New Member
Posts: 2
Registered: ‎01-26-2017
Kudos: 11

EdgeRouter X Inter-VLAN routing issues (How I solved it)

[ Edited ]

Hey guys, I'm hoping to save someone some headaches by putting this out there.

 

I have a simple configuration with an EdgeRouter X.  It consists of a LAN and a Guest network.  The LAN has a couple of servers I needed to publish through NAT and firewall rules to the WAN and the Guest network.

 

I set up the router with eth0 - eth3 as switchports and eth4 as my WAN port.  I created a switch0.100 VLAN for my Guest network.  I set the switchports to be VLAN aware and added 100 to eth0's VID.  I connected eth4 to my cable modem, eth0 to my access point, and the rest to my PCs and Servers.  I set up the appropriate NAT and firewall rules and I was off to the races.  I had Internet access from my wireless LAN, wireless Guest, and LAN networks.  I had the servers published to the Internet.  Life was great.  Until I tried to access the LAN from the Guest or the Guest from the LAN.  Traffic would just not route no matter what I tried.

 

Here's the non-working setup:

 

Interface      IP Address          S/L    Description
---------      ----------          ---    -----------
eth0                               u/u    Switch Port - Access Point
eth1                               u/u    Switch Port - Server
eth2                               u/u    Switch Port - Office 1
eth3                               u/u    Switch Port - Office 2
eth4           *.*.141.188/20      u/u    WAN
switch0        10.255.255.1/24     u/u    Default VLAN
switch0.100    10.255.0.1/24       u/u    Guest

 

 Bad config.JPG

 

 

 

After fighting with it for ages, I ran a few packet captures.  What I discovered was the traffic going between the default VLAN(switch0) and the Guest VLAN(switch0.100) was getting lost coming out of the switch0 interface.  Now this was really puzzling to me because the WAN traffic was flowing just fine.  A ping from a device on LAN to a device on Guest looked like this:  LAN -> switch0 -> switch0.100 -> Guest (reply) Guest -> switch0.100 -> switch0 -> ....  It just disappeared!

 

I'm not sure if this is a *feature* or by design, but in order to get the VLANs to talk to each other properly, I had to create a new default VLAN.  I created switch0.1 and assigned it to the PVID of eth0-eth3.  I moved my management IP to switch0.1 and updated my firewall/NAT rules.  After that, everything was talking.  I created a couple loopback NAT rules for Guest to access the server on LAN using its WAN IP and everything was great.  This loopback is fairly well documented in other posts so I won't go into that. 

 

Here's the working setup:

 

Interface      IP Address          S/L    Description
---------      ----------          ---    -----------
eth0                               u/u    Switch Port - Access Point
eth1                               u/u    Switch Port - Server
eth2                               u/u    Switch Port - Office 1
eth3                               u/u    Switch Port - Office 2
eth4           *.*.141.188/20      u/u    WAN
switch0                            u/u
switch0.1      10.255.255.1/24     u/u    Default VLAN
switch0.100    10.255.0.1/24       u/u    Guest

 

 Good Config.JPG

Senior Member
Posts: 4,153
Registered: ‎03-24-2016
Kudos: 1169
Solutions: 491

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

Good that you sorted it out yourself.  It's a known issue that keeps reappearing on the forum.

I'll try to add it to the bug list, referencing your post.

New Member
Posts: 4
Registered: ‎04-15-2017

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

Nice workaround method!

 

I'm stuck on this problem too. Could you give more details on "moved my management IP to switch0.1 and updated my firewall/NAT rules"?

 

Thanks!

Senior Member
Posts: 4,153
Registered: ‎03-24-2016
Kudos: 1169
Solutions: 491

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

[ Edited ]

Connect to the GUI/CLI, but not using the switch0 interface address, so you don't disconnect yourself when making changes.

- Remove the IP address from switch0.  Create VIF1 under switch0, and configure the IP address there.

- Check if firewall rules are applied to switch0; reapply them to switch0.1.

- Check NAT rules (and port forwarding).  Change references to switch0 into switch0.1.

- DNS forwarder:  remove switch0, add switch0.1 as listening interface.

- Restart the DHCP server (or reboot the router), as on startup the daemon figures out which interfaces to listen on.

 

edit:

When using loadbalancing, use the CLI to move firewall modify ruleset from switch0 to switch0_vif1
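
The checklist in the reply above can be run against the output of `show configuration commands` to find every setting still bound to the bare switch0. This Python script is an added example, not part of the original reply or of EdgeOS; the sample configuration, NAT rule numbers and the ruleset names LAN_IN and GUEST_IN are constructed for illustration, and the generated commands are a draft to review before committing.

```python
import re

# Constructed sample: 'show configuration commands' output for the non-working
# layout in this thread (IP on bare switch0). Ruleset names are hypothetical.
SAMPLE = """\
set interfaces switch switch0 address 10.255.255.1/24
set interfaces switch switch0 firewall in name LAN_IN
set interfaces switch switch0 vif 100 address 10.255.0.1/24
set interfaces switch switch0 vif 100 firewall in name GUEST_IN
set interfaces switch switch0 switch-port vlan-aware enable
set service dns forwarding listen-on switch0
set service dns forwarding listen-on switch0.100
set service nat rule 10 inbound-interface switch0
set service nat rule 5010 outbound-interface eth4
set port-forward lan-interface switch0
"""

# Each pattern matches a setting bound to the untagged switch itself (never a
# vif) and maps it to the equivalent path on the new VIF (switch0.<vif>).
RULES = [
    (r"interfaces switch (switch\d+) (address \S+)",
     r"interfaces switch \1 vif {v} \2"),
    (r"interfaces switch (switch\d+) (firewall \w+ (?:name|ipv6-name|modify) \S+)",
     r"interfaces switch \1 vif {v} \2"),
    (r"service dns forwarding listen-on (switch\d+)",
     r"service dns forwarding listen-on \1.{v}"),
    (r"service nat rule (\d+) (inbound|outbound)-interface (switch\d+)",
     r"service nat rule \1 \2-interface \3.{v}"),
    (r"port-forward lan-interface (switch\d+)",
     r"port-forward lan-interface \1.{v}"),
]

def plan(config: str, vif: int = 1) -> list[str]:
    """Return delete/set pairs that move switch0-bound settings to switch0.<vif>."""
    cmds = []
    for line in config.splitlines():
        if not line.startswith("set "):
            continue
        path = line[4:].strip()
        for pattern, target in RULES:
            if re.fullmatch(pattern, path):   # vif-scoped lines never fully match
                cmds.append("delete " + path)
                cmds.append("set " + re.sub(pattern, target.format(v=vif), path))
                break
    return cmds

if __name__ == "__main__":
    print("\n".join(plan(SAMPLE)))
```

An empty result means nothing is left on the bare switch0; a firewall ruleset that shows up here is one that would otherwise stay behind on switch0 after the address moves.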

New Member
Posts: 1
Registered: ‎04-15-2017
Kudos: 1

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

I joined the community simply to post about this! It was driving me nuts! Fortunately I saw this thread on the front page! Extra kudos for the screen grabs!
New Member
Posts: 27
Registered: ‎01-02-2017
Kudos: 13

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

Here's a relevant video about a similar VLAN configuration on the ER-X. Not my video, I just find it well done so figured I'd share it.

Emerging Member
Posts: 83
Registered: ‎06-16-2016
Kudos: 14

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

Thanks so much, I have almost the exact same setup in my office and was scratching my head as to why the hell I couldn't route between my default LAN and my LAB VLAN!

 

I was about to start some tcpdump investigation, but you just saved me a crapload of time =)

 

Actually, when you think about it though, this is the exact same behaviour and config for a Cisco router with switchports... your default IP address for the LAN interface is on a VLAN, not directly on the interface itself.

 

 

 

New Member
Posts: 13
Registered: ‎06-13-2017
Kudos: 1

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

Just to remark: Does this issue also affect ER-5 routers? (like ERPOE-5)

 

I guess it does, but the problem is that in this one we don't have the vlan-aware switch so I can't untag the VLAN 1 if I move it from switch0 to switch0.1

 

Hope someone can confirm this

New Member
Posts: 1
Registered: ‎03-20-2017

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

Me too! I've given you some kudos just for having the same issue as me.
New Member
Posts: 7
Registered: ‎11-05-2015

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

Thank you, thank you, thank you, THANK YOU!

 

I have spent 3 days trying to get tagged->untagged routing to work and arrived here to post for help... and saw this post! 5 minutes later and I'm now up and running!

 

Cheers, B

Ubiquiti Employee
Posts: 506
Registered: ‎05-08-2017
Kudos: 104
Solutions: 83

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

I talk about this exact behavior in this video as well. It can be very confusing and it is easy to lock yourself out of the device if you do not have a backup management connection.

 

Ben

New Member
Posts: 13
Registered: ‎06-13-2017
Kudos: 1

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

Do you believe we can expect to have a vlan-aware switch in the ER-5 too? Or will it never come?

Emerging Member
Posts: 98
Registered: ‎02-28-2016
Kudos: 13
Solutions: 4

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

Ohh wow, Benpin works for UBNT, now it all makes a lot more sense why he created so many awesome videos on youtube for UBNT products.

 

Keep up the good work Ben!  I enjoyed and learned a lot from your content!

Emerging Member
Posts: 98
Registered: ‎02-28-2016
Kudos: 13
Solutions: 4

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

 "I created a couple loopback NAT rules for Guest to access the server on LAN using its WAN IP and everything was great.  This loopback is fairly well documented in other posts so I won't go into that."

 

Not that it matters, but you could also achieve the same end goal by using split-DNS, include a host record alias in the edge-router and poke a hole in the firewall on the guest network to simply allow the traffic to pass for whatever service hosted in the DMZ:

 

set system static-host-mapping host-name YOUHOSTNAME inet x.x.x.x

set system static-host-mapping host-name YOUHOSTNAME alias FQDN_HOSTNAME

 

then poke your holes into the guest network to the server host and make sure the guest network uses the Edgerouter-X for DNS resolution and you're done.

 

More than one way to crack the egg type of thing.

 

Have a good one

 

New Member
Posts: 7
Registered: ‎08-01-2017
Kudos: 1

Re: EdgeRouter X Inter-VLAN routing issues (How I solved it)

Thanks for this. I was beating my head against the wall. I just assumed no VLAN was VLAN1, and the fact that it kind of worked was driving me bonkers.