
Re: GS724T - access profile from another VLAN / network

hacesoft
Tutor

Good day,

What should I set up to have access to the switch configuration from another VLAN / other network? Specifically, I want to access the switch via VPN. I have a VPN configured and I can see all devices except the switch. I have a switch management PC on the same VLAN as the switch. So far, I'm missing what to set up to manage the switch from the 10.69.9.2 network, which is the VPN access. The management PC has the address 192.168.20.20 and the switch has the IP address 192.168.20.10. Even if I deactivate the ACCESS PROFILE CONFIGURATION profiles, I still do not have access to the switch via the HTTP web interface.

Can you guide me on what to set, and where, so that it works?

Thank you in advance for any information that will help me with the setup.

Model: GS724Tv4|ProSafe 24 ports Gigabit Smart switch
Message 1 of 13

All Replies
schumaku
Guru

First isolate the management VLAN at almost every cost, and then connect things together again... Can't deny I'm always smiling a little when reading such requests.

Assume your "normal" VPN-reachable subnet is the work network. If you want to make the management VLAN reachable from the VPN, the management VLAN must be integrated in some routing design. But wait - it won't be easy to detect each VPN, and you would have to add some IP firewall rules allowing the access only from the VPN, but not from the work subnet. Of course, this also requires configuring the VPN to include the route to the management VLAN, and the route back from the management VLAN to the VPN. If not - re-think whether you really need to isolate the switch management....

A possible alternate approach would be to allow some kind of remote access to that management PC by having an additional interface on the work network. Then you can use remote desktop or the like to reach the management PC, and don't need to expose the management VLAN and subnet.

Message 2 of 13
hacesoft
Tutor

Good day,

I have a total of 5 VLANs in my home network. I have the appropriate ACL rules set for them on the switch. Each VLAN has its own rights. Only one VLAN (VLAN20) has access to all other VLANs. And I want VLAN20 to be accessible via VPN for remote home network messaging. Everything works for me: cameras on VLAN70 + DVR for the cameras, firewall on VLAN5, etc. Only the switch resists. I don't know how to access the configuration from any other VLAN ... VPN is an extra bonus.

I then want to access the network configuration via VPN.

Using a PC as a remote desktop for VLAN access is unusable. That PC is only turned on sometimes ...

Message 3 of 13
schumaku
Guru

So make the VLAN 20 IP subnet available from the only VLAN/subnet the VPN has access to, and put up some ACLs according to the IP addresses only the VPN is using (if possible, and not a nicely bridged-in network). Everything is just plain basic IPv4 routing, isn't it?

Message 4 of 13
hacesoft
Tutor

I think I do.

At 192.168.20.150 I have a door control device. I have access to it via VPN, but there is also a switch with the address 192.168.20.10 on the same VLAN and I do not have access to it.

Message 5 of 13
schumaku
Guru

@hacesoft wrote:

At 192.168.20.150 I have a door control device. I have access to it via VPN, but there is also a switch with the address 192.168.20.10 on the same VLAN and I do not have access to it.


The route back to the VPN from the switch management interface is correct and workable?

Message 6 of 13
hacesoft
Tutor

I do not understand.

Message 7 of 13
hacesoft
Tutor

However, when I query the IP address of the switch from the VPN and look at the listing from the firewall, I can see that 5 packets arrive at the switch, but nothing more comes back from the switch.

Message 8 of 13
schumaku
Guru

As the firewall shows just SYN sent .... any security on the switch prohibiting access from, say, a different subnet?

Message 9 of 13

tmittelstaedt

He already said he tried it with security profiles off.

5 VLANs is IMHO ridiculous for a home network. But whatever, maybe he's just using this as a learning tool about VLANs.

At least 1 of the Netgear switches has a bug in current firmware where it will not respond to packets that are smaller than 1500 bytes in size (1500 is the MTU for Ethernet). Apparently the TCP stack in the switch cannot fragment packets.

Maybe this model has that same bug in its firmware.

If he's coming in on a VPN, if it's an OpenSSL or some such, then the max MTU is very much lower than 1500. If the switch cannot negotiate MTU path discovery then he's going to be unable to connect to it.

The other possibility is if he's using the switch as a router between VLANs. In this case he's trying to hairpin traffic. While a router should be able to do this, a switch isn't a "real router" as they say (even though switches are commonly used for high speed routing). If that's the case then move the management interface into the subnet used for remote access (it sounds like the remote access device is using proxy-arp to a subnet the switch has).

Unfortunately not enough info is supplied here. What is being used for the VPN and how is it configured?

Message 10 of 13
schumaku
Guru

@tmittelstaedt wrote:

Unfortunately not enough info is supplied here.  What is being used for the VPN and how is it configured?


Yeah, and much more. Some traceroute forth and back, details on routing, probably routers involved acting as the default gateway, ... would be informative, for example, too - also from the switch.

@tmittelstaedt wrote:

He already said he tried it with security profiles off.


I had the switch in mind, not the security appliance 8-)

Off topic most likely:

@tmittelstaedt wrote:

At least 1 of the Netgear switches has a bug in current firmware where it will not respond to packets that are smaller than 1500 bytes in size (1500 is the MTU for Ethernet). Apparently the TCP stack in the switch cannot fragment packets. Maybe this model has that same bug in its firmware.


This issue is isolated to a series of Plus switches, GSxxxE[whatever], with some 2.7 firmware version.

Message 11 of 13
hacesoft
Tutor

Good day,

I don't use any router; it is replaced by my pfSense firewall, 2.5.2-RELEASE (amd64) built on Fri Jul 02 15:33:00 EDT 2021, FreeBSD 12.2-STABLE.

I'm sending photos of the firewall settings. In my opinion, I have not blocked communication from VPN to VLAN20 anywhere. On the firewall there is a policy that what is not allowed does not work, and on the switch I think it works the other way around. I don't have the VPN network blocked in the ACL on the switch. I have one port set as a trunk on the switch, and the switch then feeds the individual VLANs to the specific ports. The ACL between individual VLANs is set on the switch. The ACL rules do not include VLAN5, which is the network for the pfSense firewall and VPN. As I wrote, I think the switch works such that whatever is not forbidden in the switch works. The switch does not perform routing. It only isolates VLANs.

According to the previous post, I think that a packet from a PC connected via VPN reaches the switch and it no longer responds.

Message 12 of 13
hacesoft
Tutor

Good day,

after a long search for a solution to why the switch cannot be managed across VLANs or VPNs, I found an error in the IPv4 Network Interface Configuration settings, in the Default Gateway field.

I set the right address and, lo and behold, it's already working :).

Message 13 of 13
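The fix in message 13 (a wrong Default Gateway on the switch's management interface) explains the symptom from message 8 (SYNs from the VPN reach the switch, nothing comes back) and the routing question in messages 4 and 6: a host can answer peers on its own subnet without any gateway, but a reply to an off-subnet peer such as the VPN client has nowhere to go unless a usable default gateway is set. The following is an added example, not code from this thread or from NETGEAR. It models that return-path decision for the switch's management settings and scans firewall log lines for TCP flows whose SYNs were never answered. The addresses 192.168.20.10, 192.168.20.20 and 10.69.9.2 are the ones quoted in the thread; the gateway addresses tried in the demo, the log line format and the log lines themselves are constructed for this example.

```python
"""Added example (not from the NETGEAR thread): why a switch management interface
without a usable default gateway answers on-subnet hosts but silently drops replies
to a VPN client on another subnet, plus a detector for the resulting one-way flows.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class MgmtInterface:
    """Management IP settings of the switch (the IPv4 Network Interface Configuration page)."""
    address: str                   # CIDR form, e.g. "192.168.20.10/24"
    gateway: Optional[str] = None  # Default Gateway field; None if left empty

    def can_reply_to(self, peer_ip: str) -> Tuple[bool, str]:
        """Return (ok, reason): whether the switch can send a reply back to peer_ip."""
        iface = ipaddress.ip_interface(self.address)
        peer = ipaddress.ip_address(peer_ip)
        if peer in iface.network:
            return True, "peer is on the management subnet, reply is sent directly"
        if self.gateway is None:
            return False, "peer is off-subnet and no default gateway is configured"
        gw = ipaddress.ip_address(self.gateway)
        if gw not in iface.network:
            return False, f"default gateway {gw} is not on {iface.network}, reply cannot be forwarded"
        return True, f"reply is forwarded via default gateway {gw}"


# Constructed log format (not pfSense's own): "<timestamp> TCP <src>:<sport> -> <dst>:<dport> [<flags>]"
LINE_RE = re.compile(r"^\S+ TCP ([^\s:]+):(\d+) -> ([^\s:]+):(\d+) \[([A-Z]+)\]$")


def find_one_way_flows(lines: List[str]) -> List[Tuple[str, str, int, int]]:
    """Return (client, server, port, syn_count) for every SYN that never got a SYN-ACK."""
    syns: Counter = Counter()
    answered = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines not in the constructed format
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            syns[(src, dst, int(dport))] += 1
        elif "S" in flags and "A" in flags:
            # A SYN-ACK travels server -> client, so swap roles to build the same key
            answered.add((dst, src, int(sport)))
    return [(c, s, p, n) for (c, s, p), n in sorted(syns.items()) if (c, s, p) not in answered]


# Constructed sample: five SYNs from the VPN client to the switch web UI go unanswered,
# while the management PC on the same subnet receives its SYN-ACK.
SAMPLE_LOG = [
    f"2024-01-01T10:00:0{i} TCP 10.69.9.2:5100{i} -> 192.168.20.10:443 [S]" for i in range(5)
] + [
    "2024-01-01T10:00:06 TCP 192.168.20.20:52000 -> 192.168.20.10:443 [S]",
    "2024-01-01T10:00:06 TCP 192.168.20.10:443 -> 192.168.20.20:52000 [SA]",
]


def diagnose(iface: MgmtInterface, lines: List[str]) -> Dict[str, str]:
    """Map each client with unanswered SYNs to the switch's return-path verdict for it."""
    return {client: iface.can_reply_to(client)[1] for client, _s, _p, _n in find_one_way_flows(lines)}


if __name__ == "__main__":
    # Hypothetical gateway values: empty, on the wrong subnet, and correct.
    for cfg in (MgmtInterface("192.168.20.10/24"),
                MgmtInterface("192.168.20.10/24", "192.168.5.1"),
                MgmtInterface("192.168.20.10/24", "192.168.20.1")):
        print(cfg, "->", diagnose(cfg, SAMPLE_LOG))
```

Running the script prints the unanswered VPN client together with the reason the switch cannot answer it under each of the three gateway settings; only the last one, a gateway on the management subnet, yields a forwardable reply. The same check separates "the switch never saw the packet" (no SYN in the log at all) from "the switch saw it and could not answer" (SYNs logged, no SYN-ACK), which is the distinction the thread needed before the Default Gateway field was inspected.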