking by putting all the IOT devcies in its own vlan with intervlan disabled.
Ok, so this is something I wasn't clear on; for interVLAN routing to work, does it have to be enabled on each of the VLANs that will talk to each other? For instance, if I have:
VLAN1 - interVLAN routing = ENABLED
VLAN2 - interVLAN routing = ENABLED
VLAN3 - interVLAN routing = DISABLED
VLAN4 - interVLAN routing = ENABLED
Does this allow interVLAN sharing of devices on VLAN1 with VLANS2 & 4 but not to VLAN3 and do I still need to set up static routes to the specific devices once enabled or is that implicit when you enable interVLAN routing. Also in doing this is there's no way block traffic between VLANs 2 & 4?
Ok, so this is something I wasn't clear on; for interVLAN routing to work, does it have to be enabled on each of the VLANs that will talk to each other? For instance, if I have:
Does this allow interVLAN sharing of devices on VLAN1 with VLANS2 & 4 but not to VLAN3 and do I still need to set up static routes to the specific devices once enabled or is that implicit when you enable interVLAN routing. Also in doing this is there's no way block traffic between VLANs 2 & 4?
So in this example, everything on vlan1,2,4 will see each other. Vlans 2 and 4 will have full access to each other.
Which devices are you referring to for static routes? What vlan are they on?
Does this allow interVLAN sharing of devices on VLAN1 with VLANS2 & 4 but not to VLAN3 and do I still need to set up static routes to the specific devices once enabled or is that implicit when you enable interVLAN routing. Also in doing this is there's no way block traffic between VLANs 2 & 4?
I have not attempted interVLAN routing with more than two VLANs, so I can't comment on that, but SamirD seems to be saying that you can exclude a single VLAN.
No static routes will be necessary to permit interVLAN routing as the router will automatically configure the routes required for the directly connected networks, and there is presently no way to block/permit specific traffic between the VLANs 2 & 4
Ok, thank you both. For interVLAN routing to work, you must enable it on all the VLANs you want to be able to pass data between. Checking it on a single one does nothing for you (is that correct?)
In another forum I was told that the FVS318N was limited as far as how you can configure (for my needs) and recommended a ZyWALL USG40W-NB and a managed switch with 'private vlan' or 'guest vlan' feature to support my requirement of isolating my wired 'IoT' devices.
...but SamirD seems to be saying that you can exclude a single VLAN.
Yep, you can. I checked my own 318N Web UI before posting. 😉
tachyon_pulse wrote:
Ok, thank you both. For interVLAN routing to work, you must enable it on all the VLANs you want to be able to pass data between. Checking it on a single one does nothing for you (is that correct?)
In another forum I was told that the FVS318N was limited as far as how you can configure (for my needs) and recommended a ZyWALL USG40W-NB and a managed switch with 'private vlan' or 'guest vlan' feature to support my requirement of isolating my wired 'IoT' devices.
Is there similar Netgear equipment?
Yes, checking on a single vlan does nothing. I think it is checked by default because I found it checked on my default vlan even though I don't have it checked on any other vlans.
The 318N is quite powerful in it's ability to limit it's attached devices from seeing each other. I'm not sure what your physical wiring is to your IOT devices, but a setting a vlan to a particular port and putting only those devices on that port coupled with disabling intervlan should give you the isolation that you want. I've used that several times for internal testing.
The 318N is quite powerful in it's ability to limit it's attached devices from seeing each other. I'm not sure what your physical wiring is to your IOT devices, but a setting a vlan to a particular port and putting only those devices on that port coupled with disabling intervlan should give you the isolation that you want. I've used that several times for internal testing.
Either I'm not understanding what he wants, or you're not understanding what he wants.
Here's what I think he wants - in addition to isolating the IoT VLAN from the rest of the network, he also wants devices on the IoT VLAN isolated from one another.
Wireless it can be done, but wired, it will requires a managed switch with a VLAN for every device, so not with the 318N, unless it's a very small number of devices.
Either I'm not understanding what he wants, or you're not understanding what he wants.
Here's what I think he wants - in addition to isolating the IoT VLAN from the rest of the network, he also wants devices on the IoT VLAN isolated from one another.
haha, I agree. 😄
I've asked a few times if the IOT devices would need to be isolated from each other, but don't remember a clear answer. If they don't need to be, then a separate vlan would be great. If they do...I'll have to think about it a bit.
Yes, so is there an inexpensive managed switch that would work with the 318N to accomplish this?
Unless you have only a few devices, then the 8 vlans might be enough.
What about this idea? Use a wireless to wired bridge and plug in the devices into that bridge. Would the client isolation still work or is that a function of the wireless?
Hi Samir, so that's the bugger, client isolation is only for a VLAN's wireless clients, that is wireless clients can't see each other, but they can see wired clients on the same VLAN and the hardwired clients can 'see' everything. I don't understand why there isn't a simple check-box equivalent for wired clients (or simply all clients on a particular VLAN.
Since I already have the 318N, it would be nice to find a Netgear managed switch that would integrate with the 318N for my isolation needs. Once I get this all set up I plan to do some tests to see if it behaves as I need. Any specific gear recommendations would be appreciated if not, please tell me explicitly the features I need to look for. Thanks. This is an awesome lesson.
When discussing switches, managed & inexpensive don't exactly go hand in hand - what you need is a switch that supports VLANs, so a SmartSwitch could do it, and you need port, one VLAN per device, so take a look at Netgear's SmartSwitch lineup and see what grabs your fancy
