Hi I am running the SG 300 in Layer 3 mode

I have set the default gateway for the 2 VLAN as follows

VLAN 10 - includes VM 1,2 and 3  as - 192.168.1.250  - This is the LAN ip of the firewall VM3

VLAN 20 - includes VM 3 as -192.168.0.12 and the gateway for the firewall VM as 192.168.0.1 - which is the ISP router ip address

The firewall VM is a layer 3 firewall

Hi, that looks good to me.

If VM-1 / VM-2 need to traverse to the other subnet, they will reach the gateway which is VM-3/firewall.

I assume:

- Routing in Firewall is enabled

- Firewal ports has been opened in the Firewall

- ISP is internet and there is a device that does NAT after VM-3 Firewall, else you would need to configure NAT (SNAT) on the VM-3 firewall so VM-1/VM-3 can access the Internet.

I can get my VM's connect to the internet while having the VLAN's removed and making the physical switch in L2 mode. However when i enable VLAN's for VM's in Esxi  (VST) and make the physical switch ports as trunk ports to allow VLAN 20 on vswitch1 and the port where my isp router is connected, i dont seem to connect to the internet. I am not sure what i am missing

With VLAN enabled:

1. try to do a traceroute from the VMs and see where the traceroute stops.

2. from VM, test ping to firewall inside interface and outside interface

3. from firewall, test ping to VM

4. from firewall, test ping to ISP inside interface & Internet e.g. 8.8.8.8

5. Try to add VLAN 10 on the SG300 port interface gigabitethernet4 attached to vmnic1

     !

     interface gigabitethernet4

     description HOST-1-VSWITCH-1

     switchport trunk allowed vlan add 10,20

     !

Hello

With VLAN enabled:

1. try to do a traceroute from the VMs and see where the traceroute stops - tracert to 8.8.8.8 stops on firewall outside interface with the result destination host unreachable

2. from VM, test ping to firewall inside interface and outside interface - get a reponse for both firewall inside and outside interface

3. from firewall, test ping to VM - get a reply from the vm's

4. from firewall, test ping to ISP inside interface & Internet e.g. 8.8.8.8 - 100% packet loss to both isp inside interface and 8.8.8.8

5. Try to add VLAN 10 on the SG300 port interface gigabitethernet4 attached to vmnic1 - have done and no still no response

Based on your testing results, the issue seems to be the VM3 firewall connection to the outside - from firewall to ISP inside interface & Internet 8.8.8.8

The firewall is able to reach the internal VMs which they are on the same subnet, but not to the outside or VLAN 20.

Could you verify that VM3 firewall outside NIC is attached to the PortGroup WAN on vSwitch1 and not Production/VM Network?

Hi yes my firewall called HOME in the pic is attached to portgroup belonging to VLAN 20. What i think is traffic exiting Port 4 on the physical switch does not seem to reach Port 2 on the physical switch. I have made sure port 4 and 2 are in trunk mode to allow vlan 20 to outside.

also i have a route for 192.168.0.0 from 192.168.0.12 which is my firewall wan interface

Thank you. All lan clients in VLAN 10 now use the firewll VM in vlan 20 to connect to the internet.

Glad if it works now.

Please note that if you have multiple ESXi hosts (let say in the future) you would need to have VLAN 10 on the GE 4 trunk port

If you have multiple ESXi hosts, VM to VM inside VLAN 10 will traverse through the SG300 physical switch and you need VLAN 10 in the SG300 and the trunk port connected to ESXi hosts vSwitch1 vmnic1