Summary
I am toying with a relatively small home LAN and I am baffled and out of ideas as to how to configure inter-VLAN routing on a GS724Tv4. I suspect it's because of some oversight on my part or simply a misunderstanding of how inter-VLAN routing is supposed to work, so I would appreciate some insight.
Intent
I am trying to logically separate the small LAN into several VLANs (reasons: self-documentation, security, learning something new) and establish inter-VLAN routing, thus avoiding a router-on-a-stick scenario.
The VLANs correspond to areas such as "Wifi", "Storage", etc., so the idea is that a chosen VLAN where my workstation is (assume VLAN with ID 10) can access virtually all VLANs, but a client within any other VLAN could only see its own subnet and get access to the internet, nothing else.
For internet accessibility, there is a router (pfSense sitting in a VM), but it is irrelevant to this problem and I won't be mentioning it further so as to reduce noise.
Setup
Extremely simple - just two clients, two ports and two VLANs. Operating system on both sides is Windows 7. All IPs are statically assigned. There is a single L3-capable switch sitting between the clients. There is no trunking configured (nor needed).
+---------------------------+--------------+------+------+-------------+---------------+-------------+
| Client                    | IP           | VLAN | PVID | VLAN Member | VLAN SVI      | Switch Port |
+---------------------------+--------------+------+------+-------------+---------------+-------------+
| Workstation (source)      | 192.168.1.40 | 10   | 10   | 10          | 192.168.1.100 | P1          |
| Workstation (destination) | 192.168.2.40 | 20   | 20   | 20          | 192.168.2.100 | P2          |
+---------------------------+--------------+------+------+-------------+---------------+-------------+
My expectation is to be able to ping from Source to Destination. As an added bonus, Destination would be incapable of pinging Source.
Additionally:
- All ports are configured as untagged
- SVIs are not conflicting with existing IPs (how would I determine if they did?)
- IP routing is enabled on the router
- IP router discovery is disabled (SVIs are not advertised as gateways)
- Router ARP cache registers the device's IPs on their ports as well as SVIs
Results
- I can ping IP addresses within a particular subnet/VLAN
- I can access the internet (FWIW)
- I cannot ping across subnets (default gateway not explicitly configured on workstation NIC)
- I cannot ping across subnets (default gateway explicitly set to SVI's IP address on workstation NIC)
- I cannot ping across subnets (mapped a particular port to multiple VLANs, e.g. port P1 -> VLAN member (10, 20); this should be equivalent to VLAN trunking, and it was essentially rattling the cage, trying to provoke some change in behaviour)
Questions
I have watched scores of YouTube videos (mostly Cisco), read through documentation on the Netgear site and tens of articles/links, and I simply don't grok it.
As far as I have seen, after setting the SVIs on a Cisco router, things just work, and it's the most enigmatic thing in this whole setup: where is the routing table? How does it know it should route traffic from subnet X to subnet Y? What happens when you have numerous VLANs, who gets to choose what goes where and, most importantly, how? How do you define ACLs for VLANs?
Should I manually define static routes? I don't think I've ever seen people configuring them in these videos. If I should define them, how should I do that? How do I say that traffic from SVI X should be routed to SVI Y? Netgear provides only two (relevant) fields per SVI row: IP address and Next Hop. If I fill the latter with e.g. SVI Y's IP, how can I expect internet access to work (I would imagine Next Hop would always be the Router's address)?
I am sure I have more questions but you can see I am pretty confused here so I'll stop for now. I would be grateful for any advice you can give - theoretical or practical.
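As an added illustration, not part of the question or of any answer, the following Python models the two decisions the question circles around: the sending host's choice between on-link delivery and its default gateway, and the L3 switch's longest-prefix lookup over the subnets its SVIs are connected to (those connected routes are the routing table that "just works" without static routes). The ACL function is a stand-in for the switch's inter-VLAN policy, since routing alone forwards in both directions; the /24 masks and the "only VLAN 10 may initiate" policy are assumptions, not the poster's configuration.

```python
from ipaddress import ip_address, ip_interface

# Constructed from the table in the question; /24 masks and the TRUSTED_VLAN policy are assumptions.
SVIS = {10: ip_interface("192.168.1.100/24"), 20: ip_interface("192.168.2.100/24")}
HOSTS = {"source": ip_interface("192.168.1.40/24"),
         "destination": ip_interface("192.168.2.40/24")}
TRUSTED_VLAN = 10

def check_svi_conflicts(svis, hosts):
    """Flag an SVI that reuses a host address, or a host not in exactly one SVI subnet."""
    problems = []
    for vlan, svi in svis.items():
        for name, host in hosts.items():
            if host.ip == svi.ip:
                problems.append(f"VLAN {vlan} SVI reuses {name}'s address {host.ip}")
    for name, host in hosts.items():
        hits = [v for v, s in svis.items() if host.ip in s.network]
        if len(hits) != 1:
            problems.append(f"{name} ({host.ip}) lies in {len(hits)} SVI subnets")
    return problems

def host_next_hop(host, dst, gateway):
    """Host routing decision: on-link if dst is in its own subnet, else the default gateway (or None)."""
    return dst if dst in host.network else gateway

def switch_egress_vlan(svis, dst):
    """L3 switch lookup: longest-prefix match over the subnets connected via SVIs; no statics needed."""
    matches = [(s.network.prefixlen, v) for v, s in svis.items() if dst in s.network]
    return max(matches)[1] if matches else None

def acl_permits(src_vlan, dst_vlan):
    """Stand-in for an inter-VLAN ACL: without it, routing forwards both ways."""
    return src_vlan == dst_vlan or src_vlan == TRUSTED_VLAN

def trace(src_name, dst_name, gateway=None):
    """Hop list for an echo request, ending where it is delivered or dropped."""
    src, dst = HOSTS[src_name], HOSTS[dst_name].ip
    gw = ip_address(gateway) if gateway else None
    hop = host_next_hop(src, dst, gw)
    if hop is None:
        return ["no route on host"]          # no default gateway configured on the NIC
    if hop == dst:
        return [f"on-link {dst}"]            # same subnet, never touches the L3 lookup
    if hop not in src.network:
        return [f"gateway {hop} is not on-link"]  # host cannot ARP for a gateway off its subnet
    in_vlan, out_vlan = switch_egress_vlan(SVIS, hop), switch_egress_vlan(SVIS, dst)
    if out_vlan is None:
        return [f"via {hop}", "no route on switch"]
    if not acl_permits(in_vlan, out_vlan):
        return [f"via {hop}", f"dropped by ACL VLAN {in_vlan} -> VLAN {out_vlan}"]
    return [f"via {hop}", f"routed VLAN {in_vlan} -> VLAN {out_vlan}", f"delivered {dst}"]
```

A stateless ACL that denies everything from VLAN 20 towards VLAN 10 would also drop the echo replies back to the workstation, so the real switch rules have to permit that return traffic explicitly.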