This is the third in a series of posts about downgrading from a Windows domain-based network structure to a workgroup-based one. The series starts here.
I tried to implement the alternative that I chose in this post (multiple subnets). I created a new port on the firewall, at 10.0.0.1, subnet mask 255.255.240.0. I gave it LAN rules, and allowed it to be routed to the other LAN subnet and vice versa. Then I changed the IP address of one of the workstations to 10.0.0.3/20 and opened a browser.
Then I tried to ping the firewall.
I tried again with another workstation. Same thing. I tried to ping 10.0.0.1 from the old subnet. That worked; the firewall was routing properly in that direction.
I’m using managed switches. Is it possible that they are blocking the layer-2 traffic? I went down to the server room and plugged a laptop with IP address 10.0.0.3/20 straight into the firewall.
That worked great. Ping the firewall: check. Ping computers on the old subnet: check. Browse the Internet: check.
Then I plugged the laptop directly into the top-level switch, only one hop from the firewall. No dice.
Have I accidentally set up a layer-3 VLAN? Time to do some thinking…