can't get internet access, what am i missing

unfortunately there's no way to add in static routes on the apple extreme base. As least not that I know off. Is the problem here the return traffic?

Thats  likely the problem

If you can configure NAT for both these 2 networks to a free address on the 192.168.1.x/24 network you should be OK

WIthout needed to configure a static route

So technically if I added in another VLAN and did something like this


Then anything on VLAN 3 should have internet access. It won't resolve the issue with Vlan 1 or 2.

If you can configure NAT for both these 2 networks to a free address on the 192.168.1.x/24 network you should be OK

Do you mean to Nat the addresses from Vlan1 and Vlan 5 to a 192.168.1.x address  before it hits the apple extreme base station?

The Cisco doesn't have any Nat functionality.

as nazsky said, setup NATing for VLAN 2 and 3 to the IP address that the L3 switch uses on the 192.168.1.x network.

Or put the Airport behind the L3 switch. The L3 switch is more capable.

So either I have static routes on the Apple extreme base station for 192.168.3.0/24 and 192.168.5.0/24

Or Nat Vlan1 and Vlan2 to the IP address that the L3 switch is using on the 192.168.1.x network

The Cisco switch is small business edition and does not offer any Nat functionality. The Apple extreme base station doesn't offer any ability to add in static routes.

would adding another router between the L3 and the apple extreme base station resolve the problem?

The next hop address for the L3 would be the address of the second router. The second router would have static routes for 192.168.3.0/24 and 192.168.5.0/24.

I think that going out and getting small wireless router from Linksys/Cisco or DLink makes more sense. You are adding so much complexity to your setup that it will be difficult to troubleshoot without proper documentation. I would keep it simple.

I am sure that you can use Apple thing somewhere else.

I would replace it but a number of users are mac users who prefer using the using the apple extreme and since it's already configured and working I rather just let it stay put. The second network may be removed and relocated after 8 months

If i wanted to go the Nat route with the second router. Will most consumer routers allow you to Nat 2 different networks to 1 IP? Or would I need to get something higher up?

I didn't see where anyone has asked:  Why are you messing around with VLANs in the first place?  Get rid of that and the problem should be solved.  Or, if you must in Cisco-speak, just use one VLAN.

the reason we have 2 Vlans is for testing ESXI and Vms

you will just need to check to make sure that the router will support static routes. You should be able to find a relatively cheap router that can do this.

if you want to do it for free, you could find some kind of linux software router and load it up as a VM, then put that VM on VLAN 1 and use it as the router.

OK .. testing VLANs.
I don't see how this can work.  Let's analyze the packets:

A packet leaves a computer on subnet 192.168.3.0/24 ... er.. it is /24 right?
Let's say it's destined for an internet address.  
Where's the internet gateway?  I don't see one.
What is the gateway address on the computers in that subnet?
Ditto for 192.168.5.0/24 computers.

I'll make a wild guess and figure that the Layer 3 switch has IP addresses for each subnet.  If so, then it can be the gateway.  If it's the gateway then it also has a routing table .. what Layer 3 switches are for.  So the default gateway route in the switch then would be the Apple at 192.168.1.1.  There may be more to it but that's a start.  Does this make sense in the context of your switch?

I looked at this again and I do not think you will be able to crawl your way out of this one. The Apple piece with its lack or routing and switch not able to perform NAT to overcome lack of routing...
You can try to build a Linux box and put it in between the switch and the Apple, so it does routing and NAT. Again, this is only feasible when you have spare hardware (workstation with 2 NICs)  and you are proficiency with Linux (routing and ipTables).

Otherwise buy Dlink.

Good luck!

Since you have a VM server, you can easily spin up a VM to act as a router. you can probably find an appliance like vyatta, but for free.

Of course the easiest thing is going to be to just buy a router to handle nating and static routes.

Might this help?
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml

it is not the intervlan routing that is the issue. It is the lack of being able to configure a static route on the Airport

OK .. testing VLANs.
I don't see how this can work.  Let's analyze the packets:

A packet leaves a computer on subnet 192.168.3.0/24 ... er.. it is /24 right?
Let's say it's destined for an internet address.  
Where's the internet gateway?  I don't see one.
What is the gateway address on the computers in that subnet?
Ditto for 192.168.5.0/24 computers.

I'll make a wild guess and figure that the Layer 3 switch has IP addresses for each subnet.  If so, then it can be the gateway.  If it's the gateway then it also has a routing table .. what Layer 3 switches are for.  So the default gateway route in the switch then would be the Apple at 192.168.1.1.  There may be more to it but that's a start.  Does this make sense in the context of your switch?

Yes Vlan1 network is 192.168.3.0, the default gateway is 192.168.3.1. Vlan2 is network 192.168.5.0 and gateway is 5.1. Both ESXI and the server can communicate with either other fine with no problems. On the L3 switch I added a default gateway of 0.0.0.0 mask of 0.0.0.0 192.168.1.1

I looked at this again and I do not think you will be able to crawl your way out of this one. The Apple piece with its lack or routing and switch not able to perform NAT to overcome lack of routing...
You can try to build a Linux box and put it in between the switch and the Apple, so it does routing and NAT. Again, this is only feasible when you have spare hardware (workstation with 2 NICs)  and you are proficiency with Linux (routing and ipTables).

Otherwise buy Dlink.

Good luck!

That was something I asked. If getting a second consumer router and placing it between the L3 and the apple extreme would work. And the answer I'm getting so far is yes.

networks 5.0 and 3.0 would go to the 2nd router as it's next hop. And the 2nd router will have static maps to the L3 switch. The 2nd router will then connect to the apple extreme.

As you just mentioned, you can get a consumer/prosumer router and that will work, as long as it:
1. supports natting
2. supports static routes

But still people on Apple router will have issues accessing servers as you will have to set One-to-One NAT on the Dlink/Linksys.

If it is a test network and you only need internet access, then that will work fine.

If not you should then put the router in front of the Airport, and just plug into one of the LAN ports on the Airport, so you can just use it as an access point and not the router.

But still people on Apple router will have issues accessing servers as you will have to set One-to-One NAT on the Dlink/Linksys.

Sorry I was not  clear, people who are connecting via wifi to the apple extreme base station will not need access to the server or the workstation. Internet access is only for the test network and people within the test network

then putting the router after the airport will be fine.

Than yes you do not need to worry about them at all. And in case they need access you can use 121 NAT to the ESX, printer, etc...

Which devices have those gateway addresses?

Which devices have those gateway addresses?

What do you mean?

Than yes you do not need to worry about them at all. And in case they need access you can use 121 NAT to the ESX, printer, etc..

I thought you needed to have public IP's to do a one to one nat. Can I actually do it with private ips

yes, you can do it with internal IPs, so that devices connected to the Airport will be able to access your test network devices.

You only need public IPs if you want those devices to be available from the internet.

Okay but I do not think most consumer routers will do 1 to 1 NAT....

Do you know of any off the top of your head?

I am positive that most of the cheap consumer routers will do it. They call it port forwarding. Most of then will only do 1 IP address assigned to the WAN interface. You have to do your own research. In your case the WAN interface will have a private IP address but still you will be NATing from e.g. 192.168.1.100 to 192.168.5.25 on port 23 TCP. (just an example)

On more sophisticated routers you can have have multiple WAN (external) IPs NATed to multiple LAN/DMZ IPs.

If you need to provide support for VLANs, wireless and security you can look at Sonicwall TZ100W. It does all this for the small price and is not a toy like Apple. It will do your internal routing as well. So if you decide to trunk from the switch to the sonicwall you can create ACL between ports.

It is so cool to do VLANs right on the ESX and use SW as your internal router. I have my lab set up like this.

I don't think it's the same but I see where you are going. In either case you're forwarding outside traffic in.

From what I understand in port forwarding, you declare the port and the destination IP address. With one to one NATing you associate one address to another address ( all ports going are open unless you close them off at the firewall)

I think that he means PAT (Port Address Translation) versus 1 to 1 NAT. Usually you will need a little more advanced device for that. Probably $100 or less for something that will do PAT, versus $300 for 1-to-1 NAT.

you can associate a port from an IP on the inside, to a port on the WAN address of the new router. This is PAT.

well I have a cheap router that does PAT/NAPT but i don't think it works that way. The idea was that if i wanted to let users on the wifi network onto the test network, I would do 1 to 1 NAT so that the "wifi networK" (outside) could reach (inside) the ESXI or server on the test network.

PAT/NAPT works from LAN to WAN. I don't think it works the reverse ex WAN to LAN

I do not think that nickel and diming over nomenclature will help. People say NAT and what they really mean is PAT, this is know in the industry. Clients most of the time will be talking about NAT really meaning something else. Bottom line is do you want your wireless clients to have access to other networks or not. Do you need access to one or more IPs on your VLAN networks? How much money do you want to spend? Is technical support needed? Is warranty important to you? Do you need 24 replacement? I am sure that you can get a small router for about $20-30 but you may run in problems with something else and you've mentioned that you had users on your network so going cheap may not be at the best interest of your client.

I guess at the end of the day you got your solution. It requires some money and we all failed to provide elegant system based exclusively on existing components. So what? At least you are not going to spent next several days trying to achieve impossible.

I'll end up getting the sonicwall that you mentioned. At this point the wireless clients do not need access to the test network. So the static route with the 2nd router will work. However the idea that you brought up regarding client access to the  test network  was intriging. There are confusion over nat/pat. I hate think think I'm misunderstanding  1 to 1 nat/ pat/ port forwarding and etc. As far as I know most consumer routers do napt/pat since most home Internet connections have only 1 ip address from their ISP. Someone mentioned that you meant pat and I'm assuming that you didn mean pat. I'm just trying to clarify.

Yes, most if not all firewalls use PAT for outbound traffic. They do not have more than one IP address to translate to. The number of sessions that can be carried on a single IP address is impressive. I worked for organizations with 2000+ users running of one IP (PATing)

They use NAT for the inbound traffic where each internal server has its private IP address translated to the public one. Unlike PAT the port numbers are preserved. PAT translates not only IP address but also the source port (going outbound) then it builds its PAT table and this way tracks returning traffic. When the packet comes back it changes port number to the original one so the sending host has no idea that it happened.

Cisco has great PDFs on their website I remember reading PAT/NAT years ago for my CCNA certification. Google for them and read - time well spent.

On SW you may like not only VLANs but wireless VLANs too. The IPSec VPN for remote access is something that you will not get on regular home router.

Bottom line; it will be difficult for me to explain differences between NAT and PAT in some short form. To make things simple (or over simplified ;-) remember that PAT affects the source port on the packet, NAT preserves port numbers and changes only IP in the packet's header.

Last but not least, nobody ever speaks about PAT! People always call it NAT, this is wrong but this is also a fact of life. I have never attended a meeting where someone would say "our firewall is PATing to this IP address" I am not kidding!

Sorry it took me a bit of time to get back:

When you say:
"Yes Vlan1 network is 192.168.3.0, the default gateway is 192.168.3.1. Vlan2 is network 192.168.5.0 and gateway is 5.1"

and I asked:
"Which devices have those gateway addresses?"

I mean: which device has 192.1698.3.1 as its IP address?  and which device has 192.168.5.1 as its IP address?  These devices will be the next hop if those addresses are entered as the "gateway" in each subnet.  So, I think it would be very useful to know which computer or router or switch has those particular addresses.

192.168.3.1
192.168.5.1

both are gateways on the L3 switch.

I didn't fully get to test the 2nd router as I ran into a little problem with the L3 switch. I'm closing this question as the solution sounds correct. If the solution doesn't work I'll re-post the question.