Issue with R605 router connected to Easy Smart Switches
Issue with R605 router connected to Easy Smart Switches
There are 3 ISPs connecting to 3 WAN ports of a multi-wan router (previously it was R470T+ v4, now R605).
The 2 remaining ports of this router act as LAN ports and are connected to 2 easy smart switches (SG1024DE v4) that are configured with MTU VLAN.
The switches provide wired connection to flats of the building, 1 LAN port per flat. I need the LAN ports to be isolated from each other but getting internet from the R605.
We needed easy smart switches configured with MTU VLAN to be prepared for any router-on-a-stick situation because in the flats people can connect their devices either directly wired or using their own wifi router which may accidentally be configured as DHCP server which would act as rogue server in an unmanaged local network.
(The uplink port on the switches is port1, but that's irrelevant.)
When I replaced the R470T+ with the new R605, first I realized that its setup page deals with VLAN configuration differently from R470T+, so I just let it on default setup without creating different VLANs for the R605's LAN ports. I think all ports are on the default VLAN1 now. But I thought it doesn't really matter because the switches must isolate their LAN ports anyway. If I created different VLANs for the router's LAN ports, the only benefit would be isolating traffic between the two switches, right?
What happened was suddenly a router (TP-Link WR740N, connected to one switch port) started to act as rogue DHCP server, trying to give IP for other devices connected to other switch ports.
Note that there are several routers in router mode (DHCP on) connected to the switches and none of them caused this issue, none of them appeared as rogue server.
It didn't matter if I connected that rogue router to a different switch port or to the other switch, it kept acting as rogue server.
I find it odd.
One detail that might matter: the rogue router has the same IP range (192.168.10.x) as one of the ISP's router connected to the first WAN port, that is a (remotely controlled by the ISP) Ubiquity device that I don't have access to modify anything in it.
Is it possible that there is a flow, a bug on R605 that causes this mysterious issue?
The R605's LAN is set to a different IP range (192.168.6.x).
Do I have to setup the LAN ports on R605 with VLANs different from the default VLAN1 to avoid this issue? And if so, what would be that setup (in standalone mode)?
There are only instructions for router connected to L3 switches, creating different IP pools etc... that is not our case.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Thanks again.
I see intervlan is a valuable feature on the router, I was just wondering why there isn't an easy (one tick) option to block it when people don't need it. But of course, I can use ACL rules.
And I guessed that MTU-VLAN doesn't tag the uplink port, I was just not sure. Now it's clear.
The remaining question is about the online detection method, how to make it more reliable in case of mobile ISP.
- Copy Link
- Report Inappropriate Content
I created the ACL rules in Firewall.
It seems to work, however I need some clarification:
- Source network and destination network.
It seems obvious, right? But when I wanted, let's say, to block devices in swirch_1 to reach devices in switch_2, it only worked if I chose switch_2 as source and switch_1 as destination. Which is the contrary that my logic would suggest.
Also I want that devices on the same vlan not to be able to reach each other. In the easy smart switches I have already achieved that but wanted to make sure R605 doesn't overrule that in the layer3 environment. So, does it make sense choosing the same vlan to source and destination in a blocking rule? or was it an overkill silliness of mine? If the router let's me do it, I supposed there must be a sense.
A less important question is why are the Source and Destination columns empty? creating the rule there is no such an option (when choosing LAN->LAN).
Finally, I'd like to create a rule for my laptop's IP address to have access to every vlan. Kind of a management access on the local network.
I created an IP Group but when I go to choose LAN->LAN in Access Control, it doesn't give me the option to choose IP Group, only vlans.
If I choose !LAN->LAN and have to option to put that IP Goup, it doesn't work.
And what is "Me" in the list? is it the IP address of the device with what I accessed the web UI of the router?
Anyway, the router doesn't let me choose this Me either when using LAN->LAN.
- Copy Link
- Report Inappropriate Content
I would really like to have some feedback and advise about how to avoid inter-vlan with ACL rules on R605.
Above I posted what I had done but it's not clear what is the best way to do.
And most importantly, as @Fae also suggested to configure the easy smart switches with 802.1Q VLAN instead of MTU-VLAN, I can't do it if I have to create as many rules (twice the number of vlans) as in the example above because if I'm not mistaken, in R605 you can create up to 20 rules only.
In the switches I would need a vlan for each port, so there would be 46 vlans created (preferable with different subnet in /24) and trunked via uplink port of the switches to the LAN port of the R605.
If developers created a one-tick option to stop inter-vlan in LAN->LAN communication, life would be easier. But by now we need to find a work-around.
I had an idea: what if I create a vlan (e.g. VLAN2) that won't be connected to any LAN port and therefore not used by any device, although I could create an ACL rule to block traffic between the source !VLAN2 and destination also !VLAN2. Would it work?
In theory it should mean, any traffic from outside of VLAN2 to outside of VLAN2 would be blocked between vlans in LAN->LAN.
I can't test it right now as the devices are in use but if someone could help me testing or giving valuable feedback, I would appreciate it.
If it worked as I wish, then I could setup the swtiches with 802.1Q VLAN, otherwise it's impossible to stop inter-vlan traffic in R605 for so many vlans.
- Copy Link
- Report Inappropriate Content
Please, help in this question:
If I configure the R605 and the connected Easy Smart Switches with 802.1q VLAN as you suggested, following the provided instructions, do I still need to create ACL rules to block inter-vlan traffic or the 802.1q already guarantees that on the R605? And if it doesn't, what is the maximum number of ACL rules that can be created on R605 in standalone mode?
- Copy Link
- Report Inappropriate Content
Although I haven't got any more help by the dear developers, I managed to do it by my own. And demonstrated it in a new thread.
Here is the solution.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 3673
Replies: 15
Voters 0
No one has voted for it yet.