DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Inter-LAN Routing for a single IP/computer?

12 Sep 2018 21:12 #1 by moltuae
Hi,

I have a Vigor 2862 installed, configured with a number of separate LAN subnets (untagged VLANs).

In particular, I have a subnet for the main LAN (10.0.1.0/24) and a subnet for the IP phone system (10.0.20.0/24) which are presently isolated internally (Inter-LAN routing disabled) and also configured to use separate public IP addresses.

I would like the two subnets to remain isolated but would like one of the servers (on 10.0.1.231) to be able to access an IP PBX (on 10.0.20.201) for management purposes.

I've studied the firewall rules and routing options but I can't seem to find how to achieve this. :|

Any assistance would be greatly appreciated.

Many thanks in advance.


13 Sep 2018 01:11 #2 by hornbyp
I think you will have to enable the Inter-LAN Routing and then set Firewall Rules to limit access to the one Server/PBX.

Out of idle curiosity, how come you're using "10.x.y.z" with a 24 bit subnet mask, rather than the default "192.168.x.y" ?


13 Sep 2018 17:09 #3 by moltuae

hornbyp wrote: I think you will have to enable the Inter-LAN Routing and then set Firewall Rules to limit access to the one Server/PBX.

Thanks. That's what I did in the end. I was hoping there might have been a more elegant solution. From a technical/logical perspective it just seems better to precisely define the routing rather than open up all routes just to block them again using the firewall.


hornbyp wrote: Out of idle curiosity, how come you're using "10.x.y.z" with a 24 bit subnet mask, rather than the default "192.168.x.y" ?

For a number of reasons really ...

A 192.168.0.0/16 class C network is not only more limiting for larger businesses, it's considered somewhat 'domestic', used by almost every cheap home ISP-supplied router out there. And while I wouldn't use a Vigor 2862 as the main router/firewall in larger enterprise environments, they're a suitable choice for secondary or smaller business networks. So for compatibility and scalability I always prefer to use a 10.0.0.0/8 class A network. Additionally, since most home networks do use a 192.168.x.0/24 subnet, you're much less likely to encounter a clash of subnets when setting up VPN connections for home workers.

As for using a 24 bit mask with a class A (8 bit mask) network, it's a common misconception that an 8 bit mask is required: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

Although the standard for class A and class B networks specify 8- and 12-bit masks respectively, it is common to subdivide these and assign other masks internally, resulting in a number of smaller subnets (e.g. 10.0.0.0/24, with room for thousands of 256-host subnets).

In larger enterprise networks, it's very useful to be able to create lots of smaller subnets to better organise and divide networks into segments. Personally I like to use the second byte (10.x.0.0) as my own unique customer identifier, and the third byte (10.0.x.0) to define branches within the same organisation and various distinct subnets (e.g. LAN, CCTV, VoIP, etc). And, since the underlying network is class A, using smaller network masks (along with the relevant routing/firewall rules) makes it simple to route traffic between whole groups of subnets for branch-to-branch networking. This is also useful for IT support and maintenance work when you may need to establish a VPN connection with a number of branches (or even customers) at the same time. So, in other words, 10.x.x.x/8 equates to all organisations and subnets, 10.x.x.x/16 equates to the entire network of a single organisation (including branches) and 10.x.x.x/24 equates to a single subnet within a single organisation/branch.
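The 10.&lt;customer&gt;.&lt;branch/subnet&gt;.0/24 scheme described above, as an added example (not from the original post or from DrayTek): it decodes a prefix into its customer and subnet ids, derives the /16 that covers one organisation for branch-to-branch routing, and checks a proposed VPN for the subnet clash the post mentions. The customer ids and subnet names in the sample allocation are constructed for illustration.

```python
import ipaddress

PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample allocation following the scheme; the ids are hypothetical.
SUBNETS = {
    "cust5-hq-lan": "10.5.1.0/24",
    "cust5-branch2-lan": "10.5.2.0/24",
    "cust5-hq-voip": "10.5.20.0/24",
    "cust7-lan": "10.7.1.0/24",
}


def classify(prefix):
    """Return (customer_id, subnet_id) for a 10.x.y.0/24 prefix.

    The second octet identifies the customer, the third the branch/subnet."""
    net = ipaddress.ip_network(prefix)
    if not net.subnet_of(PRIVATE_10) or net.prefixlen != 24:
        raise ValueError(f"{prefix} does not follow the 10.<customer>.<subnet>.0/24 scheme")
    customer, subnet = net.network_address.packed[1:3]
    return customer, subnet


def organisation_aggregate(prefix):
    """The /16 that covers every branch and subnet of the same customer, i.e. the
    single route needed for branch-to-branch traffic under this scheme."""
    net = ipaddress.ip_network(prefix)
    classify(prefix)  # reject prefixes outside the scheme
    return net.supernet(new_prefix=16)


def vpn_conflicts(local_prefixes, remote_prefixes):
    """Pairs of local/remote prefixes that overlap. Any pair returned means traffic
    over the VPN cannot be routed unambiguously (the 192.168.x.0/24 clash problem)."""
    local = [ipaddress.ip_network(p) for p in local_prefixes]
    remote = [ipaddress.ip_network(p) for p in remote_prefixes]
    return [(str(a), str(b)) for a in local for b in remote if a.overlaps(b)]
```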


14 Sep 2018 00:17 #4 by hornbyp
Thanks for the insight - I will read and inwardly digest :)


23 Sep 2018 16:03 #5 by spellbinder
I think what you could do, if you don't want to activate inter-LAN routing, is set up a NAT entry from the WAN corresponding to your IP subnet (as you say you have dedicated IPs, but maybe that is actually one WAN?) and then a port forwarding rule. From your main subnet, you should then be able to access the PBX using that NATted address, without activating inter-LAN routing.

But the best option, in my opinion, is just to activate inter-LAN routing and set up firewall rules to deny everything except this particular traffic.
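The "enable inter-LAN routing, then firewall everything except the one flow" approach agreed on above, as an added example (not from the thread or from DrayTek firmware): a small first-match rule model with the thread's addresses, plus a minimal connection-tracking model that shows why the reverse block rule does not break the management session (replies to an accepted flow pass) while the PBX still cannot open connections towards the server. The rule semantics are assumptions about a generic stateful filter, not a description of the Vigor's implementation.

```python
import ipaddress
from dataclasses import dataclass

# Values taken from the thread: main LAN, VoIP LAN, the management server and the PBX.
MAIN_LAN = ipaddress.ip_network("10.0.1.0/24")
VOIP_LAN = ipaddress.ip_network("10.0.20.0/24")
MGMT_SERVER = ipaddress.ip_address("10.0.1.231")
PBX = ipaddress.ip_address("10.0.20.201")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "pass" or "block"


def host(ip):
    """A /32 network matching exactly one host."""
    return ipaddress.ip_network(f"{ip}/32")


# Ordered, first-match rule set: one narrow allow, then deny all other inter-LAN traffic
# in both directions. Packets matching no rule (e.g. intra-subnet) keep the default.
RULES = [
    Rule(host(MGMT_SERVER), host(PBX), "pass"),
    Rule(MAIN_LAN, VOIP_LAN, "block"),
    Rule(VOIP_LAN, MAIN_LAN, "block"),
]


class StatefulFilter:
    """Minimal connection-tracking model (an assumption about generic stateful filtering):
    a flow is checked against the rules when first seen; replies to an accepted flow are
    passed without consulting the rules again."""

    def __init__(self, rules=RULES, default="pass"):
        self.rules, self.default, self.established = rules, default, set()

    def packet(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (d, s) in self.established:  # reply to a flow the rules already accepted
            return "pass"
        action = self.default
        for r in self.rules:
            if s in r.src and d in r.dst:
                action = r.action
                break
        if action == "pass":
            self.established.add((s, d))
        return action
```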
