This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
FVS318Gv2 - Not NAT routing non-local subnet traffic to internet
I have an existing setup that works just fine, but need to upgrade to devices that support 1G interfaces to take advantage of an upgraded Internet speed (150Mb/s). The existing network looks like this.
Internet<—>CM400<—>WGR614v9<—subnet A—>layer-3 switch<—subnet B
Devices on subnet A and subnet B can both comunicate with each other and with the internet. A static route exists on the WGR614v9 to route traffic to subnet B via the layer-3 switch. A default static route to the WGR614v9 exists on the layer-3 switch.
I'm trying to replace the WGR614v9 with a FVS318Gv2. I'm not using VPNs. I only need the functionality that existed in the WGR614v9. The new configuration looks like this.
Internet<—>CM400<—>FVS318Gv2<—subnet A—>layer-3 switch<—subnet B
A static route was added to the FVS318Gv2 for subnet B. Devices on subnet A and subnet B can communicate withe each other and devices on subnet A can communicate with the internet. But devices on subnet B cannot communicate with the internet. There is however, limited communications i.e devices on subnet B can nslookup, ping and traceroute to the internet but no connection oriented communications such as http, ssh, scp, apt-get, etc. It's like there is an implicit (either in-bound or out-bound) firewall rule for non-local (to the FVS318Gv2) subnets. Tech support says it should work.
I'm wondering if anyone here has a similar setup or has similar issues.
Re: FVS318Gv2 - Not NAT routing non-local subnet traffic to internet
>Would you mind if you will create two VLANs on the FVS318Gv2 on different subnets instead?
That's not practical in my network. The FVS318Gv2 is in a wiring closet on the other side of the building of where the layer-3 switch (connecting to the cluster of servers) reside. It is also two layer-2 switch hops away.
Re: FVS318Gv2 - Not NAT routing non-local subnet traffic to internet
Hi synoptics,
Kindly answer the questions below:
a. Since there is a static route on the FVS318Gv2 going to subnet B, have you configured a default route for subnet B to access the internet?
b. Is the Layer 3 switch directly connected to the FVS318Gv2? It would be best if you post a screenshot of your detailed network diagram on how is everything connected.
c. Are there any Access Control Lists configured on the Layer 3 switch? If yes, kindly try to disable it then check if there will be internet access for both subnet A and B.
d. Since you will just replace the WGR614v9 with an FVS318Gv2, have you tried to perform a factory reset on the FVS318Gv2 then reconfigure it from scratch?
Re: FVS318Gv2 - Not NAT routing non-local subnet traffic to internet
> a. Since there is a static route on the FVS318Gv2 going to subnet B, have you configured a default route for subnet B to access the internet?
Yes there is a static (default) route on the layer-3 switch that points to the FVS318Gv2 (or the old WGR614v9) I stated this in my original post.
> b. Is the Layer 3 switch directly connected to the FVS318Gv2? It would be best if you post a screenshot of your detailed network diagram on how is everything connected.
Internet<--->CM400<--->FVS318Gv2<---subnet A--->GS116NA<--->layer-3 switch<---subnet B
The layer-3 switch is 10 ports. Ports 1-4 are on subnet B and 5-10 are on subnet A.
>c. Are there any Access Control Lists configured on the Layer 3 switch? If yes, kindly try to disable it then check if there will be internet access for both subnet A and B.
There are no ACLs configured on the device (cisco SG300-10). Again, all I am doing is replacing a working WGR614v9 with the FVS318Gv2. I'm not changing anything in my configuration except for the router.
>d. Since you will just replace the WGR614v9 with an FVS318Gv2, have you tried to perform a factory reset on the FVS318Gv2 then reconfigure it from scratch?
Yes. I did a factory reset when I upgraded the firmware to version 4.3.3-6.
One thing I failed to mention to keep things simple, is there is some limited communication to the internet from subnet B through the FVS318Gv2. Meaning I can nslookup, ping, traceroute and even get some limited TCP connections established. For example I can get the ftp-control (port 21) established to a FTP server on AWS, but as soon as a ftp-data (port 20) connection (e.g. for a directory listing) is established (i.e. syn, syn-ack, ack) packets after that are dropped. I'll see resets (TCP RST), lost sequence ACKs, etc. This tells me packets are being dropped. Using the packet capture feature on the FVS318Gv2 I have taken traces from both the WAN and the LAN and analyzed them with wireshark for ssh, http and ftp. All will get the initial TCP connection established, but after that packets are dropped. This proves that the low level IP forwarding/routing is setup correctly and it's the FVS318Gv2 that is dropping the packets for some reason. Again, my hypothesis is the forwarding logic for non-local subnet traffic is treated differently than local traffic. This behavior is seen in your newer consumer grade products (e.g. WNR3500Lv2). But in that case all non-local subnet traffic is dropped. I went down this path with the WNR3500Lv2 and was told by Netgear Tech support that I needed a ProSAFE business class router, such as the FVS318Gv2 if I wanted this capability. This should be something that is easily reproducible and verified by engineering or tech support.
I noticed a feature called "LAN Multi-homing" on the FVS318Gv2. It says "If computers on your LAN use different IPv4 networks (for example, 172.124.10.0 or 192.168.200.0), you can add aliases to the LAN ports and give computers on those networks access to the Internet". I don't know if this applies but seems related. I tried adding subnet, which it didn't take and a specific address. For whatever reason, this blocked all traffic from that host to both the internet (meaning I couldn't even ping) and to subnet A.
Re: FVS318Gv2 - Not NAT routing non-local subnet traffic to internet
One thing I noticed on the serial console interface when the FVS318Gv2 boots, one of the last thing it outputs before the login prompt is:
"Enable hardware natting for forwarding acceleration"
I'll bet the hardware nat function only has a table for locally configured addresses and if source addresses (in my case from subnet B) come outside that range they get punted to the slow path for software forwarding. This may explain why the slower functions such ping, nslookup, ftp-control work and higher throughput traffic such as http, ssh, etc. gets dropped.
I noticed a feature called "LAN Multi-homing" on the FVS318Gv2. It says "If computers on your LAN use different IPv4 networks (for example, 172.124.10.0 or 192.168.200.0), you can add aliases to the LAN ports and give computers on those networks access to the Internet". I don't know if this applies but seems related. I tried adding subnet, which it didn't take and a specific address. For whatever reason, this blocked all traffic from that host to both the internet (meaning I couldn't even ping) and to subnet A.
Since you have tried LAN Multi-Homing, to isolate the problem, have you tried to connect a PC (that has a static IP address as with subnet B) directly to the FVS318Gv2 then try to access the internet (it should have access to the internet). If not yet, kindly try it to check if LAN Multi-homing works. However, I am not that sure if at the same time, the subnet configured in LAN Multi-Homing will have communication on the default LAN (subnet A) on the FVS318Gv2.
Let me also share this old forum threads below that is similar to your concern though the network setup is kinda different:
Re: FVS318Gv2 - Not NAT routing non-local subnet traffic to internet
Yes. I was able to get the LAN multi-homing to work. But this isn't a solution for my configuration. I need the isolation the layer-3 switch provides. The hosts on subnet B will have services (such as DHCP for VMs, tagged vlans, etc.) that will conflict with services on subnet A now that they will all be in the same broadcast domain if I use multi-homing.
Re: FVS318Gv2 - Not NAT routing non-local subnet traffic to internet
Hi synoptics,
At least we know that LAN Multi-Homing works on your FVS318Gv2. Going back to your concern, you have already contacted NETGEAR Support about it. Have you already forwarded the configuration file of both WGR614v9 and FVS318Gv2 to NETGEAR Support to be analyzed and for comparison as well? If not yet, I advised you to download the configuration file of both WGR614v9 and FVS318Gv2 as well as the Layer 3 switch then attached it to your open case with NETGEAR Support.
