RUTX50 VLAN config

Teltonika Networks
1

Hi there, I’m testing a VLAN configuration on a RUTX50 and I want to get advice to check if its setup correctly. FW RUTX_R_00.07.06.6

I want to connect the router / ethernet port 4 via a trunk connection to a TP-Link TL-SG1016PE switch. The switch is set up with the corresponding VLANs.

I have added the VLANS on the Port based VLAN page, and set the physical ethernet port No.4 as tagged for each VLAN.

RUTX50_VLAN_Config_1_
RUTX50_VLAN_Config_1_1536×616 50.8 KB

I have added the VLANS on the Interfaced based VLAN page, and set them to their corresponding interface.

RUTX50_VLAN_Config_2_
RUTX50_VLAN_Config_2_1541×742 39.4 KB

I have setup an interface for each VLAN, with different IP Address for each interface.

RUTX50_VLAN_Config_3_
RUTX50_VLAN_Config_3_1536×729 76.5 KB

  1. Is the configuration correct?

  2. I have tested the configuration, by only selecting tagged for ethernet port 4 on one VLAN on the Port based VLAN page, This sent me the correct IP Address for the corresponding interface.

    RUTX50_VLAN_Config_4_
    RUTX50_VLAN_Config_4_1516×670 52.1 KB

  3. I tested it with the Switch connected, and my pc got the correct IP Address from ports connected to the specific VLANs.

However I can ping each other VLAN from any VLAN. How can I isolated the VLAN’s?

Any help would be greatly appreciated.

Regards Padraic.

1 Like
2

Any advice here would be greatly appreciated. Regards Padraic.

4

I’m very interested in this as well, as I have yet to set up VLANs (my first time).

Given that Padraic has already:

  • created separate LAN interfaces
  • created port based VLANs
  • created interface based VLANs

Are the next steps:

  • create a Firewall zone and forwards for each new LAN interface?
  • in the original lan firewall zone, remove the newly created LAN interfaces, if the UI setup has placed them there?
  • are any traffic rules required, other than denying SSH, HTTP & HTTPS ‘to device’, for each new fw zone created for the VLAN subnet (if required)?
  • anything else, specifically around isolation and changes required to fw zone config and rules?

My assumptions above may be totally incorrect and it would be great to get some guidance / instruction on this. I’m basing some of my assumptions on my interpretation of this article https://wiki.teltonika-networks.com/view/VLAN_Inter-Zone_accessibility_control_configuration_example although it doesn’t explicitly deal with isolation instructions.

Also is there anything to note about how VLANs interact with a Wireguard tunnel?

Are there any performance considerations that might steer our thoughts as to how many Interfaces, Zones, VLANs are active?

Padraic … hopefully someone will give us some advice but if you get this working, please can you feed back to me … many thanks Mike

5

Hi Padraic,

For each of your newly created LAN interfaces (VLAN10 …VLAN40), have you set the ‘Physical Settings > Interface’ to the corresponding VLAN interface. If so, is it the corresponding eth0.??, or did you set it something else?

Just asking, for when I set this up?

Thx, Mike

6

Hi Mike, yes in the physical settings, I set each vlan to its corresponding interface, eth0.1 etc.

I have deleted step two from my initial set up as it was not needed.

RUTX50_VLAN_Config_2_
RUTX50_VLAN_Config_2_1541×742 39.4 KB

I currently have the vlans isolated from each other, however I can still login to the router from any vlan. I believe I shouldn’t be able to. In order to connect tot the router, I should have to plug in to any other port than the vlan trunt port. or through the management vlan.

Regards Padraic.

7

Excellent, so based upon bits of the post at How to set up a guest WiFi network on RUTX - Teltonika Networks Wiki with regards to blocking off SSH and WebUI access to the router, I set up the following as a limited test to see if it works.

  1. For an IoT network, I created a) port based VLAN 21, b) created a lan Interface called IoT and for testing c) created a WiFi SSID for IoT, ensuring it addressed just the IoT lan Interface. So now we get to the bits that deny access to the SSH CLI interface and the Web UI management interface.

  2. I created a Firewall Zone called IoT

    Create new 'IoT Firewall Zone - General Settings'
    Create new 'IoT Firewall Zone - General Settings'1204×714 49.5 KB

  3. I removed IoT from the lan Firewall Zone - covered networks

    Remove 'IoT LAN interface' from 'lan Firewall Zone'
    Remove 'IoT LAN interface' from 'lan Firewall Zone'1488×595 41.3 KB

  4. I removed IoT from the WAN Firewall Zone - allow forward to destination zones

    Remove 'IoT LAN interface' from 'WAN Firewall Zone - Inter-Zone Forwarding'
    Remove 'IoT LAN interface' from 'WAN Firewall Zone - Inter-Zone Forwarding'1222×724 60.3 KB

    With point 4, I don’t really know the effect of this but what it does do is take the Firewall Zone Forwardings for WAN, back to its original state of ‘Reject’
    image

  5. I then created a Firewall Traffic Rule to stop the unwanted management interface access via SSH or browser.

    Add new 'IoT Firewall Zone Traffic Rule'
    Add new 'IoT Firewall Zone Traffic Rule'1504×345 38.7 KB

  6. Lastly I amended the rule above to the settings below

    Amend new traffic rule
    Amend new traffic rule1163×748 85.2 KB

It seems to work OK, although I haven’t properly tested. I have to admit that my firewall and VLAN knowledge is very rudimentary but hopefully this has given you a steer to a possible avenue of investigation,

Have a good Easter … Mike

8

Can you let me know how you achieved the isolation up to this point … be handy to help me when I set things up.

9

Hi Mike, sorry for the short answer earlier, I was stuck in work.
I found a post somewhere that said to change a setting in the firewall and it would prevent inter vlan traffic. It said to change to forward option to Reject.

RUTX50_VLAN_Config_5_
RUTX50_VLAN_Config_5_1500×593 28.9 KB

It seems to work, but hasn’t isolated the vlans and the lan.
I don’t understand the firewall, so I will have to play around with it. But just a word of warning, its easy to lock yourself out of the router by changing the wrong settings. So its worth having a good working configuration saved as a user default configuration. You can then restore to this config, instead of having to factory default and loose your settings.

Have a good Easter you too. Regards Padraic.

10

I found that using the UI to create Firewall Zones, automatically placed them in the lan zone. My assumption is that we want to isolate, hence I removed IoT from the lan zone - covered networks … my point 3. Therefore, the lan Zone and associated rules will only cover the lan segment of the network. Given your screen above, I reckon you’d have to removed those VLANs from the 'covered networks - this means we can now leave the lan zone able to access the router management interface (CLI and Browser based) and deny the vlans access to the management interface, by setting a rule for each individual firewall vlan zone … my points 5 & 6.

Likewise, the UI also automatically added my IoT to the wan interzone forwarding … this I also removed … see my point 4.

Hopefully Teltonika will jump on the thread and highlight the true path to enlightenment.

11

Hi Mike, @Marijus can you offer any advice on this topic?

Regards Padraic

12

This topic was automatically closed after 15 days. New replies are no longer allowed.

13

Hello,

Thank you for providing detailed information about your configuration.

Regarding Port based and interface based configuration, I would not suggest using both features at the same time, it might not work.

I provide you with configuration example for Port based VLANS . I will break down example in 3 steps how to configure.

  1. Create port based VLAN with different VLAN ID’s and set their type to tagged.
    Open Web UI Network → VLAN → Port based → Port based VLAN

image
image975×393 59.4 KB

  1. Create new LAN networks depending on the number of VLANS you want to have, in your case it’s 4 LAN networks.

Open Web UI Network → LAN → LAN interfaces, create new instance

image
image973×206 19.4 KB

In the new window configure LAN network for your VLAN, I would suggest changing network 3rd octet to network VLAN ID for easier identification. Don’t forget to enable DHCP server

image
image973×467 32.7 KB

Open Physical settings tab and select VLAN interface you want to assign to this LAN.

image
image975×384 34.5 KB

Save the configuration, this is how you configure port based VLAN for specific LAN. Now repeat this process for different Lans you will need, and don’t forget to assign VLAN to LAN interfaces in physical settings.

After completing configuration your Lan tab should look like this:

image
image975×424 70.2 KB

  1. Now open network connection options on one of your end/local devices and set tags that you configured on Teltonika devices in network properties

image

image
image452×580 102 KB

image
image523×553 112 KB

Renew your local device address and you should have address assigned that is related to your vlan id.

image
image973×808 123 KB

Main thing to take a note you have to confirm if your switch supports dot1q port based vlans.

Hope this configuration example will help you to solve your issue.

Best regards,

Eimantas