Tutorial Basic Vlan guide for IP or MAC isolation from others on Lan

skeal

Part of the Furniture
I've searched and read lots on this topic, and now I must say I'm more confused than anything else. Can someone offer me advice on how to stop two devices on my network from communicating with the other devices on my LAN? These devices require nothing other than internet access and have Ethernet-only connections. Any ideas? Can iptables be used for this?
 
Seems not, at least not without VLANs:

“Inter-LAN connections are handled by the switch in your combination router/switch/AP. Therefore iptables or other rules and scripts do not come into play. They only apply to LAN/WAN connections, which are handled by the router section.

If devices connect to your router/switch/AP using WiFi, have them connect to guest networks (six networks in a router with Merlin); you can then isolate them by turning Access Intranet off. I'm not aware of any way you can turn Access Intranet off for the LAN ports other than setting up VLANs.”

https://www.snbforums.com/threads/h...e-lan-ip-to-another-lan-ip.40654/#post-341253
 
Two possible solutions depending on what else is on your LAN:
  1. The only LAN devices are the two requiring isolation
    1. Cascade another NAT router off the ASUS and use a different IP network for its downstream LAN
  2. There are additional LAN devices besides the two requiring isolation
    1. Add a VLAN device
 
However, what about using something like this to turn your ethernet-only device into a wireless device and then put it on a guest network with intranet access banned?

For about the same amount you can buy a smart switch and add multiple VLANs. The 8-port model is available on Amazon for US$29.99. With 8 ports you could have up to seven VLANs.
 
For whatever reason I had no idea a smart switch was this cheap. :oops::oops:

EDIT: Found a TP-Link 5-port web-managed switch for $44 CDN on Amazon and was sure to click the link to get SNB a cut of the action.
 
I'm curious, what two devices do you not want talking to each other?
I have two Android devices that I do not trust. I don't mind them talking to each other, just not to any other devices.
 
Chuckle!
Shouldn’t this be appended to the ‘Alt-Conspiracies’ thread? ;)
I liked the 5-port so much I got an 8-port coming... LOL, there will be no conspiracies on my networks, folks! ;):)
 
Another option. And one that doesn't require additional hardware.

Let's assume your primary local network is 192.168.1.0/24, and your primary router is assigned 192.168.1.1. You multihome the router w/ the 192.168.2.0/24 network and assign it 192.168.2.1. Now either statically configure those devices on the 192.168.2.x network (e.g., 192.168.2.100 and 192.168.2.101), or configure the DHCP server to return those same IPs (along w/ 192.168.2.1 as the gateway, etc.). Finally, you add firewall rules to block 192.168.2.0/24 from accessing 192.168.1.0/24.

IOW, each local IP network is still sharing the same physical ethernet segment, but they are invisible to each other because they are configured w/ different local IP networks. If you didn't block access via the firewall, then the router would simply route between them.
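As an added example (not part of the thread, and not the poster's or Asus's code), here is a small Python script that sanity-checks a multihoming plan like the one above and renders the matching Asus-Merlin firewall-start script. It assumes the router runs Asus-Merlin with br0 as its LAN bridge and that the output is saved as /jffs/scripts/firewall-start; the addresses are the ones used in the post. One caveat worth keeping in mind: the two networks still share one Ethernet segment, so the separation is only an IP-level convention enforced by the router. A compromised device can simply give itself a 192.168.1.x address, or ARP for 192.168.1.x hosts directly, and the FORWARD rules never see that traffic. The VLAN approach discussed elsewhere in this thread does not have that weakness.

```python
"""Added example: validate a multihomed-LAN isolation plan and emit the
Asus-Merlin firewall-start script for it. Assumptions not stated on the
page: Asus-Merlin firmware, LAN bridge br0, rules installed via
/jffs/scripts/firewall-start. Addresses below are the ones from the post."""
import ipaddress


def validate_plan(main_net, iso_net, iso_gw, iso_hosts):
    """Return a list of problems with the plan; an empty list means it is sound."""
    problems = []
    main = ipaddress.ip_network(main_net, strict=True)
    iso = ipaddress.ip_network(iso_net, strict=True)
    gw = ipaddress.ip_address(iso_gw)
    if main.overlaps(iso):
        problems.append(f"{iso_net} overlaps {main_net}; routing would be ambiguous")
    if gw not in iso:
        problems.append(f"gateway {iso_gw} is not inside {iso_net}")
    for h in iso_hosts:
        addr = ipaddress.ip_address(h)
        if addr not in iso:
            problems.append(f"host {h} is not inside {iso_net}; it would not be isolated")
        elif addr == gw:
            problems.append(f"host {h} collides with the gateway address")
    return problems


def firewall_start_script(main_net, iso_net, iso_gw, main_gw, lan_if="br0"):
    """Render the firewall-start script: secondary address plus DROP rules.

    The rules are inserted at position 1 so they precede the firmware's own
    ACCEPT rules in FORWARD. The INPUT rule additionally keeps the isolated
    hosts away from services bound to the router's primary address; they still
    reach DNS/DHCP on their own gateway address."""
    prefix = ipaddress.ip_network(iso_net).prefixlen
    lines = [
        "#!/bin/sh",
        "# generated: secondary LAN network and isolation rules",
        f"ip addr add {iso_gw}/{prefix} dev {lan_if} 2>/dev/null",
        f"iptables -I FORWARD 1 -s {iso_net} -d {main_net} -j DROP",
        f"iptables -I FORWARD 1 -s {main_net} -d {iso_net} -j DROP",
        f"iptables -I INPUT 1 -s {iso_net} -d {main_gw} -j DROP",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Values from the post: 192.168.1.0/24 is the main LAN, 192.168.2.0/24 the
    # isolated one, and the two untrusted devices get .100 and .101.
    plan = ("192.168.1.0/24", "192.168.2.0/24", "192.168.2.1")
    hosts = ["192.168.2.100", "192.168.2.101"]
    issues = validate_plan(*plan, hosts)
    if issues:
        for i in issues:
            print("problem:", i)
    else:
        print(firewall_start_script(*plan, "192.168.1.1"), end="")
```

Run it once on the router (or on a workstation) and copy the printed script into /jffs/scripts/firewall-start; the DROP rules are stateless on purpose so that an established flow cannot be used to bridge the two networks in either direction.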
 
I know this sounds geeky, but I'm loving playing with VLANs. It's great!
 

Looks to the left, looks to the right, looks all around.

Uhm, it looks like we're all a little geeky around here. :D

Let us know what you cook up with the 5 and 8 port switches and your newfound love (VLANs). :)
 
I'm back....

So my journey into VLAN land was a long one. (mostly waiting on switches to arrive as I ordered them as I found the need for them).

I bought 4 smart web-managed switches made by TP-Link: 3x 8-port (TL-SG108E) and 1x 5-port (TL-SG105E). The 5-port was purchased by mistake, but I kept it on account of it's all I needed for its location and use. Each switch was no more than $45 CDN on Amazon, and SNBForums got the cut it deserves by clicking the Amazon link in the upper right of the @RMerlin forum page.

The aim of this project was to isolate everything on my network. I have no need for a windows network share system.

Learning things from scratch and being bull-headed as I am played a role in how long it took to set this up. Really, once I had the equipment it took minutes to set up.

As I was setting things up, I realized that I could replicate the VLAN setup I have in IPTV settings, on one of these switches.

Lots of research later (insert google foo) I found the answer, instead of a modem on my fibre to the home setup, I now have a VLAN configured switch, and no need for the VLAN settings I had in the IPTV settings in the LAN section of the router. My interface is now listed as eth0 not br1 anymore.

While I was setting up the VLANs I found out about LAG (Link Aggregation) and WAG (WAN Aggregation); I enabled both on the router, and they work really well. Both LAG and WAG are based on 802.3ad. As a side note, you cannot set up "Dual WAN" once WAG is set up; it's one or the other. You will see a notice on the network map page saying "WAN Aggregation: !" In my case this is referring to the fact I don't have a 1 gig symmetrical connection. When setting up WAG and/or LAG the router sets up a virtual interface called "bondx" (x being the instance number, for example bond0 or bond1). This allows the router to see it as a combined interface. In this example bond0 is the LAG connection and bond1 is the WAG connection; the instance number is not important.

Learned that my ISP requires tagging on the port of the VLAN facing my ONT (Optical Network Terminal), without it the router will not receive a DHCP address.

So now I have 10 VLANs in all. 1 that serves the DHCP needs of my router. 2 separating the North end of my house from the South end. 3 setup on the South switch and 4 setup on the North switch.

So far I have a boost in performance, but that was expected. Probably due to better QoS and network isolation and possibly IGMP snooping. Getting rid of my Actiontec V1000H router is a big plus as it was a POS.

So now I have a snappy, fast booting, VPN power house of a router, and a great secure network. Video streaming (what I do most), is perfect so far. :D
 
So I can conclude that by reducing broadcast traffic on my home network, I have gained performance on each client. Video is especially good. Speed tests are quick and flat. I also use Bandwidth Limiter QoS and find (no offence to FreshJR) that it more than meets my needs, and I get just as good bufferbloat scores, even with a busy network. I must add that it takes considerable time to get the balance right between devices, but once you do it's set and forget, baby. Really happy with my home network now!! :D
 
......,separating the North end of my house from the South end. 3 setup on the South switch and 4 setup on the North switch. :D

Glad you’re sorted. I can’t pretend to understand it; perhaps when you get time and whilst it’s still fresh, you might append a set-up guide, that would flesh out the bones?

One question: is there a West Wing?
 
Laughing my head off!! No West Wing. I actually live in a small house, I just like lots of equipment. Lol, I will type out a guide and post again while it is fresh. I will also include screen shots of the TP-Link switches, that may help as well. Thanks for your interest. Thanks for your jest, it made my morning, I'm still laughing. :D
 
I started down this path because I wanted to isolate 2 problem IoT devices that if attacked and compromised, may grant access in some way to the rest of my network.

This started me thinking about my network needs. I use Dropbox a lot, and OneDrive; both solve the issue of networking among computers on my network.

So in my case I started to think about isolation and what would need to be isolated from each other.

I used guest networks for the wifi devices. This works for my 2 google home devices and a chromecast-ultra. They have to be on the same guest network to work.

My principal internet use is video streaming. I tweak and tune for best streaming dependability. I want to isolate both of my Android media boxes. They can easily be hacked or hit with malware, according to the reading about Kodi and MobDro.

So setting up VLANs with a graphical user interface is easy. TP-Link has a web interface or a Windows configuration utility for configuration of VLANs. (Just a side note: I do everything on Ubuntu using Chromium as a browser.)

Here is the system information page of the webui for a TL-SG108E smart switch from Amazon.

SystemInfo.jpg

As you can see it gets an IP address from the router. When you initially plug in the switch it grabs an IP from the router via DHCP. The address of the switch can be set to static and any address used.

Let's jump to VLANs. Here is the 802.1Q VLAN page where you can set up what you need. My configuration should point out a few obvious things.

Vlan802.1q.jpg


For basic VLANning to work the switch needs a default VLAN so that without any configuration it will work as a plug-and-play switch. Each newly created VLAN needs port 1 (the uplink port in my case) added to it to give the device internet access, the access being granted via the gateway address. In the above configuration each newly created VLAN is separate from the others, which means those devices cannot communicate with each other, only with the router.

The next page designates the VLAN ID needed for the VLAN to communicate outward, kind of like a gateway. Each VLAN has its assigned port. PVID stands for Port VLAN ID; you are assigning the port to a VLAN ID.

802.1g-PVID-Setting.jpg


Just these settings and it will work. Consider that this is the North switch in my case. I also have a South switch. These two switches are in different areas of my house, with a single Ethernet line connecting them to each other through a switch directly connected to my router, an AX88U.

So my topology is like this: Fiber to the home>>>>ONT (optical network terminal or where light becomes Ethernet)>>>>TL-SG105E-Smart Switch>>>>Router>>>>North and South Switches (Both TL-SG108E)>>>>client devices.

Next, and I'm sorry to say no screenshots, but I think by now you should have a sort of grasp of what I was doing. Next I needed to set up a VLAN ahead of my router so it could get a DHCP address from my ISP. With fibre to Ethernet taken care of, you don't require a modem, only the VLANned switch to link up with my ISP's DHCP network. So for me it was to create a VLAN with an ID of 1000 and tag the port (in my case port 1, as it is my uplink port) that faces the ONT as its next-hop device. The switch itself can have an IP but must not have a defined IPv4 IP address (it doesn't need it and could cause problems). You set the switch up by assigning it a static IP and subnet mask. I used 172.16.1.3 and 255.255.0.0 and left the gateway blank; you access it by manually configuring your computer's network adapter with something like 172.16.1.2 and 255.255.0.0, again with no gateway, and connecting directly to the switch with your cable. The ISP's network allows the switch and passes the IP to the router. And it all works. :D
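Added example, not from the post or from TP-Link: a short Python model of the standard 802.1Q membership and PVID rules, which you can use to check a switch table before trusting it for isolation. It models only ingress classification by PVID, ingress filtering of tagged frames, and egress to the other member ports of the VLAN; it does not model MAC learning or any vendor-specific asymmetric-VLAN forwarding, and the poster's actual tables are in screenshots not reproduced here, so the three sample tables (factory default, per-port VLANs behind an untagged uplink, and a tagged uplink) are constructed. The second table shows the pitfall to check for: the access ports are isolated from each other, but under strict 802.1Q an untagged reply from the router arriving on port 1 is classified into port 1's PVID and never reaches port 2. The third table fixes that by carrying tags on the uplink, which in turn requires matching 802.1Q sub-interfaces on the router side.

```python
"""Added example: model of 802.1Q forwarding on a small managed switch,
used to check whether a VLAN table really isolates the access ports.

Rules modelled (plain 802.1Q, no vendor extensions):
  * an untagged frame entering a port is classified into that port's PVID;
  * a tagged frame keeps its VID but is dropped if the ingress port is not a
    member of that VID (ingress filtering);
  * the frame may egress any other member port of that VID, tagged on
    tagged members and untagged on untagged members.
Port numbers, VIDs and the sample tables are constructed for this example."""
from dataclasses import dataclass


@dataclass
class SwitchConfig:
    vlans: dict  # vid -> {"untagged": set(ports), "tagged": set(ports)}
    pvid: dict   # port -> vid assigned to untagged ingress frames

    def members(self, vid):
        v = self.vlans.get(vid, {})
        return set(v.get("untagged", ())) | set(v.get("tagged", ()))

    def egress_ports(self, ingress, vid=None):
        """Ports a frame entering `ingress` can reach, mapped to how it leaves.

        vid=None means the frame arrived untagged and takes the port's PVID."""
        if vid is None:
            vid = self.pvid[ingress]
        elif ingress not in self.members(vid):
            return {}  # tagged frame for a VLAN this port does not carry
        tagged = self.vlans.get(vid, {}).get("tagged", ())
        return {p: ("tagged" if p in tagged else "untagged")
                for p in self.members(vid) if p != ingress}


def isolation_report(cfg, uplink):
    """For each access port, the other access ports an untagged frame can reach.

    An empty dict means the access ports are isolated from one another."""
    leaks = {}
    for port in cfg.pvid:
        if port == uplink:
            continue
        reach = set(cfg.egress_ports(port)) - {uplink}
        if reach:
            leaks[port] = sorted(reach)
    return leaks


def return_path_ok(cfg, uplink, port, tagged_vid=None):
    """True if a frame from the router on `uplink` (untagged, or tagged with
    tagged_vid) can be delivered to `port`."""
    return port in cfg.egress_ports(uplink, tagged_vid)


UPLINK = 1

# Factory-style table: every port untagged in VLAN 1 with PVID 1. No isolation.
FLAT = SwitchConfig(
    vlans={1: {"untagged": {1, 2, 3, 4, 5, 6, 7, 8}}},
    pvid={p: 1 for p in range(1, 9)},
)

# Per-port VLANs with an untagged uplink: each access port is untagged only in
# its own VLAN and has that VLAN as PVID; the uplink is untagged in all of them
# but keeps PVID 1. Isolates the access ports, but breaks the reply path.
PER_PORT = SwitchConfig(
    vlans={1: {"untagged": {1}},
           10: {"untagged": {1, 2}},
           20: {"untagged": {1, 3}},
           30: {"untagged": {1, 4}}},
    pvid={1: 1, 2: 10, 3: 20, 4: 30},
)

# Tagged uplink: the router sends and receives 802.1Q-tagged frames on port 1,
# so its replies are classified correctly and still cannot cross VLANs.
TRUNK = SwitchConfig(
    vlans={1: {"untagged": {1}},
           10: {"untagged": {2}, "tagged": {1}},
           20: {"untagged": {3}, "tagged": {1}},
           30: {"untagged": {4}, "tagged": {1}}},
    pvid={1: 1, 2: 10, 3: 20, 4: 30},
)

if __name__ == "__main__":
    for name, cfg in (("FLAT", FLAT), ("PER_PORT", PER_PORT), ("TRUNK", TRUNK)):
        print(name, "leaks:", isolation_report(cfg, UPLINK),
              "router->port2 untagged:", return_path_ok(cfg, UPLINK, 2),
              "router->port2 tagged 10:", return_path_ok(cfg, UPLINK, 2, 10))
```

To check your own switch, transcribe the 802.1Q VLAN page into `vlans` and the PVID page into `pvid`, then run `isolation_report` and `return_path_ok` for each access port; a port that still appears in the leaks dict is usually one that was left in the default VLAN 1 untagged, or whose PVID was not changed.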
 
This caused some problems. For instance, I couldn't communicate with the South switch when connected to the North switch; both ends are Ethernet. This is by design. I found that any device or VLAN could communicate with any device on another VLAN based on a separate switch, as long as the traffic was handled by the router or set up on a common VLAN not separating North from South. This is no good; I have isolation needs all over the network. So the middle switch has two VLANs, thus separating North and South. You may ask how I can administer a switch I don't have access to any more. I use WiFi. If you connect to the router's WiFi (main WiFi, not guest) you are essentially traffic from the router, so you have access to everything. (Kind of scary really, and brings up thoughts of WiFi hacking.)
 
Excellent write-up. Thank you. I’m intending to get one of those Pro switches just to understand it all better: it’s one thing reading about it, but quite another doing it for real and correcting one’s mistakes and misunderstandings.
 
