GS1200-8HP v2 - Internet access for all, but users on port7 to be isolated from the rest
Hello,
I am struggling heavily, please help me ... I read all posts, tried a lot, I have no problem to blow up the whole configuration, but impossible to solve my problem:
My configuration:
Port8: stupid internet provider box assuring internet access for everybody, not knowing anything about vlans, address 192.168.1.1, DHCP server 192.168.1.10-100
Port7: Guesthouse - simple TP-Link router, address 192.168.2.1, DHCP server 92.168.2.10-100
Port1-6: Main house: Zyxel access points, IoT stuff, ....
My wish:
everybody (port 1-7) should have internet access,
Guesthouse port 7 should be isolated from the rest,
Main house ports 1-6 should see each other
Here just one of the (non-working, port 7 doesn't have internet access) configurations I tried:
any help would be highly appreciated,
Thanks in advance,
Danieldulot
Best Answers
-
Hello,
Thank's a lot for the time you spent for me … so, in other words, it's just impossible with my configuration. At minimum I learnt 2 things:
- a switch with vlan-ababilities doesn't make any sense in a network where other components don't have the vlan-abability
- when they sell you a switch with 'port isolation' in the publicity, verify two times, if the integration is useful and allows also to group ports or is just an 'all or nothing' like in the GS1200
Thank you again,
Danieldulot
0 -
Hello @danielson81
For port isolation, GS1200 offers basic setup to meet generic usages. For more advanced options to setup this particular network, we would recommend to use GS1900 series.
However, back to VLAN, indeed the entire network needs be considered when VLAN designed is to be planned. So unfortunately, both routers and STB do need to support VLAN to do the job.
Zyxel Nami
0
Zyxel Employee
All Replies
-
Hello @Danieldulot
We've reviewed your VLAN settings and would like to offer some clarifications and ask for additional information to better assist you:
- PVID and VLAN Configuration:
It appears you have set PVID 1 for port 1 and PVID 20 for ports 2-6, while also configuring these ports as untagged for VLANs 1 and 20, respectively. This configuration could potentially lead to issues, as outgoing traffic may not reach its intended destination correctly. Typically, a port should be configured with only one untagged VLAN. - ISP Modem:
Port8: stupid internet provider box assuring internet access for everybody, not knowing anything about vlans, address
⇒ Did you mean that your ISP modem can’t configure VLAN interfaces and doesn’t have the capability to handle VLAN packets? This information is crucial because if the modem is not VLAN-aware, it will not understand VLAN-tagged traffic (VLAN 20, VLAN 30) from port 8 of Switch.
- Is the TP-Link router a WiFi home router? Please provide us with the model name. It will help us understand its features and limitations before we provide the suggestion.
Zyxel Nami
0 - PVID and VLAN Configuration:
-
Hello,
so glad you try try to help me, here the answers to your points:
internet provider box and vlan:There is absolutely nothing about vlans in its user interface. I think internally it can handle it in some way, since you can also connect their TV decoder on a specified port, there is also normal phone input. People who want to replace this box by a normal router discuss on internet, that internet traffic/TV data/phone data comes in from the provider just with different vlan-tags ... but the provider itself (Bouygues France) is not at all helping. So, to be on the safe side, I supposed It cannot handle vlans from the client-side.
TP-Link Router for Guest-house:
It's a simple quite old TL-WR841N . Between Main house and Guest-house there is just a normal phone line, the data transmission is assured by two Zyxel P871M modems (which by the way work very well). If helpful, the router could also be configured with a different subnet mask and address-range or as access-point.
Vlan with vid 1:
Do I need this management vlan in my configuration, since there is no remote management at all?
Thank you in advance for your precious help,
Danieldulot0 -
Hello @Danieldulot
In your network setup, utilizing VLANs on the switch is a great feature for network segmentation. However, the functionality of other components like your router and modem is also critical. As per your setup, since both the router and the modem don’t support VLAN interfaces and your modem doesn’t handle VLAN packets, achieving your network isolation goals becomes challenging.
The TP-Link Router is unable to access the internet because your ISP modem doesn't handle VLAN-tagged packets. Consequently, when packets are going from the router to the modem via port 8 that is set as tagged VLAN 30, they get dropped. Altering port 8 to untagged VLAN 30 isn't a viable solution either. This is because the PVID for port 8 is set to 1, meaning any untagged incoming packets will be assigned to VLAN 1 and may not reach the router.
To achieve your requirement, you'll need to deploy a router/gateway that supports VLAN interfaces between the switch and the ISP modem. This router would manage VLAN-tagged traffic effectively, forwarding it to your switch, which is already configured for VLAN.
Vlan with vid 1: Do I need this management vlan in my configuration, since there is no remote management at all?
⇒ The management VLAN is primarily used for accessing the device's web GUI. If you wish to remove VLAN 1 and change the management VLAN to your existing VLAN such as VLAN 20 or VLAN 30, this can be easily done through the Device Setting page, as demonstrated in the screenshot below.
Zyxel Nami
0 -
Hello,
Thank's a lot for the time you spent for me … so, in other words, it's just impossible with my configuration. At minimum I learnt 2 things:
- a switch with vlan-ababilities doesn't make any sense in a network where other components don't have the vlan-abability
- when they sell you a switch with 'port isolation' in the publicity, verify two times, if the integration is useful and allows also to group ports or is just an 'all or nothing' like in the GS1200
Thank you again,
Danieldulot
0 -
Hello @danielson81
For port isolation, GS1200 offers basic setup to meet generic usages. For more advanced options to setup this particular network, we would recommend to use GS1900 series.
However, back to VLAN, indeed the entire network needs be considered when VLAN designed is to be planned. So unfortunately, both routers and STB do need to support VLAN to do the job.
Zyxel Nami
0
Categories
- All Categories
- 397 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 81 Nebula Status and Incidents
- 5.2K Security
- 93 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 921 WirelessLAN
- 35 WLAN Ideas
- 5.9K Consumer Product
- 211 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2K FAQ
- 938 Nebula FAQ
- 425 Security FAQ
- 238 Switch FAQ
- 210 WirelessLAN FAQ
- 47 Consumer Product FAQ
- 139 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight
