On 12.07.2017 22:43, O. Hartmann wrote:
> Now the FUN PART:
> 
> From any host in any VLAN I'm able to ping hosts on the wild internet via their IP, on
> VLAN 1000 there is a DNS running, so I'm also able to resolve names like google.com or
> FreeBSD.org. But I can NOT(!) access any host via http/www or ssh.

You have not specified where the NAT is configured, and its settings
matter.

VLANs work on layer 2; they are not used for IP routing. Each received
packet loses its layer 2 header before it is taken by the IP stack. If an
IP packet should be routed, the IP stack determines the outgoing interface,
and a new ethernet header with the VLAN header from this interface is prepended.

What I would do in your place:
1. Check the correctness of the switch settings.
  - on the router, use tcpdump on each vlan interface and
    also directly on igb1. Use the -e argument to see the ethernet header.
    Try pinging the router's IP address from each vlan; you should see tagged
    packets on igb1 and untagged ones on the corresponding vlan interface.

2. Check the correctness of the routing settings for each used node.
  - to be able to establish a connection from one vlan to another, both nodes
    must have a route to each other.

3. Check the NAT settings.
  - to be able to connect to the Internet from your addresses, you must
    use NAT. If you don't have NAT, but it somehow works, this means
    that some device does the translation for you, but its
    configuration does not meet your requirements. And probably you
    need to translate the prefixes configured for your vlans independently.

-- 
WBR, Andrey V. Elsukov
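As an added illustration of step 1 above (not part of the original mail or of FreeBSD): a POSIX sh script that checks saved `tcpdump -e -n` output from the trunk against output from the matching vlan interface, so that a wrong or missing 802.1Q tag on igb1 is caught. The interface name igb1 and VLAN 1000 come from the thread; the MAC and IP addresses, the sample captures and the mis-tagged VLAN 20 are constructed.

```shell
#!/bin/sh
# Captures would be taken on the router with, e.g.:
#   tcpdump -e -n -i igb1 icmp > igb1.txt
#   tcpdump -e -n -i vlan1000 icmp > vlan1000.txt
# while pinging the router from a host in VLAN 1000. The files below are
# constructed stand-ins for those captures (hypothetical MACs/addresses).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Trunk as it should look: the ping arrives 802.1Q-tagged with VLAN 1000.
TRUNK_OK=$TMP/igb1_ok.txt
cat >"$TRUNK_OK" <<'EOF'
22:43:01.100 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 102: vlan 1000, p 0, ethertype IPv4 (0x0800), 10.10.0.50 > 10.10.0.1: ICMP echo request, id 1234, seq 1, length 64
22:43:01.101 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype 802.1Q (0x8100), length 102: vlan 1000, p 0, ethertype IPv4 (0x0800), 10.10.0.1 > 10.10.0.50: ICMP echo reply, id 1234, seq 1, length 64
EOF

# Mis-set switch port: the same ping reaches the trunk tagged with VLAN 20.
TRUNK_BAD=$TMP/igb1_bad.txt
cat >"$TRUNK_BAD" <<'EOF'
22:43:01.100 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 102: vlan 20, p 0, ethertype IPv4 (0x0800), 10.10.0.50 > 10.10.0.1: ICMP echo request, id 1234, seq 1, length 64
EOF

# vlan1000 interface: the tag has been stripped, plain IPv4 ethertype remains.
ACCESS_OK=$TMP/vlan1000_ok.txt
cat >"$ACCESS_OK" <<'EOF'
22:43:01.100 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 98: 10.10.0.50 > 10.10.0.1: ICMP echo request, id 1234, seq 1, length 64
EOF

# Print the distinct VLAN ids carried by 802.1Q frames in a capture ($1).
vlan_ids_seen() {
    awk '/ethertype 802.1Q/ { for (i = 1; i < NF; i++) if ($i == "vlan") { v = $(i + 1); sub(/,$/, "", v); print v } }' "$1" | sort -u
}

# Trunk check: every ICMP frame must be tagged, and only with VLAN id $2.
check_trunk() {
    grep ICMP "$1" | grep -qv 'ethertype 802.1Q' && return 1
    [ "$(vlan_ids_seen "$1")" = "$2" ]
}

# Access-side check: no 802.1Q header may survive on the vlanN interface.
check_access() {
    ! grep -q 'ethertype 802.1Q' "$1"
}

check_trunk "$TRUNK_OK" 1000 && echo "igb1: tagged with VLAN 1000 as expected"
check_trunk "$TRUNK_BAD" 1000 || echo "igb1: wrong or missing tag, check the switch port"
check_access "$ACCESS_OK" && echo "vlan1000: untagged as expected"
```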