How to configure TL-R605 connected to Easy Smart Switches with 802.1q VLAN while blocking intervlan
With the latest firmware (v1.2.1) for the ER605 v1 it is possible to isolate inter-vlan traffic; it is described in this post.
After the v1.2.0 firmware release this trick can't be used anymore, as the latest firmware treats vlans with a "!" at the beginning in a way that also restricts access to the gateway itself.
So the following concept only works with the v1.1.1 firmware.
After the latest firmware release (v1.1.1) I decided to change my configuration from MTU VLAN to 802.1q VLAN. There is a benefit (being able to detect and locate connected devices), although it heavily increases CPU usage on the R605 (at least when you browse the standalone setup page, it slows down quite significantly).
The 802.1q VLAN config with the latest firmware did not solve the inter-vlan issue though, AGAIN! There is no "one-click option" to block inter-vlan traffic in the TL-R605 (in standalone mode).
But I've found an easy work-around.
In my setup there is an EAP in addition to the two Easy Smart switches, but it is not relevant to this tutorial.
The main purpose is to provide internet access to routers or devices connected to the switches, while isolating the LAN ports from each other.
Setting up the SG1024DE Easy Smart Switches:
Configuring the R605:
Network -> LAN
The starting and ending IP Address range in DHCP Server setup is up to you, depending on your needs.
Network -> VLAN
Network -> VLAN -> Ports
You can leave the PVID of the LAN ports on the R605 on the default vlan, I guess. Instead I kept it from my old (MTU VLAN) config, where the switches had their own vlan and IP subnet. (I'm not sure which is better to do.)
At this point I got disappointed because, after a brief test, I realized that with this new config the inter-vlan issue still remained unsolved. And I knew there was no way to create so many (2 x 46) ACL rules to block traffic between vlans, due to the router's ACL limits.
BUT THE GOOD NEWS IS,
there is a work-around:
- Create a phantom vlan and tag it to one of the LAN ports.
(I created vlan99 for that purpose)
- In Firewall -> Access Control, add a rule that blocks all service types in the LAN->LAN direction, with both the Source and Destination network set to this phantom vlan with an exclamation mark at the beginning. (It means any vlan outside of this one.)
... and Voilà!
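As an added illustration (not from the original post), here is a small Python model of how the single `!vlan99` rule covers every pair of real vlans without touching internet-bound or same-vlan traffic, and why the post's note about newer firmware matters: if the "!" network is also applied to the router's own interface addresses, the same rule blocks access to the gateway. The subnet values, and the way the v1.2.x behaviour is modelled, are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample subnets (the post only names the phantom vlan99); hypothetical values.
VLANS = {
    "vlan10": ip_network("192.168.10.0/24"),
    "vlan20": ip_network("192.168.20.0/24"),
    "vlan99": ip_network("192.168.99.0/24"),  # phantom vlan: tagged on one port, no hosts
}
# Router interface address of each vlan (assumed to be the first host address).
GATEWAYS = {str(net[1]): name for name, net in VLANS.items()}

# The single ACL rule from the post: LAN->LAN, all services, src !vlan99, dst !vlan99.
RULE = {"direction": "LAN->LAN", "src": "!vlan99", "dst": "!vlan99"}


def vlan_of(addr):
    """Map an address to the vlan whose subnet contains it, or 'WAN' if none does."""
    a = ip_address(addr)
    for name, net in VLANS.items():
        if a in net:
            return name
    return "WAN"


def field_matches(vlan, spec):
    """'vlanX' matches that vlan; '!vlanX' matches every LAN vlan except it (WAN never matches)."""
    if spec.startswith("!"):
        return vlan != "WAN" and vlan != spec[1:]
    return vlan == spec


def blocked(src, dst, firmware="v1.1.1"):
    """Return True if the rule drops a packet src->dst under the given firmware behaviour.

    firmware="v1.1.1": the rule only sees routed LAN->LAN traffic, so packets addressed
    to the router's own interface are never evaluated against it.
    firmware="v1.2.x": assumption modelled on the post's description: a '!' network also
    covers the gateway addresses, so traffic to the gateway is blocked as well.
    """
    s, d = vlan_of(src), vlan_of(dst)
    if s == "WAN" or d == "WAN":
        return False  # not a LAN->LAN flow, the rule does not apply
    if dst in GATEWAYS:
        if firmware == "v1.1.1":
            return False
        return field_matches(s, RULE["src"]) and field_matches(GATEWAYS[dst], RULE["dst"])
    if s == d:
        return False  # same-vlan traffic is switched locally and never reaches the router ACL
    return field_matches(s, RULE["src"]) and field_matches(d, RULE["dst"])
```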