
Security difference between unchecking diagonal vs separate VLANs

  • #6913
    Rocket88
    Participant

    I intend to extend my network by using MoCA Ethernet to a second access point in my home. Since this secondary access point is not a pcWRT device (at least not for now), I understand I will only be extending one VLAN to the second WiFi access point.

    Originally my plan was to use separate VLANs for my IoT devices and my Guest network.

    It appears that as long as I go to the Settings/Network VLAN section and uncheck the diagonal box for Guest to Guest, I should have the same degree of protection.

    Am I correct? Or does this possibly give Layer 3 isolation but no Layer 2 isolation?

    I am very pleased with this purchase, but it requires careful consideration and setup so I may be asking a number of questions. Thanks for the product and the support.

    #6918
    support
    Keymaster

    Unchecking the diagonal box prohibits communication between devices connected to the same VLAN (e.g. Guest). It turns on Wireless Client Isolation for WiFi and blocks communication to/from devices connected to the VLAN via Ethernet.

    On the other hand, VLAN separation could block communication across VLANs but give you the option to allow communication between devices on the same VLAN.

    #7014
    bambina
    Participant

    I have read the posts many times and played around many times, yet I still fail to properly understand the VLAN / PORT section listed under SETTINGS – NETWORK – VLAN, and I would really love some help please.

    Firstly, please help me understand: what exactly is meant by LAN?

    Secondly:
    I want to use all VLANs & Ports as follows:
    LAN = I don't know what this means in this instance; I understand what it stands for though.
    GUEST = I want to grant 1 SSID broadcast only & keep it sandboxed from everything else.
    X1 = I want to grant a VLAN SSID broadcast + Port 1 yet keep it sandboxed from everything else.
    X2 = I want to grant a VLAN SSID broadcast + Port 2 yet keep it sandboxed from everything else.
    X3 = I want to grant a VLAN SSID broadcast yet keep it sandboxed from everything else.
    —————
    I can do all the SSID-broadcasting VLANs easily, but I just can't get my head around the tagging of ports or what to tick where in the columns and rows for it all to work correctly. I have listed what I think I need to do below; if someone could kindly confirm or correct me that would be amazing please?
    —————
    PORT1 = Tagged to X1
    PORT2 = Tagged to X2
    PORT3 =

    (rows = source VLAN, columns = destination VLAN; / = ticked)

          LAN  GUEST  X1  X2  X3
    LAN    /    /     /   /   /    I am confused as to why all are ticked on LAN?
    GUEST       /
    X1                /
    X2                    /
    X3                        /

    #7015
    bambina
    Participant

    Please also note that when I tried to tag a port whilst plugged into that port via Ethernet, the port stopped working on the router until I untagged it. I also noticed that in the router hub settings it showed the port as tagged to LAN even though I kept changing it to X1; it just keeps flicking back to LAN after I save. Is this a known glitch maybe?

    #7018
    support
    Keymaster

    First of all, do not tag any ports unless you’re connecting another router (with a tagged port) to the ports you’re tagging.

    There are 5 preconfigured VLANs on the router, named “LAN”, “Guest”, “X1”, “X2”, and “X3”. By default, “LAN” has the highest privilege and can initiate communication to any other VLAN (thus all boxes with source “LAN” are ticked). And only devices connected to “LAN” can log in to the router management console.

    In your case, assign Port 1 to X1, assign Port 2 to X2, and leave Port 3 on LAN. Only the computer connected to Port 3 can log in to the router. No tagging!

    Create SSIDs for Guest, X1, X2, and X3 as you need, but you have to keep the SSIDs for LAN as they cannot be deleted. You can have up to 4 SSIDs per band, so you can’t run all SSIDs on both bands.

    #7019
    Rocket88
    Participant

    Just a bit of terminology for you. Let's assume the case of an Ethernet switch that supports VLANs (virtual LANs).

    Let's assume that it supports 20 ports and you wish to run 5 completely separate networks. In that case you could/would configure 5 VLANs, and each VLAN has 4 ports (just an example; the number of ports could be different for each VLAN). In effect you now have 5 Ethernet switches!

    To keep things clean, the devices on each of these would have IP addresses assigned to them with differing subnets. If the devices NEVER need to communicate across VLANs you don't have to do this, but if they do, it is necessary. So in that case you also have 5 separate IP networks, each on its own virtual switch.

    But what if you want some or all devices to be able to talk to each other? In that case you need a router, and that gets intimidating quickly.

    If the switch has “Layer 3” capabilities, that means it has a router built in. So in that case you can use the router to route traffic across networks, just like on the Internet proper.

    If you want to keep this simple, and avoid learning about the details of routing (or even VLANs), you buy a pcWRT router! You will notice that your pcWRT router is assigning completely different IP addresses on the different VLANs (LAN, Guest, X1, X2, and X3). So you don't need to do that. A bit mysterious if you don't have this background info.

    Then the routing is configured using those check boxes. All very simple. I understand the 1,000-foot view, but don't have the time or interest to learn about routing. I am very pleased to have it all with an EZ button like here!

    It would be even simpler if there were a user manual, but with the search function on the forums here you can generally find the answer. Or ask the question and generally get a prompt answer.

    #7022
    bambina
    Participant

    Thanks for that.
    1. So just to be clear, if I want all VLANs sandboxed from each other, am I correct in saying that only 1 tick is needed per VLAN, such as X1 ticked for X1 and X2 ticked only for X2 etc., and obviously just select the port you want with which VLAN?

    2. As LAN is the sudo, then how do I make Port 3 secure, as surely someone using VLAN X2 (Port 2) could simply just connect an Ethernet cable to Port 3 & gain access to the LAN (sudo) hub interface?

    #7027
    support
    Keymaster

    1. If you want all VLANs to be isolated from each other, then only the diagonal boxes should be checked (i.e., source LAN -> destination LAN, etc.). If you further want client isolation, i.e., no cross talk between devices on the same VLAN, then you should uncheck the diagonal box too.

    2. It’s preconfigured such that devices on LAN can access devices on other VLANs, but you can untick the boxes from LAN to other destinations so that LAN cannot access other VLANs either. With default settings, only devices connected to LAN can manage the router. If you are concerned that someone can gain LAN privilege by connecting to Port 3, then you can assign Port 3 to Guest (for example).
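    As an added illustration (not pcWRT's code, and not from any poster here), the following is a small model of the checkbox matrix as support describes it in this thread: rows are source VLANs, columns are destination VLANs, a ticked box lets the source initiate connections to the destination, and the diagonal box governs same-VLAN (client) traffic. The default layout (LAN row fully ticked, diagonal ticked) and the VLAN names are taken from the posts above; the helper names are my own.

```python
# Model of the Settings/Network/VLAN tick-box matrix from this thread.
# Rows = source VLAN, columns = destination VLAN.  m[(src, dst)] is True
# when the box is ticked, i.e. a device on src may initiate to dst.
# The diagonal entry (src == dst) is the client-isolation switch:
# unticking it stops devices on that VLAN talking to each other.
VLANS = ("LAN", "Guest", "X1", "X2", "X3")


def default_matrix():
    """Default layout as described by support: the LAN row is fully
    ticked (LAN can reach every VLAN) and every diagonal box is ticked."""
    m = {(s, d): False for s in VLANS for d in VLANS}
    for v in VLANS:
        m[(v, v)] = True        # same-VLAN traffic allowed
        m[("LAN", v)] = True    # LAN has the highest privilege
    return m


def sandboxed_matrix(client_isolation=()):
    """Every VLAN isolated from every other: only the diagonal is ticked.
    VLANs named in client_isolation also get their diagonal unticked, so
    devices on them cannot even reach each other (the Guest case above)."""
    m = {(s, d): s == d for s in VLANS for d in VLANS}
    for v in client_isolation:
        m[(v, v)] = False
    return m


def can_initiate(m, src, dst):
    """True if a device on src may open a connection to a device on dst."""
    return m[(src, dst)]


def reachable_from(m, src):
    """All destination VLANs (including src itself) that src may initiate to."""
    return [d for d in VLANS if m[(src, d)]]


def violations(m, protected=("LAN",)):
    """Ticked boxes that let a non-protected source initiate into a protected
    VLAN, e.g. a stray Guest -> LAN tick; useful as a pre-save sanity check."""
    return [(s, d) for (s, d), ticked in m.items()
            if ticked and d in protected and s not in protected]
```

    Running `violations()` over a matrix before saving it catches the case the thread worries about: a tick that hands another VLAN a path into LAN.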
