VLAN configuration GS1350-12HP

Hi @henkheijmink,

Setting up VLANs on your Zyxel GS1350-12HP is an excellent approach to isolate your guest WiFi network from your office network. Here's a step-by-step guide to achieve this:

Initial Solution: VLAN Configuration on GS1350-12HP

1. Plan your VLANs:

   • You'll need at least two VLANs: one for your office network (e.g., VLAN 1, which is often the default) and one for your guest WiFi (e.g., VLAN 10).
   • Each VLAN will require its own unique IP subnet. Since your current router acts as a DHCP server in a single subnet, you will need to configure your router to handle multiple IP subnets, one for each VLAN. A single DHCP server can provide IP addresses for multiple VLANs, but each VLAN needs its own distinct IP range. This is typically done through DHCP relay if the DHCP server is on a different subnet than the VLANs, or by configuring separate DHCP scopes on the router for each VLAN.

2. Configure VLANs on your GS1350-12HP switch:

   • Access the switch's web interface.
   • Go to the VLAN configuration section.
   • Create a new VLAN for guests: Create VLAN 10 (or your chosen guest VLAN ID).
   • Assign ports to VLANs:
     • Uplink Port (to your router): This port needs to be configured as a "trunk" port. It should be a tagged member of both VLAN 1 (office) and VLAN 10 (guest). This allows traffic from both VLANs to pass to and from your router, preserving their VLAN tags.
     • Ports for your WiFi Access Points: If your access points support VLAN tagging, configure the ports they connect to as tagged members of VLAN 10 (guest). The access points will then tag guest WiFi traffic with VLAN 10. You might also need to set the PVID (Port VLAN ID) of these ports to the office VLAN (e.g., 1) if the access point itself is managed on the office network.
     • Ports for Office Network Devices: Configure these ports as untagged members of VLAN 1. Their PVID should also be set to 1.
     • Forbidden Ports: For any ports not used by the office or guest network, you can set them as "Forbidden" for both VLANs to enhance security.

3. Configure your WiFi Access Points:

   • Within your access point settings, ensure that the guest WiFi SSID is configured to use VLAN 10. Many access points have options for "Intra-BSS traffic blocking" for guest networks, which will prevent guest devices from communicating with each other even within the same guest VLAN.

4. Configure your Router (DHCP Server):

   • Your router needs to be configured to support multiple VLANs and provide DHCP services for each. This involves creating virtual interfaces for each VLAN on the router's internal interface.
   • For VLAN 1 (office), your router will continue to provide IP addresses in its current subnet.
   • For VLAN 10 (guest), configure a new DHCP scope or pool with a different IP address range (e.g., 192.168.10.0/24) and assign it to the VLAN 10 interface on your router.
   • Ensure your router has appropriate firewall rules to prevent traffic from VLAN 10 (guest) from accessing VLAN 1 (office) while still allowing internet access for guests.

Information Collection Guide:

To provide more tailored assistance, please provide the following details:

• Router Model and Brand: This is crucial for understanding its VLAN and DHCP capabilities.
• Firmware Version of your GS1350-12HP: This can help identify specific configuration options.
• Network Topology Map: A simple diagram showing how your router, GS1350-12HP switch, and WiFi access points are connected, along with which ports are used.
• Screenshots of your current switch VLAN configuration (if any): This will help us understand your existing setup.