Inter-VLAN Routing Issue

I’m having an issue with inter-VLAN routing. I’ve read through lots of other posts on the forum with similar questions and the responses make sense to me in theory (and I believe I have set it up as described therein), but don’t seem to work for me in practice.

Here is my setup:

  • Surf SOHO Mk3 with AP turned off
  • Two separate Peplink APs connected to Surf SOHO via LAN Ports set to Trunk / Any

All devices are on the latest firmware version.

I have 2 vLANs:

  • Untagged vLAN (x.x.2.x with subnet mask 255.255.255.0 /24) is used for computers, mobile devices, etc.
  • vLAN #3 (x.x.3.x with subnet mask 255.255.255.0 /24) is used for IoT devices

Inter-VLAN routing is turned ON for both and Layer 2 Isolation is turned OFF. On the two access points, I have separate SSIDs for each of the untagged vLAN and #3 and the vLAN IDs in the SSID settings match to the IDs above. My Internal Network Firewall Rules are set to allow all and I don’t have any other Internal rules.

The issue is that I am finding that devices on the untagged vLAN cannot communicate with devices on vLAN 3 and vice versa. As best I can tell with the combination of inter-vLAN routing, no Layer 2 isolation, firewall rules set to allow all, this should work.

On untagged vLAN my router has address x.x.2.6 and on vLAN 3 it's x.x.3.6.

Here is what I have tried to test it:

  • From device on untagged LAN, ping device on untagged LAN = works as expected
  • From device on untagged LAN, ping device on vLAN 3 = does not work / no response
  • From router, ping device on untagged LAN = works as expected; router pings from x.x.2.6
  • From router, ping device on vLAN 3 using “Connection” set to LAN = does not work; router pings from x.x.2.6
  • From router, ping device on vLAN 3 using “Connection” set to vLAN 3 = works; router pings from x.x.3.6

I confirmed that the device on the receiving end of the ping has its internal firewall turned off (it's a computer).

I am relatively new to networking, so it's possible I am just misunderstanding something fundamental here. But I would have expected that it would work this way: ping comes from device on untagged LAN, goes to router, router says “this belongs on other network x.x.3.x” and sends it to the device on vLAN #3; the response to the ping would then follow the same path in reverse.

Any ideas on what could be causing the issue?

To test interVLAN routing, try to ping the router interface on the other network. In other words, device on x.x.2.0/24 network should try to ping x.x.3.6 router interface. If you cannot ping the router interface on the other network (x.x.3.6), but can ping the local router interface (x.x.2.6), the issue is with the settings in the router related to interVLAN routing. If you can ping that interface, then there is some other issue.

As @d_cyril_colbeck says. Make sure devices on either network can ping both of the router IPs first.

If they can ping the router IP on the same VLAN as the device sits but not the other router IP, the issue is nearly always the default gateway IP has not been set to the SOHO LAN IP on some or all of the LAN devices.

Thank you both. I can confirm that the device I’m testing can ping the router at the IP address within the same VLAN, but cannot ping the router at the other IP address. It does seem in that case that the issue is with settings in the router related to inter-VLAN routing.

The default gateway on the test device is showing as x.x.2.6 when on untagged VLAN and x.x.3.6 when on VLAN 3, which I think is what would be expected?

Other than the setting to allow or disallow inter-VLAN routing, any idea what other settings could be causing this? I don’t have any of the advanced settings related to inter-VLAN enabled.

Yes this is right.

If the device you are testing from can ping the router on its own IP subnet / vlan but not the other VLAN and it has the default gateway set, then something is blocking the traffic.

You said your internal firewall rules are set to any / any / allow? Enable logging on that default rule and run your pings again. See what it says about the pings that fail…

Thank you, I was able to figure it out with your suggestion.

When I added an internal firewall rule to log everything I tried ping and got…nothing. I realized that meant that the ping wasn’t even reaching the router. The reason: the VPN on my device was sending the ping over the VPN instead of within the LAN. I had set the VPN up to allow LAN access which was working for devices on the same subnet, but apparently it must allow only traffic on the same subnet, not to all private IPs. When I turned off the VPN or set it to exclude private IPs, I was able to ping devices on the VLAN. I thought I would have noticed this because I had tried ping from another device, but that also had a separate VPN doing the same thing… Thanks for the help!

1 Like
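The root cause in the last post is a host-side routing decision, not a router setting: with the VPN's “allow LAN access” option only the directly connected subnet bypasses the tunnel, so a ping to the other VLAN's router interface never reaches the SOHO and the logged any/any/allow rule records nothing. The model below, an added illustration that is not code from this thread or from Peplink, reproduces that decision for the three cases discussed (no VPN, “allow LAN”, “exclude private IPs”). The 192.168.2.x / 192.168.3.x addresses stand in for the thread's x.x.2.x / x.x.3.x networks, and the policy names are assumptions rather than settings of any particular VPN client.

```python
"""Host-side next-hop decision for a ping under different VPN bypass policies.

Constructed example. Addresses are placeholders for the thread's x.x.2.x and
x.x.3.x networks; the VPN policy names are assumed, not taken from a product.
"""
import ipaddress

# Constructed topology: test host on the untagged VLAN, SOHO interfaces on
# both VLANs (the thread's x.x.2.6 and x.x.3.6 with 192.168 substituted).
HOST_IFACE = ipaddress.ip_interface("192.168.2.50/24")
GATEWAY = ipaddress.ip_address("192.168.2.6")        # default gateway
ROUTER_OTHER_VLAN = ipaddress.ip_address("192.168.3.6")

# Assumed VPN client policies:
#   "none"            - no VPN active, normal routing table applies
#   "allow_lan"       - only the directly connected subnet bypasses the tunnel
#   "exclude_private" - every RFC 1918 destination bypasses the tunnel
POLICIES = ("none", "allow_lan", "exclude_private")


def next_hop(dst, vpn_policy="none", host_iface=HOST_IFACE, gateway=GATEWAY):
    """Return where the host sends a packet for dst: 'direct' (same subnet),
    'gateway <ip>' (routed via the SOHO) or 'vpn_tunnel' (never hits the LAN)."""
    dst = ipaddress.ip_address(dst)
    on_link = dst in host_iface.network
    if vpn_policy == "none":
        bypass = True
    elif vpn_policy == "allow_lan":
        bypass = on_link                 # only the connected /24 is exempt
    elif vpn_policy == "exclude_private":
        # ip_address.is_private covers RFC 1918 plus other non-global ranges;
        # for the LAN addresses used here that is the intended behaviour.
        bypass = dst.is_private
    else:
        raise ValueError(f"unknown policy {vpn_policy!r}")
    if not bypass:
        return "vpn_tunnel"
    return "direct" if on_link else f"gateway {gateway}"


def reaches_router(dst, vpn_policy="none"):
    """True only when the packet is forwarded through the SOHO, i.e. when a
    logged internal firewall rule could record it. Same-subnet pings are
    switched locally and also never show up there."""
    return next_hop(dst, vpn_policy).startswith("gateway")


def diagnose(vpn_policy):
    """Run the two pings recommended in the thread (local router interface,
    then the router interface on the other VLAN) and say what a logged
    any/any/allow rule would show for the cross-VLAN one."""
    local = next_hop(GATEWAY, vpn_policy)
    remote = next_hop(ROUTER_OTHER_VLAN, vpn_policy)
    logged = reaches_router(ROUTER_OTHER_VLAN, vpn_policy)
    return {"local_ping": local, "remote_ping": remote, "router_logs_remote": logged}


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:16} {diagnose(policy)}")
```

With “allow_lan” the cross-VLAN ping is sent into the tunnel, which matches the empty firewall log in the thread; switching to “exclude_private” (or disabling the VPN) sends it to the default gateway, where the SOHO's inter-VLAN routing and internal firewall rules finally get a chance to act.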