Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[josephwit]

I am trying to set up 2 VLANs to isolate my wired internet-connected "Internet of Things (IOT) " devices (wi-fi thermostat, solar energy system, DVD players, etc) from my network of home computers, for improved security, while giving internet access to all of them.  I essentially need the wired a equivalent of my Router's wi-fi Guest Network but for wired devices.

I have a connection from one of my Asus RT-AC68U Router's ports (internet) to the DGS1210-10 switch. I have 4 devices for the IOT VLAN, and one for the Computers VLAN, to run though the switch. I can set up 2 VLANs and assign ports for the devices, but I don't see how to configure it so that BOTH VLANs get internet access.
I will learn more about VLANs gradually - but I am hoping someone can give me discreet configuration instructions so I can get my networks up without having to become an advanced expert first. THANK YOU!

[PacketTracer]

Hi,

I think the best solution fitting your needs is to use the "asymmetric VLAN" feature, that is fortunately supported by your switch. A good description can be found here.

You can adapt that description to your Switch as follows:

Default VLAN 1 is used as "shared VLAN" and the group of shared ports only contains a single port, namely the port, your router is connected to - say port 8. Add VLAN 2 (IOT-VLAN) and configure ports 1-4 and 8 to be untagged members of VLAN 2. Connect your IOT-Devices to ports 1-4.
Add VLAN 3 (Computers VLAN) and configure ports 5-8 to be untagged members of VLAN 2. Connect your computer to port 5. Ports 6 and 7 can be used for additional computers in the future.

Set PVID for ports 1-8 as follows: 2-2-2-2-3-3-3-1

Note: "Asymmetric VLAN" is a proprietary D-Link feature. It resembles what other vendors call "private VLAN" (standardized via RFC5517) where D-Link's shared VLAN (1 in your case) corresponds to PVLAN's primary VLAN and the other access VLANs (2, 3 in your case) correspond to PVLAN's secondary community VLANs (there is no analogon to PVLAN's isolated VLANs). If you want to learn about VLANs, asymmetric VLAN is definitely not a beginner's scenario ...

PT

<EDIT>
One important remark I forgot to mention: Per default the switch is managed via VLAN 1 - hence you have to connect your management PC to a switchport that doesn't change its VLAN 1 membership during configuration, that is port 8 (before being connected to the router) or ports 9 and 10 (which belong to VLAN 1 but are no shared ports, because in contrast to port 8 they don't become simultaneously members of VLANs 2 and 3).

In additon you may want to use ports 9 and 10 for your "Computers VLAN" 3 because of their higher bandwith. If so, I'd suggest you change the roles of ports 6,7 (leaving their configuration unchanged, using one of them to connect to the management PC) with ports 9,10 (assigning them to VLAN 3). In this case  the PVID for ports 1-10 should look as follows: 2-2-2-2-3-1-1-1-3-3. Connect your "Computer" to port 9 (or 10), where ports 5 and 10 (or 9) can be used for additional computers in the future.
</EDIT>

[FurryNutz]

Link>Welcome!

• What region are you located?

I am trying to set up 2 VLANs to isolate my wired internet-connected "Internet of Things (IOT) " devices (wi-fi thermostat, solar energy system, DVD players, etc) from my network of home computers, for improved security, while giving internet access to all of them.  I essentially need the wired a equivalent of my Router's wi-fi Guest Network but for wired devices.

I have a connection from one of my Asus RT-AC68U Router's ports (internet) to the DGS1210-10 switch. I have 4 devices for the IOT VLAN, and one for the Computers VLAN, to run though the switch. I can set up 2 VLANs and assign ports for the devices, but I don't see how to configure it so that BOTH VLANs get internet access.
I will learn more about VLANs gradually - but I am hoping someone can give me discreet configuration instructions so I can get my networks up without having to become an advanced expert first. THANK YOU!

[josephwit]

Thanks for detailed help, PacketTracer. I pretty much slaved through it and I think I came up with what you are saying, though of course my port numbers are different. To clarify - for the default VLAN 1, I have all of my connected devices as untagged members, giving all devices internet access, with only the physical port connected to my router being assigned that VLAN. My admin computer is on VLAN 2, but I did not lose admin access when assigning the computer's port to VLAN 2. VLAN 2 contains the computer, another computer, an NAS drive, and the router port as untagged members. The IOT VLAN has the IOT device ports and the router port as members. It seems to be working as intended - does this sound correct?

One additional complication is that I also have my router (Asus RT-AC68U) managing quite a few wi-fi devices, both computers and IOTs. I have an IOT guest network that is isolated from the main computer network - so the wireless IOTs don't see the other devices - but the router sees them, and the router is connected to the switch, so the computers plugged into the switch are not isolated from them. I am thinking I would need a separate gateway router, with no connected devices, plugging into the switch, and a second router, acting as an access point, plugged into another port on  the switch in order to complete isolate both wired and wireless IOTs from computers - true? No way to do with just the single router and single switch?

This is basically a home network, and I am doing this as a hobby to learn and for fun, as well as for security. I don't think I am first on the list to be hacked through my thermostat...  Thanks!

[PacketTracer]

Hi again,

My admin computer is on VLAN 2, but I did not lose admin access when assigning the computer's port to VLAN 2.

That's probably because with asymmetric VLAN all VLANs involved still belong to the same IP network, and given the switch management IP address lies within this network either, it should be reachable from any device, no matter which VLAN it belongs to, as long as the "Management LAN" feature is disabled. Maybe you should enable the Management VLAN and restrict management access to a specific VLAN.

It seems to be working as intended - does this sound correct?

Yes, the relevant things are, that the asymmetric VLAN feature is enabled, and that any shared port (in your case the router's port only) becomes an untagged member of any VLAN in use, while any "unshared" port must be an untagged member of a single "access VLAN" and the "shared VLAN". In addition the PVID of any "unshared" port must be set to its "Access VLAN", while the PVID of "shared Ports" must be set to the "shared VLAN". It looks like you did all these things in this way (see also this short and concise Introduction to Asymmetric VLANs). There is only one ambiguity when considering ports, that are untagged members of the shared VLAN only: Are they also shared ports or are they unshared ports where the "access VLAN" happens to be equal to the "shared VLAN"? I guess, the second choice is true - please check this for your devices that are connected to VLAN 1 ports - they should only be allowed to talk to each other and to the router, if my assumption is true.

One additional complication is that I also have my router (Asus RT-AC68U) managing quite a few wi-fi devices, both computers and IOTs. I have an IOT guest network that is isolated from the main computer network - so the wireless IOTs don't see the other devices - but the router sees them, and the router is connected to the switch, so the computers plugged into the switch are not isolated from them. I am thinking I would need a separate gateway router, with no connected devices, plugging into the switch, and a second router, acting as an access point, plugged into another port on  the switch in order to complete isolate both wired and wireless IOTs from computers - true? No way to do with just the single router and single switch?

Sorry, from your description I do not understand, what your router scenario really looks like - e.g. is your "guest network" wired or wireless or both?

In general, from the perspective of the router, a guest network should be an IP network different from the LAN IP network (with WIFI via using a different SSID that maps to the guest network, or in the wired case by providing a second Ethernet port (extensible via an unmanaged switch to connect several devices), that is physically or logically (e.g. via internal VLANs) separated from standard LAN ports); and the router should ensure, that no traffic is routed between guest an LAN network.

On the other hand, if you have wireless devices connected to your router's WIFI, and your router does not isolate those devices within a "guest network" as described above (that is, they get IP addresses from your LAN network), then those wireless devices are members of the "shared network" via the router, where the router forms a layer 2 bridge between the wifi devices under consideration and the wired link to your switch. Hence like the router, those wifi devices can talk to any device connected to your switch.

If this is unwanted, you could use a separate WIFI access point (AP) connected to an unshared switch port (e.g. member of the IOT-VLAN), and connect the wifi devices under consideration to this AP, using a new and unique SSID for it. This AP could be another router with WIFI support, where its WAN port (and its routing function) isn't used, but that is connected to the switch via a LAN port instead. Hence you would only use the additional router's layer 2 bridging function between wired and wireless (give that router a management address from your LAN network and switch off any DHCP server function - for management temporarily plug the AP or router to a VLAN 2 access port, hence it can be accessed from your management PC).

PT

[josephwit]

Asymmetric VLAN is definitely enabled. My wired IOT devices are connected to the smart switch (IOT VLAN). My Guest Network is wi-fi (only) IOT devices, and is as you describe in the second scenario - it has a different SSID from the main (computer) network, and is set within the router that the Guest Network is "isolated" from the main network - but the Guest devices are on the same IP subnet. When I log into the router and list the connected devices, I can't even tell which SSID the devices are logged onto.
 
So if my wi-fi Guest Network were hacked, there would be no access to my computers. At least that.

So attached is my actual config. https://we.tl/7TguCEPyiu

 I have 2 IOT VLANs - I just separated the 2 VOIP devices.

So why, from my PC on port 7, (assigned to VLAN 2) am I able to access a port 80 GUI from the IOT device on port 2 (VLAN 3)? (none of the other devices have web interfaces for me to try)? Why isn't the switch preventing this?

[PacketTracer]

Hi again,

from your last post's attach I derived the following condensed view of your configuration:

.--------+----+----+----+----+----+----+----+----+----+----+-------------.
|  Port  | 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 | 10 | VLAN Name   |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  VID 4 |    |    |    |  X |  X |  X |    |    |    |    | VOIP        |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  VID 3 |  X |  X |    |  X |    |    |    |    |    |    | IOT Devices |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  VID 2 |    |    |  X |  X |    |    |  X |  X |    |    | macnet1     |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  VID 1 |  X |  X |  X |  X |  X |  X |  X |  X |  X |  X | default     |
+--------+----+----+----+----+----+----+----+----+----+----+-------------+
|  PVID  |  3 |  3 |  2 |  1 |  4 |  4 |  2 |  2 |  1 |  1 |             |
`--------+----+----+----+----+----+----+----+----+----+----+-------------´
            |    |    |    |    |    |    |    |    |    |
            I    I    N    R    I    I    P    P    %    %
            O    O    A    O    O    O    C    C
            T    T    S    U    T    T    1    2
            1    1         T    2    2
            1    2         E    1    2
                           R

Here an 'X' means: The switch port denominated by the column's title is an untagged member of the VLAN denominated by the row's title.

This perfectly reflects the asymmetric VLAN descriptions and examples given elsewhere, where

• VLAN 1 (defaut) is the shared VLAN and port 4 alone spans the shared port group.
• VLAN 2 (macnet1) is the first access VLAN with ports 3,7,8 spanning the corresponding access port group (NAS, PC1, PC2)
• VLAN 3 (IOT Devices) is the second access VLAN with ports 1,2 spanning the corresponding access port group (IOT11, IOT12)
• VLAN 4 (VOIP) is the third access VLAN with ports 5,6 spanning the corresponding access port group (IOT21, IOT22)

So it should work in theory.

[Considering ports 9,10, my assumption is, that they are not shared ports but span a fourth access port group for the special case, where access VLAN = shared VLAN. To make those ports shared ports, they must also (like port 4) be configurred to be untagged members of VLANs 2-4.]

So why, from my PC on port 7, (assigned to VLAN 2) am I able to access a port 80 GUI from the IOT device on port 2 (VLAN 3)?

To be honest: I don't know what's wrong.

PT

[josephwit]

Wow! That was a lot more work than taking screen shots! lol Thank you so much for your time on this.

So I'm thinking in terms of what it would take (theoretically if not practically) to do it the right way - to get ALL the wireless AND wired IOT devices isolated from computers, on separate subnets. I still cannot tell exactly how my router's Guest (wi-fi) networks isolates from the main network, which ASUS calls "intranet" - I presume "intranet" is all of the wired connected wired devices (connected to router, there aren't any now) plus all wireless devices NOT on an isolated Guest Network.
 
Of course, one additional complication. I have a second router (same model) in WAP mode across my house - I don't get adequate wi-fi coverage without it. Both IOT and non-IOT wireless devices connect to it, and it is connected by Ethernet to the main router. The WAP is also set up with an isolated Guest Network for its wireless IOTs. (No wired devices at all - all wired IOTs connect to the switch)

I'm thinking as I type. Each router can output to only a single IP range/subnet, so I would need 2 routers at each end of my house, plus a gateway router in front of the switch, to achieve the goal? 5 routers??

I have read that it is possible to hack the ASUS RT-AC68 Router with command line config to set up internal VLAN support and isolate one of its 4 ethernet outs - but I don't think I'm ready for that. I also think ASUS more recent firmware has been made harder to modify. Over my head.

Still thinking about the apparent glitch with the switch routing. When I type the IP address of hardwired IOT device (port 1, VLAN 3) in my browser (from PC on port 7, VLAN 2), I get a sign-in  window for the device. The device and the PC are hardwired to the switch on different VLANs, so they should not communicate. The device is a Rainforest Eagle gateway that connects wirelessly to my smart electric meter outside, and sends the info to Rainforest cloud. The wireless communication is via Zigbee, which is a 2.4GHz protocol, I thought Zigbee was transparent to normal wi-fi, but maybe I am accessing the signon window through Zigbee somehow?

[PacketTracer]

Hi once more,

if I interprete your considerations correctly I'd conclude you think about an isolation of devices at the IP layer (L3) instead of the present isolation at layer 2. This is the more professional and flexible but also more expensive choice:

You'd need a VLAN capable firewall appliance (FW) (instead of your ASUS router), a VLAN capable switch and one or more WIFI access points (AP) that are capable to map several SSIDs to different VLANs. The FW should allow to define as many internal VLAN based IP interfaces as you need, one for the WAN interface and one per "internal" VLAN, where you define one VLAN per group of devices that you want to isolate from all other devices. You would setup firewall rules that block any routing between internal VLANs (each one forming a separate IP subnet), but allow forwarding (+ NAT) to the WAN interface from all internal VLANs for Internet use.

You would connect the FW to the switch via one Ethernet port (or a LAG for more bandwith if supported) and configure a VLAN trunk for that link, that consists of all internal VLANs. For wired devices you would define "access ports" (untagged members of exactly one VLAN), where the set of access ports configured for the same VLAN constitutes one isolation group (and an IP subnet) for a specific device class (computers and NAS or a specific subset of IOT devices). A multi-SSID/VLAN capable AP would allow to map several wireless isolation groups (one SSID per group) 1:1 to a set of VLANs, hence like the FW the AP must be wired to the switch via a VLAN trunk, that consists of this subset of VLANs. Another choice were to use (simple) single SSID-only APs conncected to "access port", where you would need one AP per SSID/VLAN/wireless isolation group.

Your last paragraph: Maybe the sign-in windows comes from the browser's cache? (So clear the cache and try again). Can you really sign in? Can you run Wireshark at your PC and analyze what happens from a packet trace (do you see a complete TCP handshake/connection setup between your PC's IP address and the IOT device's internal IP address?). Is the IOT device under consideration reachable from the Internet, that is via a port forwarding configured in your ASUS router? If so, how do you address the IOT device from your PC: Via an URL that resolves to the public IP address of your router? If so you would have a so called hairpinning communication from your PC to the IOT device "via the bank", that is your router.

PT

[josephwit]

OK, right.... thanks for a quick glance at the right way to do it - but not gonna happen any time soon...
I thought maybe I was getting the sign-in window through the device's internet portal - since I know I can log into that portal with a browser and read the device (connected on IOT VLAN) - but what I am typing in browser is local IP address of the device, so that doesn't make sense. Haven't tried actually logging in - the device ID and pw are on the bottom of the device, not easy to get to at the moment. Heck, doesn't matter...

Problem now is my network discovery has gone nuts. Not seeing networked computers (mac and NAS) on my 2 windows 10 machines. I can access their drives by IP. Not sure but seems like it started when I alternately connected my Mac to the IOT wireless network to test the isolation. Thought maybe the router blacklisted the MAC address when the Mac was on IOT and was supposed to be isolated, - and didn't release it properly. Playing with nbtstat and clearing every cache I can find... reset the switch to factory. Really don't want to reset the router to factory - complex config, and if I back up and restore the current settings, it will likely contain the same error... oh well...

But way off topic. Sorry. Thanks again for your help!!

[PacketTracer]

Hi,

maybe this and that may help solve your network discovery problems.

PT

[josephwit]

Thanks - but ya, I got all that. Its actually working at the moment. Seems to maybe have to do with which device is Master Browser at the moment. I'm seeing all devices now with my NAS (WD MyBookLive) as Master Browser. MB tends to change as devices get restarted. NAS usually stays on. We'll see.
nbtstat was showing that all devices were registered and resolved by broadcast - while they still weren't showing up in the Network window. All dependent services running. Who knows... not a unique problem I gather. Appreciate your help!

[FurryNutz]

Any progress on this?

[josephwit]

Working OK. All devices visible in Network browser (because NAS is Master Browser?). Actually bought an extra Asus RT-AC68U router to install and play with DD-WRT software which allows VLAN config - but more than I wanted to learn (fascinating though!). I am certainly more protected than the average user, and I don't really have any reason to stand out as a target, so its good enough

Joe

[FurryNutz]

Glad it's working. Enjoy.