DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2862 - Selective Intra-LAN communication

19 Feb 2018 21:56 #1 by ecm200
I recently bought a Vigor 2862 to form the central router in my home network and act as an internet gateway over VDSL for a segmented home network.
My intention is to set up two separate VLANs to isolate our growing collection of Internet Of Things (IOT) devices from the home network which contains our laptops, PCs and NAS.

I have setup VLAN1 as my secured home network subnet on port 1, and have a Netgear Orbi RBR40 wifi mesh router connected to it to provide whole house wi-fi coverage for the secured home network. This consists of a basestation router, and a wireless satellite. The basestation and satellite are connected via a dedicated 5 Ghz backhaul connection. The satellite has a 4 port ethernet hub, to which our home NAS is connected. Essentially this is the network that all trusted devices, such as our laptops, PCs, iPads and iPhones will be connected to.

I have setup VLAN2 as my IOT network subnet on port 2. I have configured my older Netgear DGND4000 router to act as a wireless AP for the IOT network. Essentially, all connected devices will be able to access the internet through this network, but by default should not have access to the secured home network.

Herein lies the issue: IOT devices fall into two categories:

A) Internet connection only.
B) Internet and local network access.

For IOT devices that communicate through the web via an app (such as Ring Doorbell), as long as both VLAN1 and VLAN2 have access to the internet, they should function as normal. For devices that operate some functions across the local network, there is a need for them to be able to communicate across subnets. I am aware that I can allow intra-LAN communication between subnets by selecting the appropriate tick box on the VLAN configuration page. However, this would by default allow all devices in both subnets to communicate, which defeats the whole point of setting it up in the first place. What I want to be able to do is selectively allow certain devices to communicate across subnets, BUT NOT ALL OF THEM, AND I WOULD PREFER INTRA-LAN COMMUNICATION TO BE BLOCKED BY DEFAULT.

I have tried setting up firewall rules to allow certain IP ranges on the VLAN2 subnet to communicate with the VLAN1 subnet, but this does not work and all traffic on VLAN1 is isolated from VLAN2. If I enable intra-LAN communication for VLAN1 and VLAN2, it allows all IPs to communicate across the subnets, and I cannot seem to define a firewall rule to block all IPs other than a specified selective few.

Would anyone be able to provide guidance on how to configure the firewall to allow selective intra-VLAN communication on the basis of IP ranges?

Or indeed, if there is a better way of doing what I am trying to achieve, then I'd love to hear it.
I have heard about VLAN tagging as an alternative to VLAN by port, but I do not think it is possible to do it in this case as the Netgear routers that I have acting as Wireless APs don't have the ability to do it.

Thanks in advance.

19 Feb 2018 22:56 #2 by hornbyp
What I did was: Create Bind2IP entries for all devices on the I.O.T. LAN, so they have fixed IP addresses you can identify in firewall rules. I also created 'Objects' that match these, so they're easier to identify in said rules. I created objects for the LANs while I was about it.

Then, I created a Filter Set, whose first rule was "I.O.T. -> Trusted LAN" = "Block If No Further Match". After that, it was just a matter of adding "allow" rules for the tiny amount of traffic that was valid. For added paranoia, I ticked the "[ ] Syslog" button for all these rules.

The thing I haven't managed to crack, is dealing with those devices that fall somewhere in between. For example, the Sony TV's DLNA client can't access my DLNA server, if it's on another LAN but it needs access to the Internet. So do I put it on my trusted LAN and hope it's trustworthy? ... or do I isolate it and lose functionality. (For the moment, I have an awkward clunky solution involving switching its network from WiFi to Ethernet - depending on what it's doing).

You can't really do anything with VLAN 'tagging' unless you add more hardware. The Vigor won't automatically add the Tag on ingress - in the way that cheap switches can?!? - and I bet that none of your I.O.T. devices will let you configure a VLAN tag manually.

20 Feb 2018 21:49 #3 by ecm200
Thanks very much for the tips.

I think we have been thinking along the same lines, which is good.

The issue I have encountered is with the firewall. I have successfully managed to set up firewall rules which selectively block traffic from either VLAN to the WAN, to confirm that I am at least in some way understanding how to set up rules. However, if I make these rules LAN --> LAN, for some reason they do not seem to work. The only option that seems to control the VLAN subnet communication is the INTRA-LAN setting. I cannot seem to influence the behaviour of traffic between the subnets using the firewall, which LAN --> LAN rules seem to suggest is possible. I must be missing something. Any tips?

I have tested the firewall settings by connecting to the IOT wireless AP, giving my laptop an IP in the IOT subnet, and then attempting to configure firewall rules to control connectivity to the TRUSTED HOME network. I have done this either by pinging 192.168.0.1 (the gateway on the TRUSTED HOME network), or by trying to access the router admin pages via the same IP. This page is accessible on the IOT VLAN by going to the gateway IP of 192.168.2.1. When I have intra-LAN connectivity between VLAN1 and VLAN2 enabled, I can see the router config page at 192.168.0.1 whilst having an IOT IP address in the subnet 192.168.2.0. If I disable the intra-LAN routing on the LAN settings page, then I can only access the router admin page on the same subnet as my IP, and I cannot ping the other subnet either. As I said before, I have not managed to derive firewall rules to overrule the INTRA-LAN settings.

What am I missing here, any ideas?

Any help would be gratefully appreciated.

20 Feb 2018 22:50 #4 by hornbyp

ecm200 wrote: I have tested the firewall settings by connecting to the IOT wireless AP, giving my laptop an IP in the IOT subnet, and then attempting to configure firewall rules to control connectivity to the TRUSTED HOME network. I have done this either by pinging 192.168.0.1 (the gateway on the TRUSTED HOME network), or by trying to access the router admin pages via the same IP. This page is accessible on the IOT VLAN by going to the gateway IP of 192.168.2.1. When I have intra-LAN connectivity between VLAN1 and VLAN2 enabled, I can see the router config page at 192.168.0.1 whilst having an IOT IP address in the subnet 192.168.2.0. If I disable the intra-LAN routing on the LAN settings page, then I can only access the router admin page on the same subnet as my IP, and I cannot ping the other subnet either.

I think you've just been unlucky in your choice of test targets...

The Router seems to treat itself as a special case, both for ICMP and access to the Management Page. On the 2860 (and the 2862, I believe), at "System Maintenance >> Management" there is a tab called "LAN Access Setup" which is where you can tailor access - rather than it using a Firewall rule. I presume that all LANs have access by default.

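To make the two ideas in this thread concrete (hornbyp's filter set of a leading "Block If No Further Match" rule followed by narrow allow rules for fixed Bind-IP addresses in post #2, and the observation in post #4 that traffic aimed at the router's own addresses is governed by the management LAN Access settings rather than by the LAN-to-LAN rules), here is an added Python model of how such a first-match filter set decides a flow. It is an illustration written for this thread, not DrayTek code, and it does not drive a router. The MAC addresses, the DLNA server at 192.168.0.20 on TCP 8200, the WAN target 203.0.113.5 and the assumption that a flow matching no rule at all is passed are all constructed for the example; the rule action names follow the wording hornbyp quotes.

```python
"""Model of a first-match LAN->LAN filter set guarding a trusted LAN from an IoT LAN.

Constructed example for illustration; not DrayTek firmware or configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

IOT_LAN = ip_network("192.168.2.0/24")        # VLAN2 from the thread
TRUSTED_LAN = ip_network("192.168.0.0/24")    # VLAN1 from the thread

# Router interface addresses named in the thread. Flows addressed to the router
# itself are decided by the management "LAN Access Setup", not by this filter set.
ROUTER_IPS = {ip_address("192.168.0.1"), ip_address("192.168.2.1")}

# Constructed "Bind IP to MAC" reservations: fixed addresses that rules can name.
BIND_IP = {
    "aa:bb:cc:00:00:01": ip_address("192.168.2.10"),  # hypothetical TV with DLNA client
    "aa:bb:cc:00:00:02": ip_address("192.168.2.11"),  # hypothetical cloud-only doorbell
}

Flow = Tuple[str, str, str, Optional[int]]  # (src_ip, dst_ip, proto, dst_port)


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"                  # "any", "tcp", "udp" or "icmp"
    dport: Optional[int] = None         # None matches every destination port
    action: str = "block_if_no_further_match"
    syslog: bool = False                # the "Syslog" tick box on the rule

    def matches(self, src, dst, proto, dport) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# First rule: deny IoT -> trusted unless a later rule explicitly allows the flow.
# Later rules: the "tiny amount of traffic that is valid", one host and port each.
FILTER_SET: List[Rule] = [
    Rule("iot->trusted default", IOT_LAN, TRUSTED_LAN,
         action="block_if_no_further_match", syslog=True),
    Rule("tv->dlna server", ip_network("192.168.2.10/32"),
         ip_network("192.168.0.20/32"), "tcp", 8200, "pass", syslog=True),
]


def evaluate(flow: Flow, rules: List[Rule] = FILTER_SET,
             log: Optional[List[str]] = None) -> str:
    """Return "pass", "block" or "management-access-setup" for one flow.

    "pass"/"block" act immediately; the "*_if_no_further_match" actions only
    set a pending verdict that a later matching rule may override.
    """
    src, dst = ip_address(flow[0]), ip_address(flow[1])
    proto, dport = flow[2], flow[3]
    if dst in ROUTER_IPS:
        return "management-access-setup"
    pending = "pass"  # assumption: a flow matching no rule is not this set's concern
    for rule in rules:
        if not rule.matches(src, dst, proto, dport):
            continue
        if rule.syslog and log is not None:
            log.append(f"{rule.name}: {src}->{dst} {proto}/{dport}")
        verdict = rule.action.split("_")[0]
        if "_if_no_further_match" not in rule.action:
            return verdict
        pending = verdict
    return pending


def sample_results() -> dict:
    """Run constructed flows through the filter set and collect the verdicts."""
    log: List[str] = []
    flows = {
        "tv to dlna": ("192.168.2.10", "192.168.0.20", "tcp", 8200),
        "doorbell to dlna": ("192.168.2.11", "192.168.0.20", "tcp", 8200),
        "tv to smb share": ("192.168.2.10", "192.168.0.20", "tcp", 445),
        "doorbell to wan": ("192.168.2.11", "203.0.113.5", "tcp", 443),
        "tv pings trusted gateway": ("192.168.2.10", "192.168.0.1", "icmp", None),
    }
    results = {name: evaluate(flow, log=log) for name, flow in flows.items()}
    results["log"] = log
    return results


if __name__ == "__main__":
    for name, verdict in sample_results().items():
        print(f"{name}: {verdict}")
```

Two things the model makes visible: only the TV's one advertised flow crosses into the trusted LAN, everything else from the IoT LAN to it is logged and dropped, and a ping at the trusted-side gateway address never reaches the filter set at all, which is why that was a poor test target.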
20 Feb 2018 22:53 #5 by ecm200
I’ll check it out.

Probably best to connect a device to the trusted network and then try and log that rather than the router?

21 Feb 2018 16:29 #6 by hornbyp

ecm200 wrote: Probably best to connect a device to the trusted network and then try and log that rather than the router?



In the absence of setting up something special to test connectivity to, Remote Desktop and File/Print Sharing are probably quick and easy targets. Also, if you have a WiFi-enabled printer, it's probably got a GUI you can try and access.
