Help with Layer 3 Switch Setup

[thedroid]

I am trying to apply info in the tutorial and examples from http://www.smallnetbuilder.com/lanwan/lanwan-howto/32098-how-to-use-a-layer-3-switch-in-a-small-network

My hardware is different utilizing a SmartRG 500N as the gateway and an ASUS N-16 running tomato USB as a layer 3 switch. The ASUS has been put in router mode and the wireless has been disabled.

I thought that I had a grasp of it, but things are not working. A tracert on 4.2.2.2 from one of the VLANS on the ASUS get me as far as my isp modem (192.168.1.1) but no further. Doing a tracert from a port on the ISP modem works as expected however.

Configuration and settings screenshots are the links below (sorry can seem to inline images)


Any help would be much appreciated.


Layout
Lan/Wan Settings on ASUS
VLAN Settings on ASUS
Static Routing On ASUS

SETTINGS
MODEM - SMARTRG SR500N
IP - 192.168.1.1

Static Routing
4 192.168.10.0/24 192.168.1.254 br0(LAN)
4 192.168.11.0/24 192.168.1.254 br0(LAN)


ROUTER - ASUS RT-16N, TOMATOUSB, SHIBLY 117, WIRELESS AND WAN PORT DISABLED
LAN SETTINGS
br0 192.168.0.254 - 255.255.255.0 dhcp DISABLED
br1 192.168.10.254 - 255.255.255.0 dhcp ENABLED (192.168.10.1 - 253)
br2 192.168.11.254 - 255.255.255.0 dhcp ENABLED (192.168.11.1 - 253)

VLAN SETTINGS
VLAN VID
1 1 Port 1 (DEFAULT) LAN (BR0)
2 2 WAN WAN (WAN)
10 10 Port 2 LAN1 (BR1)
11 11 Port 3 LAN2 (br2)

STATIC ROUTING (IN ROUTER MODE)
Destination Gateway Subnet Mask Metric Interface
192.168.11.0 * 255.255.255.0 0 br2 (LAN2)
192.168.10.0 * 255.255.255.0 0 br1 (LAN1)
192.168.1.0 * 255.255.255.0 0 br0 (LAN)
127.0.0.0 * 255.0.0.0 0 lo
default 192.168.1.1 0.0.0.0 0 br0 (LAN)

 

[abailey]

Your configuration looks correct to me. It looks to me that something in the ISP Modem is not configured correctly. Can you ping from the Asus router out to the internet (ping from the 192.168.1.254 interface)? One more thing to check is to do a tracert from one of the subnets out to the internet and see how far it goes. If it also makes it to 192.168.1.1 before timing out then the problem is definitely in the IPS Modem.

 

[thedroid]

@abailey, thanks for helping out with this.

Doing a ping or a trace route to www.google.com from within the ASUS works fine. Doing the same from a device on the .10.x or .20.x VLAN does not. This as you stated, only makes it to the 192.168.1.1 interface before it times out. Any suggestions as to what to check for in the modem?

 

[theonlyski]

It's probably a NAT issue. It MAY be a routing issue, but I'm pretty sure it's going to end up being a NAT issue.

Does the ISP modem have anywhere in it specifying an internal NAT network list?

 

[thedroid]

Pretty sure that the routing in the modem is correct. Please see the attached link.

Modem Routing table

I don't see anywhere to get a internal NAT network list.

 

[theonlyski]

Is there a firewall rule set? The manual doesn't seem to show anything.

There may be a rule in there that only allows 192.168.1.0/24 to the internet, you would need to add a new rule for each subnet.

 

[abailey]

Is there a firewall rule set? The manual doesn't seem to show anything.

There may be a rule in there that only allows 192.168.1.0/24 to the internet, you would need to add a new rule for each subnet.

I agree with this. The problem is in the modem config somewhere as you can make it to the modem from the VLANs. From what you have showed, the routes on the modem look correct though I am not familiar with the Flag abbreviations that are in use.

 

[thedroid]

Thanks both for all the help.

As far as I can see, there are two settings with which I can adjust firewall info. One the LAN settings and one on the WAN settings.

Modem_Wan_Settings.jpg

Modem_Lan_Settings.jpg

Currently I have both disabled, but still no luck. I'll dig through the UI for any additional settings that I can find. The manual on this unit leaves a lot to be desired.

 

[theonlyski]

In the WAN settings tab, what are the settings under NAT?

The picture is too low of quality to see anything, but it might be that second option. I just can't read it well enough.

 

[thedroid]

In the WAN settings tab, what are the settings under NAT?

There are three options

Enable NAT (ticked)
Enable Fullcone NAT (unticked)
Enable SIP (unticked)

 

[abailey]

Pretty sure that the routing in the modem is correct. Please see the attached link.

Modem Routing table

I don't see anywhere to get a internal NAT network list.

When I look at this routing table more closely I don't see your default internet gateway listed. On your last item with destination 0.0.0.0 I would have expected your default internet gateway to be listed in the gateway address.

 

[theonlyski]

When I look at this routing table more closely I don't see your default internet gateway listed. On your last item with destination 0.0.0.0 I would have expected your default internet gateway to be listed in the gateway address.

From the OP:

I thought that I had a grasp of it, but things are not working. A tracert on 4.2.2.2 from one of the VLANS on the ASUS get me as far as my isp modem (192.168.1.1) but no further. Doing a tracert from a port on the ISP modem works as expected however.

So it's got the route out, like I said, I bet it's a NAT issue.

 

[theonlyski]

Does the layer-3 switch support NAT?

Not the best idea, but you could probably move a few things around in the network and make the L3 switch do ALL of the routing and NAT... It'll work, but it'll be a funky way to set it up.

I'd engage the vendor and ask them if you could add more networks to the NAT list.

 

[thedroid]

Thanks for the help so far, unfortunately I have to put this down for a couple of days, will review and revisit then