Quanta LB6M (10GbE) -- Discussion

josh

Active Member
Oct 21, 2013
What we did a long time ago was to make sure that all VLANs were trunked to a different switch, to make sure that the VLAN was active for L3 to work properly.
What is the command for turning a port into a trunking port?
 

josh

Active Member
Oct 21, 2013
Any VLAN experts able to troubleshoot what's wrong with my config? I'm trying to get the default VLAN to carry traffic from 192.168.2.0/24 and VLAN 500 to carry traffic for 192.168.5.0/24.

Code:
#show ip vlan

MAC Address used by Routing VLANs:   X:X:X:X:1B:4A

           Logical
VLAN ID   Interface        IP Address       Subnet Mask
-------  --------------  ---------------  ---------------
1        2/1             192.168.2.1      255.255.255.0
500      2/2             192.168.5.1      255.255.255.0
Both VLANs have an IP on their VLAN interfaces, which should function as a gateway. IP routing is enabled and should carry public traffic through port 0/28, which has been configured with a public address.

Code:
#show ip route

Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, S - Static
       B - BGP Derived, IA - OSPF Inter Area
       E1 - OSPF External Type 1, E2 - OSPF External Type 2
       N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2

S      0.0.0.0/0 [1/0] via x.x.x.1,   01h:17m:02s,  0/28
C      x.x.x.0/24 [0/1] directly connected,   0/28
Ports 0/1-0/27 participate in the VLANs. (Why does it show Current as Exclude whilst Configured as Include?)

Code:
#show vlan 1
VLAN ID: 1
VLAN Name: default
VLAN Type: Default

Interface   Current   Configured   Tagging
----------  --------  -----------  --------
0/1         Exclude   Include      Untagged
0/2         Exclude   Include      Untagged
0/3         Exclude   Include      Untagged
0/4         Exclude   Include      Untagged
0/5         Exclude   Include      Untagged
0/6         Exclude   Include      Untagged
0/7         Exclude   Include      Untagged
0/8         Exclude   Include      Untagged
... all the way to 0/27

Code:
#show vlan 500

VLAN ID: 500
VLAN Name: VLAN0500
VLAN Type: Static

Interface   Current   Configured   Tagging
----------  --------  -----------  --------
0/1         Exclude   Include      Tagged
0/2         Exclude   Include      Tagged
0/3         Exclude   Include      Tagged
0/4         Exclude   Include      Tagged
0/5         Exclude   Include      Tagged
0/6         Exclude   Include      Tagged
0/7         Exclude   Include      Tagged
0/8         Exclude   Include      Tagged
... all the way to 0/27
The default VLAN interface seems down even though no shutdown has been set.

Code:
#show ip interface 2/1

Routing Interface Status....................... Down
Primary IP Address............................. 192.168.2.1/255.255.255.0
Method......................................... Manual
Routing Mode................................... Enable
Administrative Mode............................ Enable
Forward Net Directed Broadcasts................ Disable
Proxy ARP...................................... Enable
Local Proxy ARP................................ Disable
Active State................................... Inactive
Link Speed Data Rate........................... 10 Half
MAC address.................................... X:X:X:X:1B:4A
Encapsulation Type............................. Ethernet
IP MTU......................................... 1500
Bandwidth...................................... 10000 kbps
Destination Unreachables....................... Enabled
ICMP Redirects................................. Enabled
But there are active ports that are participating in the VLANs.

Code:
#show port all
                  Admin    Physical   Physical   Link   Link    LACP   Actor
Intf      Type   Mode     Mode       Status     Status Trap    Mode   Timeout
--------- ------ --------- ---------- ---------- ------ ------- ------ --------
0/1              Enable    10G Full   10G Full   Up     Enable  Enable long
0/2              Enable    10G Full              Down   Enable  Enable long
0/3              Enable    10G Full              Down   Enable  Enable long
0/4              Enable    10G Full              Down   Enable  Enable long
0/5              Enable    10G Full              Down   Enable  Enable long
0/6              Enable    10G Full              Down   Enable  Enable long
0/7              Enable    10G Full   10G Full   Up     Enable  Enable long
0/8              Enable    10G Full   10G Full   Up     Enable  Enable long
... all the way to 0/27
2/1              Enable    10 Half               Down   Enable  Enable N/A
2/2              Enable    10 Half               Down   Enable  Enable N/A
Please help, this is extremely frustrating.

Thanks!
 

josh

Active Member
Oct 21, 2013
On the LVL7-derived operating systems? "switchport mode trunk". You may also want "switchport general acceptable-frame-type tagged-only".
Tried that. Doesn't exist.

Code:
(Interface 0/1)#switchport ?

protected                Configure Switchport to Protected mode.
 

Terry Kennedy

Well-Known Member
Jun 25, 2015
New York City
www.glaver.org
Tried that. Doesn't exist.
Sorry. I don't have an LB6M - I have a PowerConnect 8024 in service which uses the same Broadcom OS (formerly LVL7) but comes by default with all of the features enabled. It looks like the LB6M comes with some features disabled, but not necessarily the same features for each purchaser.
 

josh

Active Member
Oct 21, 2013
Alright, it seems like I managed to make it work for now. It appears that the PVID was set to a non-default VLAN. Setting it back seems to have brought up all the VLANs, which is pretty interesting. I'm still not getting inter-VLAN routing to work though.

x.x.x is a public routable subnet. I am able to ping x.x.x.1 (internet gateway) from the switch. However, I'm unable to ping this gateway from a machine on the default VLAN (192.168.2.x). According to the routing table, the packet should travel 192.168.2.x -> 192.168.2.1 -> port 0/28 -> x.x.x.1 -> internet. However, it just seems to stall at the IP on port 0/28. Am I missing something from the routing table? Routing is enabled on all VLANs, and so is IP routing.

Edit: Seems like I'm missing a route from 192.168.2.0/24 to the port 0/28 IP (x.x.x.150). Problem is, I can't seem to add such a route.

Code:
#ip route 192.168.2.0 255.255.255.0 x.x.x.150

The specified Static Route Next Hop Router Address is invalid.
Code:
#show ip route

Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, S - Static
       B - BGP Derived, IA - OSPF Inter Area
       E1 - OSPF External Type 1, E2 - OSPF External Type 2
       N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2

S      0.0.0.0/0 [1/0] via x.x.x.1,   00h:45m:29s,  0/28
C      x.x.x.0/24 [0/1] directly connected,   0/28
C      192.168.2.0/24 [0/1] directly connected,   2/1
C      192.168.5.0/24 [0/1] directly connected,   2/2

keoki

New Member
Jun 2, 2016
Josh, are you using NAT anywhere? I don't see any nat statements. I don't have my LB6M running yet, so I don't know if it even supports nat.

Regardless of that, for your public IP'd machine to return ping packets to your private subnets, either you have to be using "overload" NAT on the LB6M's public IP, or the public next hop machine must have routes for all of your private networks, pointed at the LB6M's public IP.

/------------------------------LB6M----------------------\
Private network 1 192.168.0.0/24 with .1 on VLAN1
Private network 2 192.168.1.0/24 with .1 on VLAN2
Private network 3 192.168.2.0/24 with .1 on VLAN3
Private network 4 192.168.3.0/24 with .1 on VLAN4
Public network 100.100.100.0/24 with .150 on VLAN5 ----------------------------100.100.100.1 Internet router

In this diagram I have 5 VLANs on the switch. The first 4 VLANs are private addressed networks, each with a different subnet, with the x.x.x.1 address of the private networks on the VLAN interface in the LB6M. So a machine in VLAN1 would have a default gateway of 192.168.0.1. The other private networks would have machines use the .1 network address as default route for each respective subnet.

The LB6M would have its default gateway set to 100.100.100.1.

So far this is simple. But what is missing is the route from the Internet router to each of the private VLANs.

If you want to route to the internet, so the private VLANs can be used to surf the net, you need to have NAT configured in the LB6M. Assuming the LB6M supports NAT, you need to configure the LB6M to translate 192.168.0.0/22 (all 4 private networks) to use the overload NAT IP of 100.100.100.150.

With NAT, if you ping from 192.168.0.4 to 100.100.100.1, the packet will appear to come from 100.100.100.150, and 100.100.100.1 will know how to get there because it is on the local subnet. But 100.100.100.1 cannot ping any of the private networks, it can only see 100.100.100.150.

But let's say you are not using NAT, this is just "plain jane" routing. In that case, a client at 192.168.0.3 will have a gateway of 192.168.0.1. The LB6M will have a default gateway of 100.100.100.1. The router at 100.100.100.1 will need a route of 192.168.0.0/22 with the destination of 100.100.100.150, in addition to whatever routes it has to get to the Internet. If you do this, your private networks can ping 100.100.100.1, but they still have no way to get traffic back from the Internet. To get traffic back from the Internet to a private address, you must use NAT, or all IPs must be public, with routes that allow the traffic to find its way to you. You need routes out of the network to the next hop, but you also need routes that point back to you. NAT reduces the need to have external routers know your private IPs to return traffic back to your first public network address. This works because the device that does NAT makes all of the private IP addresses look like the one public IP.

But in all of your discussion, I don't see any routes back to your private IP's, or any NAT statements.

Does this make sense?

Now as I mentioned, I don't have my LB6M configured yet. And I can't find NAT mentioned in any of the manuals I downloaded from this forum. Generally speaking, NAT is not usually configured on a switch; instead it is configured on a router/firewall.

Typically the layer 3 switch in an enterprise is configured with no public IP addresses on the switch itself. A public VLAN may exist on the switch to transport somewhere else, but with no local IP address. You generally don't want routing between public and private network segments without a NATting firewall separating public from private addresses. That way the Internet doesn't attack your switch and hack into your private network.

So a likely configuration is you have a /24 of public IP's in a network segment that is between your Internet edge router, and your firewall box, and behind the firewall box you have your LB6M. The firewall will have to have routes for all private subnets pointed at the LB6M, as well as a default route to the Internet pointed at the next hop at the ISP...

In addition to the firewall, other things might live in the /24 of public IP's, such as load balancers, web servers, email servers, etc... Or at least firewalls that sit in front of those public facing servers.

I use a Cisco ASA firewall at home and at the office, but there are many other commercial and open source systems, monowall, Juniper, netopia, etc... You can also use the CPE that is supplied by your Internet provider, and those typically are configured with NAT by default.

And Sleyk, I was pushing VLANs at Josh based on a conversation he was having with someone on the whole "no switchport" issue. But Josh needs NAT or routing on both sides of his network to get those pings to work... and he will eventually need a trunk port.
 

josh

Active Member
Oct 21, 2013
Hi keoki. Yes, I realised I didn't have routes pointing back and I edited my post (probably after you read it). Seems like I was trying to insert them in the wrong place (tried to add it on the switch itself).

Code:
#ip route 192.168.2.0 255.255.255.0 x.x.x.150

The specified Static Route Next Hop Router Address is invalid.
Can I just place the NAT routes on my edge router and treat it as the "firewall"?

Edit: This is a temporary measure till I get a proper firewall box.
 

josh

Active Member
Oct 21, 2013
So I logged into the edge router and added a static route back to port 0/28 on the LB6M.

Code:
$ip route
192.168.5.0/24 via x.x.x.150 dev eth0 proto zebra
I can ping the VLAN "gateway" (192.168.5.1) from the edge router. I can ping a machine on the VLAN itself (192.168.5.2). On the machine I can ping up to the internet gateway (x.x.x.1). Traceroute dies off at x.x.x.1 as well. Something is still getting lost between the edge router and the switch.
 

keoki

New Member
Jun 2, 2016
Yes, any natting router can be your basic firewall.

Generally you don't typically see public IP's connect directly to interior switches, but that is not a hard rule, as you might have a DMZ, and use private IP's for say a database server feeding data into a web server, with the web server in the DMZ. Without going into a lot of detail, the DMZ typically has limited access both in to the private network, and out to the public network, so firewalls might be on either end of the DMZ.

But yes, a firewall at the edge, with the firewall able to route to each subnet internally.

There are different levels of security, and basic nat is a good starting point. Obviously you will want protections on that edge router to prevent it from being hacked, so the fewer ports it has open to the Internet, the better. In an ideal world, the only open ports it has are part of the NAT flows, and no local services like ssh, SNMP, etc... In fact, you can make it not respond to pings or traceroutes from the outside, and reduce the attack surface to nearly zero. When NAT is set up, one of the first goals of the firewall is to protect itself. And you can do some of that with your basic natting router.

For the purposes of this discussion, nat is enough to start with. Nat is the way to connect the private network to the public network.

I have a network simulation lab with a lot of different types of network equipment, so I have a router, a firewall, and another router, and then my layer 3 switches, and other equipment. That way I can place public subnets outside the firewall, or behind the firewall. Sometimes I have to deliver a public network all the way to the desktop, so I try to always do that past the firewall, and the VLAN I use for that has no IP addresses in my switches to keep the switches unreachable to the traffic flowing through them. Public networks inside the lab are dangerous, but are part of what I need to be able to do.

Sometimes I need equipment in the DMZ to support the DMZ, like PPPoE servers, or DHCP servers. One way to reduce the attack profile of those servers is to not give them a default route. A tunnel server might only have a route to the other endpoint, and no default route. So for example I have a router that someone on the other side of the world needs to access over the Internet to test some code, and for sanity they don't want a firewall at all. I restrict the ports as much as I can with access lists on the router, and then give it a route to the network the engineers come from, but give it a default gateway that points to something like an unused local IP, or its own loopback interface... anything other than the Internet gateway. None of this is perfect security, but it is pretty good, and avoids people blaming my firewall every time they do something wrong.

The point is, you don't /have/ to have a firewall, even on a network with a lot of public IPs... just don't do anything stupid like connect a machine that has a public address to an internal network. Don't let a hacker turn a test server into a jump server to the inner regions of your network. And be aware that any router can be turned into a jump server... So let your routers route traffic to other machines, but don't let your router become a destination.
 

keoki

New Member
Jun 2, 2016
I can ping the VLAN "gateway" (192.168.5.1) from the edge router. I can ping a machine on the VLAN itself (192.168.5.2). On the machine I can ping up to the internet gateway (x.x.x.1). Traceroute dies off at x.x.x.1 as well. Something is still getting lost between the edge router and the switch.
I guess I don't understand what you think is getting lost.

So a machine at 192.168.5.2 can ping the internet gateway... so your internal routing is working.

What are you doing a traceroute from and to? From 192.168.5.2 to google for example, if it dies at the edge router, then your nat isn't working yet... is that what you mean?
 

keoki

New Member
Jun 2, 2016
Keep in mind that when you set up NAT, you have to NAT everything, not just the network directly connected to the edge router. So your NAT statements need to cover both the directly connected network, and all of your other private networks as well.

NAT statements vary a lot for different kinds of equipment, and not every cheap SOHO Internet router can NAT for networks that are not directly connected.

So assuming your edge router has enough support to do it, you need to either set a netmask on the NAT statement large enough to include everything (like 192.168.0.0/16) or you may have to have a separate NAT statement for each subnet.
 

Sleyk

Your Friendly Knowledgable Helper and Techlover!
Mar 25, 2016
Stamford, CT
Keoki my friend, you sure know a lot about networking. Wish I knew as much.

Aw man, is there a class for networking? I need class 101. Heck, I might need a remedial class. You guys are way more advanced in networking than I am. Darnit, I think I need to buy me a book.

Goodness gracious..... DMZ, NAT, VLANs, TRACEROUTES, STATIC ROUTES....

I felt happy when I learned what it meant to ping, and I felt like a boss when I learned how to use iperf.

I must admit that networking is probably my weakest area of knowledge. I have been learning a lot while messing around with the LB6M though.

Josh, no worries, STH got your back.... hopefully we can pinpoint and troubleshoot this problem for you.

When I say we, I mean these guys, as my knowledge of VLANs is at the poverty level. Time to capitalism the crap out of learning networking!
 

keoki

New Member
Jun 2, 2016
There are lots of classes for networking, courses all over the net. TCP/IP for Dummies is a great book, but unless they revised it a lot since I used it to train my staff, it may not cover VLANs. I used that book to train my Internet support staff, starting back in 1994, but I have been building networks since around the early 1980s.

The TCP/IP for dummies book covers some protocols like FTP, talks about servers, but also takes a deep dive into things like netmasks... Critical knowledge.
 
Last edited:

josh

Active Member
Oct 21, 2013
Keep in mind that when you set up NAT, you have to NAT everything, not just the network directly connected to the edge router. So your NAT statements need to cover both the directly connected network, and all of your other private networks as well.

NAT statements vary a lot for different kinds of equipment, and not every cheap SOHO Internet router can NAT for networks that are not directly connected.

So assuming your edge router has enough support to do it, you need to either set a netmask on the NAT statement large enough to include everything (like 192.168.0.0/16) or you may have to have a separate NAT statement for each subnet.
I just have separate static routes on the edge router pointing each subnet to the public IP on the LB6M. My edge router is literally an EdgeRouter by Ubiquiti :D

Here's what I'm trying to do. I have two NICs on this machine. One connects to the edge router direct (just for testing), the other through the LB6M on VLAN 192.168.5.0/24. #traceroute 8.8.8.8 -S publicip goes all the way to Google DNS. #traceroute 8.8.8.8 -S 192.168.5.2 has a last hop at the edge gateway. Something is broken but I can't wrap my mind around it. The packet makes it to the edge gateway but doesn't go further than that.

Edit: Nvm, I realised it didn't save the NAT rule for 192.168.5.0/24 to the LB6M. It's working now. For anyone else trying to do the same thing in the future, you need both a static route and a NAT rule. Won't work without both.
 

Sleyk

Your Friendly Knowledgable Helper and Techlover!
Mar 25, 2016
Stamford, CT
TCP/IP for dummies it is!

Glad you got it working Josh, and may the network odds be ever in your favor!
 

keoki

New Member
Jun 2, 2016
I think it is your NAT configuration that is failing. Same gateway in both cases, I assume... so we know the Internet side works, directly connected NAT works, it is the NAT for the routed subnets that is failing. The fact your traceroutes get all the way to the edge router means that path is working. Remember things like ping and traceroute test both directions, so I think your internal routing is sound. What I think is failing is that the default NAT behavior is for the locally connected subnet, so you may have to add more NAT statements or make the one that is there more inclusive with a fat netmask. I don't know anything about that router, but that is where the issue is. The problem could be that the right support for routed NAT isn't there, or that you need to connect your switch to a port with a private network. From a software point of view, anything should be configurable. But most SOHO routers have a simplified interface, and simple documentation, so they don't expose the full power of the box unless you can get to the actual command line. I don't mean the configuration command line, I mean like a shell.

But I just looked at the docs and the GUI seems to be oriented to things you aren't trying to do. You want the Masquerade function; the src and dest are more for allowing public access to servers, but I don't see what I'm looking for. The Masquerade function should be able to be given a private subnet to translate, but the description of source and destination don't seem to be for Masquerade. You may need to ask this question in the Ubiquiti forums. What you want is to use Masquerade to NAT multiple subnets that are not directly connected.
 
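An added example, not something posted in the thread: a small Python model of the point made above, that the edge router needs both a route back to the VLAN subnet and a NAT (masquerade) rule whose prefix covers that subnet. The subnets are the ones from the thread; the public WAN address is constructed.

```python
# Added example (not from the thread): why a routed VLAN behind the LB6M
# needs BOTH a static route on the edge router and a NAT rule that covers
# its subnet. Private ranges are the thread's; the WAN address is constructed.
import ipaddress

PUBLIC_WAN = ipaddress.ip_address("203.0.113.10")  # constructed (TEST-NET-3)


def route_back(dst, routes):
    """Longest-prefix match: next hop for dst, or None if there is no route."""
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def outbound_src(src, nat_rules):
    """Source address the packet leaves the WAN with after masquerade rules."""
    for prefix in nat_rules:
        if src in ipaddress.ip_network(prefix):
            return PUBLIC_WAN
    return src  # untranslated private source: the ISP drops or cannot reply


def session_works(src_ip, routes, nat_rules):
    """(ok, reason) for an outbound session from src_ip via the edge router."""
    src = ipaddress.ip_address(src_ip)
    if outbound_src(src, nat_rules) != PUBLIC_WAN:
        return False, "no NAT rule matches the source; private address leaks to WAN"
    if route_back(src, routes) is None:
        return False, "reply has no route back to the VLAN subnet"
    return True, "ok"


# Edge router state as the thread describes it: LAN on 192.168.2.0/24,
# VLAN 500 (192.168.5.0/24) reachable only via the LB6M at 192.168.2.1.
ROUTES = [("192.168.2.0/24", "connected"), ("192.168.5.0/24", "192.168.2.1")]
NAT_BEFORE = ["192.168.2.0/24"]                   # default: connected subnet only
NAT_AFTER = ["192.168.2.0/24", "192.168.5.0/24"]  # or one "fat" 192.168.0.0/16 rule

if __name__ == "__main__":
    for rules in (NAT_BEFORE, NAT_AFTER):
        print(rules, "->", session_works("192.168.5.20", ROUTES, rules))
```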

Chuntzu

Active Member
Jun 30, 2013
383
98
28
Keep up the good discussion with this VLAN routing; I will be going through this shortly after I decommission my Z9000 and set up my LB6M. One thing I am curious about is whether this switch has a DHCP helper address function. It took me two weeks to figure this out along with inter-VLAN routing on a Cisco Nexus switch I was using, so I could use one DHCP server to give out addresses to each VLAN segment. I hope to not spend that much time this go around with the LB6M. Thank you.

 

keoki

New Member
Jun 2, 2016
21
19
3
60
I saw DHCP helper functionality in the documentation posted in this thread... Pretty much all VLAN-capable enterprise-grade switches have to have that. Every enterprise-class company I have ever worked in has enough VLANs that it would be stupid not to have this feature. One of the first VMs I plan to implement at home will be a DHCP/DNS server. Routers do DHCP OK, but nothing beats having a real server for that. But yes, at the office I have only ever needed a single DHCP server, while I see people in other offices avoiding VLANs because they think they need to build a DHCP server for every VLAN, or have a dozen network ports in the DHCP server... My DHCP server has no layer 2 DHCP services; the subnet it is in is a static server subnet with lots of isolation. All of the DHCP comes in over layer 3 from my DHCP helper statements in every VLAN that requires DHCP. The main exceptions to using the IP helper are when the testbed provides DHCP as part of the protocol test function, and for server VLANs where I don't want resource race conditions causing issues after returning from a power issue. I've never been given a budget for UPS power in the lab... so server subnets have static IP allocations so servers can come up before other parts of the network. But VLANs make it easy to have different configuration policies, and to change policies as needed for a single class of systems.
 

josh

Active Member
Oct 21, 2013
597
178
43
I managed to get it to work by fixing my NAT rules after reading your post. I'm trying to figure out another problem. It seems that EQL SANs don't support joining a VLAN. I came up with a theoretical workaround. Is it possible to configure the switch to dynamically add/remove tags on traffic passing through a particular port?

Let's say I have 192.168.10.0/24 on VLAN 3 designated for traffic between hosts and the SAN (192.168.10.3). If I hook the SAN to port 0/1, can I route VLAN 3 tagged traffic with destination 192.168.10.3 to port 0/1 and add the VLAN 3 tag to all traffic coming out of port 0/1? Would that allow machines on VLAN 3 to communicate with the SAN that isn't on VLAN 3? How would I go about doing this? Forgive me if it sounds stupid.
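An added example, not from anyone in the thread: a toy Python model of 802.1Q port ingress and egress, showing that the "add a tag on the way in, strip it on the way out" behaviour asked about above is exactly what an untagged (access) membership in VLAN 3 with PVID 3 on the SAN's port does, while host ports carry VLAN 3 tagged. Port names follow the LB6M `show vlan` output; the port assignments are assumed for illustration.

```python
# Added example (not from the thread): minimal 802.1Q port model.
# An untagged member port with PVID 3 tags untagged ingress frames as VLAN 3
# and strips the tag on egress, so a VLAN-unaware device (the SAN) can talk
# to hosts whose ports carry VLAN 3 tagged. Port layout is assumed.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Port:
    pvid: int                                   # VLAN for untagged ingress
    members: Dict[int, str] = field(default_factory=dict)  # vlan -> "Tagged"/"Untagged"


@dataclass
class Frame:
    src_port: str
    vlan: Optional[int] = None                  # None: no 802.1Q tag on the wire


def classify(switch, frame):
    """Ingress: VLAN the frame is placed in, or None if the port drops it."""
    port = switch[frame.src_port]
    if frame.vlan is None:
        return port.pvid                        # untagged frame takes the PVID
    return frame.vlan if frame.vlan in port.members else None  # ingress filter


def forward(switch, frame):
    """Egress: {port: leaves_tagged} for every other member port of the VLAN."""
    vlan = classify(switch, frame)
    if vlan is None:
        return {}
    return {name: p.members[vlan] == "Tagged"
            for name, p in switch.items()
            if name != frame.src_port and vlan in p.members}


# Assumed LB6M-style layout: SAN on 0/1 untagged in VLAN 3 (PVID 3), hosts on
# 0/5 and 0/6 tagged for VLAN 3 plus the default VLAN, 0/7 default VLAN only.
SWITCH = {
    "0/1": Port(pvid=3, members={3: "Untagged"}),
    "0/5": Port(pvid=1, members={1: "Untagged", 3: "Tagged"}),
    "0/6": Port(pvid=1, members={1: "Untagged", 3: "Tagged"}),
    "0/7": Port(pvid=1, members={1: "Untagged"}),
}

if __name__ == "__main__":
    print("SAN untagged ->", forward(SWITCH, Frame("0/1")))          # tagged to 0/5, 0/6
    print("host VLAN 3  ->", forward(SWITCH, Frame("0/5", vlan=3)))  # untagged to 0/1
```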