How to configure TL-R605 connected to Easy Smart Switches with 802.1q VLAN while blocking intervlan

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

How to configure TL-R605 connected to Easy Smart Switches with 802.1q VLAN while blocking intervlan

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
How to configure TL-R605 connected to Easy Smart Switches with 802.1q VLAN while blocking intervlan
How to configure TL-R605 connected to Easy Smart Switches with 802.1q VLAN while blocking intervlan
2021-09-28 22:16:51 - last edited 2022-10-27 19:14:39
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: ER605(UN)_v1_1.2.1 Build 20220512

Solution (26-10-2022):

With the latest firmware (v1.2.1) for ER605 v1 it is possible to isolate inter-vlan traffic, it's described in this post.

 

---------------------------------

Edit:

After the v1.2.0 firmware release this trick can't be used anymore as the latest firmware treats vlans with ! at the beginning in a way that it will also restrict the access to the gateway itself.

So the following concept only works with the v1.1.1 firmware.

---------------------------------

 

After the latest firmware release (v1.1.1) I decided to change my configuration from MTU-VLAN to 802.1q VLAN. There is a benefit (being able to detect and locate connected devices), although it heavily increases CPU usage on R605 (at least when you browse on the standalone setup page, it slows down quite significantly).

 

The 802.1q VLAN config with the latest firmware did not solve the intervlan issue though, AGAIN! There is no "one-click option" to block intervlan traffic in TL-R605 (in standalone mode).

But I've found an easy work-around.

 

In my setup there is an EAP in addition to the two easy smart switches but it's unimportant for this tutorial.

 

The main purpose is to provide internet access to routers or devices connected to the switches, while isolating the LAN ports from each other.

 

 

Setting up the SG1024DE Easy Smart Switches:

Switch_1

 

Switch_2

 

Configuring the R605:

Network -> LAN

The starting and ending IP Address range in DHCP Server setup is up to you, depending on your needs.

 

Network -> VLAN

 

Network -> VLAN -> Ports

The PVID of the LAN ports in R605 you can leave on default vlan, I guess. Instead I maintained it from my old (MTU VLAN) config where the switches had their own vlan and IP subnet. (I'm not sure which is better to do.)

 

At this point I got disappointed because – after a brief test – realized that with this new config the intervlan issue still remained unsolved. And I knew there is no way to create so many (2 x 46) ACL rules to block traffic between vlans due to the router's ACL limits.

 

BUT THE GOOD NEWS IS,

there is a work-around:

- Create a phantom vlan and tag it to one of the LAN ports.

(I created vlan99 for that purpose)

- in Firewall -> Access Control add a rule to block all service type in LAN->LAN direction with both the Source and Destination network choosing this phantom vlan with the exclamation mark at the beginning. (It means any vlan outside of this one.)

... and Voilà!

  2      
  2      
#1
Options
2 Reply
Re:How to configure TL-R605 connected to Easy Smart Switches with 802.1q VLAN
2021-09-28 22:31:05 - last edited 2021-09-30 09:26:33

Observe on the Network -> LAN -> Network list page, there is a bug. Hello @Fae!

It changed the order with no logical reason.

I created all the vlans precautiously in the correct order, knowing that there is no way to modify the order afterwards. Then suddenly it messed it up, putting vlan102-124 to the end (leaving only vlan119 in front of the vlan202-224 range).

There is no option on any page to define order ID, the developers forgot to put that input field where it should be.

  0  
  0  
#2
Options
Re:How to configure TL-R605 connected to Easy Smart Switches with 802.1q VLAN
2021-10-08 08:27:59

Dear @Arion,

 

Arion wrote

Observe on the Network -> LAN -> Network list page, there is a bug. Hello @Fae!

It changed the order with no logical reason.

I created all the vlans precautiously in the correct order, knowing that there is no way to modify the order afterwards. Then suddenly it messed it up, putting vlan102-124 to the end (leaving only vlan119 in front of the vlan202-224 range).

There is no option on any page to define order ID, the developers forgot to put that input field where it should be.

 

Thank you for your valued feedback. I've reported this to the developer team for checking.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#3
Options