
Help with best topology scenario and adding IoT VLAN

  • #6476
    just_a_goat2
    Participant

    I’ve successfully configured the PW-AX1800 with basic services including profiles in Access Control and now I would like to try a more advanced configuration. Current setup has LAN 1 – web server in DMZ. LAN 2 connected to an Access Point with Wifi in bridge mode and LAN 3 connected to a Cisco SG200 smart switch. Wifi has a single SSID for both 2.4 and 5 bands and a separate SSID (limited to 2.4 GHz… just because I can 😉) for guests. The AP is in the basement and the PW-AX1800 on the 2nd floor (still trying to improve coverage but that is for later).

    Everything is working well but is the current topology best practice or should I change how things are connected?

    Next, I would like to add an IoT VLAN that doesn’t have access to the Internet. It would be Wifi 2.4 ghz and a Hubitat Hub (C8).

    How should I configure the IoT VLAN? Do I need to create another dedicated SSID in order to limit it to 2.4 GHz? Create a new Wifi with X1? Ideally I would prefer that only the Home Hub and my laptop have direct access to the IoT network (both have static IPs). Every other user has to use the Home app/iOS to control the devices.

    #6480
    support
    Keymaster

    Yeah you can create a 2.4GHz SSID with X1 for IoT. If you connect your laptop to LAN and IoT on X1, then you need to enable LAN to X1 communications (i.e., check the box with source LAN and destination X1, which is on by default).

    You can use Access Control to block Internet access for devices. Just create a profile with “White List” URL filtering but enter no domains in the white list box.

    #6481
    just_a_goat2
    Participant

    Is there a way to maybe add the VLAN to a profile? If not, is this something that could be added in the future? It would negate the need to add 100+ devices to the profile.

    If not, could I install another AP dedicated to IoT, connect it to the CISCO switch (Layer 2) on LAN 3 and create a rule on the switch to allow devices on the LAN to access devices on the AP yet block access from AP to the LAN and internet.

    #6482
    just_a_goat2
    Participant

    I just found a post from someone else asking to add VLAN to Profiles. Support posted that it would be confusing to us. So how about adding a VLAN WAN option? That way you could turn on which VLAN can be reached from WAN and which VLAN can connect to WAN.

    #6483
    support
    Keymaster

    @just_a_goat2 That’s a good suggestion! We’ll see if it can be done.

    As a workaround, you can configure the IoT VLAN to go through a VPN but don’t actually create the VPN connection. That’ll effectively block any outbound traffic from IoT.

    #6492
    just_a_goat2
    Participant

    Dang, I thought I had it but it was just a ruse ;-). I added a device to X1 and tried to connect to it from the laptop on LAN but it wasn’t working. So I connected my laptop to X1 and I was able to connect to it. I tried to connect to the router at 10.x.x.1 and I was able to login to the console. Tried to connect to the laptop’s IP from another computer on the LAN but it wouldn’t connect, ping, nothing.

    In order to troubleshoot, I set X1 to plain settings (removed the VPN), then opened the connection to the LAN (row = source, column = destination, X = box checked):

             LAN    Guest   X1
    LAN       X      X      X
    Guest     -      X      -
    X1        X      -      X

    If I understand the logic of the UI, I should be able to connect to devices on LAN from X1 and X1 devices from LAN and both should be able to access the Internet. However, that is not what I get.

    Only devices on the LAN have Internet access; they can’t connect/ping devices on X1, and devices on X1 can only connect to devices on X1 and not the Internet.

    This seems like there is a NAT problem but I can’t see where I can set rules to allow traffic between the VLANs (I assume that this is done with the UI).

    What am I missing?

    Also, is it possible to have the same IP range between specific VLANs but not all, i.e. DHCP across the VLANs? It’s not required but would simplify some device configurations.

    #6497
    just_a_goat2
    Participant

    I got the ping partially working, forgot to turn off the security “Block Ping”. However, I can ping from LAN to X1 but not X1 to LAN. ´\O/`

    #6499
    support
    Keymaster

    If you checked the box on row LAN and column X1, then you should be able to ping a device on X1 from a device on LAN. Vice versa for X1 and LAN.

    “Block Ping” is for ping blocking from the WAN.

    What response did you get when you ping LAN from X1?

    #6500
    just_a_goat2
    Participant

    Request timeout for icmp_seq 3
    ping: sendto: No route to host
    Request timeout for icmp_seq 4
    ping: sendto: Host is down

    #6505
    support
    Keymaster

    That’s not the message from the router blocking ping across VLANs. The latter looks like: “From 10.159.157.1 icmp_seq=1 Destination Port Unreachable”.

    How are the devices connected on the X1 and LAN networks? Does the destination host block ping?
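
An added example, not code from the thread or from the router vendor: a small Python model of the inter-VLAN checkbox grid as the support reply describes it (row = source, column = destination, each direction its own box), plus a triage helper that sorts ping output into the two cases support separates above. The grid text and ping lines are constructed from what was posted in the thread; all function names are assumptions.

```python
import re
from typing import Dict

# Constructed sample: the checkbox grid the original poster transcribed
# (row = source network, column = destination network, "X" = box checked).
GRID_TEXT = """\
         LAN    Guest   X1
LAN       X      X      X
Guest     -      X      -
X1        X      -      X
"""

# Constructed sample: the ping output quoted earlier in the thread.
PING_FROM_X1 = """\
Request timeout for icmp_seq 3
ping: sendto: No route to host
Request timeout for icmp_seq 4
ping: sendto: Host is down
"""

def parse_grid(text: str) -> Dict[str, Dict[str, bool]]:
    """Parse the plain-text grid into {source: {destination: allowed}}."""
    rows = [line.split() for line in text.strip().splitlines()]
    columns = rows[0]
    grid: Dict[str, Dict[str, bool]] = {}
    for row in rows[1:]:
        src, marks = row[0], row[1:]
        grid[src] = {dst: mark.upper() == "X" for dst, mark in zip(columns, marks)}
    return grid

def can_reach(grid: Dict[str, Dict[str, bool]], src: str, dst: str) -> bool:
    """True when the box on row `src`, column `dst` is checked.
    Per the support reply, row LAN / column X1 lets LAN reach X1; the reverse
    direction needs its own box on row X1 / column LAN."""
    return grid.get(src, {}).get(dst, False)

def classify_ping(output: str) -> str:
    """Triage ping output the way support does above: a router-side inter-VLAN
    block shows up as an ICMP unreachable sent *from the gateway address*,
    whereas 'No route to host' / 'Host is down' come from the sender's own
    stack (no path, or neighbour resolution failed), not from the router."""
    text = output.lower()
    if re.search(r"from \d+\.\d+\.\d+\.\d+.*unreachable", text):
        return "blocked-by-router"
    if "no route to host" in text or "host is down" in text:
        return "sender-side-no-path"
    if "bytes from" in text:
        return "reachable"
    return "timeout-or-unknown"
```

When the classifier returns "sender-side-no-path", the grid is not the first thing to check; look at how the sending device is attached to its network and whether the destination host answers ping at all.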

    #6524
    just_a_goat2
    Participant

    Sorry for the delay in responding, I switched my service to Fibre and it took a while for things to settle down.

    As part of that process, I reset the router to default and re-established all the settings and, lo and behold… it’s working. I can now ping between the VLANs as expected, and using the VPN with no profile does block the Internet, although I still think it should be an option in the Network Tab VLAN grid 😉

    Next Step:
    I have a Hubitat hub that I use for some of the IoT radio based devices. I would like it to be part of the IoT VLAN. If I understand correctly, I have to connect it to the LAN 1 port and use the dropdown menu for Port 1 (Network tab) to select X1. This should add all the devices from the Hubitat hub to the X1 VLAN and they won’t have access to the Internet, correct?

    #6525
    support
    Keymaster

    If you connect the Hubitat hub to a port assigned to X1, then all devices connected to the Hubitat will be on the router’s X1 network.

    #6526
    just_a_goat2
    Participant

    I have a 1.5 Gb service, and the PW-AX1800 only has 1 Gb ports. Can I connect multiple ports from the Fibre router (bridge mode) to the PW to provide full access?

    #6528
    just_a_goat2
    Participant

    As it turns out I can’t, the Fibre router turns off all ports except LAN port 1 (1 Gb) when in Bridge mode, so no possibility of multiple trunks. What is worse, why are they not using the 2.5 Gb port?

    Even if it was using it, it wouldn’t help me as the PW-AX1800 is limited to 1 Gb as well. I’ll be downgrading to 1 Gb service as soon as it’s available.
