Draytek 2960 / VLAN Setup (Internet Access)

I'm sure what I'm trying to do is relatively simple, however I haven't been able to get it to work.

We're using a Draytek 2960 router and I need to add a separate independent VLAN (port based) which can't access any other PCs on the network but should have internet access.

So far setup is as below:

LAN 1 = VLAN ID 10 = 192.168.100.xxx, default gateway 192.168.100.2 (the 2960 router)
All PCs etc. connect to each other fine, no problems.
LAN 2 = VLAN ID 20 = 192.168.200.xxx, PCs are getting IPs via DHCP OK, however no internet access.

What setting would I need to change to allow LAN 2 internet access?

I'm sure this is simple enough, however networking really isn't my strong point, and everything I've tried doesn't work :confused:

Thanks in advance :)
 
What IP have you assigned the Draytek for VLAN2?

If you have separated the 2 LANs you will have probably removed VLAN2's access to the gateway address.
 
Devices on LAN2 can ping the Draytek on the LAN2 IP (192.168.200.1) but not on its LAN1 IP (192.168.100.2).

IP for Draytek on LAN2 is set to 192.168.200.1

I did look at static route after some brief research yesterday but couldn't figure out which values to use :p
 
If both VLANs have an interface in the subnet, and they get a DHCP address for the right subnet, then it could just be the firewall rules that need looking at (allowing traffic out via LAN2, for example). Can the Draytek ping a PC? (with its firewall off or ICMP allowed to it)
 
Firewall rules are the same as for existing LAN1, so those seem fine.

Currently only one PC on LAN2, can be pinged OK from the router.
 
For the static route, I believe you need to do the following:

Network: 192.168.200.0
Subnet: 255.255.255.0 (assuming /24)
Gateway: 192.168.100.2

That should then allow your second network access to the internet.
 
You shouldn't need a static route if the router has a directly connected interface in each subnet and the gateway on the client is using that.

The router will probably have
0.0.0.0/0 WAN
192.168.100/24 LAN1
192.168.200/24 LAN2

Oh, for OP the subnet mask is 255.255.255.0 isn't it? (for router/dhcp clients)
 
PC on LAN1 can ping router on LAN1 IP, LAN2 can ping LAN2 IP.

I can't access the test PC any more as I'm doing this remotely and colleagues have gone home for the day - can only access the router for now (unless the test PC on LAN2 comes online on TeamViewer).

Yes subnet is 255.255.255.0/24

Tracert using router diagnostic to 8.8.8.8 has same results when using both LAN1 and LAN2.

This is the routing table from the router's diagnostics, if that helps at all:

[Image: Zn1osek.png]
 
I would look at the firewall logs to see if traffic from LAN2 is being blocked. I don't see anything wrong with the routing if it's all as described above. Was the tracert from the router or the clients?
 
You were correct - it was a firewall issue.

I didn't add the new IP range to the firewall rules :o

Thanks for the help, seems to be working now :)
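
Added example, not part of the thread and not Draytek configuration: a small first-match rule model that reproduces the symptom (LAN2 gets DHCP but no internet because its range is in no rule) and checks the stated goal that LAN2 reaches the internet but not LAN1. The rule format, the default-drop behaviour, the host addresses ending in .10 and the rule ordering are assumptions for illustration; the misordered set shows how simply adding the new range with an "any" destination would also open LAN2 to LAN1.

```python
import ipaddress as ip

LAN1 = ip.ip_network("192.168.100.0/24")   # VLAN 10 in the thread
LAN2 = ip.ip_network("192.168.200.0/24")   # VLAN 20 in the thread
ANY = ip.ip_network("0.0.0.0/0")

# Constructed rule sets (action, source, destination); hypothetical model,
# not Draytek syntax. Assumption: first match wins, unmatched traffic is dropped.
RULES_BEFORE = [("allow", LAN1, ANY)]                 # new range never added
RULES_FIXED = [("deny", LAN2, LAN1),                  # isolation rule first
               ("allow", LAN1, ANY),
               ("allow", LAN2, ANY)]
RULES_MISORDERED = [("allow", LAN1, ANY),
                    ("allow", LAN2, ANY),             # matches LAN2 -> LAN1 too
                    ("deny", LAN2, LAN1)]             # never reached

# Constructed probe flows: (source host, destination host).
PROBES = {
    "lan1_to_internet": ("192.168.100.10", "8.8.8.8"),
    "lan2_to_internet": ("192.168.200.10", "8.8.8.8"),
    "lan2_to_lan1": ("192.168.200.10", "192.168.100.10"),
}

def decide(rules, src, dst, default="deny"):
    """Return the action of the first rule matching src -> dst."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return default

def audit(rules):
    """Evaluate every probe flow against a rule set."""
    return {name: decide(rules, *flow) for name, flow in PROBES.items()}

def meets_goal(rules):
    """True when both LANs reach the internet and LAN2 cannot reach LAN1."""
    r = audit(rules)
    return (r["lan1_to_internet"] == "allow" and r["lan2_to_internet"] == "allow"
            and r["lan2_to_lan1"] == "deny")

if __name__ == "__main__":
    for label, rules in [("before", RULES_BEFORE), ("fixed", RULES_FIXED),
                         ("misordered", RULES_MISORDERED)]:
        print(label, audit(rules), "OK" if meets_goal(rules) else "FAIL")
```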
 