April 12, 2014 at 12:38 pm #43917 - N00B (Member)
I just installed ZS in a lab setting for training purposes.
I have successfully created multiple VLANs that are trunked on the interface and passing traffic to a Tomato router that does the virtual wifi.
I can get DHCP from the ZS on each subnet via wifi.
Trying to pass traffic from one VLAN to another, I created a rule to allow from one VLAN to another, and another to allow established and related in the other direction.
Since I can’t get traffic across the VLANs, I was wondering if there is something I need to understand that I am missing.
What does it take for traffic to pass between vlans?
Regards

April 12, 2014 at 9:21 pm #53276 - redfive (Participant)
Hi, honestly, I have never had this kind of problem with inter-VLAN routing on ZS, and there are a lot of things which could interfere with the traffic’s flow, e.g. client isolation on APs/SSID? I would recommend enabling logging on the previously created rules, and then investigating these. Also, even though the default policy is drop, sometimes it is useful to add, as the last rule, a “drop-log” everything, for further analysis.
Regards

April 13, 2014 at 12:09 am #53277 - N00B (Member)
Thanks for your help redfive.
It would have been useful if I had a clear understanding of the architecture, but I have not been able to find entry level documentation.
I was able to achieve results after reading a few posts and understanding that the NAT table might have something to do with it.
By adding the interfaces to the “NAT Enabled Interfaces” list, traffic was flowing back and forth between VLANs since the default policy was “ACCEPT”. I had to restart at times, but after turning different things on and off, I was able to narrow it down to the NAT Enabled Interfaces. I had to add the 2 VLANs I needed to communicate to that list, then use the firewall’s FORWARD chain to control the traffic.
Thank you again for your help.

April 13, 2014 at 6:09 am #53278 - redfive (Participant)
Actually, I don’t know how your topology has been planned, but a basic idea could be: eth00, eth00.10 and eth00.20 internal LANs, eth01 WAN (connected, in some manner, to the internet). In this case, you’d have to put, in NAT enabled interfaces, only the eth01 interface. If you still have issues, try to describe your network topology and what you want to achieve.
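As an added illustration of the topology redfive describes (not code from the thread or from Zeroshell itself), the script below emits the iptables rule set that results from NAT-enabling only the WAN interface and controlling inter-VLAN traffic in the FORWARD chain, including the "drop-log everything" last rule. Interface names eth00.10, eth00.20 and eth01 come from the thread; everything else is assumed.

```shell
#!/bin/sh
# Added example: rule set for two internal VLANs and one WAN, with NAT only on the WAN.
# Assumed interface roles (from the thread): eth00.10 and eth00.20 internal, eth01 WAN.
LAN_A=eth00.10
LAN_B=eth00.20
WAN=eth01

# Emit the rules as commands rather than executing them, so the set can be reviewed
# (or piped to sh on the firewall) without touching a live box.
vlan_rules() {
    cat <<EOF
# NAT only on the WAN: traffic between the two VLANs is routed, not masqueraded,
# so the destination VLAN still sees the real source address in its logs.
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Default policy drop, as on Zeroshell.
iptables -P FORWARD DROP
# Reply packets for connections that were already accepted (covers the return direction).
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections are allowed from VLAN 10 to VLAN 20 only, not the other way round.
iptables -A FORWARD -i $LAN_A -o $LAN_B -m conntrack --ctstate NEW -j ACCEPT
# Both VLANs may reach the internet.
iptables -A FORWARD -i $LAN_A -o $WAN -j ACCEPT
iptables -A FORWARD -i $LAN_B -o $WAN -j ACCEPT
# Last rule: log (rate-limited) and drop whatever nothing above accepted.
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
iptables -A FORWARD -j DROP
EOF
}

# Count emitted rules matching a pattern; used to sanity-check the set before applying it.
count_rules() {
    vlan_rules | grep -c -- "$1"
}
```

With the rule set written this way, the check that no rule opens VLAN 20 towards VLAN 10 is a one-line grep on the output rather than a packet test after the fact.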