1 Reply Latest reply on Dec 11, 2017 7:52 AM by virtualsa

    Adtran 4430 Firewall and Routing of VLAN Issues

    jhaab New Member

      I am looking for some guidance on my router setup that I am having issues getting the local interfaces to get past the public interface. Below is a sample of what I am trying to accomplish and have show my current config. I also have the applicable ports on the Adtran Layer 2 switch.

       

       

      • I have a DHCP Scope for most VLAN's as called out on config
      • VLAN2 is Private VLAN and can communicate with VLAN1, VLAN4 and VLAN5
      • VLAN4 is IP Camera VLAN and can communicate to VLAN2 and have Internet access
      • VLAN5 is VOIP VLAN and can communicate with VLAN2
      • VLAN7 is GUEST VLAN and can only get out to the Internet
      • VLAN8 is Home Automation VLAN and can only get out to the Internet
      • VLAN9 is A/V VLAN and can only get out to the Internet
      • VLAN10 is FLIGHT RADAR VLAN and can only get out to the Internet.

       

       

       

       

       

       

      !
      !
      ! ADTRAN, Inc. OS version R13.1.0.HA
      ! Boot ROM version 17.04.01.00
      ! Platform: NetVanta 4430, part number 1700630E1
      ! Serial number LBADTN1305AE280
      !
      !
      hostname "Router"
      enable password **********
      !
      !
      clock timezone -6-Central-Time
      !
      ip subnet-zero
      ip classless
      ip default-gateway 69.174.173.1
      ip routing
      ipv6 unicast-routing
      !
      !
      name-server 208.38.252.3 184.170.172.131
      !
      !
      auto-config
      !
      event-history on
      no logging forwarding
      no logging email
      !
      no service password-encryption
      !
      username "admin" password "******"
      !
      ip policy-timeout tcp echo 60
      !
      ip firewall
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg h323
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      no dot11ap access-point-control
      !
      !
      !
      !
      !
      !
      ip dhcp excluded-address 10.10.1.1 10.10.1.20
      ip dhcp excluded-address 10.10.2.1 10.10.2.20
      ip dhcp excluded-address 10.10.4.1 10.10.4.20
      ip dhcp excluded-address 10.10.5.1 10.10.5.20
      ip dhcp excluded-address 10.10.7.1 10.10.7.20
      ip dhcp excluded-address 10.10.8.1 10.10.8.20
      ip dhcp excluded-address 10.10.9.1 10.10.9.20
      ip dhcp excluded-address 10.10.10.1 10.10.10.20
      !
      ip dhcp pool "Management DHCP"
        network 10.10.1.0 255.255.255.0
        dns-server 208.38.252.3
        default-router 10.10.1.1
      !
      ip dhcp pool "Private Data DHCP"
        network 10.10.2.0 255.255.255.0
        dns-server 208.38.252.3
        default-router 10.10.2.1
      !
      ip dhcp pool "IP Camera DHCP Pool"
        network 10.10.4.0 255.255.255.0
        dns-server 208.38.252.3
        default-router 10.10.4.1
      !
      ip dhcp pool "VOIP DHCP Pool"
        network 10.10.5.0 255.255.255.0
        dns-server 208.38.252.3
        default-router 10.10.5.1
      !
      ip dhcp pool "Guest DHCP Pool"
        network 10.10.7.0 255.255.255.0
        dns-server 208.38.252.3
        default-router 10.10.7.1
      !
      ip dhcp pool "Home Automation DHCP Pool"
        network 10.10.8.0 255.255.255.0
        dns-server 208.38.252.3
        default-router 10.10.8.1
      !
      ip dhcp pool "A/V DHCP Pool"
        network 10.10.9.0 255.255.255.0
        dns-server 208.38.252.3
        default-router 10.10.9.1
      !
      ip dhcp pool "Flight Radar DHCP Pool"
        network 10.10.10.0 255.255.255.0
        dns-server 208.38.252.3
        default-router 10.10.10.1
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      no ethernet cfm
      !
      interface eth 0/1
        ip address  10.10.200.1  255.255.255.0
        no awcp
        no shutdown
      !
      !
      !
      interface gigabit-eth 0/1
        description Private LAN
        encapsulation 802.1q
        no shutdown
      !
      !
      interface gigabit-eth 0/1.1
        description Mgmt VLAN
        vlan-id 1 native
        ip address  10.10.1.1  255.255.255.0
        ip mtu 1500
        ip access-policy MGMT
        no shutdown
      !
      interface gigabit-eth 0/1.2
        description Private Data VLAN
        vlan-id 2
        ip address  10.10.2.1  255.255.255.0
        ip mtu 1500
        ip access-policy PRIVATE
        no shutdown
      !
      interface gigabit-eth 0/1.4
        description IP Cameras
        vlan-id 4
        ip address  10.10.4.1  255.255.255.0
        ip mtu 1500
        ip access-policy IP CAMERAS
        no shutdown
      !
      interface gigabit-eth 0/1.5
        description VOIP
        vlan-id 5
        ip address  10.10.5.1  255.255.255.0
        ip mtu 1500
        ip access-policy VOIP
        no shutdown
      !
      interface gigabit-eth 0/1.7
        description Guest Wireless
        vlan-id 7
        ip address  10.10.7.1  255.255.255.0
        ip mtu 1500
        ip access-policy GUEST
        no shutdown
      !
      interface gigabit-eth 0/1.8
        description Home Automation
        vlan-id 8
        ip address  10.10.8.1  255.255.255.0
        ip mtu 1500
        ip access-policy HOME AUTOMATION
        no shutdown
      !
      interface gigabit-eth 0/1.9
        description A/V
        vlan-id 9
        ip address  10.10.9.1  255.255.255.0
        ip mtu 1500
        ip access-policy A/V
        no shutdown
      !
      interface gigabit-eth 0/1.10
        description Flight Radar
        vlan-id 10
        ip address  10.10.10.1  255.255.255.0
        ip mtu 1500
        ip access-policy FLIGHT RADAR
        no shutdown
      !
      interface gigabit-eth 0/2
        description MetroNet Internet
        ip address  69.174.173.33  255.255.255.192
        ip mtu 1500
        ip access-policy PUBLIC
        no shutdown
      !
      !
      !
      !
      interface t1 3/1
        shutdown
      !
      interface t1 3/2
        shutdown
      !
      interface t1 3/3
        shutdown
      !
      interface t1 3/4
        shutdown
      !
      interface t1 3/5
        shutdown
      !
      interface t1 3/6
        shutdown
      !
      interface t1 3/7
        shutdown
      !
      interface t1 3/8
        shutdown
      !
      !
      !
      router rip
        version 2
      !
      !
      !
      !
      !
      ip access-list standard WIZARD-ICS
        remark Internet Connection Sharing
        permit any log
      !
      ip access-list extended SELF
        remark Traffic to NetVanta
        permit ip any any log
      !
      ip access-list extended VLAN1-VLAN2
        remark Management to Private
        permit ip 10.10.1.0 0.0.0.255  10.10.2.0 0.0.0.255   
        permit ip 10.10.2.0 0.0.0.255  10.10.1.0 0.0.0.255   
      !
      ip access-list extended VLAN2-VLAN4
        remark PRIVATE to IP CAMERAS
        permit ip 10.10.2.0 0.0.0.255  10.10.4.0 0.0.0.255   
        permit ip 10.10.4.0 0.0.0.255  10.10.2.0 0.0.0.255   
      !
      ip access-list extended VLAN2-VLAN5
        remark PRIVATE to IP VOIP
        permit ip 10.10.2.0 0.0.0.255  10.10.5.0 0.0.0.255   
        permit ip 10.10.5.0 0.0.0.255  10.10.2.0 0.0.0.255   
      !
      !
      !
      !
      ip policy-class A/V
        allow list SELF self
        nat source list WIZARD-ICS interface gigabit-ethernet 0/2 overload
      !
      ip policy-class Flight Radar
        allow list SELF self
        nat source list web-acl-6 interface gigabit-ethernet 0/2 overload

      !
      ip policy-class GUEST
        allow list SELF self
        nat source list WIZARD-ICS interface gigabit-ethernet 0/2 overload
      !
      ip policy-class HOME AUTOMATION
        allow list SELF self
        nat source list WIZARD-ICS interface gigabit-ethernet 0/2 overload

      !
      ip policy-class IP CAMERAS
        allow list SELF self
        allow list VLAN2-VLAN4
        nat source list WIZARD-ICS interface gigabit-ethernet 0/2 overload
      !
      ip policy-class MGMT
        allow list SELF self
        allow list VLAN1-VLAN2
      !
      ip policy-class PRIVATE
        allow list SELF self
        allow list VLAN1-VLAN2
        allow list VLAN2-VLAN4
        nat source list WIZARD-ICS interface gigabit-ethernet 0/2 overload
      !
      ip policy-class VOIP
        allow list SELF self
        allow list VLAN2-VLAN5
      !
      ip policy-class PUBLIC
        ! Implicit discard
      !

      !
      !
      !
      no tftp server
      no tftp server overwrite
      http server 8080
      http secure-server 8081
      no snmp agent
      no ip ftp server
      ip ftp server default-filesystem flash
      no ip scp server
      no ip sntp server
      !
      !
      !
      !
      !
      !
      !
      !
      sip udp 5060
      sip tcp 5060
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      line con 0
        login
      !
      line telnet 0 4
        login
        password adtran
        no shutdown
      line ssh 0 4
        login local-userlist
        no shutdown
      !
      !
      !
      !
      !
      end