subnets or vlan - is this possible?


7 replies to this topic

#1 JoshNelson

Posted 06 November 2017 - 12:25 AM

I have a number of devices on my network and would like to isolate them by type... and I'm not quite sure how to go about it or if it's even possible. Most of the devices connect via wireless (Netgear Orbi RBR50 - router and 1 satellite), though a couple connect via wired connection (on a port on the main Orbi router).
 
So - I have a few groups of various types of equipment connecting to my network. They are:
 
1. office equipment (work PCs, printer, etc)
2. entertainment (PS4, Fire TV, etc)
3. IoT devices (Canary security cameras, random Raspberry Pi homebrew projects)
4. Guest devices (phones, tablets, etc)
 
All of these groups need internet access but none of them really need to access devices in the other groups. What I was trying (and failing) to do is create VLANs for each group, and have separate DHCP scopes/subnets for each group (office being 192.168.1.xxx, entertainment being 192.168.2.xxx, etc).
 
I have the following equipment available to me:
 
1. Netgear Orbi RBR50 (router and 1 satellite), latest firmware 2.0.0.74 (btw - when is this going to be patched to address the WPA2 issues?)
2. A couple of Netgear N600 WNDR3700 routers (though I would not want to use the wireless radios on these and would want everything to use the Orbi). One of these I have installed OpenWrt on, the other is running the regular Netgear firmware.
3. TP-Link TL-SG108E managed switch
 
So - my question is: can I accomplish separate subnets and network isolation (VLANs?) for each of these groups using the equipment that I have, taking into consideration that 98% of them will connect wirelessly via the Netgear Orbi?



#2 toofarnorth

Posted 06 November 2017 - 06:49 AM

Hello

I downloaded the Orbi RBR50 manual and it seems it doesn't support VLAN tagging of different SSIDs.

It is not on the DD-WRT list of supported hardware either.

This means that you are limited to differentiating between regular users and guest users on the Wi-Fi network.


Hth!

 

tfn
 



#3 JoshNelson


Posted 06 November 2017 - 09:44 AM

OpenWrt supports VLANs, as does the TP-Link switch. The Orbi would be used in AP mode.



#4 toofarnorth

Posted 06 November 2017 - 10:40 AM

The issue is that the Orbi won't add a VLAN tag to each SSID, so even if the other components support VLANs it won't work :(

tfn



#5 JoshNelson


Posted 06 November 2017 - 10:42 AM

Even if it's just used as an AP?



#6 toofarnorth

Posted 06 November 2017 - 11:12 AM

The manual says nothing about adding VLAN tags to SSIDs.
Recent posts on Netgear's forum talk about the lack of this feature.

That still doesn't mean they could have added it with firmware updates made after writing the manual/forum posts.

Log in to the Orbi and check if you have anything VLAN related under SSID settings.

If not, you will be limited to guest / non-guest separation.
And I suspect that will only work if you run the device as a router.

Been struggling with the same thing on a Linksys WRT-AC1900. At least on that one I could install DD-WRT so I could add the feature.


tfn



#7 toofarnorth

Posted 06 November 2017 - 11:39 AM

This image gives a representation of what needs to be happening in the APs.

Each SSID will have to mark the traffic with a VLAN tag so that the device that receives this traffic knows what to do with it.

If it can't tag each SSID then there is no way for the later device to differentiate between them, meaning that it won't be able to isolate them.

 

Hth!

 

tfn
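An added illustration of the tagging point made in the post above (not part of the original thread and not code from any poster): it builds Ethernet frames with and without an 802.1Q tag and shows what a downstream switch or router can tell from the frame alone. The VLAN IDs, group names and MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag
# Assumed VLAN IDs for the four groups in the thread (IDs are illustrative).
VLAN_GROUPS = {10: "office", 20: "entertainment", 30: "iot", 40: "guest"}
UNTAGGED_GROUP = "default LAN"  # where a switch port places untagged frames

def build_frame(dst, src, payload, vlan_id=None, ethertype=0x0800):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is set."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        header += struct.pack("!HH", TPID_8021Q, vlan_id)  # priority bits = 0
    return header + struct.pack("!H", ethertype) + payload

def vlan_of(frame):
    """Return the 802.1Q VLAN ID of a frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the tag control field are the VLAN ID

def group_for(frame):
    """The segment a downstream device can assign from the frame alone."""
    vid = vlan_of(frame)
    if vid is None:
        return UNTAGGED_GROUP
    return VLAN_GROUPS.get(vid, "dropped (unknown VLAN)")

# Constructed sample traffic: a work PC and a camera, each on its own SSID.
ROUTER = bytes.fromhex("02aabbcc0001")
WORK_PC = bytes.fromhex("02aabbcc0010")
CAMERA = bytes.fromhex("02aabbcc0030")

def demo():
    """Compare an AP that bridges SSIDs untagged with one that tags per SSID."""
    untagged = [build_frame(ROUTER, WORK_PC, b"pc"),
                build_frame(ROUTER, CAMERA, b"cam")]
    tagged = [build_frame(ROUTER, WORK_PC, b"pc", 10),
              build_frame(ROUTER, CAMERA, b"cam", 30)]
    return [group_for(f) for f in untagged], [group_for(f) for f in tagged]

if __name__ == "__main__":
    print(demo())
```

With untagged frames both devices land in the same segment, so no per-group subnet or firewall rule can be applied further along the path.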




#8 JoshNelson


Posted 06 November 2017 - 11:44 AM

Well, then I guess I really have no choice but to use the "guest" network or decide I can live with things the way they are. I was hoping to avoid that but it doesn't look like I really have any other options.

 

And I won't hold my breath on a future firmware update - they've yet to patch the WPA2 vulnerabilities.

 

thx.





