DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860 - One Way Connection Between LAN 1 and LAN 2

08 Nov 2021 09:08 #100102 by dirksenrdh
Hi all,

I have set up my 2865 with several subnets.
Lan 1 172.17.116.1/24
Lan 2 172.18.116.1/24
Inter-LAN routing between Lan 1 and Lan 2
Vlan 0 is non-tagged on port 1 and 2 LAN 2
Vlan 1 is tagged on port 3 LAN 1 & VID = 1

The effect is that I can access devices in Lan 2 from Lan 1 but I can't access devices in Lan 1 from a device in Lan 2.

Where do I go wrong?

08 Nov 2021 15:49 #100103 by hornbyp
The title of your Post says "2860", but there's only a 2865 mentioned in the text. Is this just a typo, or are there two Vigors involved?

Why the /24 subnetting? ... why not just use 192.168.n.0 private addresses which are already Class-C? (or let the 172.n default to Class-B)
The reason I ask is because if you've accidentally accepted the default subnet mask (/16) on some other devices it could cause some confusion...


Assuming only one Vigor...
... and there isn't a Firewall Rule that's causing this..


What is the device plugged into Port 3?
Presumably it's a switch (otherwise you wouldn't really need the VLAN tag). Is this device (switch?) set to understand tagged traffic (from the Vigor) and to tag outbound traffic (to the Vigor)?

What does the Routing table on the Vigor show?

What do end-to-end 'traceroutes' from LAN1 <--> LAN2 show (and vice-versa)?

10 Nov 2021 15:48 #100110 by dirksenrdh
Thanks for your reply.
The 2860 is a typo. Sorry for that, we are talking about a 2865.

I deliberately use the 172 class B space to be sure not to get any conflict when, for example, setting up a VPN from a 192.168 network.
Yes, I took care not to make mistakes with the subnet masks.

On port 3 of the Vigor I connected a trunk from a Netgear switch; this trunk handles traffic from 2 subnets: VlanID=1 from the first subnet and VlanID=2 from the second subnet.
Unfortunately I have other equipment that is not capable of VLAN tagging. This equipment is connected to port 1 and port 2 of the Vigor.
I need this untagged traffic to communicate with the tagged traffic (port 3) with VlanID=1. To realize that, I switched on the inter-LAN communication between Lan1 and Lan2.

Now it looks like I can communicate from the tagged LAN1 to the untagged LAN2 but not vice versa.
No, I haven't used the Vigor firewall yet, and there are also no firewalls active in the untagged components, but I'll verify that point once again.

Yes, the Netgear switch is configured to deal with the tagged traffic to and from the Vigor.

Now the tracert is interesting.
from tagged to untagged
Code:
C:\Users\rdirk>tracert 172.18.116.50

Tracing route to 172.18.116.50 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  172.17.116.1
  2     1 ms    <1 ms    <1 ms  172.18.116.50

Trace complete.


From untagged to tagged
I get to the 172.18.116.1 and after that only timeouts.

Relevant lines from the routing table:
Code:
C~ 172.17.116.0/ 255.255.255.0 directly connected LAN1
C~ 172.18.116.0/ 255.255.255.0 directly connected LAN2

11 Nov 2021 00:45 #100111 by hornbyp
How about tracert to the switch's management IP address, from VLAN0/LAN2?

I don't think this is a Routing Issue (at least not in the Vigor). How does a client on 172.17.116 know where to send traffic destined for 172.18.116? Does it have a specific route configured, or does it rely on the default gateway being 172.17.116.1? (I have seen devices (TVs etc) with nowhere to configure a Default Gateway - presumably instead relying on Proxy ARP - which then failed. (They worked with DHCP supplying a D.G. :roll: ))

You could try and simplify the problem, by removing the Netgear switch; i.e. plugging a PC into Port 3 directly. (Configured with a 172.17.116.n address and a VLAN TAG=1. Of course, it seems to be luck of the draw, whether or not you can actually configure a VLAN tag on a PC's LAN adapter...).

Moderators: ChrisSami
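
The host-side questions raised in the last reply (subnet mask and default gateway on each client) can be checked offline. The following is an added example, not part of the thread or of any DrayTek tooling: it models how a host picks its next hop and tests both directions between the two LANs. The function names and the hosts 172.17.116.20 and 172.17.116.30 are constructed for illustration; 172.18.116.50 and the gateway addresses come from the thread.

```python
import ipaddress

def next_hop(ip, prefix, gateway, dst):
    """Return how a host configured as ip/prefix with this gateway sends to dst."""
    iface = ipaddress.ip_interface(f"{ip}/{prefix}")
    if ipaddress.ip_address(dst) in iface.network:
        return "on-link"                  # host ARPs for dst, router not involved
    if gateway is None:
        return "no-route"                 # off-link and nowhere to send it
    if ipaddress.ip_address(gateway) not in iface.network:
        return "gateway-unreachable"      # gateway outside the host's own subnet
    return f"via {gateway}"

def check_pair(src, dst):
    """src and dst are (ip, prefix, gateway); report which direction breaks."""
    out = next_hop(*src, dst[0])
    back = next_hop(*dst, src[0])
    usable = lambda hop: hop == "on-link" or hop.startswith("via ")
    if not usable(out):
        return f"request fails at source: {out}"
    if not usable(back):
        return f"reply fails at destination: {back}"
    return "both directions routable"

# Constructed sample hosts (only 172.18.116.50 and the .1 gateways are from the thread)
LAN2_DEVICE = ("172.18.116.50", 24, "172.18.116.1")
LAN1_PC     = ("172.17.116.20", 24, "172.17.116.1")   # correctly configured
LAN1_NO_GW  = ("172.17.116.20", 24, None)             # no default gateway set
LAN1_SLASH16 = ("172.17.116.30", 16, "172.17.116.1")  # default class-B mask kept

if __name__ == "__main__":
    for name, host in [("ok", LAN1_PC), ("no gw", LAN1_NO_GW), ("/16", LAN1_SLASH16)]:
        print(f"LAN2 -> LAN1 ({name}):", check_pair(LAN2_DEVICE, host))
```

With these addresses a /16 mask on a LAN1 host still sends LAN2 traffic to the router, while a LAN1 host without a default gateway receives the request but has no path for the reply.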