Geekzone: technology news, blogs, forums


132 posts

Master Geek
+1 received by user: 2


Topic # 239425 17-Jul-2018 10:29

So I've got the TP-Link T1600G-28PS up and running with 4 VLANs and the connected devices are routing and working great except for Internet Access.

 

I'm setting it up at home initially for testing and connecting to my HG659b VDSL router. I naively thought I could connect an untagged port from the T1600 to a LAN port on the HG659 and be able to route to it. i.e.

 

Diagram

 

However it doesn't appear to work that way. Devices on the other Vlans cannot ping the HG659b LAN interface (but they can ping other devices on Vlan2). A device on Vlan2 can ping the HG659 but cannot use it as a route to the internet despite having a static route in place.

 

Do I need the HG659 to be in Bridge mode? I was about to try but there is no way to specify a PPPoE connection in the T1600.  

 

Am I missing something?

 

 


6311 posts

Uber Geek
+1 received by user: 292

Trusted
Subscriber

  Reply # 2057626 17-Jul-2018 10:52

Hi, what is the subnet for vlan2? Is there a route on the Huawei to support that subnet?

Cyril

6311 posts

Uber Geek
+1 received by user: 292

Trusted
Subscriber

  Reply # 2057630 17-Jul-2018 10:57

Doh, misread your post. So can the Huawei NAT the vlan2 subnet? Are there any firewall rules that block the vlan 2 subnet?

Must admit I would not expect any chance of the Huawei being capable of what you are after, well it might support it but not offer adjustment options

Cyril



132 posts

Master Geek
+1 received by user: 2


  Reply # 2057638 17-Jul-2018 11:19

I can't see anything obvious preventing communication, hence I've hit a brick wall. I guess the HG659 isn't designed to be used like this.

 

I've got an ASA5505 in production which should resolve the problem. I've taken it out of service this morning and will plug it in tonight and will hopefully have more success. Unfortunately my day job prevents me from playing with this during the day!


316 posts

Ultimate Geek
+1 received by user: 74


  Reply # 2057737 17-Jul-2018 14:05

Can you define routes for the other internal subnets on the router? If not then that is your problem. It will see internal traffic from anything other than 192.168.1.0/24 as spoofed traffic and drop it.

 

 

 

For example if you had a subnet 192.168.2.0/24, then you would have to tell the router to get to 192.168.2.0/24 it routes via the switch (192.168.1.1).
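
The return-path problem described in the reply above, as an added example that is not part of the original post: a small model of a router doing longest-prefix-match lookups with a strict reverse-path (anti-spoofing) check on its LAN side. The subnets and the switch address 192.168.1.1 come from the post; the host addresses, the interface names `lan`/`wan` and the assumption that the router applies a strict reverse-path check are constructed for illustration.

```python
import ipaddress


class Router:
    """Routing table with longest-prefix match and a strict reverse-path check."""

    def __init__(self):
        self.routes = []  # list of (network, interface, next_hop)

    def add_route(self, prefix, interface, next_hop=None):
        self.routes.append((ipaddress.ip_network(prefix), interface, next_hop))

    def lookup(self, address):
        """Return the most specific route covering address, or None."""
        addr = ipaddress.ip_address(address)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def accept_on(self, interface, source):
        """Accept a packet only if the best route back to its source
        leaves through the interface it arrived on; otherwise the source
        looks spoofed from the router's point of view."""
        route = self.lookup(source)
        return route is not None and route[1] == interface


def build_router(with_static_route):
    r = Router()
    r.add_route("192.168.1.0/24", "lan")   # directly connected LAN
    r.add_route("0.0.0.0/0", "wan")        # default route to the internet
    if with_static_route:
        # The fix from the post: reach 192.168.2.0/24 via the switch.
        r.add_route("192.168.2.0/24", "lan", next_hop="192.168.1.1")
    return r


def report(router):
    """Check one constructed host per subnet arriving on the LAN port."""
    return {src: router.accept_on("lan", src)
            for src in ("192.168.1.50", "192.168.2.10")}


if __name__ == "__main__":
    for flag in (False, True):
        print("static route present:", flag, report(build_router(flag)))
```

Without the static route, the best match for 192.168.2.10 is the default route out the WAN side, so traffic from that subnet arriving on the LAN port fails the check and replies would be sent the wrong way in any case.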




132 posts

Master Geek
+1 received by user: 2


  Reply # 2058049 17-Jul-2018 22:36

Yup that was the problem. Thanks. I can’t define static routes on the internal interface of the HG659 (only allows on internet side) but a quick test on a decent router confirmed this was the problem. Cheers

32 posts

Geek
+1 received by user: 10


  Reply # 2058057 17-Jul-2018 23:31

Coincidence, I'm configuring my EdgeRouter now and just came across the same thing - not being able to add static routes to the LAN side.


6311 posts

Uber Geek
+1 received by user: 292

Trusted
Subscriber

  Reply # 2058101 18-Jul-2018 08:47

Yep, whilst the Huawei is fine for basic domestic internet, and performs quite well I must add, its available feature set is lacking. I use mikrotiks for domestic and SME jobs, never found them lacking, and Sam unless there is some obscure feature of the ASA you require I suggest you check out a mikrotik as a replacement and save some money on your power bill and take some weight off your rack's feet. An edgerouter is another good option.

@Intravix are you saying the edge router cannot provide routes to any interface, I am pretty sure this is not correct, it's a router, and that's what routers do.

Cyril

3098 posts

Uber Geek
+1 received by user: 1199

Subscriber

  Reply # 2058107 18-Jul-2018 09:03

Intravix:

Coincidence, I'm configuring my EdgeRouter now and just came across the same thing - not being able to add static routes to the LAN side.



Are you using the web interface or the CLI?





316 posts

Ultimate Geek
+1 received by user: 74


  Reply # 2058191 18-Jul-2018 10:07

cyril7: I use mikrotiks for domestic and SME jobs, never found them lacking, and Sam unless there is some obscure feature of the ASA you require I suggest you check out a mikrotik as a replacement and save some money on your power bill and take some weight off your rack's feet. An edgerouter is another good option.

 

One is a firewall, the other is a router. You cannot compare an iptables build with a custom hardened purpose built firewall.


6311 posts

Uber Geek
+1 received by user: 292

Trusted
Subscriber

  Reply # 2058198 18-Jul-2018 10:14

Hi, yes I do appreciate that, we use many ASA's in our systems at work that I am responsible for, it just seems in a small business an ASA may be overkill for what is really required.

 

Cyril


316 posts

Ultimate Geek
+1 received by user: 74


  Reply # 2058210 18-Jul-2018 10:34

cyril7:

 

Hi, yes I do appreciate that, we use many ASA's in our systems at work that I am responsible for, it just seems in a small business an ASA may be overkill for what is really required.

 

Cyril

 

 

 

 

tbh in a small business I'd expect better than an ASA. ASA's are about the worst firewalls on the market (compared to Checkpoint/Fortigate/Sophos/PAN/Sonicwall), especially for SMB. SMB are in need of decent security more than ever.


6311 posts

Uber Geek
+1 received by user: 292

Trusted
Subscriber

  Reply # 2058260 18-Jul-2018 10:45

Hi, yes agreed, 80% of our firewall fleet is Fortigate and Juniper, we only use ASA in situations where there are other client requirements, otherwise I see them as overpriced and overhyped.

 

Cyril




132 posts

Master Geek
+1 received by user: 2


  Reply # 2058313 18-Jul-2018 12:37

I primarily used the ASA because it was lying around and I needed an IPSec VPN for remote access. That's really all it's doing other than basic firewall functions and internet access!

You were spot on with the T1600G as a switch to meet our budget. Do you have any suggestions for a particular Mikrotik model (or other) that has:

 

  • VPN functionality (must work with iPhone)
  • Static routing (all interfaces)
  • VLAN support for connecting directly to Spark Fiber/ONT
  • DHCP Server (with support for multiple subnets a big plus)
  • QoS nice to have? We're moving phones to 2Talk.

That is all the ASA will be doing in the new environment. I'd welcome suggestions please.

 

 

 

Edit: typos


27050 posts

Uber Geek
+1 received by user: 6503

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 2058329 18-Jul-2018 13:28

sfrasernz:

I primarily used the ASA because it was lying around and I needed an IPSec VPN for remote access. That's really all it's doing other than basic firewall functions and internet access!

You were spot on with the T1600G as a switch to meet our budget. Do you have any suggestions for a particular Mikrotik model (or other) that has:

 

  • VPN functionality (must work with iPhone)
  • Static routing (all interfaces)
  • VLAN support for connecting directly to Spark Fiber/ONT
  • DHCP Server (with support for multiple subnets a big plus)
  • QoS nice to have? We're moving phones to 2Talk.

That is all the ASA will be doing in the new environment. I'd welcome suggestions please.

 

 

 

Edit: typos

 

 

Every Mikrotik router has all of that functionality - it just comes down to whether you spend $40 on one or $4000 on one as clearly the performance will differ significantly.

 

 


6311 posts

Uber Geek
+1 received by user: 292

Trusted
Subscriber

  Reply # 2058364 18-Jul-2018 15:10

Hi, as Steve says, Mikrotik does all that standing on its head. As for a suitable device, probably an RB3011 is best suited, assuming you want a rack mount; if a smaller profile is required a Hex S will do most SME requirements. Don't be put off by its demure size, it's well endowed.

 

The edge routers are probably also well worth looking at, the EdgeRouter 4 possibly being suitable, Michael did a review recently, maybe ask him if you have any questions as to its abilities.

 

Cyril

 

 

 

 

 

 

