Multiple Subnet VLAN's sharing Internet Access

[ryanz]

Hi guys,

This post seems to be closest to what we need.
http://forumz.tomshardware.com/netw...ies-FSM-7328s-VLAN-Creation-ftopict21617.html

Could someone check or advise if this is correct using a Netgear FSW7326P L2/L3 switch.

We need to give 3 Subnets Internet Access through a pre-configured Firewall Gateway but the 3 Subnets must NOT be able to share data between each other (unless enabled later)

Here are some basic network details:
-------------------------------------------
Firewall Green IP : 192.168.0.1 (Internet Gateway)
Netgear Layer2/3 Switch IP : 192.168.0.254

Subnet-0 : 192.168.0.0/24 (Switch & Firewall Gateway)
Subnet-1 : 192.168.10.0/24
Subnet-2 : 192.168.11.0/24
Subnet-3 : 192.168.12.0/24

All subnet masks : 255.255.255.0
All IP's assigned statically, no DHCP running.


VLAN SET UP (SWITCH, VLAN, CONFIG):
-----------------------------------------------

MODIFY VLAN 1 (UNTAGGED):
Ports 1-24 "Default"

Create VLAN 2 (UNTAGGED):
Ports 1-4 "Switch & Firewall Gateway VLAN"

Create VLAN 3 (UNTAGGED):
Ports 5-9 "Subnet-1 VLAN"

Create VLAN 4 (UNTAGGED):
Ports 10-14 "Subnet-2 VLAN"

Create VLAN 5 (UNTAGGED):
Ports 15-19 "Subnet-3 VLAN"

Create VLAN 6 (UNTAGGED):
Ports 1-20 "Internet VLAN"


VLAN PORT CONFIGURATION (SWITCH, VLAN, PORT CONFIG):
------------------------------------------------------------------------

VLAN 2 (ADMIT ALL):
Ports 1-4

VLAN 3 (ADMIT ALL):
Ports 5-9

VLAN 4 (ADMIT ALL):
Ports 10-14

VLAN 5 (ADMIT ALL):
Ports 15-19

VLAN 6 (ADMIT ALL):
Ports 20

Is this the correct setup to allow all subnets access to the internet on Subnet-0 while preventing inter-subnet access?

 

[El0him]

This deployment is not correct. You need to create all layer 3 vlans, filter traffic between the three vlans, and route all internet bound traffic through a point to point between the firewall and a layer three interface on the switch. You could also create three layer 2 vlans, doing router on a stick with the firewall, assuming the firewall understands vlan tagging or you need to put a router between the firewall and switch and do router on a stick. Either way you need to deny all traffic inter-vlan.

Hi guys,

This post seems to be closest to what we need.
http://forumz.tomshardware.com/netw...ies-FSM-7328s-VLAN-Creation-ftopict21617.html

Could someone check or advise if this is correct using a Netgear FSW7326P L2/L3 switch.

We need to give 3 Subnets Internet Access through a pre-configured Firewall Gateway but the 3 Subnets must NOT be able to share data between each other (unless enabled later)

Here are some basic network details:
-------------------------------------------
Firewall Green IP : 192.168.0.1 (Internet Gateway)
Netgear Layer2/3 Switch IP : 192.168.0.254

Subnet-0 : 192.168.0.0/24 (Switch & Firewall Gateway)
Subnet-1 : 192.168.10.0/24
Subnet-2 : 192.168.11.0/24
Subnet-3 : 192.168.12.0/24

All subnet masks : 255.255.255.0
All IP's assigned statically, no DHCP running.


VLAN SET UP (SWITCH, VLAN, CONFIG):
-----------------------------------------------

MODIFY VLAN 1 (UNTAGGED):
Ports 1-24 "Default"

Create VLAN 2 (UNTAGGED):
Ports 1-4 "Switch & Firewall Gateway VLAN"

Create VLAN 3 (UNTAGGED):
Ports 5-9 "Subnet-1 VLAN"

Create VLAN 4 (UNTAGGED):
Ports 10-14 "Subnet-2 VLAN"

Create VLAN 5 (UNTAGGED):
Ports 15-19 "Subnet-3 VLAN"

Create VLAN 6 (UNTAGGED):
Ports 1-20 "Internet VLAN"


VLAN PORT CONFIGURATION (SWITCH, VLAN, PORT CONFIG):
------------------------------------------------------------------------

VLAN 2 (ADMIT ALL):
Ports 1-4

VLAN 3 (ADMIT ALL):
Ports 5-9

VLAN 4 (ADMIT ALL):
Ports 10-14

VLAN 5 (ADMIT ALL):
Ports 15-19

VLAN 6 (ADMIT ALL):
Ports 20

Is this the correct setup to allow all subnets access to the internet on Subnet-0 while preventing inter-subnet access?

 

[ryanz]

Thanks for the reply el0him,

I don't think Smoothwall can handle vlans so I'll need to make another plan or get another type of firewall. Can you suggest an open source firewall or other?

Anyway, I've now played with two setups, one as detailed by the thread from spiralclimbing and one where I setup the Netgear L3 to handle multiple vlans with inter-vlan routing.

The inter-vlan routing option is nice because it allows us to have various subnets but I'm not sure its the otion as the other subnets have access to all services on the main + internet subnet, I think due to the inter-vlan routing function.

The otion from spiralclimbing is more strict and keeps the vlans locked down due to no inter-vlan routing but all vlans are on the same subnet.