Hi,
not sure if I understood things right, because you mention 3 switches, but in what follows I can only see one switch (#3) with two routers?
I assume both routers do NAT?
Does the following figure depict things correctly?
.------. .--------. .--------.
(INTERNET)---+ 1st RT |--- VLAN 1 (192.168.0.0/24) ---| 2nd RT |--- VLAN 2 (192.168.2.0/24) ---|
`------´ `--------´ `--------´
If yes, any PC in VLAN 2 can probably ping any PC in VLAN 1 and the Internet, but a PC in VLAN 1 cannot ping any PC in VLAN 2?
If so, here is why: At layer 2 (Ethernet) of course VLAN 1 is separated from VLAN 2 (which you can check if you unplug the LAN or WAN port of the 2nd RT). But at layer 3 the 2nd RT routes (and NATs) form VLAN 2 to VLAN 1:
If you ping PC1 in VLAN 1 from PC2 in VLAN 2, the ping gets routed (because of the default gateway setting of PC2) to the 2nd RT which replaces the packet's source address (PC1's address) by its IP address at the WAN interface and then forwards the modified packet to to PC1. From the point of view of PC1 the ping comes from the 2nd router's WAN address, hence it replies to this address. The 2nd router receives the reply and because it had established a NAT session as a result of the initial ping it 'knows' that it has to replace the reply's destination address (its WAN interface address) by PC1's address and then forward the modified reply back to PC1.
Because this NAT mechanism only works in one direction you cannot ping PC2 from PC1.
But anyway, I think this is not what you want - you probably want devices become separated within two or more groups (each one forming a VLAN) within a single IP network, but all groups shall share some resources like printers or the Internet access via the 1st RT?
If so, you can solve this demand via so called "asymmetic VLANs", given that your switches support this feature.
So please tell if this is what you want and if so please tell what type of switch(es) you use (to see, if it supports asymmetric VLAN)
PT
