VLANs not working


I had set up a Nethserver Firewall/Gateway, on a Dell PowerEdge T110 II.
It has 3 physicals NICs em1, p1pi and p1p2 like this:
Phisycal interface em1: RED
Physical p1p1: BLUE, DHCP distribuing - lan0
vlan p1p1:1 GREEN,, lan1
vlan p1p1:2, GREEN,, lan3
Physical p1p2: GREEN,, lan2

The firewall accept all from lan1 to lan 2, and lan2 to lan 1

All green are in trusted network.

All clients conected on physicals network work can connect to internet ( lan0, lan3 )
All clients on vlan can’t connect…

From a client on lan2, I can’t ping anything on lan1.
A client o lan 1 can’t ping nothing,…neither the gateway :cold_sweat:

It’s seem vlans not work? what’s wrong? Is something missing?

When setting a vlan, i.e p1p1:1
Gateway ( is it correct? Or it must be the physical adress ?

The purpose of a vlan is to have a separate dedicated network, even when “piggy backing” on a physical network. VLAN’s cannot see other networks without explicit direction. You will need to create static routes informing your vlan’s how to connect to the physical network and vice versa.

1 Like

Thank you @islipfd19, to indicate the direction… To give me the light :grinning:
But I have one doubt yet:

How to properly do this?

  1. when creating the vlan:
    Ipadress :
    Gateway: ( putting the phisical adress here )


  1. Creating the vlan like I did and
    In static route
    Network adresss
    Network mask:
    Router adress: ( putting the physical adress here )

And finally… How to the vice-versa? :grin:

This link should help you.

1 Like

The second way seem cleaner.

Thank you,

I will try next monday

I had create these static routes: via via via via

I had create firewall object for each GREEN lan
And create rules for accept any services from Lan1 to lan2 and lan2 to lan1.

After a reboot,
I was able to ping from lan1 to lan 2
I was able to ping from lan2 to lan1.

Each station on lan1 was able to go to internet, ( vlans are ok )

But a station from lan1 was unable to see a share on the server on lan2 !?!?
Why? Any service are accepted.

I continue my workaround. I have a behavior about vlan I can’t reproduce ( or hardly reproduce)

When Installing NethServer on a CentOS, and configuring wan, lan and vlan with the webgui with the precedent configuration.
The server, on the physical green lan can access internet.
The station on the green vlan can access internet, but can’t access the other green.

When instialing Centos, configuring wan, lan and vlan, and after installing Nethserver and configuring the firewall… The station on vlan can access the server on lan…

Partial conclusion: When configuring the vlan with Nethserver, the vlan not work as expected.

My problem is, when I configure the server at home, my notebook as a station on a vlan, and my Mac to simulate the server… It’s work.
When I take the server, and reconfigure each interface for the real situation ( only change lan and vlan range) it break the lan…It’s not work !!!

Partial conclusion: It look like configuring ( or reconfiguring) the lan on the webgui, t’s break something.

Is someone use Nethserver as gateway with vlan can give me more orientation?

My next plan is to try to make the blue lan as virtual lan, and make the two lan as physical lan, because actually, I’m not sure it’s a lan ( and lan) issue or a shorewall issue with the color rules :neutral_face:

Is someone can give me an orientation, an idea, to try to isolate the issue?

Just curious: why you introduce VLAN’s when all clients need to be able to see eachother? Is it because there are different locations?

The server is in a local separate from the hotel reception.
Worst, with telephony, we are not able to have one more cable, no place to do it.

For this reason, we must use one cable for two lan.

It could be really easier and secure to separate the two lan … But it’s simply impossible actually

Edit: Typography correction… The fisrt answer was made from an iphone :smirk:

Hello everyone,
I need your help in a matter regarding VLAN on nethserver. Taking this topic, I had the same problem, my cliente machines can’t ping my virtual lans.

My question is, how can I setup VLANs in order for my clientes to communicate only with their VLAN, and the internet.
For example:

Computer on classroom 51 can only communicate with VLAN51, the internet and other orange VLANs.
Is this possible?

Of course, computers on classroom 21, should only be able to communicate with VLAN21, internet and other orange interfaces.

The administrative interface should reach every VLAN/Interface.

My current setup is:

eth0 - RED - DHCP
eth1 - GREEN -
eth1.51 - GREEN - (VLAN)
eth1.21 - GREEN - (VLAN)
eth1.80 - ORANGE - (VLAN)

But even if I have a computer in the same network as classroom 51 with the IP address, the PC can’t ping the IP address, and doesn’t go to the internet, and I don’t know what to do now.

Any advice?
Thanks in advance.

@Jim @islipfd19 @Hunv @dnutan can you help this guy out?

Can you list all of your firewall rules?

Hi James,

My current firewall rules are as follows

There aren’t many, just for some specific services. And these are not even mandatory.

The picture I posted in my previous post, was only on my test environment, because my “real” firewall will have many more VLANs:

For the time being, we have many Aliases, but each Alias you see in this picture, will be an individual VLAN.

“em1” and “p1p1” are two administrative interfaces.
“em4” is our DMZ for our website and Moodle.
“em3” is for wireless guests

and “em2” is connected to our classrooms.
I created VLAN 99 to do a few tests in our production environment.

I hope this information helps,
Thank you.

Try adding a rule for the segment to talk to the vlan IP in your example of your issue in the first post.

1 Like