DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
VLAN Configuration
13 Aug 2023 12:48 #102760
Replied by cosmarchy on topic Re: VLAN Configuration
Hi,
The only reluctance is my habit of being used to 192.168.1.x. Slightly lazy of me, but it's just a habit I'm used to!! It would be handy to be able to change the Smart Hub, but it's not really essential.
I'll give the VLAN a look to try and get this sorted...
14 Aug 2023 07:51 #102761
Replied by HodgesanDY on topic Re: VLAN Configuration
Look at it this way, once you start using VLANs, you will without doubt, be using different subnets anyway, so it’s worth getting used to other subnets now, rather than just 192.168.1.*.
Also, this is a perfect example of why you would not want to use 192.168.1.* or 192.168.0.* for your internal network, as you will almost always encounter these subnets being used by domestic modem/routers across the world.
In the situation of a compromised network, when a hacker, for example, sees a generic subnet like 192.168.1.* or 192.168.0.*, they can almost guarantee that the network they have compromised is a flat network, and potentially vulnerable in several areas. So moving away from these generic subnets immediately adds a level of complexity to your network, which is a good thing.
18 Aug 2023 19:59 #102764
Replied by cosmarchy on topic Re: VLAN Configuration
Ok, so back after some internet issues (fortunately not related!! ).
So a recap of where I am...
I have the Smart Hub (192.168.1.254) connected to WAN 1 on my 2927ax (192.168.10.254) and LAN 1 has an IP address.
At the moment, I have two devices attached to the 2927ax (each device has DHCP enabled and its IP bound to its MAC address).
Port 1 - NVR (192.168.10.200)
Port 2 - NAS (192.168.10.225)
The VLAN is enabled -
I have two laptops, one connected to SSID1 and the other to SSID2
My first question is why can I ping the Smart Hub (192.168.1.254) from both SSID 1 and SSID 2? According to the VLAN settings, both VLANs are able to access the internet, but I thought that being on 192.168.10.x would prevent me from accessing a device on 192.168.1.x.
The next question is why am I able to ping some devices and not others on a different VLAN. My laptop on SSID 2 on VLAN 2 (where the intention was that it should only have access to the internet and no other devices) can ping 192.168.10.200 but not 192.168.10.225 even though these two addresses are on the same VLAN 1 which in turn is separate from the VLAN SSID 2 is connected to.
Laptop connected to SSID 1 can ping both 192.168.10.200 and 192.168.10.225 as you would expect.
Neither laptop can ping the other; again, this is what I'd expect.
18 Aug 2023 23:59 #102765
Replied by HodgesanDY on topic Re: VLAN Configuration
Hi Cosmarchy,
Ok, so ALL LANs, be they VLAN’d or not, have access to the Wide Area Network (WAN), so they can all communicate with the WAN network. That’s how they exit the internal network(s) and make their way out on to the internet, which means they send packets through the Smart Hub, meaning they can also connect to it and its GUI page, and also ping it.
The VLANs are only governing internal packets and not packets exiting the network. Once they leave their LAN(VLAN) to go out onto the internet, they are no longer VLAN’d, the VLAN element is stripped off before they exit.
Looking at your screenshot, of the VLAN setup page, you have Port 1 assigned to both VLAN0 & VLAN1, which is why you can communicate with that NVR (192.168.10.200) node from your laptop on SSID2.
You also referred to ‘VLAN2’ in your post, which you have nothing assigned to in your VLAN setup page screenshot, so I’m guessing you meant VLAN1, as VLAN0 is the default first/top VLAN on the page..?
You are also using the same LAN1 subnet for both VLANs, which isn’t a problem, but is probably why you’re able to communicate with the Port 1 device from both VLANs as well.
If you do not want your SSID2 devices to access the NVR, de-tick the Port 1 VLAN1 assignment and try the ping test again.
Really, you should be using a new LAN subnet for each VLAN, as not doing so will prevent you from using the Firewall to control communication between the LANs (VLANs) at a later date, if and when you decide you want certain protocols to pass between the two VLANs for specific devices - be it from one LAN (VLAN) to another, or, if not that, then a VPN-connected network; although that would still work if everything was on a single LAN subnet.
FYI, before you start down the Firewall rabbit-hole, it’s best to set a FW rule that blocks all traffic between different LANs and/or VPNs; that way you can then open up only specific rules for protocols you do want to allow. This is also relevant when turning on ‘inter-LAN’ routing, as inter-LAN routing without a Firewall rule blocking the traffic will open up ALL traffic between the two LANs, apart from broadcast packets, which will stay contained within the subnet they’re broadcasting on.
Try to move away from one subnet, expand your network onto other subnets, after all, you’re trying to separate them, so purposefully separate them with different subnets too. I know you have said you like to have the one subnet you’re used to but, you’re already evolving towards something requiring more subnets which is giving you better seclusion and improved security, therefore, I would say, don’t have one foot still in the old way of thinking.
Btw, your Vigor’s ‘Current Time’ has reverted, probably during the firmware update.
Now that you have internet access at the Vigor, you can set the time to ‘Use Internet Time’ and set the ‘Time Server’ to “pool.ntp.org”, then set the following options relevant to your location.
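The reply above explains the cross-VLAN pings by port membership: Port 1 is ticked in both VLAN0 and VLAN1, so the NVR on it is reachable from SSID2. The following is an added example, not code from the thread or from DrayTek. It models VLAN membership per interface as a small Python table (the table itself is constructed from the thread's description and is an assumption about which boxes were ticked), lists what each interface can reach, flags any interface that bridges two VLANs, and shows the effect of de-ticking Port 1 from VLAN1 as suggested.

```python
# Added example (not from the thread): per-interface VLAN membership model.
# The membership table is constructed from the thread's description; the
# interface names and VLAN names are assumptions.
VLAN_MEMBERSHIP = {
    "Port1": {"VLAN0", "VLAN1"},   # NVR 192.168.10.200, ticked in both VLANs
    "Port2": {"VLAN0"},            # NAS 192.168.10.225
    "SSID1": {"VLAN0"},            # laptop 1
    "SSID2": {"VLAN1"},            # laptop 2, meant to be internet-only
}


def can_talk(a: str, b: str, membership=VLAN_MEMBERSHIP) -> bool:
    """Two interfaces can exchange LAN traffic only if they share a VLAN."""
    return bool(membership[a] & membership[b])


def reachable_from(iface: str, membership=VLAN_MEMBERSHIP) -> list:
    """Every other interface that shares at least one VLAN with `iface`."""
    return sorted(o for o in membership if o != iface and can_talk(iface, o, membership))


def multi_vlan_interfaces(membership=VLAN_MEMBERSHIP) -> list:
    """Audit helper: interfaces ticked in more than one VLAN, i.e. the ones that
    quietly bridge the segments the VLAN setup was meant to keep apart."""
    return sorted(i for i, vlans in membership.items() if len(vlans) > 1)


def untick(iface: str, vlan: str, membership=VLAN_MEMBERSHIP) -> dict:
    """Return a copy of the table with one VLAN assignment removed (the reply's
    suggested fix: de-tick Port 1 from VLAN1). The original table is untouched."""
    fixed = {k: set(v) for k, v in membership.items()}
    fixed[iface].discard(vlan)
    return fixed


if __name__ == "__main__":
    print("before:", reachable_from("SSID2"), "bridging:", multi_vlan_interfaces())
    after = untick("Port1", "VLAN1")
    print("after: ", reachable_from("SSID2", after), "bridging:", multi_vlan_interfaces(after))
```

Running it with the table as given reports that SSID2 reaches Port1 and that Port1 is the bridging interface; after the de-tick, SSID2 reaches nothing on the LAN and no interface is in more than one VLAN, which is the result the ping test should then confirm.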
20 Aug 2023 21:40 #102770
Replied by cosmarchy on topic Re: VLAN Configuration
Hi,
Yes the VLAN2 was a typo and should have been VLAN1
I see the pinging situation on WAN 1 to 192.168.1.254 now; that makes perfect sense.
The VLAN configuration is currently:
Forgive my ignorance here, but I'm struggling with one small concept. You mentioned setting a firewall rule to block traffic between VLANs, but isn't that what the configuration is supposed to do? I thought anything connected on specific ports or SSIDs shouldn't be able to communicate across VLANs unless they are enabled?
With regard to the firewall, I couldn't find any specific guides so decided to look at the options before embarking on something that could turn out to be wrong...
Looking at Filter Set 1, Rule 2 (this is the next rule which is 'free') -
I'd assume that this is what you were indicating, and that I'd have to make another blocking rule that points from LAN 2 to LAN 1?
I'm also curious as to why there are 12 filter sets each with 7 rules and the option of which filter set to start from? Why not just have one filter set of 84 rules? What advantage does it have to start from another filter set?
21 Aug 2023 00:27 #102771
Replied by HodgesanDY on topic Re: VLAN Configuration
Hi Cosmarchy,
Yes, you are correct, the communication between the VLANs is isolated, but, VLANs and LANs are different.
The communication I am referring to is between LANs(subnets), regardless of VLAN. VLANs are like encapsulated wrappers around the LAN traffic that isolate them from other LAN traffic flow, but that traffic still gets routed, by the router, under the LAN element of the setup. So if you want to “route” traffic/packets between different LANs, you would do that via the router, your Vigor.
To route from one LAN to another LAN inside the router (your Vigor), you must enable an ‘Inter-LAN’ connection, or connections for multiple LANs. That is as simple as ticking the corresponding LAN# to LAN# in the grid of tick boxes. See LAN>>General Setup and scroll down to the lower section of the page.
Once these inter-connections are made, all traffic/packets between the specified LANs will flow, which seems to defeat the purpose of separating them, but don’t forget that broadcast packets will not cross over the inter-LAN link, which reduces unnecessary network traffic that would otherwise slow down your larger, global network. That is one of the basic benefits of separating your network into multiple LANs.
Now that you have that open LAN link, you can then use the Firewall to shut it down again but, you now have granular control over what can be authorised to pass, or not!
The filter rules are processed in order, so bunching them together gives you simplified control rather than 84 rules in one big list. You can label these collections (sets) too, making it easier to navigate when your list of rules becomes much larger. Firewall rules can trip you up no end if you don’t know how they are working together, or independently.
Also, because they process in order, you may want to move a collection of rules before or after another collection of rules, which is why there is a ‘Next Filter Set’ option at the bottom of each rule set page. This allows you to jump from a collection you added much later to before a collection you created some time in the past which is now needing to be processed later in the chain of overall rules, remember, they are all processed in order…
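The last two replies make two points that are easy to get wrong in practice: rules are processed in order, and the ‘Next Filter Set’ option lets you decide which set runs after which. The following is an added example, not the Vigor's rule engine and not code from the thread. It is a generic first-match firewall model in Python (a simplification: the real router's matching fields and defaults are not modelled, and the LAN names, the RTSP port 554 for the NVR and the SMB port 445 are constructed). It shows that a catch-all "block LAN2 to LAN1" set placed before a specific "allow" set swallows the allow, whereas starting at the allow set and chaining to the block set gives the "block everything, then open only what you want" outcome the reply recommends.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the thread): generic first-match firewall model with
# ordered rules inside ordered filter sets linked by a 'next set' pointer.
# Rule fields, LAN names and port numbers below are assumptions.


@dataclass(frozen=True)
class Rule:
    name: str
    src_lan: str             # "LAN1", "LAN2", ... or "any"
    dst_lan: str
    proto: str               # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int]  # None matches any port (e.g. ICMP has none)
    action: str              # "pass" or "block"

    def matches(self, pkt: dict) -> bool:
        return (self.src_lan in ("any", pkt["src_lan"])
                and self.dst_lan in ("any", pkt["dst_lan"])
                and self.proto in ("any", pkt["proto"])
                and self.dst_port in (None, pkt.get("dst_port")))


@dataclass
class FilterSet:
    name: str
    rules: list
    next_set: Optional[str] = None   # set to jump to after this one; None = end of chain


def evaluate(sets: dict, start: str, pkt: dict, default: str = "pass"):
    """Walk the chain from `start`. Rules in each set are tried in order and the
    first match decides; if a set has no match, follow its next_set. Returns
    (action, "set/rule"), or (default, "implicit-default") if nothing matched."""
    visited = set()
    current = start
    while current is not None:
        if current in visited:
            raise ValueError(f"filter set chain loops at {current}")
        visited.add(current)
        fs = sets[current]
        for rule in fs.rules:
            if rule.matches(pkt):
                return rule.action, f"{fs.name}/{rule.name}"
        current = fs.next_set
    return default, "implicit-default"


# Constructed sets: a catch-all inter-LAN block, and one specific opening.
BLOCK_ALL = FilterSet("Set1", [
    Rule("block-lan2-to-lan1", "LAN2", "LAN1", "any", None, "block"),
    Rule("block-lan1-to-lan2", "LAN1", "LAN2", "any", None, "block"),
])
ALLOW_NVR = FilterSet("Set2", [
    Rule("allow-lan2-to-nvr-rtsp", "LAN2", "LAN1", "tcp", 554, "pass"),
])


def chain(first: FilterSet, second: FilterSet) -> dict:
    """Link `first` to `second` via its next_set, leaving the originals untouched."""
    a = FilterSet(first.name, first.rules, second.name)
    b = FilterSet(second.name, second.rules, None)
    return {a.name: a, b.name: b}


# Constructed packets: an RTSP session to the NVR, and an SMB attempt to the NAS.
RTSP_PKT = {"src_lan": "LAN2", "dst_lan": "LAN1", "proto": "tcp", "dst_port": 554}
SMB_PKT = {"src_lan": "LAN2", "dst_lan": "LAN1", "proto": "tcp", "dst_port": 445}


def wrong_order():
    """Block set first: the specific allow in Set2 is never reached."""
    return evaluate(chain(BLOCK_ALL, ALLOW_NVR), "Set1", RTSP_PKT)


def right_order():
    """Start at the allow set, then fall through to the catch-all block."""
    sets = chain(ALLOW_NVR, BLOCK_ALL)
    return evaluate(sets, "Set2", RTSP_PKT), evaluate(sets, "Set2", SMB_PKT)


if __name__ == "__main__":
    print("block-then-allow:", wrong_order())
    print("allow-then-block:", right_order())
```

The loop check in `evaluate` is there because a ‘Next Filter Set’ pointer that leads back to an earlier set would otherwise evaluate forever; in the model that is reported as an error rather than silently passing traffic.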
Copyright © 2024 DrayTek