
I'm coming to this forum because, after a lot of research and testing, I'm unable to set up a VLAN solution on a Stormshield SN 510. Regarding my infrastructure: a router providing internet access and a second router providing access to a VPN network (multiple warehouses).

The Stormshield has its output on the internet router and its input on a bridge with the VPN router. So far, so good. My network is 192.168.1.0/24 GW 192.168.1.254, and there are no problems accessing the network, VPN, or internet.

I tried adding a third interface with a VLAN underneath, but after configuring the various switches, I can't ping the gateway with a test PC.

bridge=Stormshield 192.168.1.254+BVPN 192.168.1.253 => switch1 => switch2 => PC test 172.16.1.1/24 GW 172.16.1.254

interface 172.16.10.254/24 - VLAN 10: 172.16.1.254/24 => switch1

My other PC in 192.168.1.0/24 pings the VLAN 10 gateway. My test PC isn't pinging the VLAN 10 gateway. VLAN 10 is declared on all switches and tagged on the port where my PC is connected.

In the firewall rules, the VLAN 172.168.1.0/24 is indeed authorized to ping.

Did I forget to configure something? Or is my approach incorrect?

Thank you for your attention to my problem.

1 Answer

Your actual configs are missing from your question, so we can only provide general advice:

  • Tag VLANs between switches and routers (trunking) and use a single untagged VLAN on access ports towards end nodes.
  • Configure tagged VLANs in exactly the same way on both sides of a link - switch ports use VLAN membership, routed ports most often subinterfaces.
  • Check VLAN connectivity by inspecting the MAC table on a switch, or ARP/NDP caches on routed interfaces.
  • Each node needs to be able to ping (or at least ARP) its default gateway.
  • Don't forget DHCP on extra VLANs for end nodes expecting automatic configuration - either a directly attached DHCP server or a DHCP relay.
  • VLANs need to be routed in between, either by an L3 switch or a router.
  • Don't forget to propagate new VLAN subnets to routers that are not directly attached. You can use static routes or a routing protocol like OSPF. Without proper routing, packets end up taking the default route.
  • Thank you for this valuable advice. I'm making some progress with the connections. I can ping pctest => gateway VLAN. On the switch communicating with the firewall, I have VLAN 10 tagged on ports 4 (connected to the network) and 9 (connected to the firewall); the other ports are untagged. On the switch connected to the test PC, I have VLAN 10 tagged on ports 23 and 25 (connected to the rest of the network). I have PVID 10 on port 23. Now I'd like to add a VLAN 20, except that I can only put one PVID on port 23 of the switch. I'm assuming that multiple devices (printer, PC) can connect to thi Commented Aug 12 at 8:27
  • @FranckF If an answer solved your question then please accept it or your question will keep popping up here forever. Please also consider voting for useful answers. Commented Aug 12 at 9:32
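The checks in the answer above (tagged trunk vs. untagged access port, ARP to the gateway, and an explicit route for the new subnet) can be scripted from a Linux test host. The following is an added example, not code from the original question, the answer, or Stormshield; it assumes a Linux host with iproute2, and the interface name, VLAN ID and addresses are passed in (the usage line below reuses the question's values: VLAN 10, 172.16.1.1/24, gateway 172.16.1.254).

```shell
#!/bin/sh
# Added example (not from the original post or answer): VLAN diagnostics from a Linux
# test host. Assumptions (mine, not the page's): iproute2 is installed, the NIC name,
# VLAN ID and addresses are supplied as arguments, and the live run is done as root.

# Emit the iproute2 commands that configure the test host for one of two switch-port cases:
#   tagged   - the port is a trunk, so the host needs a VLAN subinterface (nic.vid)
#   untagged - the port is an access port (PVID = VLAN), so the plain NIC is used
# One command per line, so the output can be reviewed first and then piped to sh.
vlan_test_cmds() {
  mode="$1"; nic="$2"; vid="$3"; cidr="$4"
  case "$mode" in
    tagged)
      printf '%s\n' \
        "ip link add link $nic name $nic.$vid type vlan id $vid" \
        "ip addr add $cidr dev $nic.$vid" \
        "ip link set $nic.$vid up"
      ;;
    untagged)
      printf '%s\n' \
        "ip addr add $cidr dev $nic" \
        "ip link set $nic up"
      ;;
    *)
      echo "unknown mode: $mode" >&2
      return 1
      ;;
  esac
}

# Classify the neighbour-cache state of the gateway from `ip -4 neigh` output on stdin.
# Prints one word: reachable (ARP resolved), failed (ARP sent, no reply), missing (never tried).
# "failed" or "missing" points at the L2 path or the VLAN tagging, not at a firewall rule:
# a PC without a VLAN subinterface silently drops the tagged frames a trunk port delivers.
gw_neigh_state() {
  awk -v gw="$1" '
    $1 == gw { state = $NF; found = 1 }
    END {
      if (!found) print "missing"
      else if (state == "REACHABLE" || state == "STALE" || state == "DELAY" || state == "PROBE") print "reachable"
      else print "failed"
    }'
}

# Check whether a router has an explicit route for a subnet (from `ip route` output on stdin).
# Prints "explicit" or "default-only"; the latter is the "packets take the default route" case
# from the answer, e.g. the VPN router on the bridge not knowing about 172.16.1.0/24.
subnet_route() {
  awk -v net="$1" '
    $1 == net { found = 1 }
    END { print (found ? "explicit" : "default-only") }'
}

# Live run (needs root): sh vlan-check.sh --run MODE NIC VID CIDR GW
# Example with the question's values: sh vlan-check.sh --run tagged eth0 10 172.16.1.1/24 172.16.1.254
if [ "${1:-}" = "--run" ]; then
  mode="$2"; nic="$3"; vid="$4"; cidr="$5"; gw="$6"
  vlan_test_cmds "$mode" "$nic" "$vid" "$cidr" | sh -e
  ping -c 3 -W 2 "$gw" >/dev/null 2>&1 || echo "ping to $gw failed"
  echo "gateway ARP state: $(ip -4 neigh | gw_neigh_state "$gw")"
fi
```

Run it once in `tagged` mode and once in `untagged` mode on the same port: if the gateway only becomes `reachable` through the subinterface, the port is a trunk and the PC needs either 802.1Q support or an untagged PVID. The `subnet_route` check is meant for the other routers on the segment (here the VPN router), where `ip route` or the vendor's routing table should list the new subnet explicitly rather than relying on the default route.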