Backstory: Client of mine was moving locations, and of course wanted to save money by ordering the Internet circuit themselves. 100mbps fiber circuit lands from AT&T and I get there to “hook everything up,” fully expecting a shiny ISP router your typical usable IP handoff. Lo and behold there is no ISP supplied router – turns out they didn’t know that the plus service from AT&T included a router, and the regular, unmanaged service which they ordered called for a customer supplied router. (surprise!) It needed to work in 72 hours and I had to find a quick solution that would make them happy, keep me sane and be secure.
By sheer coincidence, I purchased a Netgear GS748Tv5 switch for their new office. With a little experimentation and VLAN ninja fu I was able to make the switch a full blown layer 3 router replacing the need for something from the ISP (again in this case AT&T). In the following tutorial I’m going to show you how to make a 24 or 48 port Netgear smart switch an ISP router. Feel free to substitute AT&T in this tutorial with just about any ISP’s name, but my example is based on a live AT&T setup I did.
In the examples below we are using a dummy AT&T and LAN configuration. So for a moment pretend that these are the IPs the ISP has handed you and that 10.10.1.0 / 255.255.255.0 is your LAN.
AT&T Datalink IP for your router: 188.8.131.52 / 255.255.255.252
AT&T Datalink IP for the AT&T gateway: 184.108.40.206
AT&T Provided WAN IP for your “router”: 220.127.116.11 / 255.255.255.240
AT&T Provided first usable IP: 18.104.22.168 (your firewall would have this address or one in the usable range)
VLAN for Datalink: 99
VLAN for WAN: 98
Our dummy LAN subnet: 10.10.1.0 / 255.255.255.0
Step 1 – Logon to the admin interface of your Netgear smart switch.
Step 2 – Let’s start by running the VLAN wizard to create two VLANs, one for the datalink connection, the other for your WAN side where you will be connecting a firewall. In our case we had a HA pair of Sonicwalls (we actually assigned TWO ports to the #98 VLAN, but let’s not let that confuse you), but it could be any firewall, even a SOHO grade Asus or something.
Click Routing from the top menu, then VLAN. This should drop you right into the VLAN wizard. If not click it on the left hand side menu.Create the AT&T datalink VLAN, #99. Assign it 22.214.171.124, and assign a port to it. In this example we will use port 1 and set it to “untagged”
Note the VLAN can be fiber port 47-48 if you are using a GBIC – if using fiber to crossconnect to AT&T the dedicated GBIC ports at 49-50 don’t work for whatever reason. I believe this is due to the auto-sensing on the Netgear.
Click Apply to save this. Port 1 is where you will plug in your AT&T handoff.
Next create your WAN VLAN, #98. Assign it 126.96.36.199 the customer router IP supplied by AT&T. In this example we will use port 2 and again set it to untagged.
Click Apply to save. Port 2 is where you will plug your firewall’s WAN into.
Step 3 – We’ve got the VLANs created and the ports assigned to their respective VLANs. Based on the above example, plug your AT&T connection to port 1, and your firewall’s WAN port into port 2. Next we will setup the routing.
Click Routing on the top menu, and the Routing Table sub menu. This is where we will add our routes. Start by adding a static route for our AT&T datalink connection. You will be adding a network here, so decrement the AT&T datalink gateway’s IP by one and add it like so:
Click Add.Next we will add our static WAN route, again take the AT&T YOUR router IP and decrement by one and add it like so:
Lastly, we need to add the default route towards the AT&T datalink side of things:
Select the checkbox and you should be placed into default route. Enter the AT&T Datalink gateway here to route all traffic towards AT&T:
When complete the routing table should look like this. You will have working Internet at this point. But you aren’t quite done yet.
Step 4 – Now we need to lock down the administration interface so the switch’s web interface can’t be accessed from the WAN. This is optional but highly recommended!
Click on Security, Access, Access Control.Create an Access Profile Configuration by selecting that option on the left menu. You can name it whatever you like, in the example below we call it “security”. For now deactivate the profile.
Click Apply to save.
Now select Access Rule Configuration on the left. Create six rules to allow access to your switch from the LAN, but deny from any other sources.
Rule 1: Permit, HTTP, 10.10.1.1 (your LAN subnet here), 255.255.255.0, Priority 1
Rule 2: Permit, Secure HTTP(SSL), 10.10.1.1 (your LAN subnet here), 255.255.255.0, Priority 2
Rule 3: Permit, SNMP, 10.10.1.1 (your LAN subnet here), 255.255.255.0, Priority 3
Rule 4: Deny, HTTP, Priority 4
Rule 5: Deny, Secure HTTP(SSL), Priority 5
Rule 6: Deny, SNMP, Priority 6
When complete the access rules should look like:
Now go back to the Access Profile Configuration, activate the security profile and click Apply.
You should be able to access the web and SNMP interfaces of the switch from your LAN, but not from the Internet. Note I had troubles with the security profile deactivating across a reboot if I used a name with a space in it, combined with the source IP address ending with zero. Use my example for it to stick across reboots. I have no idea which combination of either the name or the address fixed it… but my example works for sure.
That’s it! You’ve just created an ISP router out of a Netgear smart switch. If you are not getting the speed you think you should have, make sure to check the duplex and auto negotiation settings on the switch ports to both the ISP and your router. Sonicwalls are notorious for strange problems here.
If I saved your bacon and you used this solution with success or not, please let me know in the comments section.