Hello Community,
I am operating a MAX BR1 5G and trying to fulfill a customer request, which is to bridge two physical networks, using the LAN interfaces on the BR1, and provide access to a secondary network device. Below are the current settings.
LAN Network and Port Settings
The primary network is 192.168.0.1/24, DHCP is enabled, VLAN set to None (default). This is the simple flat network that normal devices are on. Normal means workstations, APs, cameras, Sonos, etc…
The secondary network is 172.16.20.1/24, with VLAN set to 1 (required 1-4094). This network has our destination device attached, currently set to IP 172.16.20.119.
LAN Port 1 and Port 2 are enabled and both set to Trunk, with Any VLAN allowed. Inter-VLAN routing is enabled for each network.
Specific allow rules have been set in the Internal Network firewall rules which allow our source network (192.168.0.1/24) to reach our destination network (172.16.20.1/24). Each rule has been set to log events, but nothing is showing up in the firewall logs in Status > Event Log > Firewall.
Downstream of each LAN port, there are a couple unmanaged switches. No other network gear other than APs of the primary network.
Misc/Troubleshooting Items
- I am VPN’d into the primary network with an IP of 192.168.0.57 and cannot ping the LAN P2 IP 172.16.20.1.
- I am unable to reach 172.16.20.119 via a web interface that we confirm is working if we set a laptop to 172.16.20.118, pull up the device IP and navigate accordingly.
- With the unmanaged switches, we can’t tag ports for specific VLANs, which is why I attempted to use VLAN 1, often a default for equipment.
- The target device on the secondary network has no options to specify a VLAN on the local settings, which
I am looking for suggestions on troubleshooting steps, or other ways to accomplish this task without adding more equipment (e.g. a managed switch), if possible. Looking forward to find out what I may be overlooking.
Don’t use VLAN1 for the 2nd network. Use VLAN ID 10 instead. See if the problems go away.
Assuming that the devices in each subnet are configured to use the Peplink as their gateway this is quite simple, but what you are describing is routing, not bridging (bridging is a layer 2 thing).
Change them to access and put them into the correct VLAN for each. As your switches are unmanaged they will not tag frames towards the Peplink, and whilst a trunk port will accept untagged frames, it will also expect your “VLAN1” side of this to explicitly tag frames for that VLAN.
To start with maybe connect a device directly to the Peplink and check end to end connectivity.
Martin’s suggestion to not use “VLAN1” as a tagged VLAN is also a good one; many people consider VLAN 1 an untagged network in a lot of cases, and Peplink lets you tag it explicitly. Either way it shouldn’t matter if your ports are in access mode rather than trunk, but it is generally a bit cleaner than having two VLANs configured which may be understood in some cases to be untagged.
Other basic steps to prove things are working:
Connect a device directly to each port; can you configure a static IP and ping the gateway / IP of the Peplink?
Then insert the switches in between; if things are still working they should be good at least as far as each local segment goes.
After that it should be simply a case of checking that a device on the 192 net can ping a device on the 172 net.
If that does not work then you should check the local configuration of the devices: do they have the correct gateway assigned?
The config on the Peplink side is pretty basic here, as it should be; as you have done, it is a case of just ticking the “inter VLAN routing” box and adding, if necessary, any rules to permit traffic.
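The access-versus-trunk point in Will's post, as an added illustration that is not from this thread or from Peplink: a small model that reads the 802.1Q tag (if any) of an Ethernet frame and shows which network an untagged frame from the non-tagging 172.16.20.119 device lands in on each port mode. The trunk behaviour (untagged frames go to the "VLAN: None" primary network) is an assumption, and all frames are constructed samples.

```python
import struct

DOT1Q = 0x8100
PRIMARY = 0      # assumed ID for the untagged "VLAN: None" network, 192.168.0.0/24
SECONDARY = 10   # the tagged secondary network, 172.16.20.0/24

def make_frame(vlan=None, payload=b"\x08\x00" + b"\x00" * 46):
    """Constructed sample Ethernet frame, optionally carrying an 802.1Q tag."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("02aabbccdd01")  # dst, src
    if vlan is None:
        return hdr + payload
    return hdr + struct.pack("!HH", DOT1Q, vlan & 0x0FFF) + payload

def vlan_of_frame(frame):
    """VLAN ID from the 802.1Q tag, or None when the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == DOT1Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def ingress_vlan(frame, port):
    """Network a frame lands in when it arrives on a LAN port.
    port: {"mode": "access", "vlan": N} or
          {"mode": "trunk", "untagged": N, "allowed": set() or "any"}
    Returns a VLAN ID, or None when the port drops the frame."""
    vid = vlan_of_frame(frame)
    if port["mode"] == "access":
        return port["vlan"]            # access: every frame belongs to the port VLAN
    if vid is None:
        return port["untagged"]        # trunk (assumed): untagged => native network
    if port["allowed"] != "any" and vid not in port["allowed"]:
        return None
    return vid

def reachable(src_vlan, dst_vlan, inter_vlan_routing):
    """Same VLAN is L2-adjacent; different VLANs need routing enabled on both."""
    if src_vlan is None or dst_vlan is None:
        return False
    if src_vlan == dst_vlan:
        return True
    return src_vlan in inter_vlan_routing and dst_vlan in inter_vlan_routing

# The thread's first configuration: LAN P2 trunk, any VLAN, unmanaged switch downstream.
TRUNK_P2 = {"mode": "trunk", "untagged": PRIMARY, "allowed": "any"}
# The corrected configuration: LAN P2 as an access port in VLAN 10.
ACCESS_P2 = {"mode": "access", "vlan": SECONDARY}

def device_lands_in(port):
    # The 172.16.20.119 device cannot tag, so its frames always arrive untagged.
    return ingress_vlan(make_frame(), port)
```

With the trunk configuration the device's untagged frames are placed in the primary network, so its 172.16.20.119 address is on the wrong L2 segment; with the access port they land in VLAN 10 as intended.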
Martin and Will, thank you for the suggestions! I was delayed on an update but wanted to highlight the changes made below.
- The secondary network is 172.16.20.1/24, with VLAN now set to 10.
- LAN Port 1 and 2 have been changed to Access ports, with the proper network assigned in the VLAN dropdown.
- Specifically, LAN Port 1 = Access for the primary network (192.168.0.1/24) and LAN Port 2 = Access for the secondary network (172.16.20.1/24).
After applying the changes, I freshly connected into the network via VPN and received a DHCP IP on the primary network (192.168.0.1/24), but I am unable to reach either the IP set for LAN Port 2 (172.16.20.1) or the destination device (172.16.20.119). No effective change has occurred after the adjustments mentioned above.
I double checked the Internal Network Firewall Rules were also specifically set to allow src 192.168.0.1/24 to dst 172.16.20.1/24, and vice versa.
For some of the additional steps suggested, we will be having a tech on-site to knock those out. The only remote test I could perform was on the primary network side, from the VPN connection, and I can ping the gateway of 192.168.0.1 successfully.
Will, as you stated in the end of your post, the Peplink side should indeed be basic! I won’t be surprised in the least when it ends up being a simple setting that I overlooked.
I appreciate the responses. Please let me know if anything else pops up as an idea. Thank you.