Allow PC (s) in VLAN2 access to Internet in VLAN1


This topic contains 18 replies, has 0 voices, and was last updated by  rpottersr 6 years ago.

Viewing 15 posts - 1 through 15 (of 20 total)
    #43293

    rpottersr
    Member

    Good Evening,

    I have a Catalyst 2960 already set up correctly with the VLANs and trunking on Gig0/2, which goes to a laptop with one LAN card, ETH00.

    I have set up the VLAN routes in the laptop using ZeroShell, with the correct IP address for each LAN interface.

    I can ping some PCs in VLAN1 from a PC in VLAN2, but cannot access or ping the internet from the PC in VLAN2.

    Could someone please help me with what I'm supposed to do to allow internet access to PCs in VLAN2.

    Thanx.

    #52224

    redfive
    Participant

    ZS works perfectly in a physical and logical topology with the Catalyst 2960. I'm using almost the same, and I haven't had any problems with VLANs and trunking. But more info is needed about your config, e.g. IP addresses, firewall rules, NAT, default gateway... How do you connect to the internet? A 3G modem? Is an access port of your Catalyst a member of VLAN1 and connected to a modem/router? Does ZS act as default gateway only for hosts on VLAN 2, or for hosts on both VLANs 1/2?

    #52225

    rpottersr
    Member

    Thanks for the response redfive.

    Currently I'm connecting to the Internet through my web server, which also provides DHCP to the rest of the network. Eth0 on the server is connected to Fa0/1 on the 2960, and Eth1 is connected to a DSL modem with a static IP from the ISP.

    I think my problem is I don't know what firewall rules I'm supposed to set up.

    Server IP 192.168.194.1 (default gw for all PCs)
    VLAN 1 IP 192.168.194.10/24
    VLAN 2 IP 192.168.20.10/24

    The PC that I have ZS running on has IP 192.168.194.200 on ETH00, and the IP on ETH00.2 is 192.168.20.1.

    Hope this is info you were looking for…

    #52226

    redfive
    Participant

    I'm a bit confused... where did you set the IP addresses 192.168.194.10/24 (VLAN 1) and 192.168.20.10/24 (VLAN 2)? (It seems, but maybe I'm wrong, on the interface vlan of the Catalyst... 🙂 🙂 ) Were the VLANs created before adding ZeroShell to your network? I suppose that you already have some hosts in the 192.168.194.0/24 network, and their default gateway (as well as their DHCP server) is 192.168.194.1... who is the DHCP server and default gateway for the hosts that are members of VLAN2? (As far as I know, on a ZeroShell machine it is not possible to implement something like the Cisco command "ip helper-address".) But overall, how would you like to configure your network?

    #52227

    rpottersr
    Member

    Yes the IPs are on the VLAN interfaces.

    There is no DHCP server for members of VLAN2; from what I have read so far I can set up PCs with static addresses pointed back to the PC that handles routing for the VLANs. So if it can be done, I would like to be able to give the PCs on VLAN2 access to the internet but not allow them to access PCs on VLAN1.

    So far, with the routing of the VLANs, I'm able to ping a couple of addresses on VLAN1 from a PC that is on VLAN2, but I'm not able to ping any web addresses, for example google.com.

    The ZS routing table looks something like this:

    192.168.20.0/24 ETH00 VLAN 2
    192.168.194.0/24 ETH00
    Default GW 192.168.194.1

    #52228

    redfive
    Participant

    On the Catalyst, the interface vlan is needed only for management purposes (telnet, ssh, ...), just as the default gateway is needed for remote management (from different networks).
    btw, a very fast solution (not the best one): on the ZeroShell, Router, NAT, NAT-enabled interfaces, ETH00. In Firewall, FORWARD chain, 1st rule:

    in ETH00.2 out ETH00 proto all s. ip 192.168.20.0/24 d. ip 192.168.194.0/24 action DROP

    The default gateway for PCs in VLAN2 is 192.168.20.1.
    You should be able to ping the internet and surf the web, but not connect to any PC/host in VLAN1.
    But this is a very basic config (just to try), using the existing topology; I would suggest you something a bit different...
    P.S. sorry for my English

    #52229

    rpottersr
    Member

    Ok, did that but still unable to ping the internet.

    When I ping google.com – I get unknown host response.

    I removed the ip address from vlan 2 and still get the same results.

    You stated that you would suggest something a bit different; I'm open to any suggestions right now.

    #52230

    redfive
    Participant

    Could you post the output of the sh run command on the Catalyst?

    #52231

    rpottersr
    Member

    CPIFL#sh run
    Building configuration…

    Current configuration : 5326 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname CPIFL
    !
    enable secret 5 $1$fOiB$idZ1BL8xulIPY2qJRpuZh1
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    mls qos srr-queue input bandwidth 90 10
    mls qos srr-queue input threshold 1 8 16
    mls qos srr-queue input threshold 2 34 66
    mls qos srr-queue input buffers 67 33
    mls qos srr-queue input cos-map queue 1 threshold 2 1
    mls qos srr-queue input cos-map queue 1 threshold 3 0
    mls qos srr-queue input cos-map queue 2 threshold 1 2
    mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
    mls qos srr-queue input cos-map queue 2 threshold 3 3 5
    mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
    mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
    mls qos srr-queue input dscp-map queue 1 threshold 3 32
    mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
    mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
    mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
    mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
    mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
    mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
    mls qos srr-queue output cos-map queue 1 threshold 3 5
    mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
    mls qos srr-queue output cos-map queue 3 threshold 3 2 4
    mls qos srr-queue output cos-map queue 4 threshold 2 1
    mls qos srr-queue output cos-map queue 4 threshold 3 0
    mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
    mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
    mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
    mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
    mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
    mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
    mls qos srr-queue output dscp-map queue 4 threshold 1 8
    mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
    mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
    mls qos queue-set output 1 threshold 1 138 138 92 138
    mls qos queue-set output 1 threshold 2 138 138 92 400
    mls qos queue-set output 1 threshold 3 36 77 100 318
    mls qos queue-set output 1 threshold 4 20 50 67 400
    mls qos queue-set output 2 threshold 1 149 149 100 149
    mls qos queue-set output 2 threshold 2 118 118 100 235
    mls qos queue-set output 2 threshold 3 41 68 100 272
    mls qos queue-set output 2 threshold 4 42 72 100 242
    mls qos queue-set output 1 buffers 10 10 26 54
    mls qos queue-set output 2 buffers 16 6 17 61
    mls qos
    !
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0/1
    description SME-Srvr
    !
    interface FastEthernet0/2
    description WRT54G
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
    description TVPC
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    description Dell Dock
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    description On Demand
    !
    interface FastEthernet0/13
    description Garage 1
    switchport access vlan 2
    !
    interface FastEthernet0/14
    description Garage 2
    switchport access vlan 2
    !
    interface FastEthernet0/15
    description Garage WiFi
    switchport access vlan 2
    !
    interface FastEthernet0/16
    description Dad’s PC
    !
    interface FastEthernet0/17
    shutdown
    !
    interface FastEthernet0/18
    shutdown
    !
    interface FastEthernet0/19
    shutdown
    !
    interface FastEthernet0/20
    shutdown
    !
    interface FastEthernet0/21
    shutdown
    !
    interface FastEthernet0/22
    shutdown
    !
    interface FastEthernet0/23
    shutdown
    !
    interface FastEthernet0/24
    shutdown
    !
    interface FastEthernet0/25
    !
    interface FastEthernet0/26
    shutdown
    !
    interface FastEthernet0/27
    shutdown
    !
    interface FastEthernet0/28
    shutdown
    !
    interface FastEthernet0/29
    shutdown
    !
    interface FastEthernet0/30
    description VOIP Srvr
    !
    interface FastEthernet0/31
    shutdown
    !
    interface FastEthernet0/32
    shutdown
    !
    interface FastEthernet0/33
    shutdown
    !
    interface FastEthernet0/34
    shutdown
    !
    interface FastEthernet0/35
    shutdown
    !
    interface FastEthernet0/36
    shutdown
    !
    interface FastEthernet0/37
    shutdown
    !
    interface FastEthernet0/38
    shutdown
    !
    interface FastEthernet0/39
    shutdown
    !
    interface FastEthernet0/40
    shutdown
    !
    interface FastEthernet0/41
    shutdown
    !
    interface FastEthernet0/42
    shutdown
    !
    interface FastEthernet0/43
    shutdown
    !
    interface FastEthernet0/44
    shutdown
    !
    interface FastEthernet0/45
    shutdown
    !
    interface FastEthernet0/46
    shutdown
    !
    interface FastEthernet0/47
    shutdown
    !
    interface FastEthernet0/48
    shutdown
    !
    interface GigabitEthernet0/1
    shutdown
    !
    interface GigabitEthernet0/2
    description Trunk
    switchport mode trunk
    !
    interface Vlan1
    ip address 192.168.194.10 255.255.255.0
    no ip route-cache
    !
    interface Vlan2
    no ip address
    no ip route-cache
    !
    ip default-gateway 192.168.194.1
    ip http server
    !
    control-plane
    !
    !
    line con 0
    line vty 0 4
    login
    length 0
    line vty 5 15
    login
    !
    end

    #52232

    redfive
    Participant

    Did you set, in the ZeroShell, the default GW as 192.168.194.1? I've just tried a config like yours, but instead of a PC I used an ALIX board, and the 2960 with a soft config:
    int range fa0/1 - 10: switchport mode access, switchport access vlan 1, spanning-tree portfast
    int range fa0/11 - 24: switchport mode access, switchport access vlan 2, spanning-tree portfast
    int gi0/1: switchport mode trunk
    On fa0/1 is linked my router connected to the internet (192.168.194.1); from fa0/2 to fa0/10 some hosts, members of the internal network (192.168.194.0/24); on gi0/1 is linked the ZeroShell (ETH00, 192.168.194.2 and ETH00.2, 192.168.20.1). I enabled DHCP on ETH00.2 in ZeroShell, enabled NAT on ETH00, and set the default router as 192.168.194.1.
    FW policy all default; only added, in the FORWARD chain:
    in ETH00.2 out ETH00 proto all s. ip 192.168.20.0/24 d. ip 192.168.194.0/24 action DROP

    Then I connected a laptop to a VLAN2 port of the Catalyst, I obtained the correct IP address from the ZeroShell, and I'm able to surf and ping the internet, but have no access to VLAN 1.

    EDIT..

    #52233

    rpottersr
    Member

    Thank you Redfive 😀 , that’s exactly what I was looking for. It works perfectly.

    #52234

    rpottersr
    Member

    Hey Redfive, or anyone that reads this. Everything has been working fine and I decided to add a couple more VLANs: one for a test lab and one for VoIP sometime in the future.

    The problem that I’m having now is that I can ping the gateway of VLAN2 (192.168.20.1), but I’m unable to ping the gateways of VLAN3 (192.168.2.1) and VLAN4 (192.168.40.1).

    Both VLAN3 and VLAN4 have DHCP enabled with those gateways. When I hook a computer up to either of those VLANs it gets internet access with no problems and cannot access VLAN1.

    If I'm able to ping the gateway of VLAN2, why can't I ping the gateways of the other VLANs?

    Very confusing, any help would be much appreciated.

    #52235

    redfive
    Participant

    Hi rpottersr, how are you? Hope you're fine!! btw, I haven't clearly understood what the problem is... a host attached to a switchport (e.g. a member of VLAN 3) can surf the web but not ping its default gateway?
    With the FW rule posted above, only traffic from ETH00.2 directed to ETH00 should be denied, but all the rest of the traffic should be allowed (since the default policy is ACCEPT... or was it changed??).
    Did you make any change in the FW rules? Could you briefly describe your topology, IP addresses, firewall rules and, most important, the result you would like to obtain?
    greetings

    #52236

    rpottersr
    Member

    @redfive wrote:

    Hi rpottersr, how are you? Hope you're fine!! btw, I haven't clearly understood what the problem is... a host attached to a switchport (e.g. a member of VLAN 3) can surf the web but not ping its default gateway?
    With the FW rule posted above, only traffic from ETH00.2 directed to ETH00 should be denied, but all the rest of the traffic should be allowed (since the default policy is ACCEPT... or was it changed??).
    Did you make any change in the FW rules? Could you briefly describe your topology, IP addresses, firewall rules and, most important, the result you would like to obtain?
    greetings

    Everything is good, thank you for asking.

    The FW rules that are currently set up are as follows:

    FW policy all default; only added, in the FORWARD chain:
    in ETH00.2 out ETH00 proto all s. ip 192.168.20.0/24 d. ip 192.168.194.0/24 action DROP

    in ETH00.3 out ETH00 proto all s. ip 192.168.2.0/24 d. ip 192.168.194.0/24 action DROP

    in ETH00.4 out ETH00 proto all s. ip 192.168.40.0/24 d. ip 192.168.194.0/24 action DROP

    The three VLANs listed above can access the internet but cannot access VLAN1. Plus, the computers on each VLAN can talk to each other within their own segment without any issues.

    I think what I want to do is be able to access a computer on one of the other VLANs from VLAN1. Is this possible?

    #52237

    redfive
    Participant

    Of course... Add, as the first rule in the FORWARD chain: Input *, Output ETH00, s.ip *, dest.ip 192.168.194.0/24, state RELATED,ESTABLISHED, action ACCEPT.
    This is the first step in setting up a stateful firewall. Try and post the result.
    bye
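As an added example (not code from the thread, and not ZeroShell's own implementation), the following Python simulates the ZeroShell FORWARD chain from the two rule sets discussed above: the per-VLAN DROP rules towards 192.168.194.0/24 that redfive posted first, and the RELATED,ESTABLISHED ACCEPT he asks to be placed as the first rule in the last post. Interface names and subnets follow what rpottersr posted; the host addresses (192.168.194.5, 192.168.20.50, 198.51.100.10) are constructed, and the connection tracker is deliberately simplified (no ports, no RELATED state). It shows why VLAN1 could reach VLAN2 hosts only once the stateful rule sits in front of the DROP rules: the reply packets from VLAN2 otherwise match the DROP rule.

```python
"""Simulated ZeroShell FORWARD chain with a minimal connection tracker.
Added example, not from the thread or ZeroShell. Interfaces and subnets
are taken from the thread; host addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Routing table as rpottersr described it (assumed from the thread). Anything
# not in a local subnet leaves via ETH00 towards the 192.168.194.1 gateway.
ROUTES = {
    "192.168.194.0/24": "ETH00",   # VLAN1, also the path to the internet
    "192.168.20.0/24": "ETH00.2",  # VLAN2
    "192.168.2.0/24": "ETH00.3",   # VLAN3
    "192.168.40.0/24": "ETH00.4",  # VLAN4
}
DEFAULT_IF = "ETH00"
VLAN1 = "192.168.194.0/24"


def iface_for(addr: str) -> str:
    """Interface an address is reached through (the subnets do not overlap)."""
    ip = ip_address(addr)
    for cidr, iface in ROUTES.items():
        if ip in ip_network(cidr):
            return iface
    return DEFAULT_IF


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"

    @property
    def in_if(self) -> str:   # arrives on the interface where src lives
        return iface_for(self.src)

    @property
    def out_if(self) -> str:  # leaves on the interface where dst lives
        return iface_for(self.dst)


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule in ZeroShell's Input/Output/src/dst/state/action form."""
    action: str
    in_if: str = "*"
    out_if: str = "*"
    src: str = "*"
    dst: str = "*"
    proto: str = "all"
    states: frozenset = frozenset()  # empty = match regardless of state

    def matches(self, pkt: Packet, state: str) -> bool:
        return (
            self.in_if in ("*", pkt.in_if)
            and self.out_if in ("*", pkt.out_if)
            and (self.src == "*" or ip_address(pkt.src) in ip_network(self.src))
            and (self.dst == "*" or ip_address(pkt.dst) in ip_network(self.dst))
            and self.proto in ("all", pkt.proto)
            and (not self.states or state in self.states)
        )


class ForwardChain:
    """First matching rule decides; otherwise the chain policy applies."""

    def __init__(self, rules, policy: str = "ACCEPT"):
        self.rules = list(rules)
        self.policy = policy
        self._flows = set()  # (initiator, responder, proto) of accepted flows

    def _state(self, pkt: Packet) -> str:
        # Simplified conntrack: no ports, and RELATED is never generated.
        fwd = (pkt.src, pkt.dst, pkt.proto)
        rev = (pkt.dst, pkt.src, pkt.proto)
        return "ESTABLISHED" if fwd in self._flows or rev in self._flows else "NEW"

    def forward(self, pkt: Packet) -> str:
        state = self._state(pkt)
        verdict = self.policy
        for rule in self.rules:
            if rule.matches(pkt, state):
                verdict = rule.action
                break
        if verdict == "ACCEPT" and state == "NEW":
            self._flows.add((pkt.src, pkt.dst, pkt.proto))
        return verdict


def drop_to_vlan1(iface: str, cidr: str) -> Rule:
    return Rule("DROP", in_if=iface, out_if="ETH00", src=cidr, dst=VLAN1)


# The three DROP rules rpottersr listed, in the order he listed them.
ISOLATION = [
    drop_to_vlan1("ETH00.2", "192.168.20.0/24"),
    drop_to_vlan1("ETH00.3", "192.168.2.0/24"),
    drop_to_vlan1("ETH00.4", "192.168.40.0/24"),
]
# redfive's final rule: Input *, Output ETH00, dest 192.168.194.0/24,
# state RELATED,ESTABLISHED, action ACCEPT.
STATEFUL_ACCEPT = Rule("ACCEPT", out_if="ETH00", dst=VLAN1,
                       states=frozenset({"RELATED", "ESTABLISHED"}))


def run_scenario(rules) -> dict:
    """Replay VLAN2 -> internet, VLAN2 -> VLAN1, VLAN1 -> VLAN2 and its reply."""
    chain = ForwardChain(rules)
    lan1, lan2, inet = "192.168.194.5", "192.168.20.50", "198.51.100.10"  # constructed
    return {
        "vlan2_to_internet": chain.forward(Packet(lan2, inet)),
        "vlan2_to_vlan1": chain.forward(Packet(lan2, lan1)),
        "vlan1_to_vlan2": chain.forward(Packet(lan1, lan2)),
        "vlan2_reply_to_vlan1": chain.forward(Packet(lan2, lan1)),
    }


if __name__ == "__main__":
    for label, rules in [("DROP rules only", ISOLATION),
                         ("stateful ACCEPT first", [STATEFUL_ACCEPT] + ISOLATION),
                         ("stateful ACCEPT last", ISOLATION + [STATEFUL_ACCEPT])]:
        print(f"{label}: {run_scenario(rules)}")
```

With the DROP rules alone, a session started from VLAN1 is accepted on the way out but its reply from VLAN2 is dropped, which is the symptom behind the "access a computer on one of the other VLANs from VLAN1" question; with the stateful ACCEPT as the first rule the reply is accepted while a fresh VLAN2-originated connection to VLAN1 is still dropped, and with the same rule placed after the DROP rules nothing changes, because ZeroShell's chain (iptables underneath) stops at the first terminating match.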
