
Sharing internet access on m4250

i15
Aspirant

Hi everyone,

 

Occasionally, we need to connect our m4250 to other private networks. We've allocated 2 ports for this, designated as external VLAN 80.

 

Could someone advise on how to grant access to this external VLAN for our internal devices? More importantly, how can I share internet access from this external VLAN to devices on the internal VLAN?

 

I understand it would be double NAT or something like that, but that is not that important. So basically, how can I make it work as a router? I am pretty sure I can figure it out, I just can't find the right instructions.

 

Thank you.

Message 1 of 3
LaurentMa
NETGEAR Expert

Re: Sharing internet access on m4250

Hi @i15 ,

 

The switches won't do NAT, so NAT is needed outside, each time on the internet gateway, with the opposite static routes. Switches will automatically have static routes between your VLANs, but when using an external gateway you need static routes for the routes back. This is why I highly encourage you to use a router between each external LAN and the AV switches.

 

Please consult our app notes here: https://www.netgear.com/hub/business/av/av-tech-guides/

The section called "AV Network Topology" explains the NAT and routing needed on the external router.

 

Also, for your reading and understanding, I am explaining an "industry standard" how-to below using PfSense, but of course it will be much simpler if you are using a NETGEAR router such as our PR460X:

 

***********************************************************************

When we have an installation comprising one or several switches for AV (with multiple VLANs, DHCP servers, and routing): this is a "sub-network" with a connection/uplink to a venue network where there is an internet gateway or firewall.

 

If we want to provide internet connectivity to the VLANs in our NETGEAR sub-network, configuration is needed on the venue gateway.

 

For this example, I am assuming that the venue is using an industry-standard third-party firewall (PfSense).

 

On the NETGEAR sub-network, we could create a routed interface on a port connecting to the venue, or even an Internet VLAN with a port connecting to the venue. But to keep it very simple here, I am just assuming that we are connecting the VLAN 1 (management VLAN of the NETGEAR switches) to the venue’s network where there is internet connectivity. Also, for simplicity, I am assuming only 1 NETGEAR switch for this sub-network.

 

Sub-network (NETGEAR – only one switch):

  • Management VLAN 1 (connects to the venue's network where the PfSense firewall is; the VLAN 1 interface is a DHCP client, and the PfSense DHCP server assigns a local IP address like 192.168.0.100/255.255.255.0)
  • Control VLAN 100 (Static 192.168.100.0/24 and DHCP Server for the nodes connecting to this VLAN)
  • Dante VLAN 20 (Static 192.168.20.0/24 and DHCP Server for the nodes connecting to this VLAN)
  • NDI VLAN 10 (Static 192.168.10.0/24 and DHCP Server for the nodes connecting to this VLAN)

 

The goal is to provide internet connectivity to all three VLANs 10, 20 and 100, for instance; the NETGEAR switch takes care of local inter-VLAN routing for unicast.

 

The venue’s firewall is a PfSense appliance with one WAN port (default gateway) and one LAN port 192.168.0.254/255.255.255.0 with a DHCP server 192.168.0.0/24 for all clients in the venue.

The NETGEAR switch Management VLAN 1 is connected to the venue’s LAN and acquires 192.168.0.100/255.255.255.0 on this network.

VLAN 1 has internet connectivity.

 

What needs to be done on the PfSense gateway for our VLANs 10, 20 and 100?

Two things:

1/ Gateway and Static routes so that the PfSense knows how to reach our VLANs 10, 20 and 100 on the LAN side

2/ Firewall rules so that the PfSense allows VLANs 10, 20 and 100 to get “out” to the internet on the WAN side

 

Here is what needs to be done on PfSense for 1/ and 2/:

 

1/ Gateway and Static routes so that the PfSense knows how to reach our VLANs 10, 20 and 100

  1. In System/Routing/Gateways, we need to add a new gateway.

Click “add” in System/Routing/Gateways/Edit, and add a new gateway on the LAN side this way:

Name: NETGEAR Sub-Network

Interface: LAN

Address family: IPv4

Gateway: 192.168.0.100

  2. Create new static routes that will use the above new gateway

Click “add” in System/Routing/Static Routes, and add three new static routes on the LAN this way:

First static route:

Destination network: 192.168.10.0   / 24

Gateway: NETGEAR Sub-Network – 192.168.0.100

Second static route:

Destination network: 192.168.20.0   / 24

Gateway: NETGEAR Sub-Network – 192.168.0.100

Third static route:

Destination network: 192.168.100.0   / 24

Gateway: NETGEAR Sub-Network – 192.168.0.100

 

2/ Firewall rules so that the PfSense allows VLANs 10, 20 and 100 to get “out” to the internet on the WAN side

Go to Firewall/Rules/LAN. Add three new outbound rules under all existing rules (last positions) this way:

First rule:

Action: Pass

Interface: LAN

Address Family: IPv4

Protocol: Any

Source: Network              192.168.10.0   / 24

Destination: Any

Second rule:

Action: Pass

Interface: LAN

Address Family: IPv4

Protocol: Any

Source: Network              192.168.20.0   / 24

Destination: Any

Third rule:

Action: Pass

Interface: LAN

Address Family: IPv4

Protocol: Any

Source: Network              192.168.100.0   / 24

Destination: Any

 

 

When all these changes are saved on the venue's PfSense firewall, all nodes in all three VLANs on the NETGEAR sub-network have internet access.

Message 2 of 3
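The two steps in the reply above (static routes back to 192.168.0.100, then LAN pass rules for the routed subnets) each fix a separate failure, and it is easy to see which one you missed by modelling the venue firewall as a routing table plus an ordered rule set. The script below is an added example, not code from the post or from NETGEAR or pfSense; it uses the addresses the post gives and assumes a WAN next hop of 203.0.113.1 and an internet host of 198.51.100.10 (documentation ranges, constructed for the run). It shows that before the change a VLAN 10 client is dropped by the implicit deny, because the stock "Default allow LAN to any" rule only matches "LAN net" (192.168.0.0/24), and that even if it were allowed the reply would follow the default route out the WAN, since pfSense has no route for 192.168.10.0/24; after the change the flow passes and the reply is handed to the switch on LAN.

```python
"""Models the venue pfSense from the post as a routing table plus an
ordered LAN rule set, and evaluates one VLAN 10 client before and after
the gateway / static-route / firewall-rule changes are applied."""
from ipaddress import ip_address, ip_network

# From the post: pfSense LAN subnet, the switch's VLAN 1 address, and the
# three routed VLANs behind it.
PF_LAN_NET = ip_network("192.168.0.0/24")
SWITCH_VLAN1 = ip_address("192.168.0.100")
SUB_NETS = [ip_network(n) for n in
            ("192.168.10.0/24", "192.168.20.0/24", "192.168.100.0/24")]
ANY = ip_network("0.0.0.0/0")
# Assumed (not in the post): the WAN next hop the default route points at.
WAN_GW = ip_address("203.0.113.1")


def before():
    """State before the change. Routes are (network, next_hop, interface);
    next_hop None means directly connected. The only LAN rule is the stock
    'Default allow LAN to any', whose 'LAN net' alias is the LAN subnet only."""
    routes = [(PF_LAN_NET, None, "LAN"), (ANY, WAN_GW, "WAN")]
    rules = [{"interface": "LAN", "source": PF_LAN_NET,
              "destination": ANY, "action": "pass"}]
    return routes, rules


def after():
    """State after step 1/ (gateway + three static routes via 192.168.0.100)
    and step 2/ (three pass rules on LAN, appended after the existing rules)."""
    routes, rules = before()
    routes = routes + [(n, SWITCH_VLAN1, "LAN") for n in SUB_NETS]
    rules = rules + [{"interface": "LAN", "source": n,
                      "destination": ANY, "action": "pass"} for n in SUB_NETS]
    return routes, rules


def lookup(routes, dst):
    """Longest-prefix match, as the kernel routing table does it."""
    dst = ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return None
    net, next_hop, ifc = max(hits, key=lambda r: r[0].prefixlen)
    return next_hop, ifc


def filter_decision(rules, ifc, src, dst):
    """pfSense evaluates rules on the interface a packet enters, top to
    bottom, first match wins; anything unmatched hits the implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if r["interface"] == ifc and src in r["source"] and dst in r["destination"]:
            return r["action"]
    return "block"


def trace(routes, rules, client, server):
    """Outbound verdict for client -> server entering on LAN, and where the
    reply to `client` is routed. Replies need no WAN rule: the state created
    by the outbound pass rule admits them; they only need a correct route."""
    verdict = filter_decision(rules, "LAN", client, server)
    hop = lookup(routes, client)
    next_hop = "unreachable" if hop is None else (
        "connected" if hop[0] is None else str(hop[0]))
    return {"outbound": verdict,
            "reply_next_hop": next_hop,
            "reply_interface": None if hop is None else hop[1]}


if __name__ == "__main__":
    client, server = "192.168.10.25", "198.51.100.10"   # constructed sample hosts
    print("before:", trace(*before(), client, server))
    print("after: ", trace(*after(), client, server))
```

Two checks worth doing on the real box after the steps in the post: confirm under Firewall/NAT/Outbound that the WAN mapping covers 192.168.10.0/24, 192.168.20.0/24 and 192.168.100.0/24 (in Manual outbound NAT mode they have to be added by hand, otherwise the replies above still never come back), and if the GUI rejects the gateway name, use only letters, digits and underscores in it.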
i15
Aspirant

Re: Sharing internet access on m4250

Thank you, @LaurentMa 

 

The switches won't do NAT, so NAT is needed outside each time on the internet gateway with the opposed static routes.

Interesting. I always thought L3 switches could do NAT routing (or similar) and could replace a router if needed.

For us, it is impossible to request any changes on the networks we connect to.

Message 3 of 3