VLANs and NAT

This will be for Support Guy or people using VLANs.

I have some gear on my desk that I am testing with. I am using NAT acting as DHCP server, not a client. I am using VLANs, leaving management on VID 1, untagged packets to VID 10. When I leave the management VID as 1 I lose all NATing. Nothing goes through. I get a DHCP address from the SM, but can’t ping it!?! WTF!? Nothing passes through. Change the management VID to 10 and things are great. :? Oh yah, tried 6.1 and 7.0.

Ideas, anyone?

Aaron

Hey acherman,

You have helped me in the past with VLAN theory, so I may be able to help you out with your issue. During our discussion on the forum a few months back, I was also talking to Moto via e-mail about my questions. You probably already know this, but the Management VID is the ID that is used to get to the web config of the radios.

So, if your untagged ID is 10, it is going to tag anything from your PC to the SM with a VID of 10. If you try to get to the web interface, it won’t work because the web interface is expecting to see a VID of 1. If you keep your AP tagged VID to 1, then you can access an SM through an AP’s LUID.

I am not sure why it would not work with NAT.

Does this help?

Thanks, I understand all of that. I do understand that I won’t be able to get to the config stuff with a different VID, but when it serves an address I can’t get through the SM or even ping the DHCP server address (the NAT private address).

I’m basically trying to keep customers from being able to access the config pages, without even being prompted for the passwords.

Aaron

If you leave the untagged set to 10, and turn off NAT, can traffic pass through?

Yup. Works good.

Aaron

Aaron,

Do the DES-3225 and DES-3226 D-Link switches allow ports to be members of multiple VLANs?

Yes, ports can be members of multiple VLANs - but they need to be tagged. The switches do have an option for asymmetric VLANs which should allow an untagged port to be a member of multiple VLANs without being tagged, but I haven’t played with this yet so I am not sure of this. I will try to test it this week (I still have a few of these switches in my office).

Aaron