Topic: DGS-1100 - VLAN internet access only

Winter2OO1

DGS-1100 - VLAN internet access only
« on: September 17, 2019, 06:55:34 PM »

Hi,
I have a DGS-1000 and a DIR-880L router. Would it be possible to set up a VLAN that only allows access to the internet and does not allow access to any devices on my network?

This is how it is currently set up (U: Untagged, T: Tagged, NM: Not Member):
VID 1 - Port 1T, 2U, 3U, 4U, 5NM, 6NM, 7NM, 8NM
VID 2 - Port 1T, 2NM, 3NM, 4NM, 5U, 6U, 7U, 8U

PVID
    Port 1 = 1
    Port 2 = 1
    Port 3 = 1
    Port 4 = 1
    Port 5 = 2
    Port 6 = 2
    Port 7 = 2
    Port 8 = 2

Traffic Segmentation: Disabled

Router connects to Port 1. 

If I connect to port 2, 3 or 4 I can access the internet and can also see all my devices on my network.
If I connect to port 5, 6, 7 or 8, I do not have access to the internet and do not see any of my devices on my network.

I want to modify VID 2 so that I can access the internet only.

Thanks!
« Last Edit: September 17, 2019, 07:33:32 PM by Winter2OO1 »

Winter2OO1

Re: DGS-1100 - VLAN internet access only
« Reply #1 on: September 19, 2019, 07:45:50 PM »

So I changed to port-based VLAN and it works almost the way I want.

VLAN Index 1: Port 1,2,3,4
VLAN Index 2: Port 1,5,6,7,8

Router is connected to Port 1.

Computers in VLAN 1 can't see computers in VLAN 2. This is what I want; however, both VLANs can see all my devices on the router. I don't want the VLANs to access any devices on my router.

How do I prevent traffic from the VLANs from traversing the trunk?

Thank you!

PacketTracer

Re: DGS-1100 - VLAN internet access only
« Reply #2 on: September 20, 2019, 03:36:30 PM »

Hi,

not really sure what exactly you want - but I guess you want to subdivide all devices connected to the DGS switch into two or more groups (where any group might consist of only a single device as a special case), where
  • any device within a given group can talk to any other device within that same group (if any, that is, in groups containing at least two devices) and to the internet via the router
  • any device within a given group cannot talk to any device within another group

I guess you want to form two groups A and B consisting of the devices connected to switch ports 2,3,4 for group A and 5,6,7,8 for group B, both groups featuring the characteristics described above for the general case?

Or do you perhaps want to form 5 groups A(2,3,4), B(5), C(6), D(7) and E(8), where devices within "single member" groups B to E, that is devices connected to ports 5 to 8, are isolated and can only talk to the internet?

Whatever your choice for a special subdivision into groups might be - you can achieve the desired communication behaviour by using "asymmetric" VLANs.

For example for the first scenario with groups A(2,3,4) and B(5,6,7,8) within your switch:

  • Go to "L2 Features > VLAN > Asymmetric VLAN" and enable "Asymmetric VLAN state"
  • Besides VID 1, which exists by default, add two other VLANs using VID 2 and VID 3
  • Set Port 1 (which connects to the router) to be an untagged member of VID 1, VID 2 and VID 3. Set the port's PVID to 1.
  • Set each of ports 2, 3 and 4 to be an untagged member of VID 1 and VID 2. Set each port's PVID to 2.
  • Set each of ports 5, 6, 7 and 8 to be an untagged member of VID 1 and VID 3. Set each port's PVID to 3.

Any other solution based on VLANs probably won't work because I assume that the LAN ports of your DIR router aren't capable of dealing with VLANs.

And unfortunately you can't prevent any device connected to the DGS switch (no matter what asymmetric VLAN group it belongs to) from "seeing" (that is, connecting and communicating to) any device that is connected to a router LAN port, because your router most probably doesn't provide the feature to isolate those devices within a configurable DMZ network and to define firewall rules to restrict access to them.

If you had more than 8 ports available at your DGS switch you could unplug all devices from the router and connect them to the DGS switch instead. Then you could define additional asymmetric VLAN groups for those devices and configure your switch for any communication scheme you want, that is, permission or denial of communication between any pair of devices connected to the switch and between any device and the internet.

PT

« Last Edit: September 20, 2019, 04:03:03 PM by PacketTracer »
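To make the forwarding rules behind the asymmetric layout above concrete, here is an added example (not code from the forum post or from D-Link) that models the two decisions an 802.1Q switch makes for untagged ports: an untagged frame entering a port is classified into that port's PVID, and it may only leave on ports that are members of that VID. Port numbers, VIDs and the groups A and B are taken from the thread; the "wrong PVID" variant and the requirement checks are my additions, and MAC learning and the router's own behaviour are deliberately left out.

```python
"""Switch-side reachability model for the asymmetric VLAN layout in the thread.

Added example, not the forum's text or D-Link firmware.  Only untagged
membership is modelled, which is all the proposed layout uses.
"""

ROUTER = 1            # port the DIR-880L is plugged into
GROUP_A = {2, 3, 4}
GROUP_B = {5, 6, 7, 8}

# Layout proposed in the reply above: every port untagged, port 1 in every VID.
ASYMMETRIC = {
    "members": {
        1: {1, 2, 3, 4, 5, 6, 7, 8},   # VID 1: all ports, carries router -> host traffic
        2: {1, 2, 3, 4},               # VID 2: router + group A, carries A -> router
        3: {1, 5, 6, 7, 8},            # VID 3: router + group B, carries B -> router
    },
    "pvid": {1: 1, 2: 2, 3: 2, 4: 2, 5: 3, 6: 3, 7: 3, 8: 3},
}

# Hypothetical mistake (my construction): router port's PVID set to 2 instead of 1.
ROUTER_PVID_WRONG = {
    "members": ASYMMETRIC["members"],
    "pvid": {**ASYMMETRIC["pvid"], ROUTER: 2},
}

# Reply #1's port-based VLAN, for comparison: forward iff some VLAN holds both ports.
PORT_BASED = [{1, 2, 3, 4}, {1, 5, 6, 7, 8}]


def can_forward(cfg, src, dst):
    """True if an untagged frame entering `src` is delivered to `dst`."""
    if src == dst:
        return False
    vid = cfg["pvid"][src]             # ingress classification by PVID
    return dst in cfg["members"][vid]  # egress only to members of that VID


def bidirectional(cfg, a, b):
    return can_forward(cfg, a, b) and can_forward(cfg, b, a)


def port_based_reach(vlans, src, dst):
    return src != dst and any(src in v and dst in v for v in vlans)


def check_requirements(cfg):
    """Evaluate the thread's four switch-side requirements for groups A and B."""
    within_a = all(bidirectional(cfg, a, b) for a in GROUP_A for b in GROUP_A if a != b)
    within_b = all(bidirectional(cfg, a, b) for a in GROUP_B for b in GROUP_B if a != b)
    to_router = all(bidirectional(cfg, p, ROUTER) for p in GROUP_A | GROUP_B)
    a_b_isolated = not any(can_forward(cfg, a, b) or can_forward(cfg, b, a)
                           for a in GROUP_A for b in GROUP_B)
    return {
        "within_A": within_a,
        "within_B": within_b,
        "router": to_router,
        "A_B_isolated": a_b_isolated,
    }


def reachability_matrix(cfg):
    """Rows are ingress ports, columns egress ports; '.' marks no path."""
    ports = sorted(cfg["pvid"])
    lines = ["   " + " ".join(str(p) for p in ports)]
    for a in ports:
        row = " ".join("x" if can_forward(cfg, a, b) else "." for b in ports)
        lines.append(f"{a}: {row}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(reachability_matrix(ASYMMETRIC))
    print(check_requirements(ASYMMETRIC))
    print(check_requirements(ROUTER_PVID_WRONG))
```

Running it shows why port 1's PVID has to be the VID that every port is a member of: with PVID 1 the router's replies reach both groups, while the hypothetical PVID 2 variant silently cuts group B off from the internet and nothing else in the check changes. The model also shows that the port-based layout from reply #1 yields the same switch-side matrix, which is why the remaining gap (devices on the router's own LAN and Wi-Fi) cannot be closed from the switch, exactly as the reply says.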

Winter2OO1

Re: DGS-1100 - VLAN internet access only
« Reply #3 on: September 20, 2019, 04:36:31 PM »

Thanks PacketTracer!  What you described is correct.

- I want to form two groups A(2,3,4) and B(5,6,7,8)
- Any device within a given group can talk to any other device within that same group and also to the internet via the router
- Any device within a given group cannot talk to any device within another group.
- All devices in group A and B can't talk to any device that is connected to my LAN router.
- Device on my LAN router can talk to all devices in group A and B.

Based on your information, it looks like it's not possible. I could unplug all devices from my router and connect them to the DGS switch as you suggested... but I also have devices connected wirelessly to my router and I don't want devices in group A or B to see my wireless devices. I guess I'm out of luck.

PacketTracer

Re: DGS-1100 - VLAN internet access only
« Reply #4 on: September 21, 2019, 03:01:51 AM »

Hi again,

let's call any devices connected to your router group C with the two subdivisions C1 for devices connected via wire and C2 for wireless devices.

Then there is some contradiction when you say according to the last two bullets:  A+B must not talk to C, but C may talk to A+B!
This is not a symmetric communication relationship. It could mean that you want to allow C to initiate connections to A or B (which can then send replies back to C) but not vice versa. For doing this you would typically need some firewall functionality between C and A/B.

But apart from this, what choices do you have (now assuming you meant "C must not talk to A+B", that is your last bullet was a typo)?

  • As I said, devices of group C1 could be plugged into your DGS switch. If ports are missing, you can extend the switch by a second one and connect both via a VLAN trunk.
  • For wireless clients C2, look at your router to see if it supports some "guest wifi", which means the router allows those guests to connect to the internet but prevents them from accessing the LAN.
  • Alternatively you could disable WiFi at your router and connect your wireless clients via a new Access Point (AP) connected to the (extended) switch platform. For the port the AP is connected to, you simply define another asymmetric VLAN group. Or you provide a new router without WiFi for internet access and degrade your present router to function like an AP (that is, it just forms a bridge between WiFi and LAN).

With an AP instead of WiFi via Router and two coupled switches your scenario would resemble another one described here. Compared to your scenario you would need an additional asymmetric VLAN, because you have 3 groups that have to be isolated from each other.

All choices discussed so far depend on isolation mechanisms within layer 2 of the network stack (that is, Ethernet/WiFi and use of asymmetric VLANs). Alternatively you could establish isolation at layer 3 of the network stack (that is, the IP layer) by using different IP networks for each group A, B and C and some firewall that routes and filters between A, B, C and the internet. For wired connections within each network you could use your switch, this time with standard (non-asymmetric) VLANs where each VLAN represents one IP network.

PT
« Last Edit: September 21, 2019, 03:37:00 AM by PacketTracer »

Winter2OO1

Re: DGS-1100 - VLAN internet access only
« Reply #5 on: September 21, 2019, 05:57:17 PM »

Thanks again PacketTracer! The reason I want A+B not to talk to C, but C to be able to talk to A+B, is because:

Group A: Smart TVs
Group B: Network Attached Storage
Group C: Tablets, Laptops etc...(router LAN ports and wireless)

I want C to 'see' A and B so I can continue to cast my screen to the TV or save/retrieve files to/from my NAS. I do not want the Smart TVs or the NAS to access my laptops.

PacketTracer

Re: DGS-1100 - VLAN internet access only
« Reply #6 on: September 21, 2019, 11:48:18 PM »

Hi again,

I think you are close to what is probably the single option left:

Quote
A+B must not talk to C, but C may talk to A+B! This is not a symmetric communication relationship. It could mean that you want to allow C to initiate connections to A or B (which can then send replies back to C) but not vice versa. For doing this you would typically need some firewall functionality between C and A/B.

Quote
All choices discussed so far depend on isolation mechanisms within layer 2 of the network stack (that is, Ethernet/WiFi and use of asymmetric VLANs). Alternatively you could establish isolation at layer 3 of the network stack (that is, the IP layer) by using different IP networks for each group A, B and C and some firewall that routes and filters between A, B, C and the internet. For wired connections within each network you could use your switch, this time with standard (non-asymmetric) VLANs where each VLAN represents one IP network.

PT
« Last Edit: September 22, 2019, 02:50:26 AM by PacketTracer »
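The layer-3 option quoted in this last reply (and first described in reply #4) hinges on the one-way relationship the thread settled on: laptops and tablets (C) may open connections to the TVs (A) and the NAS (B), replies flow back, but A and B may not open anything towards C. That is exactly what a stateful forward chain expresses. The following is an added example, not code from the forum or from any router product: it models such a filter in Python with one assumed /24 per group (the subnets are my choice), a flow table standing in for connection tracking, and constructed sample packets; a real deployment would write the same policy as iptables/nftables rules on whatever box routes between the three networks.

```python
"""Stateful filter model for the layer-3 layout: one IP network per group,
a firewall routing between them.  Added example with assumed subnets; the
rule order mirrors a typical forward chain (established first, then new).
"""
from ipaddress import ip_address, ip_network

# Assumed addressing, one network per group (not from the thread).
NETS = {
    "A": ip_network("192.168.10.0/24"),   # smart TVs
    "B": ip_network("192.168.20.0/24"),   # NAS
    "C": ip_network("192.168.30.0/24"),   # laptops, tablets, wireless clients
}

# Which (initiator group, destination group) pairs may open NEW flows.
# Replies never need a rule: they match the flow table instead.
ALLOWED_NEW = {
    ("C", "A"), ("C", "B"),                                    # C may reach TVs and NAS
    ("A", "INTERNET"), ("B", "INTERNET"), ("C", "INTERNET"),   # everyone may reach the internet
}


def group_of(addr: str) -> str:
    """Map an IP address to its group; anything outside the three /24s is INTERNET."""
    a = ip_address(addr)
    for name, net in NETS.items():
        if a in net:
            return name
    return "INTERNET"


class StatefulFilter:
    """Minimal conntrack stand-in: remembers accepted new flows by 5-tuple."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    @staticmethod
    def _key(p: dict) -> tuple:
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

    @staticmethod
    def _reverse_key(p: dict) -> tuple:
        return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])

    def decide(self, p: dict) -> str:
        """Return 'accept' or 'drop' for one forwarded packet and update state."""
        # Rule 1: ct state established,related -> accept (covers replies in either direction)
        if self._key(p) in self.flows or self._reverse_key(p) in self.flows:
            return "accept"
        # Rule 2: ct state new -> accept only for allowed initiator/destination pairs
        if (group_of(p["src"]), group_of(p["dst"])) in ALLOWED_NEW:
            self.flows.add(self._key(p))
            return "accept"
        # Default policy: drop
        return "drop"


def tcp(src: str, dst: str, sport: int, dport: int) -> dict:
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport}


def demo() -> list[str]:
    """Constructed sample traffic (203.0.113.10 is a documentation address)."""
    fw = StatefulFilter()
    packets = [
        tcp("192.168.30.5", "192.168.20.9", 40001, 445),    # laptop -> NAS (SMB): new, allowed
        tcp("192.168.20.9", "192.168.30.5", 445, 40001),    # NAS reply: established
        tcp("192.168.20.9", "192.168.30.5", 51000, 22),     # NAS -> laptop: new, not allowed
        tcp("192.168.10.2", "192.168.20.9", 33000, 445),    # TV -> NAS: cross-group, not allowed
        tcp("192.168.10.2", "203.0.113.10", 33001, 443),    # TV -> internet: allowed
        tcp("203.0.113.10", "192.168.10.2", 443, 33001),    # internet reply: established
        tcp("203.0.113.10", "192.168.10.2", 443, 5000),     # unsolicited inbound: dropped
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two practical caveats follow from this model. First, the NAS never needs an "allow B to C" rule for file transfers the laptop started, because its packets match the established flow; adding such a rule would reopen exactly the path the poster wants closed. Second, screen casting and NAS discovery rely on link-local multicast (mDNS, SSDP) that a router does not forward, so once A, B and C are separate IP networks an mDNS reflector (or manual addressing) is needed on the firewall in addition to these rules.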