EX3301-T0 Isolating LAN ports from each other

Hello,

This is an old thread, but since no one answered and I have a very similar problem with my EX3301-T0, I thought I'd bump it.

Similarly to LD0035, I have some devices connected to one LAN port and others using the WiFi, and I want to isolate these two groups from each other. I have created a separate interface grouping that only includes the LAN port in question, and devices connected to that LAN port now get allocated IP addresses in a different subnet. So far so good. However, devices in the two subnets can still communicate normally with each other. I thought one purpose of interface groupings was to isolate different devices from each other. In fact, the web-based configurator for the EX3301-T0 specifies that "Devices in different groups cannot communicate with each other directly."

In addition to having different interface groupings and different subnets, is it necessary to manually configure ACL rules to block any traffic between the two subnets? I have tried configuring such rules but can't get it to work either.

Hello and thank you for the friendly welcome @tonygibbs16 !

After reading your post, I tried the following setup: I have a separate TP-Link access point connected to LAN1 and a computer directly connected by cable to LAN2. Each of the two LAN ports is configured to be in a separate interface grouping, so that the computer gets an IP address in a different subnet from any device connected to the WiFi provided by the access point. I have also configured the two LAN ports to use different VLAN IDs.

With this configuration, I am still able to ping devices on the WiFi from my computer, which is not what I wanted.

I tried using ACLs to restrict the traffic between the two interface groupings, but even when I'm using the exact IP addresses of the devices in question (in fact, the devices are discovered by the EX3301-T0), I cannot get it to work. Could the problem be that the only directions that I can choose from in my ACL rules are "WAN to LAN", "LAN to WAN", "WAN to ROUTER", and "LAN to ROUTER"? Intuitively, I would need to use something like "LAN to LAN" for my use case, but perhaps I'm not understanding this very well.

You wrote that if I still didn't have separation after configuring interface groupings and VLANs, it would probably be down to routing tables. Could routes somehow be set up so that no traffic is routed between the two subnets? I'm sorry if my question seems ignorant.

Best regards,

digital_marmot

You are welcome @digital_marmot

Your question is not ignorant in my opinion. Hosts in different VLANs should be able to be separated in general from each other, because each VLAN is a different subnets and the routing between subnets only done by a L3 routing function with a routing table.

It might be worth seeing if the latest firmware behaves differently…

* 5.50(ABVY.4.2)C0 is available to download at https://www.zyxel.com/uk/en-gb/support/download?model=ex3301-t0

* However, there does not appear to be anything in the release notes to say that something has changed…

However, it might be that the EX3301-T0 will not do what you are looking to do…

• A firewall or a different model of router might give the isolation that you are seeking.

Kind regards,

Tony