T2600G-18TS - Separate VLANs setup, issue with accessing Synology NAS
Maybe someone can help with an issue with accessing a Synology NAS that is on VLAN 1 from IoT devices on VLAN 10. I want to stream music to these and I have it working, but only because the ports that are on VLAN 10 (IoT) are also on VLAN 1. The NAS is also on VLAN 1. I have an EdgeRouter too, with appropriate firewall rules to allow IoT to the NAS IP.
Port 17 is the trunk to the EdgeRouter. The NAS is on LAG1 (not in the first pic) and is a tagged member of VLAN 1. If I remove ports 3 & 4 from VLAN 1 I cannot see the NAS nor stream music to IoT. However, the firewall rules work as intended.
@R1D2 , can you help bud?
Switch VLAN setup (some of these ports are used by the OC200 - eth1 - and the EAPs - eth2 & 3); eth5 is the trunk to port 17 on the switch. I am wondering if it is to do with the Synology NAS only allowing one VLAN in the GUI (PITA), and it is set up as VLAN ID 1.
Pugs wrote
@R1D2 , can you help bud?
Hi Pugs, sorry, I'm not familiar with media server streaming protocols. But maybe you need to allow port 1900 (UPnP), too.
If this doesn't work, I would allow all ports in the Inter-VLAN firewall rule on the EdgeRouter and check with tcpdump which ports are actually used by the IoT devices when streaming.
Thanks, streaming is fine; it's the case that once ports 3 & 4 are taken out of VLAN 1 (they are supposed to be members of VLAN 10 only) streaming stops. I would have hoped that they could be taken out of VLAN 1; I don't really want them on that particular VLAN. Do the VLAN assignments look ok to you?
@Pugs, what's on ports 3 & 4? The LAG to the NAS?
I was wondering about the firewall rule (ports 50001 and ? Is it 50002?). What makes you sure the firewall rule for Inter-VLAN routing works? It seems that it does not work when you remove the NAS from VLAN 1, or did I misunderstand something here? According to the Synology document you also need to allow port 1900, right?
As for the ER VLAN settings:
eth1 is an access port which is untagged member of VLAN 1. Connected to OC200, right?
eth2 is a trunk with membership in VLANs 1T, 10T, 30T, 40T, 200U. Connected to an EAP?
eth3 is a trunk with membership in VLANs 1T, 10T, 30T, 40T, 99T, 200U. Also connected to an EAP?
eth5 is a trunk with membership in VLANs 1T, 10T, 30T, 40T, 50T, 99T, 101T, 200U. Trunk to switch?
As for the switch I can't see all assignments, e.g. for LAG1.
It would be best to draw a network diagram showing only switch, NAS, VLANs 1 & 10, EAPs, mapped SSIDs, OC200 Management VLAN setting.
For testing, I would remove the port limitation from the firewall rule. First, try to make a simplified setup work. It can be restricted later in detail if things are working.
R1D2 wrote
What's on ports 3 & 4? The LAG to the NAS?
Nope, 3 & 4 go to an AVR & Smart TV on VLAN 10 (IoT). The NAS is on LAG 1 (ports 15 & 16).
I was wondering about the firewall rule (ports 50001 and ? Is it 50002?). What makes you sure the firewall rule for Inter-VLAN routing works? It seems that it does not work when you remove the NAS from VLAN 1, or did I misunderstand something here? According to the Synology document you also need to allow port 1900, right?
Firewall is okay. The log shows it working and only allowing VLAN 10 to the VLAN 1 NAS, blocking other subnets (guest, gaming etc.).
As for the ER VLAN settings:
eth1 is an access port which is untagged member of VLAN 1. Connected to OC200, right?
Yip.
eth2 is a trunk with membership in VLANs 1T, 10T, 30T, 40T, 200U. Connected to an EAP?
Yip.
eth3 is a trunk with membership in VLANs 1T, 10T, 30T, 40T, 99T, 200U. Also connected to an EAP?
Yip.
eth5 is a trunk with membership in VLANs 1T, 10T, 30T, 40T, 50T, 99T, 101T, 200U. Trunk to switch?
Yip.
As for the switch I can't see all assignments, e.g. for LAG1.
The LAG config is done on the TP-Link; I just didn't screenshot LAG 1, but it's a tagged member of VLAN 1.
It would be best to draw a network diagram showing only switch, NAS, VLANs 1 & 10, EAPs, mapped SSIDs, OC200 Management VLAN setting.
Pretty basic; forget about the EAPs/OC200, that works fine. I only connect my IoT through wired ports (I designed the LAN when I built the house). All IoT are LAN wired (in VLAN 10).
So (example - not my real IP ranges)
LAN1 10.1.1.0/24
LAN10 10.1.10.0/24
LAN1 NAS 10.1.1.58, DLNA service (LAG 1 tagged - member 15 & 16)
LAN10 AVR 10.1.10.30, DLNA Client (Port 3 untagged)
Trunk Port 17 to EdgeRouter 10.1.1.1 (DHCP service etc.) - eth5
TP-LINK Jetstream switch - 10.1.1.2
ALL these ports are connected on the switch, not the EdgeRouter, with the exception of the trunk port (17), the OC200 and the two EAPs (these aren't the problem, all working; just NAS to IoT).
By the way, I created PVID 200 as you once mentioned here, to have non-assigned traffic going to a dummy VLAN (so PVID 200 doesn't have anything assigned).
Pugs wrote
LAN1 NAS 10.1.1.58, DLNA service (LAG 1 tagged - member 15 & 16)
LAN10 AVR 10.1.10.30, DLNA Client (Port 3 untagged)
Ok, so I guess that the firewall rule doesn't work if communication breaks between IoT devices and the media server if you remove the IoT devices from VLAN 1.
AFAIK, for DLNA you need to allow:
- Multicast from IoT zone to the media server/NAS,
- UDP port 1900 from IoT zone to multicast UPnP,
- UDP port 1900 from media server to IoT zone,
- TCP (and UDP?) from IoT zone to the media server/NAS.
I think it's best to ask in the Ubiquiti forum for help on how to set the firewall up correctly for DLNA.
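The exchange R1D2 lists above is SSDP, the UPnP discovery step a DLNA client runs before it streams anything. The following is an added example for this thread, not code from the posters, Synology or Ubiquiti: it builds the multicast M-SEARCH a client such as the AVR sends, parses the unicast reply a media server returns, and labels each leg the way a firewall between VLAN 10 and VLAN 1 would see it. Addresses reuse the thread's own example ranges (NAS 10.1.1.58, AVR 10.1.10.30) and the media-server port 50001 mentioned above; the client port 49152, the device UUID and the description URL path are placeholders constructed here.

```python
"""SSDP (UPnP discovery used by DLNA) as seen by an inter-VLAN firewall.

Added example; not from the thread, Synology or Ubiquiti. Addresses follow the
thread's example ranges; client port, UUID and URL path are placeholders.
"""
from urllib.parse import urlsplit

SSDP_MCAST = "239.255.255.250"
SSDP_PORT = 1900
NAS_IP, AVR_IP, AVR_PORT = "10.1.1.58", "10.1.10.30", 49152

# Constructed reply a DLNA media server might return to an M-SEARCH. Port 50001
# is the media-server port named in the thread; the UUID is a placeholder.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://10.1.1.58:50001/desc/device.xml\r\n"
    b"SERVER: Linux UPnP/1.0 DLNADOC/1.50\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::"
    b"urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"\r\n"
)


def build_msearch(search_target="urn:schemas-upnp-org:device:MediaServer:1", mx=2):
    """The M-SEARCH a client multicasts to 239.255.255.250:1900."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MCAST}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp(datagram):
    """Split an SSDP datagram (HTTP over UDP) into start line and header dict."""
    text = datagram.decode("ascii", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"start_line": start_line, "headers": headers}


def location_endpoint(msg):
    """Host and TCP port the client contacts next to fetch the device description."""
    url = urlsplit(msg["headers"]["LOCATION"])
    return url.hostname, url.port or 80


def classify_flow(src_ip, src_port, dst_ip, dst_port, datagram):
    """Label one leg of the SSDP exchange from the firewall's point of view."""
    start = parse_ssdp(datagram)["start_line"]
    if start.startswith("M-SEARCH") and (dst_ip, dst_port) == (SSDP_MCAST, SSDP_PORT):
        # Multicast, not a unicast flow to the NAS IP. A rule "UDP 1900 from IoT
        # to the NAS address" never matches it, and a router does not forward
        # it between VLANs unless multicast routing or a relay is configured
        # (an mDNS repeater relays UDP 5353 only, not SSDP).
        return "discovery"
    if start.startswith("HTTP/1.1 200") and dst_port != SSDP_PORT:
        # Unicast from the server's own address to the client's source port.
        # Its destination address differs from the M-SEARCH's, so a stateful
        # firewall does not treat it as return traffic; it needs an explicit
        # allow rule from the NAS VLAN towards the IoT VLAN.
        return "response"
    if start.startswith("NOTIFY") and dst_ip == SSDP_MCAST:
        return "announcement"
    return "other"


def demo():
    """Walk the two legs of discovery with the thread's example hosts."""
    msearch = build_msearch()
    legs = [
        (AVR_IP, AVR_PORT, SSDP_MCAST, SSDP_PORT, msearch),
        (NAS_IP, SSDP_PORT, AVR_IP, AVR_PORT, SAMPLE_RESPONSE),
    ]
    result = [classify_flow(*leg) for leg in legs]
    host, port = location_endpoint(parse_ssdp(SAMPLE_RESPONSE))
    result.append(f"then TCP {host}:{port}")
    return result


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the classification makes is that "open port 1900" describes only half the exchange: the search is multicast and the reply is unicast back to an ephemeral client port from the NAS's own address, and only after that does the client open the TCP connection to the port in the LOCATION header. Each of those legs needs its own path (multicast across VLANs or a relay, an explicit NAS-to-IoT UDP rule, and the TCP media-server port).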
Yeah, I just removed one of the two aforementioned IoT devices from VLAN 1 and it stopped communicating with the NAS. I also then put it back in but blocked it at the firewall (removed it from an 'allowed list' of devices); it was then also prevented from communicating, even though still in VLAN 1. So I'd say the firewall rules work. I've been playing around with this for ages and am at a loss. However, the workaround is having those devices in both VLANs, and it appears to work as intended; it's just that I hate things that don't work as intended, and that means getting them off my VLAN 1... lol
Ports have all been opened for DLNA and so forth.
Pugs wrote
Ports have all been opened for DLNA and so forth.
See this video HowTo, it shows how to use a mDNS repeater on EdgeRouter to have IoT devices broadcast between subnets: https://www.youtube.com/watch?v=1mjdkki2pIY
Maybe you can check VLAN tags with tcpdump, or connect the NAS to an access port and let the switch do the VLAN tagging/untagging.
Alternatively, consider moving the NAS to the isolated IoT network and using Inter-VLAN routing to use backup functions and other NAS services in your main network. Might be easier to set up.
Except for this, I have no more ideas, sorry.
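R1D2's suggestion to check the tags with tcpdump, and the thread's recurring question of what "tagged member of VLAN 1" on LAG1 versus "untagged member / PVID 10" on port 3 actually means, come down to the 802.1Q header on each frame. The following is an added example for this thread, not code from TP-Link, Synology or the posters: it builds and parses tagged and untagged frames and models the two switch rules that matter here (ingress assigns the tag's VID or, for an untagged frame, the port PVID; egress sends the frame only on ports that are members of that VLAN, tagged or stripped according to the membership). The MAC addresses and the one-byte payload are placeholders; the port memberships are the ones stated in the thread.

```python
"""Minimal model of 802.1Q tagging and of a switch port's VLAN membership.

Added example for the thread; not code from TP-Link, Synology or the posters.
Frames are constructed here and MAC addresses are placeholders.
"""
import struct

ETH_P_8021Q = 0x8100  # TPID that marks a VLAN tag
ETH_P_IP = 0x0800


def _mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def _mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, payload=b"", vid=None, pcp=0, ethertype=ETH_P_IP):
    """Ethernet frame, with an 802.1Q tag inserted when vid is given."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    if vid is not None:
        if not 0 < vid < 4095:
            raise ValueError("VID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)  # priority, DEI=0, VID
        frame += struct.pack("!HH", ETH_P_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return addresses, VLAN tag (if any), inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"dst": _mac_text(dst), "src": _mac_text(src), "vid": vid,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


def ingress_vlan(frame, pvid):
    """VLAN the switch assigns on ingress: the tag if present, else the port PVID."""
    tag = parse_frame(frame)["vid"]
    return pvid if tag is None else tag


def egress_frame(frame, vid, membership):
    """Frame as it leaves a port whose membership maps vid -> 'tagged'/'untagged'.

    Returns None when the port is not a member of that VLAN (nothing is sent).
    """
    mode = membership.get(vid)
    if mode is None:
        return None
    f = parse_frame(frame)
    out_vid = vid if mode == "tagged" else None
    return build_frame(f["dst"], f["src"], f["payload"], vid=out_vid,
                       pcp=f["pcp"] or 0, ethertype=f["ethertype"])


def walk_avr_to_nas():
    """The thread's topology: AVR on port 3 (untagged VLAN 10, PVID 10),
    NAS on LAG1 (tagged member of VLAN 1 only), trunk port 17 (1T, 10T, 200U)."""
    avr_frame = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", b"\x45")
    vid = ingress_vlan(avr_frame, pvid=10)
    lag1 = {1: "tagged"}
    port17 = {1: "tagged", 10: "tagged", 200: "untagged"}
    return {
        "ingress_vid": vid,
        "reaches_nas_at_l2": egress_frame(avr_frame, vid, lag1) is not None,
        "trunk_tag": parse_frame(egress_frame(avr_frame, vid, port17))["vid"],
    }


if __name__ == "__main__":
    print(walk_avr_to_nas())
```

With the memberships from the thread, a frame from the AVR enters as VLAN 10, is never put onto LAG1 (the NAS port is a member of VLAN 1 only) and leaves towards the EdgeRouter on the trunk carrying tag 10. It can only reach the NAS after the router routes it, sends it back down the trunk tagged 1, and the switch forwards it on LAG1 tagged 1. Adding ports 3 & 4 to VLAN 1 as well short-circuits that path at layer 2, which is why the workaround in the thread works and the firewall rule alone does not.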
Still no luck with this. I'm wondering if the VLANs also need to be set up in the T2600 under L3 Features - Interface - Interface Config - Add, then add static IP mode to all of the VLANs that have been set up in the EdgeRouter (which controls DHCP). Is this L3 feature also required along with creating the VLANs/Port Configs under L2 Features (which is obviously set up)? Not sure what it brings to the table by adding this L3 feature, since all devices already pick up their correct allocation to a VLAN.
Note my edgeswitch is the DHCP server.