SOLVED
Hello,
I could understand that you are tyring to configure the AP to assign IP address from DHCP server . Refer below exampl and modify based on your requirment.
1. Enable DHCP Server Globally
dhcp-server enable
2. Now create your pool.
dhcp-server pool "user-pool"
default-router "192.168.1.1"
dns-server "8.8.4.4,8.8.8.8"
lease 00:12:00
network 192.168.1.0 255.255.255.0
range 192.168.1.10 192.168.1.20
exit
3. Then enable it under the VLAN context
vlan 10
name "Guest Wireless"
ip address 192.168.0.1 255.255.254.0
dhcp-server
exit
Also, refer below Aruba 2930 configuration guide for your reference.
https://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a00055700en_us-2.pdf
I work for HPE
Hi!
If your Aruba 2930F is performing IPv4 routing (and it is doing that looking at your posted running configuration...you have the ip routing enabled) then the:
ip default-gateway 192.168.1.1
is basically useless.
Instead (hope it's not a typo) the Route of Last Resort (0/0 via your Next Hop Gateway, your Router for the Internet access):
ip route 0.0.0.0 0.0.0.0 192.16.1.1
is wrong.
It should be:
ip route 0.0.0.0 0.0.0.0 192.168.1.1
instead.
Also, your Router MUST know how to get back the traffic to your VLAN 100, 200 and 300 subnets (it already know its own local VLAN 1 subnet since its LAN interface IS on that VLAN)...this means you should configure static routes on your Router/Firewall to reach those three internal subnets...something like:
- destination 192.168.10.0/24 via gateway 192.168.1.29
- destination 192.168.20.0/24 via gateway 192.168.1.29
- destination 192.168.30.0/24 via gateway 192.168.1.29
otherwise any host residing on VLAN 100, 200 or 300 will be just able to reach SVI addresses of all four defined VLANs (192.168.1.29, 192.168.10.1, 192.168.20.1 and 192.168.30.1) plus all the other reacheable internal hosts on those subnets (plus VLAN 1) BUT nothing more...nothing external to your network (managed by your Next Hop Gateway for all remote networks, Internet included, your Router)...I guess that an host on VLAN 1 can actually ping the Router 192.168.1.1 but the same isn't true from any other host residing on VLAN 100, 200 or 300...that's because your Router is lacking of the static routes necessary to get the traffic back to hosts on those VLANs.
Edit: if I were you I will also rearrange the beginning addresses of both VLAN 200 and 300's DHCP ranges...that's to exclude each SVI address (192.168.20.1 and 192.168.30.1) from the range itself...I would start from .2 address or above, as done on VLAN 10.
I'm not an HPE Employee
hello @parnassus
I did what you suggested and added the static routes and removed the "ip default-gateway" option, currently I can ping all my 3 vlans and my router at 192.168.1.1 but I am still not able to access any devices or the internet.
again my running-config:
; JL258A Configuration Editor; Created on release #WC.16.10.0005
; Ver #14:27.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:04
hostname "Aruba-2930F-8G-PoEP-2SFPP"
module 1 type jl258a
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip routing
snmp-server community "public" unrestricted
vlan 1
name "DEFAULT_VLAN"
no untagged 1,3,7-8
untagged 2,4-6,9-10
ip address 192.168.1.29 255.255.255.0
exit
vlan 100
name "Wireless_Vlan"
untagged 7-8
ip address 192.168.10.1 255.255.255.0
dhcp-server
exit
vlan 200
name "Computers"
untagged 1
ip address 192.168.20.1 255.255.255.0
dhcp-server
exit
vlan 300
name "SynologyNAS"
untagged 3
ip address 192.168.30.1 255.255.255.0
dhcp-server
exit
allow-unsupported-transceiver
dhcp-server pool "Wireless"
default-router "192.168.10.1"
dns-server "62.179.104.196,213.46.228.196"
network 192.168.10.0 255.255.255.0
range 192.168.10.1 192.168.10.254
exit
dhcp-server pool "Computers"
default-router "192.168.20.1"
dns-server "62.179.104.196,213.46.228.196"
network 192.168.20.0 255.255.255.0
range 192.168.20.1 192.168.20.254
exit
dhcp-server pool "SynologyNAS"
default-router "192.168.30.1"
dns-server "62.179.104.196,213.46.228.196"
network 192.168.30.0 255.255.255.0
range 192.168.30.1 192.168.30.254
exit
dhcp-server enable
show ip route
IP Route Entries
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 192.168.1.1 1 static 1 1
127.0.0.0/8 reject static 0 0
127.0.0.1/32 lo0 connected 1 0
192.168.1.0/24 DEFAULT_VLAN 1 connected 1 0
192.168.10.0/24 Wireless_Vlan 100 connected 1 0
192.168.20.0/24 Computers 200 connected 1 0
192.168.30.0/24 SynologyNAS 300 connected 1 0
static routes:
@bruzski wrote: currently I can ping all my 3 vlans and my router at 192.168.1.1 but I am still not able to access any devices or the internet.
OK, that's better than before.
So now we need to address your latest issue (reach the outside networks, the Internet): we need to isolate the issue and to do that we need to understand how you're testing...thus...how are you testing? specify on which host (ip address, subnet mask, default gateway and dns servers) are you initiating the connections to Internet and provide logs seen from your Router/Firewall (we suppose your host is at least reaching the Router/Firewall thanks to the Route of Last Resort 0/0 via 192.168.1.1 and the Router/Firewall knows how to get it back to the host...so the Router/Firewall must logs something interesting for us to diagnose).
One good thing to do is: use a Host with static IP addressing on VLAN 1 (let me say...a free IP Address on 192.168.1.0/24 subnet and 192.168.1.29 as Default Gateway, use public DNS such as Google DNS, OpenDNS or CloudFlare DNS). Do the test and collect data. Repeat by changing static IP addressing from VLAN 1 to VLAN 100, 200 and 300 and repeat for each change. Collect data. Summarize.
Retry also with DHCP provided IP addressing (just to be sure DHCP Server parameters for the pool, on each VLAN, are OK).
Other question: is your Router/Firewall actually configured to permit hosts of VLAN 1, 100, 200 and 300 subnets to reach the outside networks (the Internet)?
I'm not an HPE Employee
I did some tests from my pc with a free static ip as suggested, after these changing I couln't ping anything anymore, also the logs from my router or switch do not provide any information.
on answering your last question, is my router properly configured to permit hosts of VLAN 1, 100, 200 and 300? is there a way I can check this? I'm using a Nighthawk X4R7500 router, strange thing is, i can ping my router from 192.168.20.1 but unable to access it or log into, as if something is blocking me from accessing it.
here are my tracert logs though they don't provide any info... I'm scratching my head now!
pc connected to vlan 200, no internet or any connection to devices or outside world
pc connected to vlan 1, internet connection to outside world, also connection to all my devices
at the moment I don't have a clue what is going on, simply put.. maybe my router is not suitable??
edit:
in this article I read about the lack of NAT capabilities on the netgear router, could this be my problem?
hi @parnassus
after intensive research I found out that indeed the firmware of my router lacks proper static routing routines , I installed DD-WRT image, setup the routing routines en selected the "Masquerade Route" option everything works perfectly
scrreendump of the DD-WRT settings.
Hi @bruzski, I'm happy you finally found your way and having a working environment you like...but I feel I need to clarify one more thing and close this thread with the message below.
Seeing that you marked your last post [*] as the solution for the whole thread is incorrect [**]:
Firstly, because the problem with your router/firewall only emerged due to the fact that you implemented the scenario for which you asked for help initially, scenario that was explained to you (this scenario required a configuration of your router/firewall not even so special...indeed, I would say, that it is a normal configuration and that is often encountered): therefore changing the router/firewall (Model A with model B) is not the real solution to your initial request.
Secondly, because your router/firewall should have already worked, if the scenario that was proposed to you and that you were taught to implement on the Aruba 2930F would have worked since the very first attempt with a time saving for everyone .
What you have indicated as a solution is not really the solution to your initial problem (solution that was already given to you) - that is pretty clear - and therefore it can't also be the solution of this whole thread.
You have to be honest about this (and if "honest" is a too strong word...please use "precise" instead), especially because in doing so you mislead other users who will read this thread in the future by jumping immediately to the post indicated as its solution. Wrong. Your latest post is just your positive conclusion, the solution was given before. You solved another (device related) issue, not the initial one.
This is not a reproach or a rant, only you have to be precise.
[*] If in the end you discovered that your router/firewall prevented the successful outcome of the proposed scenario, it is because it is garbage, in fact - at least in the prosumer/corporate contexts - a router/firewall that does not correctly manage IPv4 routing, VLAN and NAT features together is practically trash.
[**] generally I'm observing this behaviour (marking randomly a post as THE solution for a long whole thread) more and more often and that is sad.
I'm not an HPE Employee