Tutorial Basic Vlan guide for IP or MAC isolation from others on Lan

[martinr]

I started down this path because I wanted to isolate 2 problem IoT devices that if attacked and compromised, may grant access in some way to the rest of my network.

This started me thinking about my network needs. I use Dropbox a lot and OneDrive both solve the issue of networking among computers on my network.

So in my case I started to think about isolation and what would need to be isolated from each other.

I used guest networks for the wifi devices. This works for my 2 google home devices and a chromecast-ultra. They have to be on the same guest network to work.

My principal internet use is video streaming. I tweak and tune for best streaming dependability. I want to isolate both of my Android media boxes. They can easily be hacked or hit with malware, according to the reading about Kodi and MobDro.

So setting up vlans with a graphical user interface is easy. TP-Link has web access or a windows configuration utility tools for configuration of vlans (Just a side note I do everything on Ubuntu using Chromium as a browser).

Here is the system information page of the webui for a TL-SG108E smart switch from Amazon.

View attachment 17677
As you can see it gets an IP address from the router. When you initially plug in the switch it grabs an IP from the router via DHCP. The address of the switch can be set to static and any address used.

Lets jump to VLANs, here is the 802.1q vlan page where you can setup what you need. My configuration should point out a few obvious things.

View attachment 17678

For basic vlanning to work the switch needs a default vlan so that without any configuration it will work as a plug and play switch. Each newly created vlan needs port1 (The up-link port in my case) added to each separate vlan to give the device internet access. The access granted by the gateway address. In the above configuration each newly created vlan is separate from the other and means those devices cannot communicate with each other, only with the router.

The next page designates the vlan id needed for the vlan to communicate outward. Kind of like a gateway. Each vlan has it's assigned port. PVID stands for Port Vlan ID, you are assigning the port to a vlan id.

View attachment 17679

Just these settings and it will work. Consider that this is the North switch in my case. I also have a South switch. These two switches are in different areas of my house with a single ethernet line connecting them to each other through a switch directly connected to my router. AX88U.

So my topology is like this: Fiber to the home>>>>ONT (optical network terminal or where light becomes Ethernet)>>>>TL-SG105E-Smart Switch>>>>Router>>>>North and South Switches (Both TL-SG108E)>>>>client devices.

Next and I'm sorry to say no screen shots but I think by now you should have a sort of grasp of what I was doing. Next I needed to setup a vlan ahead of my router so it could get a DHCP address from my ISP. With Fibre to Ethernet taken care of, you don't require a modem only the vlanned switch to link up with my ISP's DHCP network. So for me it was to create a vlan with id of 1000 and tagging the port (in my case port1 as it is my up-link port) that faces the ONT as it's next hop device. The switch itself can have an IP but must not have a defined IPv4 IP address (It doesn't need it and could cause problems). You set the switch up by assigning it an static IP and subnet mask. I used 172.16.1.3 and 255.255.0.0 and left gateway blank, you access it by manually configuring your computer's network adapter with something like 172.16.1.2 and 255.255.0.0 and again no gateway, and connect direct to the switch with your cable. The ISP's network allows the switch and passes the IP to the router. And it all works.

So the final paragraph explains the role of the 5-port switch between the router and the ONT.

“Next I needed to setup a vlan ahead of my router so it could get a DHCP address from my ISP.”

So the 5-port switch is, in this respect only, behaving as a modem would in a conventional setup? How else could you get your public IP address assigned had you not used the switch?

 

[skeal]

So the 5-port switch is, in this respect only, behaving as a modem would in a conventional setup; how else could you get your public IP address assigned had you not used the switch?

Yes, the switch actually passes the IP to the router. The modem in bridge mode should accomplish this, however in my case no gold, the modem doesn't show tagging, or doesn't have the capability to show tagging, on the port linked to the ONT. Alternatively, you can setup IPTV settings (On the router), to do the same as the configured switch, but, the settings get loaded so late in the boot up, that it could cause race conditions with scripts and stuff. All this work to get a DHCP address from my ISP on my router. I can't do the gaming I want with the router having a private IP, it has to be public.

 

[martinr]

Yes, the switch actually passes the IP to the router. The modem in bridge mode should accomplish this, however in my case no gold, the modem doesn't show tagging, or doesn't have the capability to show tagging, on the port linked to the ONT. Alternatively, you can setup IPTV settings (On the router), to do the same as the configured switch, but, the settings get loaded so late in the boot up, that it could cause race conditions with scripts and stuff. All this work to get a DHCP address from my ISP on my router. I can't do the gaming I want with the router having a private IP, it has to be public.

What? You’ve got time for gaming with all this networking experimentation? I can see this topic being a source of frequent referral in future. Many thanks for your detailed explanations.

 

[ATLga]

I linked to this old thread recently and just now went back to play around with this a bit and check it.
Using a tplink tlsg105e switch (firmware Feb 2023) and ax86u router.
Setup one vlan on port 5 (ax86u is port 1 same as op).
VLAN id "5" / VLAN Name "five" / Member ports 1,5 / Untagged ports 1,5
PVID settings Port 5 = 5

Plugged a laptop in port 5. Internet works, nothing unusual.
Testing for the vlan separation on this laptop I could see all the devices on the network. Could ping devices on the network. Fail.

Using a laptop not plugged into the switch, I could see the vlan port 5 laptop and was able to ping it. Fail.

OP says: "In the above configuration each newly created vlan is separate from the other and means those devices cannot communicate with each other, only with the router."

I don't see that being the case and wonder if it's the ax86u that's the issue?

Also, maybe the vlan is working but only for devices that are actually plugged into the switch, they are separated from each port. But what about the rest of the network that isn't using the switch, wifi devices, etc. Looks like everything is able to see each other just fine with no vlan separation.

 

[drinkingbird]

I linked to this old thread recently and just now went back to play around with this a bit and check it.
Using a tplink tlsg105e switch (firmware Feb 2023) and ax86u router.
Setup one vlan on port 5 (ax86u is port 1 same as op).
VLAN id "5" / VLAN Name "five" / Member ports 1,5 / Untagged ports 1,5
PVID settings Port 5 = 5

Plugged a laptop in port 5. Internet works, nothing unusual.
Testing for the vlan separation on this laptop I could see all the devices on the network. Could ping devices on the network. Fail.

Using a laptop not plugged into the switch, I could see the vlan port 5 laptop and was able to ping it. Fail.

OP says: "In the above configuration each newly created vlan is separate from the other and means those devices cannot communicate with each other, only with the router."

I don't see that being the case and wonder if it's the ax86u that's the issue?

Also, maybe the vlan is working but only for devices that are actually plugged into the switch, they are separated from each port. But what about the rest of the network that isn't using the switch, wifi devices, etc. Looks like everything is able to see each other just fine with no vlan separation.

By having both ports untagged you aren't accomplishing anything. No different than using VLAN 1. The Asus has no way of knowing the difference. If you plug something into one of the other ports on the switch (which are in VLAN 1) it won't be able to see the device on VLAN 5. Of course it also won't be able to access the internet either since your uplink is VLAN 5 now.

If you want multiple vlans all with access to the internet you need to use the new built in guest vlans (501 and 502, along with 1 for main LAN) after enabling guest wireless 1 with intranet disabled, or run a script to create your own vlans, subnets, DHCP pools, etc which is quite complex. In either case the uplink to the Asus must be tagged on all vlans except 1.

 

[ATLga]

By having both ports untagged you aren't accomplishing anything. No different than using VLAN 1. The Asus has no way of knowing the difference. If you plug something into one of the other ports on the switch (which are in VLAN 1) it won't be able to see the device on VLAN 5. Of course it also won't be able to access the internet either since your uplink is VLAN 5 now.

If you want multiple vlans all with access to the internet you need to use the new built in guest vlans (501 and 502, along with 1 for main LAN) after enabling guest wireless 1 with intranet disabled, or run a script to create your own vlans, subnets, DHCP pools, etc which is quite complex. In either case the uplink to the Asus must be tagged on all vlans except 1.

Yep, but I followed the directions and screenshots OP posted. I did a bit of further digging and the TPlink manual also suggests setting up in this fashion which makes no sense. Also, port 1 (uplink) has to be tagged to each one you set up (op mentioned this in one of his replies).
And no, not looking for multiple vlan setups. Just testing out the method in this thread.

Thanks for confirming.

 

[drinkingbird]

Yep, but I followed the directions and screenshots OP posted. I did a bit of further digging and the TPlink manual also suggests setting up in this fashion which makes no sense. Also, port 1 (uplink) has to be tagged to each one you set up (op mentioned this in one of his replies).
And no, not looking for multiple vlan setups. Just testing out the method in this thread.

Thanks for confirming.

Vlans on the switch only affect the switch. Your router has to match if you want those devices to have internet access. There aren't many use cases for isolated vlans with no internet, but there are some, and that is all you can do without having a VLAN aware router with dot1q tagging connected, or a layer 3 switch.

 

[ATLga]

Vlans on the switch only affect the switch. Your router has to match if you want those devices to have internet access. There aren't many use cases for isolated vlans with no internet, but there are some, and that is all you can do without having a VLAN aware router with dot1q tagging connected, or a layer 3 switch.

Pretty much what I thought and had thought about layer 3 switch as well.

 

[drinkingbird]

Pretty much what I thought and had thought about layer 3 switch as well.

You said in another thread you're running 388 so why not enable guest 1 with intranet disabled and make use of the prebuilt asus vlan 501 and 502. That will accomplish what you want, 3 isolated networks (VLAN 1, 501, 502). Uplink to the Asus on the TP Link should have pvid 1 with 1 untagged and 501 and 502 tagged. Then put other ports into 1, 501, or 502 untagged (and same for pvid) and you're good to go. Some Asus with the second 5ghz radio will also have 503.

Use VLAN 1 for trusted devices.

 

[ATLga]

You said in another thread you're running 388 so why not enable guest 1 with intranet disabled and make use of the prebuilt asus vlan 501 and 502. That will accomplish what you want, 3 isolated networks (VLAN 1, 501, 502). Uplink to the Asus on the TP Link should have pvid 1 with 1 untagged and 501 and 502 tagged. Then put other ports into 501 or 502 untagged (and same for pvid) and you're good to go.

I'm really just tinkering around with this switch thing. I had stumbled on this old thread when I was looking for some other information and thought I'd give it a try since I have a TPlink switch here along with a box full of netgear switches. Wanted to confirm that I wasn't crazy when I didn't get the same result as mentioned by the OP in 2019. That's all really. If I do get bored again, may look at a layer 3 switch and play around with it. I think I have one in the box somewhere. Appreciate your replies.

 

[ATLga]

You said in another thread you're running 388 so why not enable guest 1 with intranet disabled and make use of the prebuilt asus vlan 501 and 502. That will accomplish what you want, 3 isolated networks (VLAN 1, 501, 502). Uplink to the Asus on the TP Link should have pvid 1 with 1 untagged and 501 and 502 tagged. Then put other ports into 1, 501, or 502 untagged (and same for pvid) and you're good to go. Some Asus with the second 5ghz radio will also have 503.

Use VLAN 1 for trusted devices.

@drinkingbird
I'm going to play around with this tomorrow on my tplink switch and just wanted to confirm a couple of things.
So 501 & 502 are enabled with the Guest #1. 501 is 2.4 & 502 is 5.0.
Do you need to enable both? If you only enable #1 2.4, you'll only see 501. Same with #1 5.0, you'll only see 502. Enabling one of those won't make both (501 & 502) appear. Any pro's or con's to doing one or both?

 

[drinkingbird]

@drinkingbird
I'm going to play around with this tomorrow on my tplink switch and just wanted to confirm a couple of things.
So 501 & 502 are enabled with the Guest #1. 501 is 2.4 & 502 is 5.0.

Correct but note you must set "access intranet" to disabled to get them created. Once you've configured and applied the settings, reboot the router as I've noticed that not all configs are in place until after the reboot.

Do you need to enable both? If you only enable #1 2.4, you'll only see 501. Same with #1 5.0, you'll only see 502. Enabling one of those won't make both (501 & 502) appear.

Correct, you can enable one or the other and only have one of the VLANs (the corresponding one) created.

Any pro's or con's to doing one or both?

Just flexibility - having two isolated VLANs lets you divide stuff up. I've always had trusted and different levels of "semi trusted" networks, so I use 501 for IOTs and my outdoor AP's Guest SSID (which I let some neighbors use) and 502 for my wired semi-trusted stuff (i.e. work laptop) and people who visit etc. My outdoor AP also has IP filtering in it which I use as a second layer of protection on that "higher risk" guest SSID.

If I need to fix someone's PC or hook up one of my spares for playing around with something, I decide which one it goes in by setting that switch port to 501 or 502 depending on my level of trust of the machine etc.

I've also customized my IPTABLES and EBTABLES rules to allow guests to discover my printer and print to it, and add some additional isolation/blocking that asus doesn't have by default. Mostly all of this comes from having had a true router, firewall (with 8 zones) and switch setup previously and trying to mimic that somewhat on a much reduced footprint. I've actually considered adding even more VLANs to the Asus to have a few more zones but decided it is overkill. If I'm working on a machine that I suspect may have a virus or something, it does not get connected at all, and if I'm concerned that something I'm toying with may "phone home" I can connect a spare router in between and block stuff there.

 

[ATLga]

Correct but note you must set "access intranet" to disabled to get them created. Once you've configured and applied the settings, reboot the router as I've noticed that not all configs are in place until after the reboot.


Correct, you can enable one or the other and only have one of the VLANs (the corresponding one) created.



Just flexibility - having two isolated VLANs lets you divide stuff up. I've always had trusted and different levels of "semi trusted" networks, so I use 501 for IOTs and my outdoor AP's Guest SSID (which I let some neighbors use) and 502 for my wired semi-trusted stuff (i.e. work laptop) and people who visit etc. My outdoor AP also has IP filtering in it which I use as a second layer of protection on that "higher risk" guest SSID.

If I need to fix someone's PC or hook up one of my spares for playing around with something, I decide which one it goes in by setting that switch port to 501 or 502 depending on my level of trust of the machine etc.

I've also customized my IPTABLES and EBTABLES rules to allow guests to discover my printer and print to it, and add some additional isolation/blocking that asus doesn't have by default. Mostly all of this comes from having had a true router, firewall (with 8 zones) and switch setup previously and trying to mimic that somewhat on a much reduced footprint. I've actually considered adding even more VLANs to the Asus to have a few more zones but decided it is overkill. If I'm working on a machine that I suspect may have a virus or something, it does not get connected at all, and if I'm concerned that something I'm toying with may "phone home" I can connect a spare router in between and block stuff there.

Great info. Yes, access intranet to disabled (in the guest settings) is defaulted to that on setup. That would stay off in my situation, that's the point of the guest network hahaha.
Odd question, but is there any weird behind the scenes behavior for 501/502 if you enable both bands with same SSID and PW.
Appreciate the info.

 

[drinkingbird]

Great info. Yes, access intranet to disabled (in the guest settings) is defaulted to that on setup. That would stay off in my situation, that's the point of the guest network hahaha.
Odd question, but is there any weird behind the scenes behavior for 501/502 if you enable both bands with same SSID and PW.
Appreciate the info.

Nope the SSID and PW should have no impact on the VLANs, firewall rules, AP isolation, etc. From the router's perspective they are separate, regardless of authentication settings.

 

[Jumpstarter]

You said in another thread you're running 388 so why not enable guest 1 with intranet disabled and make use of the prebuilt asus vlan 501 and 502. That will accomplish what you want, 3 isolated networks (VLAN 1, 501, 502). Uplink to the Asus on the TP Link should have pvid 1 with 1 untagged and 501 and 502 tagged. Then put other ports into 1, 501, or 502 untagged (and same for pvid) and you're good to go. Some Asus with the second 5ghz radio will also have 503.

Use VLAN 1 for trusted devices.

Do you know how to get the VID:501 VID:502 to populate when using Asus router as AP? I have a main router which I can tag networks with 501 or 502, but I am using Asus router in AP mode. I was wondering how these tags can be used with Asus Guest network from here.

 

[heysoundude]

I'm taking a bit of a dive into this stuff, and I'm curious abour the WAN Aggregation that's mentioned...which router(s) supports that?