I'm (still) trying to properly configure VLANs on a level 3 switch (Netgear GS516TP).
Basic scenario: there are three VLANs, VLAN 10, 11, and 12, with three ports and three machines respectively:
- 10.0.10.5, connected to port g10 and belonging to VLAN 10.
- 10.0.11.5, connected to port g11 and belonging to VLAN 11.
- 10.0.12.5, connected to port g12 and belonging to VLAN 12.
VLAN 10 has untagged ports g10, g11, and g12.
VLAN 11 has untagged ports g10 and g11. Similarly, VLAN 12 has untagged ports g10 and g12.
The goal is for machines belonging to VLAN 11 and VLAN 12 to be able to communicate with the machines in VLAN 10. However, a machine from VLAN 11 should know nothing about machines in VLAN 12 (and the other way around).
While all three machines are using the netmask 255.255.0.0, the routing configuration is set like this:
Now, the problem. When I send a TCP or UDP packet from 10.0.10.5 to 10.0.11.5 (for instance by doing nc -n 10.0.11.5 100), I can see this packet in Wireshark running on the machine which belongs to VLAN 12. It doesn't work the other way around, though, i.e. a packet sent from 10.0.11.5 is not visible in VLAN 12.
What should I do in order for the packets targeting machines from VLAN 11 to never reach the ports belonging to VLAN 12?
By default every port only uses L2 info to decide how to process packets (L2 == MAC == bridge). That decision doesn't respect L3, i.e. it doesn't know IP ranges of VLANs.
The IP address that you assigned to VLANs (visible on your last screenshot) does not "catch" packets by itself. You need to set your servers up to actually send packets to that "internal bridge-router interface"; normally, this is done by adding a route table entry on a server:
Only such packets destined to that "internal bridge-router interface" will move to another VLAN.
In my example, step by step:
ping 10.0.11.5
(It's just how any packet forwarding works on Ethernet - nothing specific to Netgear.)
Probably, you don't need a port to be in multiple VLANs (I didn't actually check).
Also, set Routing -> IP -> Routing Mode = Yes
Netgear Support: What is VLAN Routing
You can't do it like that, you need either special VLAN features (port isolation or such), or you need to do it with a router.
What happens here is that as a packet (well, Ethernet frame) enters a port, it gets its VLAN ID from that port's PVID. Then it is sent out from the other ports that are also on that same VLAN. (Except that a switch would of course only forward it to one particular port if it has a port for the destination MAC stored for that particular VLAN. It might not, since all the ports are on different VLANs, so the destinations are not to be found in the VLANs the frames are sent from.)
This means that everything sent to the switch via port 10 can appear on ports 11 and 12, but anything sent via port 11 or 12 can only go to port 10.
What port isolation / protected ports / similar features would do is block the forwarding of frames within a single VLAN, with the exception of some special ports. With that sort of feature, you'd put all the ports in one single VLAN, and mark port 10 as special, so it could send/receive traffic to/from 11 and 12. But the feature would isolate 11 and 12 from each other.
The other option is to bring both VLAN 11 and VLAN 12 to the machine on port 10 as tagged VLANs. Then, on that machine, you can make distinct IP interfaces for the VLANs, letting it communicate with both. Without routing set up on the machine, 11 and 12 can't communicate with each other. The machine would still need to be VLAN-aware, of course.
Of course, if the Netgear itself can act as a router between VLANs, then that also works. You'll just need to set up VLANs for each machine, arrange the routing and add filtering (firewall) between 11 and 12.
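To check the forwarding behaviour this answer describes (PVID classification, per-VLAN MAC learning, flooding of unknown destinations, and protected ports as a fix), here is a small added model written for this page; it is not code from the question, the answers, or Netgear. Port names, PVIDs and memberships are the ones in the question; the MAC names M10/M11/M12 are constructed placeholders, and "protected ports never forward to each other" is an assumed simplification of the isolation feature.

```python
class Switch:
    """Learning switch model: frames are classified by the ingress port's PVID,
    MACs are learned per VLAN, unknown destinations are flooded within that VLAN."""

    def __init__(self, pvid, members, protected=frozenset()):
        self.pvid = pvid            # port -> VLAN id given to untagged ingress frames
        self.members = members      # VLAN id -> set of member ports
        self.protected = protected  # assumption: protected ports never reach each other
        self.fdb = {}               # (vlan, mac) -> port, learned from source addresses

    def forward(self, ingress, src_mac, dst_mac):
        """Return the sorted list of ports the frame leaves on."""
        vlan = self.pvid[ingress]
        self.fdb[(vlan, src_mac)] = ingress          # learn only in the ingress VLAN
        candidates = self.members[vlan] - {ingress}
        if ingress in self.protected:
            candidates -= self.protected             # isolation between protected ports
        known = self.fdb.get((vlan, dst_mac))
        if known in candidates:
            return [known]
        return sorted(candidates)                    # unknown in this VLAN: flood


def question_setup():
    """Asymmetric untagged memberships exactly as the question lists them."""
    return Switch({"g10": 10, "g11": 11, "g12": 12},
                  {10: {"g10", "g11", "g12"}, 11: {"g10", "g11"}, 12: {"g10", "g12"}})


def isolated_setup():
    """Assumed fix from the answer: one VLAN, g11 and g12 marked protected."""
    return Switch({"g10": 10, "g11": 10, "g12": 10},
                  {10: {"g10", "g11", "g12"}}, protected=frozenset({"g11", "g12"}))


def exchange(switch):
    """Host on g11 sends to the g10 host first, then g10 replies.

    Returns (egress of the first frame, egress of the reply). In the question's
    setup the reply floods to g12 as well, because the g11 host's MAC was learned
    in VLAN 11 and is unknown in VLAN 10, which is exactly the symptom reported."""
    to_g10 = switch.forward("g11", "M11", "M10")
    reply = switch.forward("g10", "M10", "M11")
    return to_g10, reply
```

Run `exchange(question_setup())` against `exchange(isolated_setup())` to see the reply egress shrink from `['g11', 'g12']` to `['g11']` once the ports share one VLAN with isolation.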