DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Same-subnet/VLan traffic

14 Mar 2022 15:12 #1 by robroger37
Same-subnet/VLan traffic was created by robroger37
Dear members of the Forum, I have a technical question regarding the "Vigor 2866ax" router and I hope you can help me (for full disclosure, I am a complete newbie in networking).

For security purposes, how can I stop VLANs that are on the same subnet (LAN5 for example) from communicating with each other?

a) When the VLANs are on different subnets, for example, I can disable Inter-LAN routing, thus creating isolation.
b) For wireless LANs, I can use the "isolate member" option. I can assign a different unique VLAN to each SSID and then enable the "isolate member" option to prevent different clients connected to the same SSID (therefore the same VLAN, in this case) from communicating with each other.
c) But how can I prevent clients connected to different VLANs that are on the same subnet (for example LAN 5) from communicating with each other?
Can this be achieved? Do I need to set up a special firewall rule?
Or is it pointless perhaps because "same-subnet/VLAN traffic" will always be allowed, maybe because it will never be sent to the default gateway and, therefore, cannot be filtered by the firewall?

Hope this question makes sense.
Thank you for your help.

14 Mar 2022 17:07 #2 by hornbyp
Replied by hornbyp on topic Re: Same-subnet/VLan traffic

RobRoger37 wrote:
c) But how can I prevent clients connected to different VLANs that are on the same subnet (for example LAN 5) from communicating with each other?
Can this be achieved? Do I need to set up a special firewall rule?
Or is it pointless perhaps because "same-subnet/VLAN traffic" will always be allowed, maybe because it will never be sent to the default gateway and, therefore, cannot be filtered by the firewall?

Your questions make perfect sense :) .

This is Draytek's take: https://www.draytek.co.uk/information/our-technology/vlans

Under Port Based VLANs, this shows two groups of PCs that cannot communicate with one another: That is a port based VLAN - the physical port is isolated or common to a group.

I'm assuming you've tried a scenario similar to this and found that the devices aren't actually isolated?

The problem is, that if the two VLANs share the same subnet, they're probably going to (or, at least, could) find one another via their Default Gateway - i.e. the Draytek Vigor. (As you note, they're probably the 'wrong side' of the Draytek firewall, so it can't intervene).

I've never actually tested Draytek's scenario; but just assumed it was 'problematic'. I have always used different subnets for each VLAN. (Where the devices support it, I've used VLAN tags, as well).

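The reasoning in the reply above (a host only hands traffic to the default gateway when the destination is outside its own subnet, so inter-LAN routing and the L3 firewall never see same-subnet traffic) can be written down as a small model. The following is an added example, not code from the thread or from DrayTek; the Host/Policy classes, the three flow classes and the assumption that a router bridges VLANs that share a subnet are all constructed for illustration.

```python
"""Which isolation control can act on a host-to-host flow.

Constructed model, not DrayTek code. Classification follows ordinary IP
forwarding: a sender ARPs directly for any peer inside its own subnet and
only sends traffic for other subnets to the default gateway, which is the
only place inter-LAN routing and an L3 firewall rule can intervene.
"""
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int   # hypothetical VLAN ID (tagged VLAN or port-based group)
    addr: str   # address with prefix, e.g. "192.168.2.20/24"


@dataclass(frozen=True)
class Policy:
    inter_lan_routing: bool = True            # router forwards between its LAN subnets
    isolated_vlans: frozenset = frozenset()   # VLANs with client/member isolation enabled
    blocked: tuple = ()                       # L3 firewall rules as (src_cidr, dst_cidr) pairs


def classify(src: Host, dst: Host) -> str:
    """Return where a src->dst packet goes: same-vlan, same-subnet-cross-vlan or routed."""
    s, d = ip_interface(src.addr), ip_interface(dst.addr)
    if src.vlan == dst.vlan:
        return "same-vlan"                 # pure L2; only client isolation can stop it
    if d.ip in s.network:
        return "same-subnet-cross-vlan"    # sender ARPs directly, never addresses the gateway
    return "routed"                        # crosses the gateway: routing and firewall apply


def firewall_matches(src: Host, dst: Host, policy: Policy) -> bool:
    """True if any blocked (src_cidr, dst_cidr) pair covers this flow."""
    s, d = ip_interface(src.addr).ip, ip_interface(dst.addr).ip
    return any(s in ip_network(a) and d in ip_network(b) for a, b in policy.blocked)


def allowed(src: Host, dst: Host, policy: Policy) -> bool:
    """Whether src can reach dst under the policy, per the model above."""
    kind = classify(src, dst)
    if kind == "same-vlan":
        return src.vlan not in policy.isolated_vlans
    if kind == "same-subnet-cross-vlan":
        # Assumption: the router bridges VLANs that share a subnet (as reported
        # in the thread).  No L3 rule is on the path, so 'blocked' is not consulted.
        return True
    if not policy.inter_lan_routing:
        return False
    return not firewall_matches(src, dst, policy)


def report(hosts, policy: Policy):
    """All ordered host pairs with their flow class and verdict."""
    return [(a.name, b.name, classify(a, b), allowed(a, b, policy))
            for a in hosts for b in hosts if a is not b]


if __name__ == "__main__":
    # Constructed sample: two VLANs on LAN2 (192.168.2.0/24), one on LAN3.
    hosts = [Host("A", 1, "192.168.2.20/24"), Host("B", 2, "192.168.2.30/24"),
             Host("C", 3, "192.168.3.10/24"), Host("D", 1, "192.168.2.21/24")]
    policy = Policy(isolated_vlans=frozenset({1}),
                    blocked=(("192.168.2.20/32", "192.168.2.30/32"),))
    for row in report(hosts, policy):
        print("%s -> %s  %-24s allowed=%s" % row)
```

The instructive case is A -> B: a per-host block rule is configured, yet the flow is still allowed, because the packet is never routed and the rule is never evaluated. Only giving each VLAN its own subnet moves that flow into the "routed" class where inter-LAN routing and firewall rules can act.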
16 Mar 2022 00:06 #3 by talkingcats
Replied by talkingcats on topic Re: Same-subnet/VLan traffic

RobRoger37 wrote:
c) But how can I prevent clients connected to different VLANs that are on the same subnet (for example LAN 5) from communicating with each other?

DISCLOSURE: I am a retired software guy not a networking professional so this may not be the best way of doing it.

If you have a set of addresses on the same subnet that you do not want to talk to each other, then you could create data filter rules to prevent it. If it is a range of addresses then you could do it with at most two rules. If it is a series of discrete addresses then you could create an IP group from IP Objects that encapsulates those addresses. Go to Firewall > Filter Setup > Edit Filter Set > Edit Filter Rule and experiment. I have not done this myself but that's where I would start looking. My network is designed on the basis that comms is permitted within the subnet, with a few isolated rules to prevent comms where necessary.

Why do you need to forbid intra subnet comms?

16 Mar 2022 14:12 #4 by robroger37
Replied by robroger37 on topic Re: Same-subnet/VLan traffic
First of all: thank you very much for your answers. I really appreciate the time and consideration that you have put into your responses.

My intention would be to segment and isolate traffic to improve the security of the network (i.e. if somebody manages to infect a device connected to the network, they would not be able to move laterally and get to the rest of the connected devices).

The Vigor 2866 easily allows me:
1- to restrict communication between subnets. There is an option to enable/disable it. From the manual: "Inter-LAN Routing: Check the box to link two or more different subnets (LAN and LAN)".
2- to restrict communication among clients connected to the same VLAN (for wireless LANs). From the manual: "enabling the Isolate Member configuration will forbid the wireless clients associated to the same SSID from connecting to each other". I can therefore assign a different VLAN to each SSID and all clients connected to the same SSID/VLAN won't be able to communicate with each other.
I'm obviously trusting that the above options would actually do what the manufacturer says.

Now, the Vigor2866ax supports 8 LANs/subnets, 15 VLANs and 8 SSIDs, therefore some VLANs may have to share the same LAN/subnet.
Let's say: I have a LAN/subnet (LAN 2) with IP range 192.168.2.0/24. I then have two VLANs that belong to LAN 2: VLAN 1 (linked to SSID 1 - wireless) and VLAN 2 (linked to SSID 2 - wireless). How can I prevent a client connected to SSID 1 (VLAN 1) from communicating with a client connected to SSID 2 (VLAN 2)?
It seems odd that I can easily prevent two clients connected to the same SSID from communicating with each other (enabling the Isolate Member configuration) but cannot prevent this for two clients connected to different SSIDs (unless they are on different LANs/subnets).

With the Vigor I can divide a LAN/subnet into 2 different VLANs (no problem), but I don't think I can further assign a specific smaller group of IP addresses to each one of said VLANs. If I understand correctly, the IP addresses of the LAN/subnet (LAN 2 in the example) are automatically/randomly assigned by DHCP (within the range 192.168.2.0/24 in the example), therefore I don't think I can create "IP based" data filter rules to prevent VLAN 1 from communicating with VLAN 2 (let's call it "same-subnet/VLAN" traffic).
Should I perhaps assign a fixed IP address to each device connected to the two VLANs (i.e. linking IP addresses to MAC addresses of the devices) and then use firewall rules to prevent communication? I don't know if it makes sense, but in any case it sounds as if it would not be very practical. And would the firewall actually filter this "same-subnet/VLAN" traffic?

The Vigor allows me to assign a Tag to every VLAN. Would assigning a different tag to each of said VLANs prevent "same-subnet/VLAN" traffic?

19 Mar 2022 15:34 #5 by talkingcats
Replied by talkingcats on topic Re: Same-subnet/VLan traffic

RobRoger37 wrote:
The Vigor allows me to assign a Tag to every VLAN. Would assigning a different tag to each of said VLANs prevent "same-subnet/VLAN" traffic?

No it won't, not without additional firewall rules. For example, I reserve the LAN3 subnet for my media server traffic. I have a separate SSID for wifi media server traffic which my Blu-ray, Fire Stick, TV, Humax, etc. connect to. This SSID is associated to a tagged VLAN which is associated with the LAN3 subnet. The subnet is also allocated to a port VLAN to which a media server is connected. Traffic flows perfectly between the devices and the media server. You would need data filter rules to prevent these data flows. I can't find a way of doing this with VLAN IDs. Would be interested in knowing if there is a way of doing it.

20 Mar 2022 02:21 #6 by hornbyp
Replied by hornbyp on topic Re: Same-subnet/VLan traffic

talkingcats wrote:
I have a separate SSID for wifi media server traffic which my Blu-ray, Fire Stick, TV, Humax, etc. connect to. This SSID is associated to a tagged VLAN which is associated with the LAN3 subnet. The subnet is also allocated to a port VLAN to which a media server is connected.

I have something very similar (put in place when I had a Virgin Media TiVo ... which was connected to my LAN and to Virgin Media's network ... which got me thinking)

The main downside, is that Media-type things tend to use broadcasts (DLNA), as do TV control apps, Sky-Go clients etc - which means I'm forever having to switch my mobile phone from one SSID to the other (since these broadcasts don't travel between VLANs).

I have the same issue with my segregated IoT LAN; all the control apps have to go via the cloud to find the devices. You'd think there'd be some general-purpose proxy that could overcome this limitation; but I'm yet to find one.
