Hi there, I’m testing a VLAN configuration on a RUTX50 and I want to get advice to check if it's set up correctly. FW RUTX_R_00.07.06.6
I want to connect the router / ethernet port 4 via a trunk connection to a TP-Link TL-SG1016PE switch. The switch is set up with the corresponding VLANs.
I have added the VLANs on the Port based VLAN page, and set the physical ethernet port No. 4 as tagged for each VLAN.
I have tested the configuration by only selecting tagged for ethernet port 4 on one VLAN on the Port based VLAN page. This sent me the correct IP address for the corresponding interface.
For each of your newly created LAN interfaces (VLAN10 … VLAN40), have you set the ‘Physical Settings > Interface’ to the corresponding VLAN interface? If so, is it the corresponding eth0.??, or did you set it to something else?
I currently have the VLANs isolated from each other, however I can still log in to the router from any VLAN. I believe I shouldn’t be able to. In order to connect to the router, I should have to plug in to any other port than the VLAN trunk port, or through the management VLAN.
For an IoT network, I a) created port based VLAN 21, b) created a LAN interface called IoT and, for testing, c) created a WiFi SSID for IoT, ensuring it addressed just the IoT LAN interface. So now we get to the bits that deny access to the SSH CLI interface and the Web UI management interface.
With point 4, I don’t really know the effect of this, but what it does do is take the Firewall Zone Forwardings for WAN back to their original state of ‘Reject’.
I then created a Firewall Traffic Rule to stop the unwanted management interface access via SSH or browser.
It seems to work OK, although I haven’t properly tested. I have to admit that my firewall and VLAN knowledge is very rudimentary, but hopefully this has given you a steer to a possible avenue of investigation.
Hi Mike, sorry for the short answer earlier, I was stuck in work.
I found a post somewhere that said to change a setting in the firewall and it would prevent inter-VLAN traffic. It said to change the forward option to Reject.
It seems to work, but hasn’t isolated the VLANs and the LAN.
I don’t understand the firewall, so I will have to play around with it. But just a word of warning: it’s easy to lock yourself out of the router by changing the wrong settings. So it’s worth having a good working configuration saved as a user default configuration. You can then restore to this config, instead of having to factory default and lose your settings.
I found that using the UI to create Firewall Zones automatically placed them in the lan zone. My assumption is that we want to isolate, hence I removed IoT from the lan zone’s ‘covered networks’ … my point 3. Therefore, the lan zone and associated rules will only cover the lan segment of the network. Given your screen above, I reckon you’d have to remove those VLANs from the ‘covered networks’. This means we can now leave the lan zone able to access the router management interface (CLI and browser based) and deny the VLANs access to the management interface, by setting a rule for each individual firewall VLAN zone … my points 5 & 6.
Likewise, the UI also automatically added my IoT to the wan inter-zone forwarding … this I also removed … see my point 4.
Hopefully Teltonika will jump on the thread and highlight the true path to enlightenment.
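As an added example (not Teltonika's code and not posted by anyone in this thread), the following Python script audits a firewall config written in the UCI syntax that RutOS/OpenWrt keeps under /etc/config/firewall, checking the three points discussed above: the VLAN network is no longer in the lan zone's covered networks, the VLAN zone's own forward policy is Reject, and there is a traffic rule from that zone that rejects SSH/HTTP/HTTPS to the router itself. It also flags any zone forwarding from the VLAN zone into lan, a generalisation of the wan-forwarding point above. The embedded config is a constructed sample, and the zone names (iot, vlan30) and rule name are assumptions; the option names (name, network, forward, src, dest_port, proto, target) are the standard OpenWrt firewall options.

```python
"""Audit a UCI-style firewall config for VLAN isolation.

Hypothetical helper, not Teltonika code. Reads /etc/config/firewall
syntax and reports, per VLAN zone, anything that would still let that
VLAN reach the lan segment or the router's management services.
"""
import re

# Constructed sample in /etc/config/firewall syntax (not a real device dump).
# 'iot' is configured the way the thread recommends; 'vlan30' is not.
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    list network 'vlan30'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'iot'
    list network 'iot'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'vlan30'
    list network 'vlan30'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config forwarding
    option src 'vlan30'
    option dest 'lan'

config rule
    option name 'Block-IoT-Mgmt'
    option src 'iot'
    option proto 'tcp'
    option dest_port '22 80 443'
    option target 'REJECT'
"""

MGMT_PORTS = {"22", "80", "443"}  # SSH, Web UI (HTTP/HTTPS)


def parse_uci(text):
    """Return [(section_type, {key: value | [values]}), ...] for a UCI file."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'?([^']*)'?)?$", line)
        if m:
            current = {}
            sections.append((m.group(1), current))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == "list":
                current.setdefault(key, []).append(value)
            else:
                current[key] = value
    return sections


def rule_blocks_mgmt(rule, zone_name):
    """True if this rule rejects TCP 22/80/443 from zone_name to the router."""
    if rule.get("src") != zone_name or rule.get("dest"):
        return False  # a 'dest' makes it a forward rule, not router input
    if rule.get("target", "").upper() not in {"REJECT", "DROP"}:
        return False
    if rule.get("proto", "tcp") not in {"tcp", "tcp udp", "all", "any"}:
        return False
    ports = rule.get("dest_port", "")
    if isinstance(ports, list):
        ports = " ".join(ports)
    return MGMT_PORTS <= set(ports.split())


def audit_vlan_isolation(text, vlan_zones):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_uci(text)
    zones = {s["name"]: s for t, s in sections if t == "zone" and "name" in s}
    rules = [s for t, s in sections if t == "rule"]
    forwardings = [s for t, s in sections if t == "forwarding"]
    lan_networks = set(zones.get("lan", {}).get("network", []))
    findings = []
    for zname in vlan_zones:
        zone = zones.get(zname)
        if zone is None:
            findings.append(f"{zname}: no firewall zone defined")
            continue
        # 1. The VLAN network must not also be a covered network of 'lan'.
        overlap = lan_networks & set(zone.get("network", []))
        if overlap:
            findings.append(f"{zname}: {sorted(overlap)} still covered by lan zone")
        # 2. The zone's forward policy should be REJECT (UCI default) or DROP.
        if zone.get("forward", "REJECT").upper() not in {"REJECT", "DROP"}:
            findings.append(f"{zname}: zone forward is {zone['forward']}, expected REJECT")
        # 3. No inter-zone forwarding from this VLAN into lan.
        if any(f.get("src") == zname and f.get("dest") == "lan" for f in forwardings):
            findings.append(f"{zname}: forwarding to lan is enabled")
        # 4. A traffic rule must reject management ports to the router itself.
        if not any(rule_blocks_mgmt(r, zname) for r in rules):
            findings.append(f"{zname}: no rule rejecting SSH/HTTP/HTTPS to the router")
    return findings


if __name__ == "__main__":
    for finding in audit_vlan_isolation(SAMPLE_FIREWALL, ["iot", "vlan30"]):
        print(finding)
```

On a device you would copy /etc/config/firewall off the router and pass its contents to audit_vlan_isolation with the names of your VLAN zones; note that a zone with no forward option is treated as REJECT, which is the OpenWrt default, so only an explicit ACCEPT is reported.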
In the new window, configure the LAN network for your VLAN. I would suggest changing the network's 3rd octet to the VLAN ID for easier identification. Don’t forget to enable the DHCP server.
Save the configuration; this is how you configure a port based VLAN for a specific LAN. Now repeat this process for the different LANs you will need, and don’t forget to assign the VLAN to the LAN interfaces in physical settings.
After completing the configuration, your LAN tab should look like this: