T2600G-28MPS how to separate networks?

2017-11-30 23:00:23
Hello Everybody,

I'm trying to install a hotspot environment in our company. I'm using an ER6120 router, several T2600G-28MPS switches and several EAP330 access points.
The APs shall provide two SSIDs: one "Internet Hotspot" for the customers and one "Office WiFi" for our service staff. Both SSIDs or networks share the same Internet connection but must be separated internally.
So I followed the instructions in this guide:

How to configure Multiple SSIDs with Multiple Subnets on EAP products

http://www.tp-link.de/faq-1849.html


DHCP works fine so far. When I log into the "Internet Hotspot" network I get an IP of 172.168.0.0 /21 (VLAN20) and when I log into the "Office WiFi" I get an IP of 192.168.128.0 /21 (VLAN10). Also, when I attach the laptop directly to the switch I get the correct IP depending on the VLAN config of the port.
Now my problem is that both networks communicate with each other. So when I log into the "Internet Hotspot" (no difference if I use WiFi or cable (both VLAN20)) with my laptop and obtain an IP of 172.168.0.0/21, I can still access my NAS, which is directly attached to the switch ("Office" VLAN10, fixed IP 192.168.128.7 /21).
To my understanding, this should not be possible for two reasons:
First: the two devices are in different subnets (192... /21 and 172... /21)
Second: the two devices are in different VLANs (20 and 10)
Do I have to configure an ACL (port or VLAN bound?) or is the VLAN configuration wrong?
I'm just on my way to get into the advanced networking world, so I hope I don't annoy the experts with my noob questions.
Thanks for your help.

Kind regards Bertl
1 Reply
Re:T2600G-28MPS how to separate networks?
2017-12-03 18:39:17

Bertl wrote:

> DHCP works fine so far. When I log into the "Internet Hotspot" network I get an IP of 172.168.0.0 /21 (VLAN20)


You had better not use 172.168.0.0; it's part of AOL's official network (netname AOL-172BLK, IP range: 172.128.0.0/10).

> Now my problem is that both networks communicate with each other.
> [...]
> To my understanding, this should not be possible for two reasons:
> First: the two devices are in different subnets (192... /21 and 172... /21)
> Second: the two devices are in different VLANs (20 and 10)


Third: your router creates two separate networks isolated from each other using firewalling, or you use ACLs to allow access from clients in the guest network to your router's gatewaying interface only, but not to other clients in the LAN subnet.

This third point is obviously missing from your setup; your router therefore does routing, and so clients in your hotspot network can reach internal hosts.


> Do I have to configure an ACL (port or VLAN bound?)


This is one way to isolate the subnets, yes. Another way would be to create two LANs: one is the protected office network, the other one is the public hotspot.
For the latter you will need what TP-Link calls "Multi-Nets NAT" (NATing for more than one subnet, supported by almost any router).
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
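The isolation discussed in this thread, modelled as a first-match ACL over the two subnets and the NAS address from the posts. This is an added example, not part of the original thread and not TP-Link configuration syntax; the gateway address 172.168.0.1, the client address and the default action for unmatched traffic are assumptions.

```python
import ipaddress as ip

# Subnets and the NAS address are taken from the thread.
GUEST = ip.ip_network("172.168.0.0/21")     # VLAN20, "Internet Hotspot"
OFFICE = ip.ip_network("192.168.128.0/21")  # VLAN10, "Office WiFi"
NAS = "192.168.128.7"
# Assumption: the router's interface in the guest VLAN (not given in the thread).
GUEST_GW = ip.ip_network("172.168.0.1/32")
ANY = ip.ip_network("0.0.0.0/0")

# Ordered rules (action, source, destination); the first match wins.
GUEST_ACL = [
    ("permit", GUEST, GUEST_GW),  # guests may reach their own gateway
    ("deny",   GUEST, OFFICE),    # guests may not reach the office subnet
    ("permit", GUEST, ANY),       # everything else (Internet) is allowed
]

# Same rules with the broad permit first: the deny is never reached.
SHADOWED_ACL = [GUEST_ACL[2], GUEST_ACL[1]]

def evaluate(acl, src, dst, default="permit"):
    """Return the action of the first rule matching src -> dst.

    `default` models plain routing when no rule matches (assumption:
    unmatched traffic is forwarded, as in the setup described above).
    """
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return default

def is_rfc1918(net):
    """True if net lies entirely inside one of the RFC 1918 private blocks."""
    blocks = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    return any(net.subnet_of(ip.ip_network(b)) for b in blocks)

if __name__ == "__main__":
    client = "172.168.1.50"  # constructed guest client address
    print("no ACL, guest -> NAS      :", evaluate([], client, NAS))
    print("ACL, guest -> NAS         :", evaluate(GUEST_ACL, client, NAS))
    print("ACL, guest -> gateway     :", evaluate(GUEST_ACL, client, "172.168.0.1"))
    print("shadowed ACL, guest -> NAS:", evaluate(SHADOWED_ACL, client, NAS))
    print("guest subnet is RFC 1918  :", is_rfc1918(GUEST))
    print("office subnet is RFC 1918 :", is_rfc1918(OFFICE))
```

The shadowed rule list shows why rule order matters: a broad permit placed before the deny leaves the NAS reachable.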