
Host access across VLANs, firewall - EBR63

serted
Star I

Hoping someone has an idea!

On the ExpertWiFi EBR63, hosts on different VLANs are unable to communicate, meaning a host on vlan1 can't ping or access file shares on a host on vlan2 and vice versa. Pings result in "request timed out" and share access gives "the network name cannot be found".

Hosts on both VLANs pull IPs in the correct scope and can access the internet just fine. 

The only way I could enable pinging and share access was by disabling the firewall, but this isn't a viable option beyond testing, so I'm out of ideas! I tried this before turning it off:

  • Disabled firewall on both hosts
  • Created firewall rules for both subnets for port 445 TCP and UDP, and port 139 TCP. After that didn't work, I created rules for the host IPs too. 
  • For pinging, there is no option for ICMP protocol when creating firewall rules... just TCP and UDP
  • Created static routes for both subnets and hosts. When that didn't work, I also created them between hosts
  • Disabled and enabled "Access Intranet" on both SDNs/VLANs, testing each time. 
  • VLAN type is basic 802.1Q with a single trunk line going to the router. Double-checked that the trunk port is set to "Allow all tagging".
ACCEPTED SOLUTION

serted
Star I

I ended up replacing it with an ER605 V2 as I was never able to find settings to resolve my issue. It took almost no time to set up the new router, and it gave all the options needed, plus far more than the EBR63, despite me having very limited networking and VLAN experience.

After many days I never did find settings in the EBR63 for inter-VLAN traffic, ICMP, or any implicit allow or deny rules/settings, and the firewall was so limited in functionality as to be useless.

Seems like consumer router manufacturers love touting VLAN support whether or not the functionality is developed enough to be useful. Yes, my devices had internet without issue, but that's useless for local stuff like Plex and security cams.


3 REPLIES

Let’s dive deeper into a few areas that might be causing issues:

1. Firewall and ICMP Traffic
ICMP Traffic: You mentioned that you can’t create a firewall rule for ICMP. In many firewall settings, ICMP traffic can be controlled under different sections or as part of general traffic rules. Ensure that ICMP traffic is allowed or check if your firewall has specific settings for enabling ping requests.

Network Isolation: Check if there are any additional network isolation settings or security policies within the firewall or VLAN configuration that might be blocking inter-VLAN traffic. Some systems have features that prevent communication between different VLANs by default.

2. Routing and Inter-VLAN Communication
Router Configuration: Ensure that the router or Layer 3 device responsible for routing between VLANs is properly configured. For VLANs to communicate, the router must have IP addresses on each VLAN and appropriate routing rules.

Static Routes: Double-check your static routes. Ensure that the routes are correctly defined and point to the right next-hop addresses. Misconfigured routes could prevent traffic from reaching the correct destination.

3. VLAN and Switch Configuration
Trunk Configuration: Verify that the trunk port configuration is correct. The trunk should allow all VLANs that you want to route traffic between and be set to the correct VLAN tagging (802.1Q).

VLAN Interfaces: Ensure that the switch or router has VLAN interfaces configured for each VLAN and that these interfaces have IP addresses in the correct subnet.

4. Network Discovery and File Sharing
Network Discovery: Ensure that network discovery is enabled on both hosts. On Windows, this can be checked in the "Network and Sharing Center" under "Advanced sharing settings."

File Sharing: Verify that file sharing settings are configured correctly and that the correct network profile is being used (Private vs. Public).

5. Advanced Checks
Check for Overlapping Subnets: Make sure that the IP address ranges of your VLANs do not overlap and that subnet masks are correctly set.

Test Connectivity: Use tools like tracert or traceroute to see the path taken by packets. This can help you identify where packets might be getting dropped.

Check Logs: Review the firewall logs and router logs to see if there are any messages related to dropped packets or blocked traffic that might give you more insight.

Summary
Check for ICMP traffic handling and make sure it's allowed through the firewall.
Verify router configuration and make sure it is routing between VLANs properly.
Ensure trunk ports and VLAN interfaces are configured correctly.
Confirm network settings on hosts, including network discovery and file sharing configurations.
Look into detailed logs and use diagnostic tools to pinpoint issues.
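The checklist above (no overlapping subnets, a router address on every VLAN, static routes with a reachable next hop, a trunk that carries every VLAN ID) can be run mechanically against a plan before touching hardware. The following Python is an added example, not code from this thread or from any vendor. The two-VLAN plan is constructed to resemble the poster's (192.168.1.0/24 and 192.168.2.0/24, trunk allowing all tags, static routes for both subnets as the poster described adding); the .254 gateway addresses are an assumption, and the second plan is deliberately broken to show each check firing.

```python
"""Sanity-check a small inter-VLAN routing plan offline.

Added example, not code from the thread or from any vendor. It runs the checks the reply
above lists (overlapping subnets, a router address on each VLAN, static routes whose next
hop is reachable, the trunk carrying every VLAN ID) against a plan described as data.
"""
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Optional, Set


@dataclass
class Vlan:
    vid: int        # 802.1Q VLAN ID
    subnet: str     # e.g. "192.168.1.0/24"
    gateway: str    # the router's own address on this VLAN (what hosts use as default gateway)


@dataclass
class StaticRoute:
    destination: str    # prefix the route is for
    next_hop: str       # must be an address on a directly connected VLAN to be usable


@dataclass
class Plan:
    vlans: List[Vlan]
    trunk_allowed: Optional[Set[int]] = None   # None models "allow all tagging" on the trunk
    routes: List[StaticRoute] = field(default_factory=list)


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is internally consistent."""
    findings = []
    nets = {}
    for v in plan.vlans:
        try:
            nets[v.vid] = ipaddress.ip_network(v.subnet, strict=True)
        except ValueError as err:
            findings.append("VLAN %d: bad subnet %r (%s)" % (v.vid, v.subnet, err))
            continue
        net = nets[v.vid]
        gw = ipaddress.ip_address(v.gateway)
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            findings.append("VLAN %d: gateway %s is not a usable host address in %s"
                            % (v.vid, v.gateway, v.subnet))
        if plan.trunk_allowed is not None and v.vid not in plan.trunk_allowed:
            findings.append("VLAN %d: not allowed on the trunk, its tagged frames never reach the router"
                            % v.vid)
    # Overlapping subnets: the router cannot choose an egress VLAN unambiguously.
    for (a_vid, a_net), (b_vid, b_net) in combinations(nets.items(), 2):
        if a_net.overlaps(b_net):
            findings.append("VLAN %d (%s) and VLAN %d (%s) overlap" % (a_vid, a_net, b_vid, b_net))
    # Static routes: the next hop must sit on a connected subnet, and a route whose
    # destination is itself a connected VLAN subnet duplicates the connected route the
    # router already has from owning an address there.
    for r in plan.routes:
        dest = ipaddress.ip_network(r.destination, strict=False)
        nh = ipaddress.ip_address(r.next_hop)
        if not any(nh in n for n in nets.values()):
            findings.append("route %s via %s: next hop is not on any connected VLAN, route is unusable"
                            % (r.destination, r.next_hop))
        if any(dest.subnet_of(n) for n in nets.values()):
            findings.append("route %s via %s: destination is a directly connected VLAN subnet, "
                            "the static route adds nothing" % (r.destination, r.next_hop))
    return findings


# Constructed sample mirroring the thread: two VLANs on 192.168.1.0/24 and 192.168.2.0/24,
# a trunk set to allow all tagging, and "static routes for both subnets" as the poster
# described adding. The .254 gateway addresses are an assumption.
THREAD_PLAN = Plan(
    vlans=[Vlan(1, "192.168.1.0/24", "192.168.1.254"),
           Vlan(2, "192.168.2.0/24", "192.168.2.254")],
    trunk_allowed=None,
    routes=[StaticRoute("192.168.1.0/24", "192.168.2.254"),
            StaticRoute("192.168.2.0/24", "192.168.1.254")],
)

# Deliberately broken variant: overlapping subnets, a gateway outside its VLAN, a trunk
# that omits VLAN 2, and a route whose next hop is on no connected subnet.
BROKEN_PLAN = Plan(
    vlans=[Vlan(1, "192.168.1.0/24", "192.168.1.254"),
           Vlan(2, "192.168.1.128/25", "192.168.2.254")],
    trunk_allowed={1},
    routes=[StaticRoute("10.0.0.0/8", "172.16.0.1")],
)

if __name__ == "__main__":
    for name, plan in (("thread plan", THREAD_PLAN), ("broken plan", BROKEN_PLAN)):
        print(name + ":")
        for line in check_plan(plan) or ["no findings"]:
            print("  " + line)
```

Run as-is, the thread-like plan produces only two notes: both static routes point at subnets the router is already directly connected to, so they cannot be what makes or breaks inter-VLAN traffic. The broken plan produces one finding per fault, which is the point of writing the checks down rather than eyeballing the GUI.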

All subnets/address ranges are correct and devices have static IPs. VLAN settings are definitely correct on the switch, and the trunk port on the router is set to trunk and to "allow all tagging".

There are no settings on the hosts that prevent traffic. I disabled the firewall on both, which made no impact, yet as soon as I turn off the firewall on the router everything works. Turning off the router firewall was the last step, after creating firewall rules and checking/changing/testing other settings did not resolve the issue.

Here is a dropped event from just now from the log, port 445 (for accessing file share). I created rules to unblock several days ago for both subnets and both devices (rules are further down): 

Sep 6 15:03:32 kernel: DROP IN=br0 OUT=br52 MAC=c8:7f:54:27:fd:b0:84:b1:e2:54:fc:65:08:00 src=192.168.0.83 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=32711 DF PROTO=TCP SPT=52412 DPT=445 SEQ=1809515693 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)

 

To me it appears there is either some router firewall functionality blocking inter-VLAN traffic with no way to unblock it, OR there is an issue with inter-VLAN routing but no setting to change or check, but maybe I'm wrong. I've looked at every page and setting many times at this point.

There are no settings mentioning: 

  • Inter-VLAN routing
  • ICMP
  • Implicit allow or deny rules in the firewall, or mention of similar anywhere in settings.

Also: 

  • Triple-checked VLAN set up on the switch
  • Tried various IGMP snooping settings on the switch

The only firewall settings are "Enable firewall", "Enable inbound firewall rules", "Respond ICMP request from WAN" (enabling did not fix pinging), and option to choose what to log (selected all)

Here are all firewall rules. Created rules initially for just the subnets, but when that didn't work I added them for each host too: 

Source IP      Port Range   Protocol
(the Port Range field doesn't allow a range; only a single integer can be input)

For VLAN1 subnet
192.168.1.0    137          UDP
192.168.1.0    138          UDP
192.168.1.0    139          UDP
192.168.1.0    445          UDP
192.168.1.0    445          TCP

For VLAN1 device
192.168.1.2    137          UDP
192.168.1.2    138          UDP
192.168.1.2    139          UDP
192.168.1.2    445          UDP
192.168.1.2    445          TCP

For VLAN2 subnet
192.168.2.0    137          UDP
192.168.2.0    138          UDP
192.168.2.0    139          UDP
192.168.2.0    445          UDP
192.168.2.0    445          TCP

For VLAN2 device
192.168.2.1    137          UDP
192.168.2.1    138          UDP
192.168.2.1    139          UDP
192.168.2.1    445          UDP
192.168.2.1    445          TCP

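The kernel log line quoted in the post above is in netfilter's LOG format, and two things in it can be read mechanically. IN= and OUT= are both set (br0 and br52), which means the router was forwarding the packet from one interface to another rather than delivering it to itself; a packet addressed to the router would have OUT empty. And the source address 192.168.0.83 lies outside both /24s that the posted rule table names. The following Python is an added example, not code from the thread or from the router's firmware: it parses such lines, classifies the path, decodes the TCP flags, and checks each packet against the posted rules. It takes a source ending in .0 in the rule table to mean the whole /24 (an assumption about what the poster intended), and its second sample line is constructed to show the inbound-to-router case.

```python
"""Parse netfilter-style kernel LOG lines and explain what the router dropped.

Added example, not from the thread or the router's firmware. The first sample line is the
dropped packet quoted in the post above (its lower-case "src=" is kept as-is); the second
is constructed to show an inbound-to-router packet.
"""
import ipaddress
import re

SAMPLE_LOG = """\
Sep 6 15:03:32 kernel: DROP IN=br0 OUT=br52 MAC=c8:7f:54:27:fd:b0:84:b1:e2:54:fc:65:08:00 src=192.168.0.83 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=32711 DF PROTO=TCP SPT=52412 DPT=445 SEQ=1809515693 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40103030801010402)
Sep 6 15:03:40 kernel: DROP IN=eth0 OUT= MAC=c8:7f:54:27:fd:b0:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 SEQ=1 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# The rule table from the post as (source, port, protocol). Assumption: a source ending
# in .0 means the whole /24; anything else is a single host.
POSTED_RULES = [
    (src, port, proto)
    for src in ("192.168.1.0", "192.168.1.2", "192.168.2.0", "192.168.2.1")
    for port, proto in ((137, "UDP"), (138, "UDP"), (139, "UDP"), (445, "UDP"), (445, "TCP"))
]

SERVICE_NAMES = {22: "SSH", 137: "NetBIOS name", 138: "NetBIOS datagram",
                 139: "NetBIOS session", 445: "SMB"}

KV_RE = re.compile(r"\b([A-Za-z]+)=(\S*)")
# Bare flag words; "(?!=)" keeps "ACK=0" (a field) from being read as the ACK flag.
FLAG_RE = re.compile(r"\b(DF|MF|SYN|ACK|FIN|RST|PSH|URG)\b(?!=)")
PREFIX_RE = re.compile(r"kernel:\s+(.*?)\s*\bIN=")


def parse_line(line):
    """Return a dict of upper-cased KEY=value fields plus VERDICT (the LOG prefix) and FLAGS."""
    m = PREFIX_RE.search(line)
    if m is None:
        raise ValueError("not a netfilter LOG line: %r" % line)
    rec = {k.upper(): v for k, v in KV_RE.findall(line)}
    rec["VERDICT"] = m.group(1)
    rec["FLAGS"] = set(FLAG_RE.findall(line))
    for key in ("SPT", "DPT", "LEN", "TTL"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def direction(rec):
    """Which path the packet was on when it was logged, from which interface fields are set.

    Both IN and OUT set: the router was forwarding it from one interface to another.
    Only IN: it was addressed to the router itself. Only OUT: the router generated it.
    """
    has_in, has_out = bool(rec.get("IN")), bool(rec.get("OUT"))
    if has_in and has_out:
        return "forward"
    if has_in:
        return "input"
    if has_out:
        return "output"
    return "unknown"


def rule_covers(rule, rec):
    """True if a (source, port, protocol) rule matches this packet's source, dst port and proto."""
    src, port, proto = rule
    if proto != rec.get("PROTO") or port != rec.get("DPT"):
        return False
    src_net = ipaddress.ip_network(src + ("/24" if src.endswith(".0") else "/32"))
    return ipaddress.ip_address(rec["SRC"]) in src_net


def analyze(line, rules):
    """Parse one line and report path, service, flags and which posted rules would cover it."""
    rec = parse_line(line)
    path = direction(rec)
    matched = [r for r in rules if rule_covers(r, rec)]
    summary = "%s on %s path %s->%s: %s %s:%s -> %s:%s (%s) flags=%s" % (
        rec["VERDICT"], path, rec.get("IN") or "-", rec.get("OUT") or "-", rec.get("PROTO"),
        rec.get("SRC"), rec.get("SPT"), rec.get("DST"), rec.get("DPT"),
        SERVICE_NAMES.get(rec.get("DPT"), "?"), ",".join(sorted(rec["FLAGS"])))
    if not matched:
        summary += "; no posted rule names this source/port/protocol"
    return {"record": rec, "direction": path, "matched_rules": matched, "summary": summary}


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(analyze(entry, POSTED_RULES)["summary"])
```

For the quoted line the output says: DROP on the forward path br0->br52, TCP SYN from 192.168.0.83 to 192.168.1.2 port 445 (SMB), and no posted rule covers it, because every rule source is in 192.168.1.0/24 or 192.168.2.0/24. Whatever the router's rule UI does, it cannot have matched this packet on source address; that is worth knowing before spending more time on rule variations.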