On 12.07.2017 22:43, O. Hartmann wrote:
> Now the FUN PART:
>
> From any host in any VLAN I'm able to ping hosts on the wild internet via their IP, on
> VLAN 1000 there is a DNS running, so I'm also able to resolve names like google.com or
> FreeBSD.org. But I can NOT(!) access any host via http/www or ssh.

You have not specified where the NAT is configured, and its settings matter.

VLANs work on layer 2; they are not used for IP routing. Each received packet loses its layer 2 header before it gets taken by the IP stack. If an IP packet should be routed, the IP stack determines the outgoing interface, and a new ethernet header with the VLAN header from this interface is prepended.

What I would do in your place:

1. Check the correctness of the switch settings.
   - on the router, use tcpdump on each vlan interface and also directly on igb1. Use the -e argument to see the ethernet header. Try to ping the router's IP address from each vlan; you should see a tagged packet on igb1 and an untagged one on the corresponding vlan interface.

2. Check the correctness of the routing settings for each used node.
   - to be able to establish a connection from one vlan to another, both nodes must have a route to each other.

3. Check the NAT settings.
   - to be able to connect to the Internet from your addresses, you must use NAT. If you don't have NAT, but it somehow works, this means that some device does the translation for you, but its configuration does not meet your requirements. And probably you need to translate the prefixes configured for your vlans independently.

--
WBR, Andrey V. Elsukov
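An added example, not part of the original message: a small decoder for the ethernet header that `tcpdump -e` prints, showing the difference between the tagged frame seen on the parent interface (igb1) and the untagged frame seen on the vlan interface. The MAC addresses and payload are constructed sample values; VLAN ID 1000 is taken from the quoted question.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q VLAN tag


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Decode dst/src MAC, an optional 802.1Q tag, and the real EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3 bits priority, 1 bit DEI, 12 bits VLAN ID
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": mac(frame[0:6]), "src": mac(frame[6:12]),
            "vlan": vlan, "ethertype": ethertype, "payload": frame[offset:]}


def strip_tag(frame: bytes) -> bytes:
    """Frame as the vlan interface presents it: the 4-byte tag removed."""
    if parse_ethernet(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: an IPv4 frame tagged for VLAN 1000, as captured on igb1.
TAGGED = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
          + struct.pack("!HH", TPID_8021Q, 1000)
          + struct.pack("!H", 0x0800) + b"\x45\x00constructed-ip-payload")

if __name__ == "__main__":
    for name, frame in (("igb1", TAGGED), ("vlan 1000 if", strip_tag(TAGGED))):
        h = parse_ethernet(frame)
        tag = f"vlan {h['vlan']['vid']}" if h["vlan"] else "untagged"
        print(f"{name}: {h['src']} > {h['dst']}, {tag}, "
              f"ethertype 0x{h['ethertype']:04x}")
```

If the capture on igb1 shows the frame untagged, or tagged with a different VLAN ID than the one configured for that port, the switch settings are the first thing to correct.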