T1500G-10PS : is it possible, to allow only http https and whatsapp in vlan‘s
2018-05-16 02:39:47
Hello.
My planned configuration at home is shown in the following picture. I already have the router, the switch and one EAP330.

The router is a FritzBox 7490, which has two different LANs. Ports 1-3 are the "default LAN" (IP address 192.168.x.y), and on port 4 a guest LAN is activated (IP address 172.31.179.x).
This means that the FritzBox has two DHCP services running.


My plan is to plug port 1 on the switch into port 1 on the FritzBox to use this as my family net. Port 8 on the switch plugs into port 4 on the FritzBox (own IP address range with DHCP).

In the future three APs should be connected to the switch and broadcast two SSIDs (guest net, family net) with different VLAN IDs.

The VLAN-configuration in the switch is:
Port 1: VLAN-ID 1 untagged, VLAN-ID 100 untagged (PVID 1, 100)
Port 2: VLAN-ID 1 untagged
Port 3: VLAN-ID 1 untagged
Port 4: VLAN-ID 1 untagged
Port 5: VLAN-ID 1 untagged, VLAN-ID 100 tagged, VLAN-ID 200 tagged (PVID 1,100,200)
Port 6: VLAN-ID 1 untagged, VLAN-ID 100 tagged, VLAN-ID 200 tagged (PVID 1,100,200)
Port 7: VLAN-ID 1 untagged, VLAN-ID 100 tagged, VLAN-ID 200 tagged (PVID 1,100,200)
Port 8: VLAN-ID 1 untagged, VLAN-ID 200 tagged
Port 9/Port 10 (SFP): VLAN-ID 1 untagged


I read some descriptions here in the forum and hope that this configuration will manage my network as follows:

- Users in the guest net (VLAN ID 200) will get an IP address from the guest-net DHCP on the FritzBox.
- Users in the family net (VLAN ID 100) will get an IP address from the default DHCP.
- Guests cannot access the family net.


Will that work???
Or do I have to "tell" the switch to route VLAN-ID-200 packets to port 8 and VLAN-ID-100 packets to port 1 in another way?

Next idea is that in this guest net only http, https and WhatsApp are allowed.

Do I have to create ACLs (Extend-IP ACL) and bind them to the VLANs? Or can this be solved in another way?

Does anyone know exactly which ports WhatsApp uses??? I searched and found port 5222 and port 5223.

Here I configured one ACL for port 80 (http):

For my understanding: will all other ports that have no ACL defined be rejected???

Or will this work like some kind of firewall: first you forbid everything and then you allow ACLs with defined ports???

Sorry for all these questions. But trial and error is not the way I want to go. Maybe I can get some hints to configure the system as it should be.


Thanks

maddinla
#1
Re:T1500G-10PS : is it possible, to allow only http https and whatsapp in vlan‘s
2018-05-16 06:46:47

maddinla wrote


The VLAN-configuration in the switch is:
Port 1: VLAN-ID 1 untagged, VLAN-ID 100 untagged (PVID 1, 100)
Port 2: VLAN-ID 1 untagged
Port 3: VLAN-ID 1 untagged
Port 4: VLAN-ID 1 untagged
Port 5: VLAN-ID 1 untagged, VLAN-ID 100 tagged, VLAN-ID 200 tagged (PVID 1,100,200)
Port 6: VLAN-ID 1 untagged, VLAN-ID 100 tagged, VLAN-ID 200 tagged (PVID 1,100,200)
Port 7: VLAN-ID 1 untagged, VLAN-ID 100 tagged, VLAN-ID 200 tagged (PVID 1,100,200)
Port 8: VLAN-ID 1 untagged, VLAN-ID 200 tagged
Port 9/Port 10 (SFP): VLAN-ID 1 untagged


Every VLAN can have only one Primary VLAN ID (PVID), not three of them.

What's more, VLAN 1 is the Default VLAN on TP-Link switches and as long as you don't need it, don't use it. If you choose to use it, see it as an isolated VLAN (such as the LAN for the family, similar to your choice of VLAN ID 100), which implies that you remove all other ports not members of the family LAN from this isolated VLAN 1.

Setup for your layout above is:

- Access ports 1 and 7 (FritzBox LAN) should be members of VLAN 100 only, PVID 100.

- Access port 8 (FritzBox GUEST) should be a member of VLAN 200 only, PVID 200.

- Trunk ports 2-4 need to be tagged ports and members of VLAN 100 and 200. PVID can be left at 1, meaning untagged frames arriving on the trunk ports will be assigned to (unused) VLAN 1. Keep in mind that untagged Ethernet frames arriving on a trunk port will be tagged with the port's PVID, but will have the tag removed on egress on other trunk ports if their PVID matches the frame's tag (that's what makes the Default VLAN somewhat special, but some TP-Link switches allow you to specify this handling in more fine-grained detail).

Thus, guest WiFi is assigned to VLAN 200 (FritzBox GUEST), family WiFi to VLAN 100 (FritzBox LAN) and house LAN also to VLAN 100.

Beware that the switch itself will be accessible only on VLAN 1 as long as you don't assign a dedicated VLAN and IP address for management purposes. How to do this depends on the switch - some have an input box to specify the MGMT VLAN (could be 100 in your case to access the switch from devices within the family VLAN), others need a virtual interface for the MGMT VLAN, so you would need to assign a virtual interface with an IP from the family LAN to VLAN 100 if you want to be able to still reach the switch from within your LAN.

Or do i have to „tell“ the switch, to route VLAN-ID200-packets to Port 8 and VLAN-ID100-packets to Port 1 in another way?


No, routed ports make no sense for such a setup.

Next idea is, that in this guest-net only allowes http, https and WhatsApp.

Do i have to create ACL’s (Extend-IP ACL) and bind them to the VLAN’s? Or can this be solved in another way?


The FritzBox guest network can be set to allow mail and http/https only, but not WhatsApp. So, yes, you need to use ACLs to achieve this, since the FritzBox doesn't allow access to its (proprietary) firewall.

Does anyone exactly knows, what ports WhatsApp will use??? I searched and found port 5222 and port 5223.


WhatsApp Messenger uses TCP ports 80, 443, 4244, 5222, 5223, 5228, 5242, 50318, 59234 and UDP ports 34784, 45395, 50318, 59234 depending on traffic (data and/or voice). But they may change or extend port ranges without further notice and did so in the past.

For my understanding: will all other ports be rejected, that have no ACL defined???


The default policy is to permit all traffic if no ACL is defined. As soon as you define an ACL and bind it to a port, the default policy is changed for this port to deny traffic not explicitly permitted. If you want to define different levels of access for different users (for example, banning bad guys abusing the guest network), you might want to configure ACLs that consist of explicit deny entries, then add an entry to permit all access at the end of each ACL, just like in firewalls. Depending on the switch you could also find an option to explicitly set a default policy.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#2
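The two ACL styles R1D2 describes above (an allow-list whose unmatched traffic is implicitly denied once the ACL is bound, versus explicit deny entries followed by a permit-all) are easy to get wrong, so here is a small simulation of that decision logic. This is an added example, not TP-Link code and not the T1500G's own ACL engine: it models ACLs bound per VLAN, evaluated top-down with first match wins, and uses the port numbers quoted in the reply above. The `INFRA_UDP` set (DNS and DHCP) is my addition, because an allow-list that only names http/https/WhatsApp ports also drops the DNS and DHCP traffic the guest clients need to get an address at all.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Packet:
    vlan: int
    proto: str        # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        proto_ok = self.proto is None or self.proto == pkt.proto
        port_ok = self.dst_port is None or self.dst_port == pkt.dst_port
        return proto_ok and port_ok


class AclTable:
    """ACLs bound per VLAN; a bound ACL is evaluated top-down, first match wins."""

    def __init__(self) -> None:
        self.bindings: Dict[int, List[AclEntry]] = {}

    def bind(self, vlan: int, entries: Sequence[AclEntry]) -> None:
        self.bindings[vlan] = list(entries)

    def decide(self, pkt: Packet) -> str:
        acl = self.bindings.get(pkt.vlan)
        if acl is None:
            return "permit"          # no ACL bound: default policy permits everything
        for entry in acl:
            if entry.matches(pkt):
                return entry.action
        return "deny"                # ACL bound and nothing matched: implicit deny


# Port numbers quoted in the reply above (http/https plus WhatsApp data and voice).
WHATSAPP_TCP = (80, 443, 4244, 5222, 5223, 5228, 5242, 50318, 59234)
WHATSAPP_UDP = (34784, 45395, 50318, 59234)
# Assumed addition: DNS and DHCP, which guest clients need before anything else works.
INFRA_UDP = (53, 67, 68)


def permit_list(extra_udp: Sequence[int] = ()) -> List[AclEntry]:
    """Allow-list style: only listed ports are permitted, everything else implicitly denied."""
    entries = [AclEntry("permit", "tcp", p) for p in WHATSAPP_TCP]
    entries += [AclEntry("permit", "udp", p) for p in (*WHATSAPP_UDP, *extra_udp)]
    return entries


def deny_list(blocked_tcp: Sequence[int]) -> List[AclEntry]:
    """Firewall style: explicit deny entries first, permit-all as the last entry."""
    return [AclEntry("deny", "tcp", p) for p in blocked_tcp] + [AclEntry("permit")]


def demo() -> Dict[str, str]:
    """Walk through the three situations on a constructed guest VLAN 200 / family VLAN 100."""
    guest, family = 200, 100
    table = AclTable()
    r: Dict[str, str] = {}
    r["unbound_smtp"] = table.decide(Packet(guest, "tcp", 25))        # nothing bound: permit
    table.bind(guest, permit_list())
    r["allow_https"] = table.decide(Packet(guest, "tcp", 443))        # listed: permit
    r["allow_smtp"] = table.decide(Packet(guest, "tcp", 25))          # not listed: deny
    r["allow_dns"] = table.decide(Packet(guest, "udp", 53))           # the trap: DNS denied too
    table.bind(guest, permit_list(INFRA_UDP))
    r["allow_dns_fixed"] = table.decide(Packet(guest, "udp", 53))     # permit after adding it
    table.bind(guest, deny_list([25]))
    r["deny_smtp"] = table.decide(Packet(guest, "tcp", 25))           # explicit deny
    r["deny_other"] = table.decide(Packet(guest, "tcp", 8080))        # final permit-all
    r["family_untouched"] = table.decide(Packet(family, "tcp", 25))   # no ACL on VLAN 100
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The point of `allow_dns` is the one to remember when you bind an allow-list: the switch has no idea that the guest DHCP server sits behind port 8, so anything you forget to list is gone, and the first symptom is usually "guests get no IP address". Whether a given switch really applies an implicit deny once an ACL is bound, or offers an explicit default-policy setting, has to be checked in that model's own documentation.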
...won't work
2018-05-30 02:49:13
Hello R1D2. ...was a few days on holiday tour. ;-) Thanks for your suggestions. But this won't work.

As you mentioned, I changed port 1 (to the FritzBox) and port 7 (to my EAP330) to VLAN100 with PVID100 and port 8 to VLAN200 with PVID200. There was no further information on tagging/untagging these ports, so I decided to set them up as untagged ports. ....mistake????

You would set up ports 2-4 as "trunk ports". Why??? My switch on port 2 with all other devices behind it has no VLAN ability.....

Anyway... I plugged a cable from LAN4 (FritzBox guest network) to port 8 on the switch and had a crash. The switch was dead, and after removing this cable and powering the switch on again, I had no connection at all. I think I'll do a hardware reset and try again tomorrow.

Thx, maddinla
#3
Re:T1500G-10PS : is it possible, to allow only http https and whatsapp in vlan‘s
2018-05-30 03:01:41

maddinla wrote

Thanks for your suggestions. But this won't work.


For me it works perfectly; I have a similar setup with Fritzbox, UBNT EdgeRouter, T-1600G and several EAPs with even more VLANs.

As you mentioned, I changed port 1 (to the FritzBox) and port 7 (to my EAP330) to VLAN100 with PVID100 and port 8 to VLAN200 with PVID200. There was no further information on tagging/untagging these ports, so I decided to set them up as untagged ports. ....mistake????


No. You wrote that you configured port 1 to VLAN 1 untagged, VLAN 100 tagged, which makes it a trunk port. Likewise, port 8 is member of VLAN 1 untagged and VLAN 200 tagged, also a trunk port. Yes, that's a mistake if you want to have those as pure access ports.

Access ports may be member of only one VLAN and they need to be untagged. If one of the two conditions isn't met (either member of more than one VLAN or using a tagged port), the port becomes a trunk port.

You would set up Port2-4 as "trunk ports". Why???


Sorry, meant ports 5-7. T1500G has the opposite order in port numbering than most other smart switches from TP-Link.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#4
Re:T1500G-10PS : is it possible, to allow only http https and whatsapp in vlan‘s
2018-05-30 04:41:53

R1D2 wrote

No. You wrote that you configured port 1 to VLAN 1 untagged, VLAN 100 tagged, which makes it a trunk port. Likewise, port 8 is member of VLAN 1 untagged and VLAN 200 tagged, also a trunk port. Yes, that's a mistake if you want to have those as pure access ports.

Access ports may be member of only one VLAN and they need to be untagged. If one of the two conditions isn't met (either member of more than one VLAN or using a tagged port), the port becomes a trunk port.

Sorry, meant ports 5-7. T1500G has the opposite order in port numbering than most other smart switches from TP-Link.


O.K. I have now changed the configuration like this:
Port 1: Only VLAN100, untagged
Port 2: VLAN1 and VLAN100 (untagged)
Port 3: ---"---
Port 4: ---"---
Port 5: VLAN1, VLAN100 (tagged), VLAN200 (tagged)
Port 6: ---"---
Port 7: ---"---
Port 8: Only VLAN200, untagged
...will test this configuration with my EAP330 in the next two or three days.
Thx, maddinla
#5
Re:T1500G-10PS : is it possible, to allow only http https and whatsapp in vlan‘s
2018-05-30 04:45:44
...damn. Why does my return key not work??? I want to have my text on separate lines...
#6
WLAN O.K. but EAP330 not accessible
2018-06-01 18:19:30
...did some changes and tested.

Thanks a lot: WLAN for family and for guests works fine.

But I can't reach my EAP330 anymore.

VLAN settings as follows:
Port 1: VLAN100 PVID 100, untagged (to FritzBox)
Port 2: VLAN100 PVID 100, untagged (to my internal switch with TV, PC,...)
Port 3 and 4: VLAN1 PVID1 (not used)
Port 5-7: VLAN100 tagged and VLAN200 tagged, PVID1
Port8: VLAN200 PVID200, untagged


From my PC (plugged into my internal switch) I can reach the FritzBox, the T1500G-10PS and other hardware inside my network, but not the EAP330.

Does anyone know why???
Maybe the EAP330 has settings for a kind of management VLAN like the T1500G??? I don't know.


Thx,
maddinla
#7
Re:T1500G-10PS : is it possible, to allow only http https and whatsapp in vlan‘s
2018-06-02 00:08:35

maddinla wrote


But I can't reach my EAP330 anymore.


Of course you can't reach it anymore if you did not create a VLAN for management. Either assign the port as a member of an untagged VLAN or use a dedicated tagged VLAN for management (recommended). In the latter case, set this VLAN ID in EAP330's Management setting. To do so, use untagged frames when configuring it.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#8
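R1D2's three replies (#1 on PVID and trunk versus access ports, #3 on what makes a port an access port, and #7 on why an untagged management interface disappears once the trunk carries only tagged VLANs) all come down to the same 802.1Q ingress/egress rules. The following is an added example, not TP-Link code: a minimal model of a switch port table with one PVID per port, applied to a configuration constructed from maddinla's posts #4 and #6 (ports 5-7 assumed to be untagged members of VLAN 1 as in post #4). It shows which ports a frame reaches and with which tag, why the guest and family VLANs share no port, and why an untagged frame from the EAP330 on port 5 ends up in VLAN 1 where the PC on port 2 can never see it.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Port:
    members: Dict[int, str]   # VLAN id -> "tagged" or "untagged"
    pvid: int                 # exactly one PVID per port; untagged ingress frames get it


def port_role(port: Port) -> str:
    """Access port: member of exactly one VLAN, untagged. Anything else is a trunk."""
    if len(port.members) == 1 and set(port.members.values()) == {"untagged"}:
        return "access"
    return "trunk"


def ingress_vid(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame is assigned to on ingress, or None if it is dropped."""
    if tag is None:
        return port.pvid                           # untagged frame takes the PVID
    return tag if tag in port.members else None    # tagged frame must match a membership


def forward(cfg: Dict[int, Port], in_port: int, tag: Optional[int]) -> Dict[int, Optional[int]]:
    """Flooding decision: egress port -> tag on the wire (None = sent untagged)."""
    vid = ingress_vid(cfg[in_port], tag)
    if vid is None:
        return {}
    out: Dict[int, Optional[int]] = {}
    for number, port in cfg.items():
        if number == in_port or vid not in port.members:
            continue
        out[number] = vid if port.members[vid] == "tagged" else None
    return out


def shared_vlans(cfg: Dict[int, Port], a: int, b: int) -> Set[int]:
    """VLANs on which two ports can exchange frames at layer 2 at all."""
    return set(cfg[a].members) & set(cfg[b].members)


def trunk() -> Dict[int, str]:
    return {1: "untagged", 100: "tagged", 200: "tagged"}


# Constructed from posts #4 and #6: family = VLAN 100, guest = VLAN 200.
SWITCH: Dict[int, Port] = {
    1: Port({100: "untagged"}, pvid=100),   # FritzBox LAN port
    2: Port({100: "untagged"}, pvid=100),   # internal unmanaged switch (PC, TV, ...)
    3: Port({1: "untagged"}, pvid=1),       # unused
    4: Port({1: "untagged"}, pvid=1),       # unused
    5: Port(trunk(), pvid=1),               # EAP330
    6: Port(trunk(), pvid=1),               # future AP
    7: Port(trunk(), pvid=1),               # future AP
    8: Port({200: "untagged"}, pvid=200),   # FritzBox guest port
}

# Port 1 as in the opening post: two untagged memberships, hence a trunk, not an access port.
ORIGINAL_PORT_1 = Port({1: "untagged", 100: "untagged"}, pvid=1)


if __name__ == "__main__":
    print("port 1 role:", port_role(SWITCH[1]), "| original port 1:", port_role(ORIGINAL_PORT_1))
    print("guest DHCP offer from port 8:", forward(SWITCH, 8, None))       # only the trunks, tagged 200
    print("guest WiFi client via port 5:", forward(SWITCH, 5, 200))        # ends at port 8, untagged
    print("EAP330 untagged mgmt frame:", forward(SWITCH, 5, None))         # stuck in VLAN 1
    print("family <-> guest shared VLANs:", shared_vlans(SWITCH, 2, 8))    # empty set
```

The last two results are the ones this thread turned on: the EAP330's untagged management traffic lands in PVID 1 and only ever reaches ports 3, 4, 6 and 7, so a PC on port 2 (VLAN 100 only) cannot manage it; either port 5 becomes an untagged member of VLAN 100 (the "MAC authentication with VLAN 100 as management VLAN" outcome in the next post) or the AP is told to tag its management traffic with a VLAN the trunk carries. The empty `shared_vlans(SWITCH, 2, 8)` is the layer-2 side of "guests can't reach the family net"; anything beyond that is the FritzBox's own guest isolation, which the switch does not control.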
Re:T1500G-10PS : is it possible, to allow only http https and whatsapp in vlan‘s
2018-06-02 22:53:23
I tried some stuff with a new tagged VLAN999 for management.

...without success. In the end the EAP330 was not accessible anymore, with or without VLAN equipment.

Don't ask why. I don't want to know it, at least...

Pushed the reset button and made a backup with my basics, and found a nice setting: Access Control Management with MAC Authentication.

I now have VLAN100 as management VLAN and my MAC address set for authentication.

Family and guest WLAN work, all devices can be reached, WhatsApp works, guests can't get access to my family net. Everything is fine for me!!!


Thanks for your support

maddinla


PS:
I think that I won't configure any ACLs, because the FritzBox has some features to allow only HTTP/S and mail things (maybe I'll block these specific ports sometime).
#9
Re:T1500G-10PS : is it possible, to allow only http https and whatsapp in vlan‘s
2018-06-11 18:55:40
Very Good Information
#10
Re:T1500G-10PS : is it possible, to allow only http https and whatsapp in vlan‘s
2019-03-05 08:23:53

Nice information, I think it's possible after reading this brief information properly. If you want to read more information, visit Cool Whatsapp Status to find the best status and information.

#11