Jorge87 wrote

Does anybody know how can I configure the switch to make a port to accept only untagged traffic, so a rogue device cannot spoof the VLAN?

 

Yes. Assign each »Access Port« to only one VLAN.

 

However, this requires to terminate the VLAN in the router, not in the switch, meaning you need to define at least two different local networks.

 

 

I define 3 VLANs as follows:

• VLAN 1 = System = All ports untagged
• VLAN 2 = Only LAN = Ports 2-6 untagged
• VLAN 3 = Only Internet = Ports 1, 7-8 untagged

 

Then I configure the PVID like this:

• PVID (from port 1 to 8) = 1, 1, 1, 1, 2, 2, 3, 3

 

You are using VLANs 2 and 3 just for port isolation controlled by the Port VLAN ID.

Ports 7-8 form an asymmetric VLAN. Traffic to the router uses VLAN 3, replies use VLAN 1.

 

Note that you actually have 2 LANs: VLAN 1 (»System«) is LAN for ports 2-4, VLAN 2 is also LAN for ports 5-6 (both according to their PVIDs).

Traffic from ports 5-6 will not only not reach Internet, but also not reach ports 2-4 despite the »Only LAN« classification, is this intented?

 

Anyway, ports are not truly isolated, since broadcasts from router still go to all ports over VLAN 1.

 

The need to have ports in more than one VLAN (VLAN 1 and VLAN 2 or 3 for ports 5-8) makes them no true »Access Ports« anymore.

THIS is what allows clients to fake a VLAN ID.

 

The correct setup for a topology you have in mind is a VLAN with an »one-armed router«:

• Define a second local network, e.g. »GUEST«.
• Define the VLAN tags in the router (here we terminate all VLANs).
• Use a Trunk port on the router and switch to connect them: Port 1 is a tagged member of VLANs 2 and 3 only.
  »Acceptable Frame Types« is »Tagged only«. PVID is irrelevant, set to 2.
• Assign ports 2-4 untagged members of VLAN 2, PVID=2, remove it from VLAN 1. That's your LAN network, say 192.168.1.0/24.
• Assign ports 5-6 untagged members of VLAN 1, PVID=1. That's your DROP network, say 172.16.0.0/24.
• Set clients on ports 5 and 6 to static IPs, e.g. from 172.16.0.0/24 network.
• Assign ports 7-8 untagged members of VLAN 3, PVID=3, remove from VLAN 1. That's your GUEST network, say 192.168.2.0/24.
• Create a forwarding rule from the GUEST network (resp. its firewall zone) to the WAN (Internet).
• Allow clients in the GUEST network to access the router only for DNS (port 53) and DHCP (port 67) services, deny all other.
• Create a forwarding rule from the LAN to the GUEST network to connect to devices in the GUEST network from within the LAN.

 

Now you have a properly set up VLAN:

• the »Access Ports« are only untagged members of the VLAN they belong to,
• »Ingress Checking« ensures that invalid frames (wrong VLAN tags) are dropped,
• the »Trunk Port« drops all untagged frames on ingress,
• ​​​​​every VLAN carries traffic from a real isolated network,
• isolation of router services are defined on the router where it belongs to,
• broadcasts from the router are not sent to all devices anymore.

 

If you want to use DHCP on ports 5-6, create another network for it, say »LAN2«, on the router.

 

I also recommend to use the »System« VLAN 1 either tagged-only on Access and Trunk ports (in other words: as a regular VLAN not different from any other) or to use it as kind of an untagged »dead-end« VLAN for unused/unassigned ports. Using it for the DROP network above sees VLAN 1 as a regular VLAN, it could also have VLAN ID 10 or 50 or whatever.

 

I see not other solution with T1500G.

 

With T1600G there might be an alternative with the »Port Isolation« function rather than using VLANs.

 

 

Jorge87 wrote

Are there any known plans for adding Acceptable Frame Types = UNtagged Only to TP-Link switches?

 

Inside a VLAN network there is no untagged traffic. All frames are always tagged.

 

It's just that untagged traffic arriving on an Access Port of the switch gets tagged with its Port VLAN ID. This PVID can be any VLAN (1, 2 , 3, 200, 300, whatever). As soon as the frame is received by the switch, it gets tagged.

 

If you connect clients such as PCs, laptops etc. over a Trunk Port (= member of more than one VLAN), they can choose which VLAN to use. It's intentional that on Trunk Ports tagged traffic can arrive. All what's really needed is to either drop untagged frames or accept them (and assign them the appropriate VLAN using the PVID).

 

This is the weak point in your topology! You use Trunk Ports for the clients instead of »Access Ports« which accept only untagged traffic (what you want).

 

Albeit I did show you the professional way to implement two or three networks for two or three VLANs, you can indeed use a single shared network over different VLANs, if this is what you want. But it can't be an asymmetric VLAN for the switch. That's all. This is your Acceptable Frame Type = Untagged Only setting!

 

So, ensure you have real Access Ports, ports which are assigned only one membership of either the DROP (1), LAN (2) or GUEST (3) VLAN.

Connect two cables from the router's LAN to the switch (but first configure the switch). Here you create the asymmetry, outside the switch.

 

VLAN config is:

• Router LAN1 ↔ Switch Port 1, untagged member of VLAN 2 (LAN) only, PVID=2
• Router LAN2 ↔ Switch Port 2, untagged member of VLAN 3 (GUEST) only, PVID=3
• Ports 3-4: VLAN 2, PVID=2
• Porst 5-6: VLAN 1, PVID=1
• Ports 7-8: VLAN 3, PVID=3

 

Still asymmetric VLAN due to the router's ports LAN1 and LAN2 which are either bridged Ethernet NICs or two ports of a built-in switch.

 

But, for the TP-Link switch the VLAN now is symmetric. Broadcasts won't loop, certain protocols appear on both VLANs. Should work this way.

 

Note that this is no true isolation, neither for routers using bridged Ethernet ports nor for routers using a built-in switch for the LAN1/LAN2 ports.

 

Jorge87 wrote

• Devices connected to ports 5 and 6 will only be able to talk to each other, which is something I don't really need.
• I see no ports that could not reach the router and talk to LAN devices at the same time (those ports would belong to VLAN 2, named Only LAN in my initial post).
• As switch ports 1 and 2 are configured as untagged and connected to my router, despite they have different VLAN and PVID, they will be able to talk each other (once their traffic reach to the router) because the router will act as an unmanaged switch.

 

1. You didn't specify whether ports 5-6 on LAN should be able to communicate with VLAN »System« (which is actually LAN, too).
   But since Internet is on LAN, connecting ports 5-6 to LAN gives them Internet access. That's done by your router.
2. LAN and GUEST need Internet. Yes, I wrote: the clients are not truly isolated since your router has only one network. Certain broadcasts are forwarded to all.
3. Switch ports LAN1 and LAN2 of the router are untagged, yes. This means that the router sends out broadcasts on all 4 ports or what number of ports your router has for the LAN.

But for the switch, the frames are not untagged. Remember: there is no such thing as an untagged frame in a managed switch, even not in Netgear switches. For the switch this is traffic in either VLAN 2 or 3. Devices in both VLANs, 2 and 3, are not able to talk to each other as long as their VLANs are terminated at the switch (not on another switch, that's the price). Ports 1 and 2 of the switch can also not talk to another. Re-check the settings, please.

 

I think what confuses you is that you have currently all ports in VLAN 1. Bad idea. I wrote: remove those ports from VLAN 1. Assign all ports to only one VLAN 1, 2 or 3. Never assign a port member of two VLANs.

 

Or take an outdated WiFi SOHO router laying around somewhere near you, install OpenWrt Linux on it (free of cost) and you can easily integrate this router into the VLAN network. Problem solved.