Wireless router and layer 2 smart switch = no internet.

Philsburry

New Around Here
Hello,

I am wondering if someone with routing/vlan/switch knowledge can assist.

My setup:

Synology RT1900AC wireless router
HP 1910 24port switch

- 3 vlans created on the switch. The switch takes care of the internal routing as I understand it.
10.3.2.0
10.3.6.0
10.3.8.0

- 1 static route created on the switch 0.0.0.0 / 0.0.0.0 / 10.3.2.1
There were multiple entries created when I created the vlan interfaces on the switch:
Destination IP   Mask               Protocol   Preference   Next Hop      Interface
0.0.0.0          0.0.0.0            Static     6            10.3.2.1      Vlan-interface2 (the one I added)
10.3.2.0         255.255.255.0      Direct     0            10.3.2.254    Vlan-interface2
10.3.2.254       255.255.255.255    Direct     0            127.0.0.1     InLoopBack0
10.3.6.0         255.255.255.0      Direct     0            10.3.6.254    Vlan-interface6
10.3.6.254       255.255.255.255    Direct     0            127.0.0.1     InLoopBack0
10.3.8.0         255.255.255.0      Direct     0            10.3.8.254    Vlan-interface8
10.3.8.254       255.255.255.255    Direct     0            127.0.0.1     InLoopBack0
127.0.0.0        255.0.0.0          Direct     0            127.0.0.1     InLoopBack0
127.0.0.1        255.255.255.255    Direct     0            127.0.0.1     InLoopBack0

- Static routes created on the router
network dest   netmask          gateway
10.3.8.0       255.255.255.0    10.3.2.254
10.3.6.0       255.255.255.0    10.3.2.254
10.3.2.0       255.255.255.0    10.3.2.254


I'm able to ping devices within the switch and to devices on the router, but I cannot ping the net (e.g. 8.8.8.8 Google DNS) from devices on the switch. I have a DC that performs the DNS forwarding that is on vlan 8. It was working with the old E3000 setup with Tomato, but it cannot resolve the forwarder IP now with this new setup.

Please let me know what other information I can provide that I have missed.

I'm fairly new to this, so please take it easy on me.

Thanks,
Philsburry
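
Added example (not part of the original post or of either poster's configuration): a longest-prefix-match lookup over the two routing tables posted above, showing which next hop the switch picks for an internet destination and whether the router's static routes give a return path. The host address 10.3.8.10 and the function names are assumptions made for illustration.

```python
import ipaddress

# Switch routing table as posted above (annotation and 127.x rows omitted).
SWITCH_TABLE = """\
0.0.0.0 0.0.0.0 Static 6 10.3.2.1 Vlan-interface2
10.3.2.0 255.255.255.0 Direct 0 10.3.2.254 Vlan-interface2
10.3.2.254 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
10.3.6.0 255.255.255.0 Direct 0 10.3.6.254 Vlan-interface6
10.3.6.254 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
10.3.8.0 255.255.255.0 Direct 0 10.3.8.254 Vlan-interface8
10.3.8.254 255.255.255.255 Direct 0 127.0.0.1 InLoopBack0
"""
# Router static routes as posted above: destination, netmask, gateway.
# The router's own connected and WAN default routes are not in the post,
# so they are not modelled here.
ROUTER_TABLE = """\
10.3.8.0 255.255.255.0 10.3.2.254
10.3.6.0 255.255.255.0 10.3.2.254
10.3.2.0 255.255.255.0 10.3.2.254
"""

def parse(table, hop_col):
    """Return [(network, next_hop)] from whitespace-separated rows."""
    routes = []
    for row in table.splitlines():
        f = row.split()
        net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
        routes.append((net, ipaddress.ip_address(f[hop_col])))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

SWITCH = parse(SWITCH_TABLE, 4)
ROUTER = parse(ROUTER_TABLE, 2)

def path_check(src, dst):
    """Next hop the switch uses towards dst, and the router's hop back to src."""
    fwd = lookup(SWITCH, dst)
    back = lookup(ROUTER, src)
    return (str(fwd[1]) if fwd else None, str(back[1]) if back else None)

if __name__ == "__main__":
    # 10.3.8.10 is a constructed host address on VLAN 8.
    print(path_check("10.3.8.10", "8.8.8.8"))
    # The /32 InLoopBack0 rows only match the switch's own interface addresses.
    print(lookup(SWITCH, "10.3.8.254"))
```

For a VLAN 8 host both lookups resolve (out via 10.3.2.1, back via 10.3.2.254), and the InLoopBack0 entries win only for the switch's own .254 addresses, so transit traffic is not matched by them.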
 
Your router network setup is wrong. Firstly do not route over loopback as you're doing more steps than necessary. Erase all the configs you have on your router.

Create 3 vlan interfaces. Give an IP address for each VLAN (this will be the gateway for each layer 3 segment). Connect each SSID to each vlan interface. Between the switch and the router use active vlans. Between the vlans and the SSIDs use passive VLANs. Unless you use active vlan config for your clients you will need 3 SSIDs for the usual zero configuration. Set up DHCP for each of the IP networks.

Switch doesn't take care of internal routing because your main network is the router itself not the switch. If your switch is layer 3 you will see an IP routing config section which you can use to route within the switch itself.

Now for both the switch and the router if you want inter routing so the 3 networks can talk to each other you have to do this for every network to talk to every network you want. This means you have to set up a route between network A and network B, network B and network A. Only some routers require this configured but it may not be likely but your switch will need this configured.

For example:
Dest Network A src Network B gateway Switch/gateway B
Dest Network B src Network A gateway Switch/gateway A

On the switch you will need this:
dest 0.0.0.0/0 src Network A gateway A
dest 0.0.0.0/0 src Network B gateway B
...

where A, B and C are your router's IP addresses.
Essentially you want the packets to go straight to their network rather than going through loopback. Going through loopback is dangerous as you may end up filling up your CPU bus and making proper firewall protection and configs difficult.

This is just to allow communication between 2 layer 3 networks. You want the routing to be done as close as possible so it is best for both the router and switch to perform routing rather than over the 1 Gb/s wire between the router and switch.

To check, have 2 devices connected through wifi on different SSIDs and have them talk to each other, monitor the traffic on the ethernet interface to see if any traffic goes through. Do the same for the switch.
 
Hi SEM, thanks for your prompt response. I have some comments/questions:

Your router network setup is wrong. Firstly do not route over loopback as you're doing more steps than necessary. Erase all the configs you have on your router.

I'm not sure what you mean by 'route over loopback'. Did you mean don't create the static routes on the router to point to the .254 addresses?


Create 3 vlan interfaces. Give an IP address for each VLAN (this will be the gateway for each layer 3 segment). Connect each SSID to each vlan interface. Between the switch and the router use active vlans. Between the vlans and the SSIDs use passive VLANs. Unless you use active vlan config for your clients you will need 3 SSIDs for the usual zero configuration. Set up DHCP for each of the IP networks.

I don't have the ability to create vlan interfaces on the wireless gateway router. I only saw that option on the HP1910 switch. (Did you mean the static routes?)


Switch doesn't take care of internal routing because your main network is the router itself not the switch. If your switch is layer 3 you will see an IP routing config section which you can use to route within the switch itself.

It's a layer 2 'smart' switch. It has the ability to create static routes only. Before I connected the switch to the wireless gateway router, I was able to communicate between the subnets. The only thing I did to achieve this was to create the vlans, and the vlan interfaces on the switch.


Now for both the switch and the router if you want inter routing so the 3 networks can talk to each other you have to do this for every network to talk to every network you want. This means you have to set up a route between network A and network B, network B and network A. Only some routers require this configured but it may not be likely but your switch will need this configured.

For example:
Dest Network A src Network B gateway Switch/gateway B
Dest Network B src Network A gateway Switch/gateway A

On the switch you will need this:
dest 0.0.0.0/0 src Network A gateway A
dest 0.0.0.0/0 src Network B gateway B
...

On the switch, after I create the Vlans, and vlan interfaces, I am able to communicate between the 3 subnets. I just can't reach the internet.


Essentially you want the packets to go straight to their network rather than going through loopback. Going through loopback is dangerous as you may end up filling up your CPU bus and making proper firewall protection and configs difficult.

The loopbacks were created automatically when I created the vlan interfaces on the switch. There's no option to remove them.

I just want to give the PCs on the switch access to the internet as they currently are able to communicate between each other on the switch. This is the part that's giving me grief.

Thx,
Philsburry
 
Thanks for letting me know what the Synology router can or can't do. They're actually new into the router world.

So with your current config (which isn't optimal) your devices can communicate but can't access the internet. Can your PCs which are on different subnets communicate with each other?
Between the router and the switch do you use active VLANs? On the switch itself just follow my advice on the static routes as it may be lacking the 0.0.0.0/0 config which means all IP addresses. Make sure the distance is higher than your LAN routes.
 
If I plug this PC into the switch, I can access my servers/nas/other PCs on the network. (But just can't get the net.) :(

Can you explain what you mean by Active VLANs?

On the switch I have the following created when I created the vlan interfaces:

Destination IP Address   Mask               Protocol   Preference   Next Hop      Interface
0.0.0.0                  0.0.0.0            Static     4            10.3.2.1      Vlan-interface2
< this is the only entry that I made. The 10.3.2.1 is the router IP on the LAN side.

The following below were created when I created the Vlan interfaces:

10.3.2.0                 255.255.255.0      Direct     0            10.3.2.254    Vlan-interface2
10.3.2.254               255.255.255.255    Direct     0            127.0.0.1     InLoopBack0
10.3.6.0                 255.255.255.0      Direct     0            10.3.6.254    Vlan-interface6
10.3.6.254               255.255.255.255    Direct     0            127.0.0.1     InLoopBack0
10.3.8.0                 255.255.255.0      Direct     0            10.3.8.254    Vlan-interface8
10.3.8.254               255.255.255.255    Direct     0            127.0.0.1     InLoopBack0
127.0.0.0                255.0.0.0          Direct     0            127.0.0.1     InLoopBack0
127.0.0.1                255.255.255.255    Direct     0            127.0.0.1     InLoopBack0
 
Sorry, I mean tagged vlans. It may be your router is fine and you have to enter the entries into your switch correctly. If you were to use the PCs on the router itself (ethernet) do you still get the same problem?
 
No, no issues when I'm connected directly to the wireless router ethernet port.

I do have vlan tagging, but it's all on the switch side. The wireless router does not have that ability to assign vlans. (Well...it does, but it's for the ISP and IPTV/VOIP).

On the previous wireless router, I had all this working. The only difference now is that I have a different wireless router.

With the old wireless router (Linksys E3000 / tomato firmware), I was able to set one of the ports to vlan 2 and all traffic from the switch was able to reach the internet also the internal network.
 
Yeah, without some form of STP and bonding it generally isn't recommended. But Synology still hasn't broken from consumer router features yet so not much you can do. If you got a router like Ubiquiti, MikroTik or even built x86 it would be much easier. Some of those non consumer wifi APs have VLAN capability too making it much easier to perform segmentation. It's not necessary to buy them as OpenWrt has a nice GUI for configuring zones and segmentation and the same capability.
 
Update: I went ahead and purchased the Netgear R7000 today. The issues I had are resolved now after upgrading to TomatoARM from Shibby.

One thing though after upgrading to the Tomato firmware, the WAN to LAN speed is lower. I was able to get 600mbps +, now I'm only getting an average of 300 +/- 10%.

Anyone have some info about that? I've tried searching the net, but was not able to find any solutions.

TIA,
Philsburry.
 
Going back to the original problem - sit down and write out the intended design on a notepad... you'll see the problem perhaps. A likely reason not to do it will result.

Only use VLANs as a necessity - as they will complicate your setup and cause all sorts of issues with debug if they're not done right - and for most folks they shouldn't do it because they "can" - should only do it because they "must" - needs vs. wants after all...

VLANs are a black box for the average Joe - no matter how much cut/paste and googling to sort it out.

Keep it simple, and build it up from a baseline... take it from me, been there/done that...
 
sfx2000, I appreciate your input. I understand most ppl do not require vlans, but for my case I do as I'm running a test domain environment.

It's funny that you mention putting things down on paper, as I'm doing that right now to see where I've messed up.

(Keep it simple, and build it up from a baseline... take it from me, been there/done that...)
- Understood, will do try. :)

Thanks,
Philsburry
 
Insight from one of my managers, years back - going into his meeting - better bring a notebook -

Memory fails when you need it...
 
