Solved

No internet access on vlans

Posted on 2014-01-21
Last Modified: 2014-01-31
I'm going to try and be as detailed as possible about this setup.
Modem/Router - AT&T uverse - Motorola NVG510 @ 192.168.2.254 - IP passthrough
Wireless Router - Netgear WNDR4300 @ 192.168.1.254
Netgear - M4100-D12G layer 3 switch
Multiple 24 port "dumb" switches

The goal here is to segment internet access for multiple offices.
I have 3 vlans setup on the m4100.
Vlan 1 @ 192.168.1.0 with vlan interface of 192.168.1.250 - untagged member ports 1-12
Vlan 3 @ 192.168.3.0 with vlan interface of 192.168.3.250 - untagged member port 3
DHCP from the m4100 with gateway of 192.168.3.250
Vlan 4 @ 192.168.4.0 with vlan interface of 192.168.4.205 - untagged member port 4
DHCP from the m4100 with gateway of 192.168.4.250
The m4100 has a default route setup with next hop of 192.168.1.254 to get to the physical router.
The WNDR4300 has static lan routes for 192.168.3.0 and 192.168.4.0 pointing to 192.168.1.250.
Physically I have a net cable from a lan port on the nvg510 to the wan port of the WNDR4300.
I have a net cable from a lan port on the WNDR4300 to port 10 of the m4100.
I have a net cable from port one on the m4100 to a 24 port "dumb" switch, switch A.
I have a net cable from port three on the m4100 to a 24 port "dumb" switch, switch B.
I have a net cable from port four on the m4100 to a 24 port "dumb" switch, switch C.

With all of this connected, if I connect a laptop to switch A, I get a good address on the 192.168.1.0/24 subnet and I can ping all three vlan interfaces, the WNDR4200, the external IP of the WNDR4300, 8.8.8.8, and www.google.com and I have complete lan and internet access.

If I connect a laptop to switch B, I get a good address on the 192.168.3.0/24 subnet and I can ping all three vlan interfaces, the WNDR4200, the external IP of the WNDR4300, but I cannot ping 8.8.8.8, or www.google.com and I have no internet access. I do have lan access to machines on 192.168.1.0/24 if I so choose.

If I connect a laptop to switch C, I get a good address on the 192.168.4.0/24 subnet and I can ping all three vlan interfaces, the WNDR4200, the external IP of the WNDR4300, but I cannot ping 8.8.8.8, or www.google.com and I have no internet access. I do have lan access to machines on 192.168.1.0/24 if I so choose.

A tracert to google.com reaches 192.168.1.254, (WNDR4200 router) but does not go further when connected to switch B or C.

I have checked and triple checked and I cannot for the life of me figure out why I can't get internet access on vlans 3 and 4. I'm stumped.
0
Question by:sdholden28
10 Comments
 
LVL 4

Expert Comment

by:tmx84
ID: 39796995
Could you just post your running config on the switch after removing any passwords...
0
 

Author Comment

by:sdholden28
ID: 39797159
I can, but it will be a few days until I'm back on-site. I do not have remote access.
0
 

Author Comment

by:sdholden28
ID: 39797315
I know this is speculation at this point, but I'm inclined to believe that the switch config is correct. If I can ping all vlan interfaces, and the physical router, and a tracert propagates from local ip->vlan interface->to physical router, then static routes and switch config would have to be correct, no?
0
 

Author Comment

by:sdholden28
ID: 39797355
Had a copy of the config saved on my laptop.

!Current Configuration:
!
!System Description "M4100-D12G ProSafe 12-port Gigabit L2+ Intelligent Edge Desktop Managed Switch, 10.0.1.16, B1.0.0.9"
!System Software Version "10.0.1.16"
!System Up Time          "0 days 0 hrs 49 mins 2 secs"
!Additional Packages     QOS,IPv6 Management,Routing
!Current SNTP Synchronized Time: SNTP Last Attempt Status Is Not Successful
!
network protocol none
network parms 192.168.99.1 255.255.255.0 192.168.99.2
vlan database
vlan 3-4,99
vlan name 3 "VLAN 3"
vlan name 4 "VLAN 4"
vlan name 99 "Mgmt"
vlan routing 3 1
vlan routing 4 2
vlan routing 1 3
exit
network mgmt_vlan 99
configure
time-range
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.254
username "admin" password 6acb4ee5c146ea7e6836abd279c28c8b39f0d18adf486b98a2e09dadf1fcd2b7548f71c6c79e83b28d03f20e5d74e597bafe528808a95943b12ca8d0762d6dce level 15 encrypted
line console
exit
line telnet
exit
line ssh
exit
!
interface 0/1
exit
interface 0/2
exit
interface 0/3
vlan pvid 3
vlan participation include 3
exit
interface 0/4
vlan pvid 4
vlan participation include 4
exit
interface 0/5
exit
interface 0/6
exit
interface 0/7
exit
interface 0/8
exit
interface 0/9
exit
interface 0/10
exit
interface 0/11
exit
interface 0/12
exit
interface lag 1
exit
interface lag 2
exit
interface lag 3
exit
interface lag 4
exit
interface lag 5
exit
interface lag 6
exit
interface lag 7
exit
interface lag 8
exit
interface lag 9
exit
interface lag 10
exit
interface lag 11
exit
interface lag 12
exit
interface vlan 3
routing
ip address 192.168.3.250 255.255.255.0
exit
interface vlan 4
routing
ip address 192.168.4.250 255.255.255.0
exit
interface vlan 1
routing
ip address 192.168.1.250 255.255.255.0
exit
service dhcp
ip dhcp excluded-address 192.168.3.250 192.168.3.250
ip dhcp excluded-address 192.168.4.250 192.168.4.250
ip dhcp pool "VLAN 3"
lease infinite
dns-server 192.168.1.254
default-router 192.168.3.250
network 192.168.3.0 255.255.255.0
netbios-node-type b-node
exit
ip dhcp pool "VLAN 4"
lease infinite
dns-server 192.168.1.254
default-router 192.168.4.250
network 192.168.4.0 255.255.255.0
netbios-node-type b-node
exit
exit
0
 
LVL 26

Accepted Solution

by:
Soulja earned 500 total points
ID: 39797384
Are you absolutely sure the ATT router is in bridged mode? If not, you will need default routes to it and return routes to get back to your lan.
0
 

Author Comment

by:sdholden28
ID: 39797411
Bingo, that has to be it. The NVG510 doesn't have a "true" bridge mode. It's a giant pain in this area. You can get very close to bridge mode by setting it to "IP passthrough", but even then you have to limit its dhcp scope and place it on a different subnet to get it to work. So the att router is at 2.254, the netgear is at 1.254. What routes do I need, and will a default route on the m4100 work or will a static route need to be in place on the NVG510? I don't believe the NVG510 will do a static route so that may stop this in its tracks.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39797455
The outside interface of the netgear and the inside of the ATT router need to be in the same subnet. I am assuming the 1.254 is the netgear's inside interface, so you can make its outside interface 2.253 with the same subnet mask as the ATT. The ATT will have to have static routes to return traffic back to your internal vlans. I can't imagine it not having a setting for static routes.

All in all,

L3 switch default to Netgear, Netgear default to ATT. It almost seems like one of these routers is not needed.
0
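The default-route chain and return routes described in the answer above can be checked hop by hop. This is an added example, not part of the original thread: it assumes every hop routes without NAT, uses the Netgear outside address 192.168.2.253 suggested in the answer, and the host addresses and the "isp" label are constructed.

```python
import ipaddress

# Interface address -> device, using the addresses given in the thread.
# 192.168.2.253 is the Netgear outside address suggested in the answer.
OWNER = {"192.168.1.250": "m4100", "192.168.1.254": "netgear",
         "192.168.2.253": "netgear", "192.168.2.254": "att"}

def site(att_return_routes):
    """Routing tables for the three hops; 'isp' is a hypothetical upstream."""
    att = {"192.168.2.0/24": "connected", "0.0.0.0/0": "isp"}
    att.update({net: "192.168.2.253" for net in att_return_routes})
    return {
        "m4100": {"192.168.1.0/24": "connected", "192.168.3.0/24": "connected",
                  "192.168.4.0/24": "connected", "0.0.0.0/0": "192.168.1.254"},
        "netgear": {"192.168.1.0/24": "connected", "192.168.2.0/24": "connected",
                    "192.168.3.0/24": "192.168.1.250",
                    "192.168.4.0/24": "192.168.1.250",
                    "0.0.0.0/0": "192.168.2.254"},
        "att": att,
    }

def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None if no route matches."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), hop) for n, hop in table.items()
            if dst in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def walk(routers, start, dst, limit=8):
    """Follow next hops from `start`; return (where the packet ended, path)."""
    path, node = [start], start
    for _ in range(limit):
        hop = lookup(routers[node], dst)
        if hop is None or hop == "connected":
            return hop or "no route", path
        node = OWNER.get(hop, hop)
        path.append(node)
        if node not in routers:          # left the site
            return node, path
    return "loop", path

def check(host, routers):
    """(outbound reaches isp, reply reaches host's subnet, reply path)."""
    fwd, _ = walk(routers, "m4100", "8.8.8.8")
    ret, ret_path = walk(routers, "att", host)
    return fwd == "isp", ret == "connected", ret_path

if __name__ == "__main__":
    vlans = ["192.168.1.0/24", "192.168.3.0/24", "192.168.4.0/24"]
    for label, routers in (("no return routes", site([])), ("return routes", site(vlans))):
        for host in ("192.168.1.10", "192.168.3.10", "192.168.4.10"):  # constructed
            print(label, host, check(host, routers))
```

Without static routes on the AT&T device, the reply to an internal host matches only its default route and is sent back toward the ISP; with them it is handed to 192.168.2.253 and follows the Netgear's static routes to the M4100.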
 

Author Comment

by:sdholden28
ID: 39797526
You would be correct, except that the NVG510 does not support port forwarding very well, and does not support dynamic DNS at all, so for remote access, the netgear router was added. Don't underestimate the deficiencies of the NVG510 as it's really a residential device that AT&T is passing off to its business customers, and losing those customers quickly I might add.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39800318
Any update?
0
 

Author Comment

by:sdholden28
ID: 39825509
Sorry for the delay. You were spot on, Soulja, as I was able to make the setup work when connected to a cable modem, with no changes. Due to the client's location, the AT&T uverse is the only internet option available, so we must work with it. I'm going to attempt to set up multiple routers behind the uverse modem to create a solution. Thanks.
0
