DragonQ
just joined
Topic Author
Posts: 20
Joined: Tue Apr 13, 2021 1:44 pm

Isolate clients for only certain VLANs?

Tue Apr 13, 2021 4:08 pm

Hi, I'm considering buying a CRS328 switch and having looked through the really useful documentation I think I understand how to configure it for multiple VLANs. I can also see that it's possible to isolate certain ports to create "private VLANs" (i.e. all traffic from a certain port gets forwarded to router only). However, this would only work for access ports and not trunk ports. I am not sure how to configure it such that only certain VLANs have client isolation (i.e. all traffic on a certain VLAN gets forwarded to router only).

For example, let's say I have the following setup:
[attached diagram: switch.png]
  • VLANs should be isolated from each other; router handles inter-VLAN communication.
  • VLAN 1 is for trusted devices that need to be able to communicate via the switch without the router getting involved (e.g. 10GbE clients).
  • VLANs 2 & 3 are for untrusted devices who should not be able to communicate via the switch and all traffic on those VLANs should go to the router.
  • There are 3 "trunk" ports between the router and switch, one per VLAN. They're separate to maximise bandwidth but could be condensed into a single tagged port each end if necessary.
  • Each VLAN 2 & 3 access port can be easily isolated such that their traffic must go through the router (see link above).
  • The WiFi AP has 3 SSIDs, one for each VLAN. 1 is untagged ("native VLAN"), the other 2 are tagged.

Is it possible to ensure traffic on VLANs 2 & 3 from the WiFi APs always gets forwarded to the router (client isolation), but traffic on VLAN 1 from the WiFi APs gets forwarded to every VLAN 1 access port? If not then all WiFi traffic will need to go via the router, which is a bit disappointing.
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate clients for only certain VLANs?

Wed Apr 14, 2021 4:09 pm

Is the CRS328 switch going to also be a router, or is there an MT router between the switch and the internet??
First mistake is thinking you should use vlan1.
Do not!
It is the default pvid vlan on bridges and should not be used to carry data etc......
Use vlan 99 or something else for management vlan and this is valid for both vlan filtering approach or SwOS approach.

Your sentence makes no sense!!
> VLAN 1 is for trusted devices that need to be able to communicate via the switch without the router getting involved (e.g. 10GbE clients)

A trusted device has no need to talk to the switch. The switch has no functionality other than passing traffic through it as per the rules set up by the admin.
One thing that can be said is that you as the admin want to ensure that all devices are managed on the management vlan and get an IP on the management vlan.

I also don't see the purpose of 3 trunk lines from router to switch, all you need is one.
Introducing more connections makes looping issues more possible. However I am not an expert in terms of what is better (ONE or THREE) for optimal throughput questions etc......
It can be done but one has to be more careful........ I think!

The problem with VLAN is that you cannot easily mix and match 802.1q vlans (tagging) and port vlans (isolation).
The thing is that tagged vlans can go to any port that is tagged or untagged for that port so having two ports with that traffic is the issue.
Again possibly doable but haven't tried it.

Did you read this reference??? For bridge vlan filtering approach or are you going to use a different approach???
viewtopic.php?f=23&t=143620
 
anav
Forum Guru

Re: Isolate clients for only certain VLANs?

Wed Apr 14, 2021 5:03 pm

Here is an approach on the router, with different ports and a dedicated management vlan.
Note that the second ex. is the minimal change on the router to change this to one ethernet port.
Also, if one uses the home vlan as the management vlan, then you can delete all reference to vlan 99.
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5

/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
/interface bridge vlan
add bridge=bridge comment="Admin VLAN" tagged=bridge,ether2 vlan-ids=10,11,12,99
I would do the same thing on the switch.
In the case of separate ports per vlan, each would need a similar separate port on the switch.
The switch would also have a bridge.
All ports that are going to smart devices will need tagged designation on switch ports for
a. the vlan carrying data to that port
b. the mgmt vlan
All ports that are going to dumb devices will only need pvid for that vlan and untagged designation on the switch bridge.
 
DragonQ
Topic Author

Re: Isolate clients for only certain VLANs?

Wed Apr 14, 2021 8:52 pm

> Is the CRS328 switch going to also be a router, or is there an MT router between the switch and the internet??
> First mistake is thinking you should use vlan1.
> Do not!
> It is the default pvid vlan on bridges and should not be used to carry data etc......
> Use vlan 99 or something else for management vlan and this is valid for both vlan filtering approach or SwOS approach.

The diagram makes it clear there is a separate router, i.e. the CRS328 is acting as a switch only. I understand the concern with using VLAN 1 but I was only using the numbers as examples, they could easily be 10, 20, 30.

> Your sentence makes no sense!!
> VLAN 1 is for trusted devices that need to be able to communicate via the switch without the router getting involved (e.g. 10GbE clients)
>
> A trusted device has no need to talk to the switch. The switch has no functionality other than passing traffic through it as per the rules set up by the admin.
> One thing that can be said is that you as the admin want to ensure that all devices are managed on the management vlan and get an IP on the management vlan.

I get the feeling you didn't read my post very carefully. My sentence does make sense because I said "via the switch" not "to the switch".

> The problem with VLAN is that you cannot easily mix and match 802.1q vlans (tagging) and port vlans (isolation).
> The thing is that tagged vlans can go to any port that is tagged or untagged for that port so having two ports with that traffic is the issue.
> Again possibly doable but haven't tried it.
>
> Did you read this reference??? For bridge vlan filtering approach or are you going to use a different approach???
> viewtopic.php?f=23&t=143620

Yes I was planning to use a single bridge following the example in the "Switch with a separate router (RoaS)" section of that post, and then follow the steps in the "Private VLAN" example here. All of that should be possible with the switch chip. However, it only works per-port, not per-VLAN.

> Here is an approach on the router, with different ports and a dedicated management vlan.
> Note that the second ex. is the minimal change on the router to change this to one ethernet port.
> Also, if one uses the home vlan as the management vlan, then you can delete all reference to vlan 99.
> /interface bridge port
> add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
> add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
> add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
> add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
>
> /interface bridge port
> add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
> /interface bridge vlan
> add bridge=bridge comment="Admin VLAN" tagged=bridge,ether2 vlan-ids=10,11,12,99
> I would do the same thing on the switch.
> In the case of separate ports per vlan, each would need a similar separate port on the switch.
> The switch would also have a bridge.
> All ports that are going to smart devices will need tagged designation on switch ports for
> a. the vlan carrying data to that port
> b. the mgmt vlan
> All ports that are going to dumb devices will only need pvid for that vlan and untagged designation on the switch bridge.

You say this example is "on the router", does that mean using the CPU on the CRS328? I'd like to do everything using the switch chip and leave the routing to my separate router (which is an already configured EdgeRouter-X, which has just run out of ports). I would probably use SwOS if it didn't have poor fan control. I plan to use RouterOS so the fans stay at a sensible RPM.
 
anav
Forum Guru

Re: Isolate clients for only certain VLANs?

Thu Apr 15, 2021 12:52 am

Okay I get it now.
The router in the picture is a Unifi or edge but not MT.
The switch you want to use for switching not routing and
the two options you have are
separate ports on router to separate ports on switch
OR
one port on router to one port on switch.

Yes I was configuring the router.
I can configure the switch but you have to decide which approach you want to do.
 
DragonQ
Topic Author

Re: Isolate clients for only certain VLANs?

Thu Apr 15, 2021 12:22 pm

> Okay I get it now.
> The router in the picture is a Unifi or edge but not MT.
> The switch you want to use for switching not routing and
> the two options you have are
> separate ports on router to separate ports on switch
> OR
> one port on router to one port on switch.
>
> Yes I was configuring the router.
> I can configure the switch but you have to decide which approach you want to do.

Yes that's right. I suppose having a single trunk between the router and switch will be fine for now, I'll just keep an eye on bandwidth to ensure that 1GbE link isn't being saturated by inter-VLAN traffic.

I think this might be simpler than I originally thought. Since the "forwarding-override" option can have multiple destination ports specified, I should be able to do the following:
  • Set access ports for VLAN 20/30 wired devices to forward traffic to the router trunk port(s);
  • Set trunk ports for WiFi APs to forward traffic to the router trunk port(s) and all VLAN 10 access ports and other WiFi AP trunks.
The VLAN separation should take care of the rest, so now WiFi devices will only be able to talk to the router, other WiFi devices, and wired devices on VLAN 10. In reality this only applies to devices on VLAN 10 because any devices on VLAN 20 or 30 can't talk to the VLAN 10 devices anyway and can't talk to each other due to being on "guest" networks. It'd look something like this I believe:

/interface bridge
add name=bridge1 vlan-filtering=yes

/interface bridge port
add interface=sfp1 bridge=bridge1 hw=yes pvid=10
add interface=sfp2 bridge=bridge1 hw=yes pvid=10
add interface=sfp3 bridge=bridge1 hw=yes pvid=10
add interface=sfp4 bridge=bridge1 hw=yes pvid=10
add interface=ether2 bridge=bridge1 hw=yes pvid=10
add interface=ether3 bridge=bridge1 hw=yes comment="Router trunk"
add interface=ether4 bridge=bridge1 hw=yes pvid=10
add interface=ether6 bridge=bridge1 hw=yes pvid=10
add interface=ether8 bridge=bridge1 hw=yes pvid=10
add interface=ether15 bridge=bridge1 hw=yes pvid=20
add interface=ether16 bridge=bridge1 hw=yes pvid=20
add interface=ether19 bridge=bridge1 hw=yes pvid=30
add interface=ether20 bridge=bridge1 hw=yes pvid=30
add interface=ether21 bridge=bridge1 hw=yes comment="WiFi AP 1 trunk"
add interface=ether23 bridge=bridge1 hw=yes comment="WiFi AP 2 trunk"

/interface bridge vlan

add bridge=bridge1 tagged=ether3 untagged=sfp1,sfp2,sfp3,sfp4,ether2,ether4,ether6,ether8,ether21,ether23 vlan-ids=10
add bridge=bridge1 tagged=ether3,ether21,ether23 untagged=ether15,ether16 vlan-ids=20
add bridge=bridge1 tagged=ether3,ether21,ether23 untagged=ether19,ether20 vlan-ids=30

/interface ethernet switch port-isolation
set ether15 forwarding-override=ether3
set ether16 forwarding-override=ether3
set ether19 forwarding-override=ether3
set ether20 forwarding-override=ether3
set ether21 forwarding-override=ether3,ether2,ether4,ether6,ether8,sfp1,sfp2,sfp3,sfp4,ether23
set ether23 forwarding-override=ether3,ether2,ether4,ether6,ether8,sfp1,sfp2,sfp3,sfp4,ether21
Does that look right? The only pitfall I can see is the following example:
  • Untrusted device A is connected to WiFi AP 1 using VLAN 20.
  • Untrusted device B is connected to WiFi AP 2 using VLAN 20.

Using the above settings, untrusted devices A and B will be able to communicate directly without traffic going via the router. There are 2 solutions I can think of:
  • Use totally separate VLAN IDs for each "untrusted" VLAN on each WiFi AP (e.g. WiFi AP 1 uses VLANs 20 & 30 for untrusted devices, whereas WiFi AP 2 uses VLANs 21 & 31). This would work but requires additional router rules for each WiFi AP, which would get messy.
  • Disable direct access between clients on different WiFi APs altogether. This means all traffic between trusted devices on WiFi AP 1 and WiFi AP 2 has to go via the router. Not ideal but less of an issue than for wired devices.

Any thoughts?
Last edited by DragonQ on Thu Apr 15, 2021 3:29 pm, edited 1 time in total.
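The pitfall described in the post above can be checked mechanically rather than by eye. What follows is an added example, not code from the thread or from MikroTik: a small Python model of the posted bridge VLAN table and port-isolation overrides that computes, for each VLAN, which ports can still reach each other inside the switch without passing through the router port. It assumes ether21/ether23 carry pvid=10 (the stated intent; the posted bridge-port lines omit it), that every port behaves as if ingress-filtering=yes, and that forwarding-override only narrows the set of egress ports that VLAN filtering already permits rather than bypassing the VLAN table. That last point is the one to confirm against the CRS3xx documentation and a test on the hardware before relying on the result.

```python
"""Added example: model CRS3xx bridge VLAN filtering combined with switch
port-isolation forwarding-override and list same-VLAN port pairs that can
talk to each other without going through the router.

Assumptions (not confirmed by the thread):
  * forwarding-override only restricts egress ports; the bridge VLAN table
    still decides membership, so a frame never egresses a port its VLAN is
    not configured on.
  * every port acts as ingress-filtering=yes (a frame is dropped unless the
    ingress port is a member of the frame's VLAN).
  * ether21/ether23 have pvid=10, as intended in the post.
"""

# Bridge VLAN table as posted (/interface bridge vlan).
VLAN_TABLE = {
    10: {"tagged": {"ether3"},
         "untagged": {"sfp1", "sfp2", "sfp3", "sfp4", "ether2", "ether4",
                      "ether6", "ether8", "ether21", "ether23"}},
    20: {"tagged": {"ether3", "ether21", "ether23"},
         "untagged": {"ether15", "ether16"}},
    30: {"tagged": {"ether3", "ether21", "ether23"},
         "untagged": {"ether19", "ether20"}},
}

ROUTER_PORT = "ether3"
TRUSTED_ACCESS = {"ether2", "ether4", "ether6", "ether8",
                  "sfp1", "sfp2", "sfp3", "sfp4"}

# /interface ethernet switch port-isolation, as posted: ingress on a listed
# port may only be forwarded to the ports in its set; unlisted ports are free.
FORWARDING_OVERRIDE = {
    "ether15": {ROUTER_PORT},
    "ether16": {ROUTER_PORT},
    "ether19": {ROUTER_PORT},
    "ether20": {ROUTER_PORT},
    "ether21": {ROUTER_PORT, "ether23"} | TRUSTED_ACCESS,
    "ether23": {ROUTER_PORT, "ether21"} | TRUSTED_ACCESS,
}


def members(vlan):
    """All ports (tagged or untagged) that are members of `vlan`."""
    entry = VLAN_TABLE.get(vlan)
    if entry is None:
        return set()
    return entry["tagged"] | entry["untagged"]


def can_forward(src, vlan, dst):
    """True if a frame entering `src` in `vlan` would be forwarded out of `dst`."""
    if src == dst:
        return False
    mem = members(vlan)
    if src not in mem or dst not in mem:  # ingress filtering / egress membership
        return False
    allowed = FORWARDING_OVERRIDE.get(src)
    return allowed is None or dst in allowed


def same_vlan_paths_bypassing_router(vlan, router_port=ROUTER_PORT):
    """Ordered (src, dst) pairs on `vlan` that reach each other inside the
    switch, i.e. exactly the traffic client isolation should force via the router."""
    ports = sorted(members(vlan) - {router_port})
    return {(s, d) for s in ports for d in ports if can_forward(s, vlan, d)}


def isolation_holds(vlan, router_port=ROUTER_PORT):
    """Client isolation is complete on `vlan` only if no pair bypasses the router."""
    return not same_vlan_paths_bypassing_router(vlan, router_port)


if __name__ == "__main__":
    for v in (10, 20, 30):
        print(f"VLAN {v}: isolated={isolation_holds(v)} "
              f"leaks={sorted(same_vlan_paths_bypassing_router(v))}")
```

Running it reports VLAN 10 as not isolated (by design) and VLANs 20 and 30 as leaking exactly one pair each way, ether21 to ether23 and back: the wired guest ports are held to the router, but two untrusted clients on different APs on the same VLAN still meet in the switch. Any change to the override lists or the VLAN table can be re-checked the same way before it is typed into the CRS328.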
 
anav
Forum Guru

Re: Isolate clients for only certain VLANs?

Thu Apr 15, 2021 2:50 pm

Nope, way too confusing and complex for me, and with use of vlan1.
Hopefully someone else will assist.
 
DragonQ
Topic Author

Re: Isolate clients for only certain VLANs?

Thu Apr 15, 2021 3:10 pm

> Nope, way too confusing and complex for me, and with use of vlan1.
> Hopefully someone else will assist.

I don't see how the concept of a private VLAN i.e. isolated clients is too complex, maybe it just is for a Mikrotik switch?

I've added a 0 to the end of the VLAN numbers to hopefully make you happy.
 
anav
Forum Guru

Re: Isolate clients for only certain VLANs?

Thu Apr 15, 2021 5:19 pm

(1) Missing tagging the bridge!!!!
/interface bridge vlan
add bridge=bridge1 tagged=ether3 untagged=sfp1,sfp2,sfp3,sfp4,ether2,ether4,ether6,ether8,ether21,ether23 vlan-ids=10
add bridge=bridge1 tagged=ether3,ether21,ether23 untagged=ether15,ether16 vlan-ids=20
add bridge=bridge1 tagged=ether3,ether21,ether23 untagged=ether19,ether20 vlan-ids=30

(2) Ether23 has no business on this rule...... They would have to have been PVID on the bridge ports for this to be true but you showed them as trunk ports???
add bridge=bridge1 tagged=ether3 untagged=sfp1,sfp2,sfp3,sfp4,ether2,ether4,ether6,ether8,ether21,ether23 vlan-ids=10

(3) Don't know what this crap is about but I would not do it, as all you want can be accomplished by saner methods.
/interface ethernet switch port-isolation
set ether15 forwarding-override=ether3
set ether16 forwarding-override=ether3
set ether19 forwarding-override=ether3
set ether20 forwarding-override=ether3
set ether21 forwarding-override=ether3,ether2,ether4,ether6,ether8,sfp1,sfp2,sfp3,sfp4,ether23
set ether23 forwarding-override=ether3,ether2,ether4,ether6,ether8,sfp1,sfp2,sfp3,sfp4,ether21

(4) Yes, why would you put untrusted users/devices and trusted users/devices on the same VLAN or subnet, it's plain mind boggling.
Create a separate vlan for untrusted users/devices. For WiFi appliances simply create a separate SSID and security profile to separate trusted users/devices and untrusted users/devices and associate the untrusted vlan(s) with those SSIDs etc.

For example in my home I have a guest VLAN setup. I have several APs in the house; on two of them I have one vlan for guest users, and in the basement apartment I provided a different guest vlan for the tenants, separate from the guest vlan.
It's not messy.
It's: create vlan interface (interface is bridge)
It's: create ip address, ip pool, dhcp server, dhcp-server network
Add vlan to interface list members (so they get internet and DNS access).
Done
Change bridge port settings as required
Change bridge vlan settings as required..
Make WiFi changes on WiFi devices as required.
In terms of firewall rules, if you have the drop rule at the end of the forward chain, all traffic between vlans is automatically dropped.
 
DragonQ
Topic Author

Re: Isolate clients for only certain VLANs?

Thu Apr 15, 2021 5:41 pm

> (1) Missing tagging the bridge!!!!
> /interface bridge vlan
> add bridge=bridge1 tagged=ether3 untagged=sfp1,sfp2,sfp3,sfp4,ether2,ether4,ether6,ether8,ether21,ether23 vlan-ids=10
> add bridge=bridge1 tagged=ether3,ether21,ether23 untagged=ether15,ether16 vlan-ids=20
> add bridge=bridge1 tagged=ether3,ether21,ether23 untagged=ether19,ether20 vlan-ids=30

Yes, my knowledge is limited here. Tagging the bridge and giving it an IP allows the unit to be managed, is that correct? According to the help guides, something like this would work for managing via VLAN 30:
/interface bridge vlan
add bridge=bridge1 tagged=ether3 untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,ether2,ether4,ether6,ether8,ether21,ether23 vlan-ids=10
add bridge=bridge1 tagged=ether3,ether21,ether23 untagged=ether15,ether16 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether3,ether21,ether23 untagged=ether19,ether20 vlan-ids=30

/interface vlan
add interface=bridge1 name=MGMT vlan-id=30
/ip address
add address=192.168.3.1/24 interface=MGMT

> (2) Ether23 has no business on this rule...... They would have to have been PVID on the bridge ports for this to be true but you showed them as trunk ports???
> add bridge=bridge1 tagged=ether3 untagged=sfp1,sfp2,sfp3,sfp4,ether2,ether4,ether6,ether8,ether21,ether23 vlan-ids=10

You're right, I forgot to add PVID for these ports in the bridge port config. They are "hybrid" trunk ports with multiple tagged VLANs and a "native" (i.e. untagged) VLAN. I am not sure if it's possible for the WiFi APs I have to be configured without a native VLAN (UniFi AP AC Lite).

> (3) Don't know what this crap is about but I would not do it, as all you want can be accomplished by saner methods.

Such as??? The method you describe as "crap" is from the Mikrotik help guide. You're telling me it's easy and not messy but you're not telling me how to do it.

> (4) Yes, why would you put untrusted users/devices and trusted users/devices on the same VLAN or subnet, it's plain mind boggling.
> Create a separate vlan for untrusted users/devices. For WiFi appliances simply create a separate SSID and security profile to separate trusted users/devices and untrusted users/devices and associate the untrusted vlan(s) with those SSIDs etc.

Where have I said that I've put untrusted and trusted devices on the same VLAN or subnet?? What you describe is exactly what I'm doing! VLAN 20 and 30 are for untrusted devices, VLAN 10 is for trusted. Separate SSIDs exist for each VLAN. I really don't think you're understanding what I'm saying despite me trying to be very explicit.

> For example in my home I have a guest VLAN setup. I have several APs in the house; on two of them I have one vlan for guest users, and in the basement apartment I provided a different guest vlan for the tenants, separate from the guest vlan.
> It's not messy.
> It's: create vlan interface (interface is bridge)
> It's: create ip address, ip pool, dhcp server, dhcp-server network
> Add vlan to interface list members (so they get internet and DNS access).
> Done

This sounds like you're routing using the Mikrotik device though, which I don't want to do because the performance will be poor. I want to use the switch chip and my existing router will do L3 stuff. How do you stop untrusted "guest" devices on your two house APs talking to each other? If they're on the SAME AP then the AP deals with that but what if they're on DIFFERENT APs?

> Change bridge port settings as required
> Change bridge vlan settings as required..
> Make WiFi changes on WiFi devices as required.
> In terms of firewall rules, if you have the drop rule at the end of the forward chain, all traffic between vlans is automatically dropped.

Again, this assumes the router and switch are a single device. My router rules are all correct for separating VLANs etc. but that doesn't help if the switch is going to allow devices to talk to each other regardless. Yes, stopping devices on DIFFERENT VLANs talking is easy but I am trying to stop devices ON THE SAME VLAN talking to each other via the switch.
 
anav
Forum Guru

Re: Isolate clients for only certain VLANs?

Thu Apr 15, 2021 7:02 pm

I do care about untrusted devices talking to each other.
I use as many vlans as I need to separate out some devices or users from others.

Hybrid ports are fine and I think that's how the UniFi works; for some strange reason it expects the management vlan to come to it as untagged data.
So let's say your management vlan is 99 and clearly all devices (smart) should have an IP via the management vlan. (The UniFi is half smart LOL).

Scenario: MT device acting as a Switch
Ether2 goes to the UniFi, mgmt vlan is 99, vlans are needed for guest wlan vlan-20 and iot vlan vlan-30 (and I suppose the UniFi has the ability to also provide a wlan if required for the management traffic?)
Ether3 is an uplink port from router
Ether4 is going to an un-managed switch for entertainment vlan40
Ether5 is to an MT access point (needs vlans 99,20,30,40)

/interface bridge port
add bridge=bridge interface=ether2 frame-types=admit-all pvid=99 comment="hybrid port"
add bridge=bridge interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes comment="trunk port"
add bridge=bridge interface=ether4 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=40 comment="access port"
add bridge=bridge interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes comment="trunk port"

/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether5 untagged=ether2 vlan-ids=99
add bridge=bridge tagged=bridge,ether2,ether3,ether5 vlan-ids=20,30
add bridge=bridge tagged=bridge,ether3,ether5 untagged=ether4 vlan-ids=40
 
DragonQ
Topic Author

Re: Isolate clients for only certain VLANs?

Thu Apr 15, 2021 7:42 pm

> I do care about untrusted devices talking to each other.
> I use as many vlans as I need to separate out some devices or users from others.

Ah OK. That does make sense. I assume the easiest way to do this is to have the AP use a single SSID + VLAN for untrusted devices, then wired devices use a different VLAN each?

> Hybrid ports are fine and I think that's how the UniFi works; for some strange reason it expects the management vlan to come to it as untagged data.
> So let's say your management vlan is 99 and clearly all devices (smart) should have an IP via the management vlan. (The UniFi is half smart LOL).

Yep, although you can actually put the UniFi AP's management interface on any of the VLANs it's configured to use.

> Scenario: MT device acting as a Switch
> Ether2 goes to the UniFi, mgmt vlan is 99, vlans are needed for guest wlan vlan-20 and iot vlan vlan-30 (and I suppose the UniFi has the ability to also provide a wlan if required for the management traffic?)
> Ether3 is an uplink port from router
> Ether4 is going to an un-managed switch for entertainment vlan40
> Ether5 is to an MT access point (needs vlans 99,20,30,40)
>
> /interface bridge port
> add bridge=bridge interface=ether2 frame-types=admit-all pvid=99 comment="hybrid port"
> add bridge=bridge interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes comment="trunk port"
> add bridge=bridge interface=ether4 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=40 comment="access port"
> add bridge=bridge interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes comment="trunk port"
>
> /interface bridge vlan
> add bridge=bridge tagged=bridge,ether3,ether5 untagged=ether2 vlan-ids=99
> add bridge=bridge tagged=bridge,ether2,ether3,ether5 vlan-ids=20,30
> add bridge=bridge tagged=bridge,ether3,ether5 untagged=ether4 vlan-ids=40

That makes sense but unless I'm missing something, this configuration means a "guest" device (VLAN 20) on the UniFi AP can ping a "guest" device (VLAN 20) on the MT AP?
 
anav
Forum Guru

Re: Isolate clients for only certain VLANs?

Thu Apr 15, 2021 8:05 pm

Correct, use vlans to separate users as required. Be it wired users to wireless users as a demarcation line (logic).

In terms of the vlan20 on two different APs, correct; in this case what you are saying is you have guestsA and guestsB because you want to treat them as unsafe from each other LOL.
In my house that's a too bad scenario, as long as you don't get on my home network, use of my guest network is at your own risk LOL, although they still need a wifi password to gain access.
However as I stated I have two vlans for guests, one for the main house available on two APs, and one for guests in the basement on a third AP, two different vlans.

As for the UniFi, that's news to me, I have heard that it needs hybrid and the management interface coming untagged.
If that is not the case then you don't need hybrid to the UniFi AP.
Just treat it as a normal trunk port with only vlan tagged frames allowed, ingress-filtering=yes and no pvid settings for example!
 
DragonQ
Topic Author

Re: Isolate clients for only certain VLANs?

Thu Apr 15, 2021 9:03 pm

I suppose I chose the wrong example there. I don't care much about guest devices talking to each other, I care more about untrusted IoT devices talking to each other.
 
anav
Forum Guru

Re: Isolate clients for only certain VLANs?

Thu Apr 15, 2021 9:19 pm

In that case create vlans as desired. I have a solar vlan, a hvac vlan, a media vlan, several isolated single user vlans, 2 diff guest vlans, and many more................
 
DragonQ
Topic Author

Re: Isolate clients for only certain VLANs?

Thu Apr 15, 2021 11:52 pm

Yes that would work, I mentioned it in a post before. But to me that sounds more complicated than setting up a private VLAN. Having to set up and maintain subnets, DHCP, DNS, firewall rules, etc. for a dozen VLANs sounds much more annoying.
 
anav
Forum Guru

Re: Isolate clients for only certain VLANs?

Fri Apr 16, 2021 1:45 am

Up to you. I know what I do works. If you can get it to work the way you think it should be done, fantastic, don't let me stop you LOL!!
 
DragonQ
Topic Author

Re: Isolate clients for only certain VLANs?

Sat Apr 17, 2021 10:30 am

> Up to you. I know what I do works. If you can get it to work the way you think it should be done, fantastic, don't let me stop you LOL!!

I've had a look at the relevant parts of the EdgeRouter-X GUI for setting up additional VLANs to see how much work it'd be both to set up and to maintain in the future. The bit I was most worried about was the firewall rules but it turns out that's fine because each ruleset can apply to multiple virtual interfaces (i.e. VLANs). I'd still need to add new virtual interfaces and add those VIDs to the trunk ports but that's a one-time job so not a problem. DHCP would need setting up for each assuming the devices actually use DHCP but again that's a one-time job so not too bad.

I'll have a look at this approach as it may work out to be easier to maintain. Thanks for the tips.
 
anav
Forum Guru

Re: Isolate clients for only certain VLANs?

Sat Apr 17, 2021 1:10 pm

For MT routers, setting the last rule in the forward firewall filter chain to drop all basically blocks all vlan to vlan traffic at layer 3.
Then one only needs to make the necessary accept rules for allowed traffic before the last rule:
vlan to internet
access to shared devices
admin access to all vlans

The use of interface groups too can be helpful, as one can add them to the main list of WAN and LAN, add the interface members.......
VLAN_External (aka with internet access)
VLAN_Internal (without internet).

Then making firewall rules is quite simple
/ip firewall filter
add action=accept chain=forward comment="allow internet access" in-interface-list=VLAN_External out-interface-list=WAN
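As an added illustration of the rule-ordering point above (not code from the thread, and not a MikroTik tool), the following Python models a RouterOS forward chain built the way the post describes it: interface lists, explicit accept rules first, a catch-all drop last, first match wins. The interface list names WAN, VLAN_External and VLAN_Internal come from the post; the vlan interface names and the MGMT list for "admin access to all vlans" are assumptions. The second half shows the failure mode: RouterOS accepts a packet that matches no filter rule, so with the final drop missing every VLAN can reach every other.

```python
"""Added example: evaluate a RouterOS-style forward chain built as
'explicit accepts, then a final drop', matched on interface lists.

Assumed (not from the thread): the vlanNN interface names and the MGMT list.
"""

# /interface list members, assumed layout.
INTERFACE_LISTS = {
    "WAN": {"ether1"},
    "VLAN_External": {"vlan10", "vlan20", "vlan30", "vlan99"},  # get internet
    "VLAN_Internal": {"vlan40"},                                # no internet
    "MGMT": {"vlan99"},                                         # admin vlan
}

# Each rule: (comment, in-interface-list, out-interface-list, action).
# None matches any interface. Order matters: first matching rule wins.
FORWARD_CHAIN = [
    ("allow internet access",     "VLAN_External", "WAN", "accept"),
    ("admin access to all vlans", "MGMT",          None,  "accept"),
    ("drop everything else",      None,            None,  "drop"),
]


def in_list(iface, list_name):
    """True if `iface` is in the named interface list (None = match anything)."""
    return list_name is None or iface in INTERFACE_LISTS.get(list_name, set())


def evaluate(chain, in_iface, out_iface):
    """Return (action, rule comment) for a packet forwarded in_iface -> out_iface.
    A packet matching no rule falls through to the RouterOS default: accept."""
    for comment, in_l, out_l, action in chain:
        if in_list(in_iface, in_l) and in_list(out_iface, out_l):
            return action, comment
    return "accept", "no rule matched (RouterOS default policy)"


def verdict(in_iface, out_iface, chain=FORWARD_CHAIN):
    return evaluate(chain, in_iface, out_iface)[0]


def without_final_drop(chain=FORWARD_CHAIN):
    """The same chain with its trailing catch-all drop removed (the failure mode)."""
    return [r for r in chain
            if not (r[1] is None and r[2] is None and r[3] == "drop")]


def inter_vlan_leaks(chain):
    """vlan->vlan pairs the chain accepts, ignoring same-interface and MGMT sources."""
    vlans = sorted(INTERFACE_LISTS["VLAN_External"] | INTERFACE_LISTS["VLAN_Internal"])
    mgmt = INTERFACE_LISTS["MGMT"]
    return {(a, b) for a in vlans for b in vlans
            if a != b and a not in mgmt and verdict(a, b, chain) == "accept"}


if __name__ == "__main__":
    print(evaluate(FORWARD_CHAIN, "vlan20", "ether1"))
    print(evaluate(FORWARD_CHAIN, "vlan20", "vlan30"))
    print("with final drop:", inter_vlan_leaks(FORWARD_CHAIN))
    print("without final drop:", sorted(inter_vlan_leaks(without_final_drop())))
```

The point the model makes is that the catch-all drop is what turns the chain into default deny; the accept rules above it are the whole allow list, so each one should be as narrow as the traffic it is meant to admit.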
