
I want to set up multiple VLANs in order to be able to isolate different types of devices from each other. More specifically, I want to restrict what Wi-Fi devices can see when exploring the network: for instance they can access the reverse proxy through HTTP, but they shouldn't be able to access the syslog server or sniff SNMP v1/v2 traffic, nor should they know that there is a syslog server or SNMP traffic in the first place.

I'm using Netgear ProSafe smart switches to set up the VLANs. I've:

  1. Created the VLAN 6 for testing purposes.
  2. Set the corresponding switch port to the PVID 6.
  3. Marked the VLAN membership for this port as untagged.
  4. Ensured “Admit all” acceptable frame types is set for all devices for now. According to the documentation, this means that “Untagged and priority tagged frames received on the port are accepted and assigned the value of the Port VLAN ID for this port.”
  5. Set VLAN 6 routing IP address and mask to 192.168.252.1/24.
  6. Ensured the switch is set to run in routing mode.
  7. Reconfigured /etc/network/interfaces of the test machines.

Here's a simplified view of the network:

A network diagram showing two machines on two VLANs.

I was expecting to be able to communicate between test2 and test1, but this is not the case. Currently:

  • test2:~ ping 192.168.252.1 works.
  • test2:~ ping 8.8.8.8 doesn't, nor does ping 192.168.1.5 or ping 192.168.1.1 or ping 192.168.1.3.
  • test1:~ ping 192.168.252.2 doesn't work.
  • test2:~ nc -u 192.168.1.5 53 works (if 192.168.1.5 is in listening mode with nc -ul 53).
  • test1:~ nc -u 192.168.252.2 doesn't work.
  • nc in TCP mode doesn't work in either direction.

The routing table displayed by the switch lists both VLANs in the list of learned routes, indicating the correct VLAN for each route. The same switch displays the ARP cache which contains the correct MAC addresses of all four machines.

What additional things should I do for inter-VLAN communication?

Arseni Mourzenko
  • You need inter-VLAN routing... so you need a router. – joeqwerty Dec 12 '20 at 19:41
  • @joeqwerty: are you sure? I was under impression that the switch itself is so smart, that it has a capability to route packets between VLANs. I thought that because (1) there is a lot of features which are beyond the ones someone would expect from a switch (such as ACLs to act as a firewall, for instance), and (2) a bunch of resources ([example](https://serverfault.com/q/274033/39827)) seemed to give a hint that no dedicated router is needed (the author is using, by the way, the exact same switch model I have). – Arseni Mourzenko Dec 12 '20 at 20:39
  • If the Netgear ProSafe can act as a L3 router, then you need to configure it properly. – Tero Kilkanen Dec 12 '20 at 21:06
  • Regardless of which features are available, they need to be configured. If the switch has routing capability then you need to configure it to do so. Routing doesn't just happen. – joeqwerty Dec 12 '20 at 21:57
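The symptom list above (one-shot `nc -u` from test2 to test1 delivers, but ping and TCP fail in both directions) is worth reasoning through explicitly, because ping and any TCP handshake need a working path in both directions while a single UDP datagram only needs the forward one. One common cause of exactly this pattern, consistent with the comments that routing has to be configured rather than assumed, is a missing return route: the host on the other VLAN, or the gateway it points at, has no route back to the new subnet. The following Python script is an added example, not part of the question or the answer, and it models a hypothetical version of the topology: it assumes the switch holds the VLAN 1 SVI at 192.168.1.3 and the VLAN 6 SVI at 192.168.252.1, that 192.168.1.1 is a separate upstream router that knows nothing about VLAN 6, and that test1 still uses that router as its default gateway. Which box actually owns which of those addresses is not stated on the page. The `Node`, `trace`, `reachability` and `build` names are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    """A host or L3 device: its connected addresses plus static/default routes."""
    name: str
    addresses: list                                  # e.g. ["192.168.252.2/24"]
    routes: dict = field(default_factory=dict)       # "prefix" -> next-hop IP; "0.0.0.0/0" is the default route

    def owns(self, ip):
        return any(ipaddress.ip_interface(a).ip == ip for a in self.addresses)

    def next_hop(self, dst):
        """Longest-prefix match: a connected subnet wins, otherwise the most specific static/default route."""
        if any(dst in ipaddress.ip_interface(a).network for a in self.addresses):
            return "direct"
        best = None
        for prefix, gw in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ipaddress.ip_address(gw))
        return best[1] if best else None


def trace(src, dst_ip, nodes, max_hops=8):
    """Follow one packet hop by hop. Returns (delivered, list of node names visited)."""
    dst = ipaddress.ip_address(dst_ip)
    by_ip = {ipaddress.ip_interface(a).ip: n for n in nodes for a in n.addresses}
    cur, path = src, [src.name]
    for _ in range(max_hops):
        if cur.owns(dst):
            return True, path
        hop = cur.next_hop(dst)
        if hop is None:                              # no matching route: dropped at this node
            return False, path
        nxt = by_ip.get(dst if isinstance(hop, str) else hop)
        if nxt is None:                              # next hop is outside the modelled network (e.g. the ISP side)
            return False, path
        cur = nxt
        path.append(cur.name)
    return False, path


def reachability(nodes, a_ip, b_ip):
    """Check both directions between two addresses, which is what ping and a TCP handshake need."""
    by_ip = {ipaddress.ip_interface(x).ip: n for n in nodes for x in n.addresses}
    a = by_ip[ipaddress.ip_address(a_ip)]
    b = by_ip[ipaddress.ip_address(b_ip)]
    f_ok, f_path = trace(a, b_ip, nodes)
    r_ok, r_path = trace(b, a_ip, nodes)
    return {"forward": f_ok, "forward_path": f_path, "return": r_ok, "return_path": r_path}


def build(fix=None):
    """Constructed topology; which box holds 192.168.1.1 and 192.168.1.3 is an assumption of this example."""
    switch = Node("switch", ["192.168.1.3/24", "192.168.252.1/24"])             # SVIs on VLAN 1 and VLAN 6
    router = Node("router", ["192.168.1.1/24"], {"0.0.0.0/0": "203.0.113.1"})   # upstream gateway, knows nothing of VLAN 6
    test1 = Node("test1", ["192.168.1.5/24"], {"0.0.0.0/0": "192.168.1.1"})     # VLAN 1 host still pointing at the router
    test2 = Node("test2", ["192.168.252.2/24"], {"0.0.0.0/0": "192.168.252.1"}) # VLAN 6 host pointing at the switch SVI
    if fix == "router-static-route":
        router.routes["192.168.252.0/24"] = "192.168.1.3"   # router learns where VLAN 6 lives
    elif fix == "host-gateway-on-switch":
        test1.routes["0.0.0.0/0"] = "192.168.1.3"           # VLAN 1 host uses the switch as its gateway
    return [switch, router, test1, test2]


if __name__ == "__main__":
    for fix in (None, "router-static-route", "host-gateway-on-switch"):
        r = reachability(build(fix), "192.168.252.2", "192.168.1.5")
        verdict = "ping/TCP work" if r["forward"] and r["return"] else "one-way only: nc -u delivers, ping fails"
        print(f"{fix or 'as described':24} fwd={r['forward_path']} ret={r['return_path']} -> {verdict}")
```

In the unfixed topology the forward packet goes test2 → switch → test1, but the reply goes test1 → router and leaves toward the upstream side, which is exactly the "UDP arrives, ping fails" shape. Either giving the router a static route for 192.168.252.0/24 via the switch's VLAN 1 address, or pointing the VLAN 1 host's default gateway at the switch, makes both directions pass. The same model is also a useful sanity check for the isolation goal in the question: once both paths exist, the Wi-Fi VLAN can reach every routed subnet, so restricting it to the reverse proxy's HTTP port is a separate filtering step on the L3 device, not something VLAN membership provides by itself.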

1 Answer


It seems that the problem was not the configuration, but something special about VLAN 1 (which is the reserved VLAN, used by default).

In fact, I added a third machine test3 and did some tests. It appears that when I put this third machine on a third VLAN, I can exchange UDP packets between it and test2 (situated on VLAN 6), but I have the exact same problems between test3 and test1 that I had earlier between test2 and test3.

Diagram showing that VLAN 6 - VLAN 7 communication works, but VLAN 1 doesn't

The solution is therefore to simply move all machines from VLAN 1 to some other VLAN.

Arseni Mourzenko