M4v3r1cK87
Jan 04, 2026 - Aspirant
[MS108TUP] - Switching - VLAN and routing
Hello everyone,
I have this network configuration:
Firewall --> MS108TUP --> Access Point Wifi
The firewall and the AP are not Netgear products.
I have a domotic house, so I've decided to separate the smart devices from the main network.
So in this case I've created a dedicated AP SSID with VLAN ID 20 only for managing smart devices.
My network is also managed by a dedicated firewall device that manages VLAN interfaces, WAN interfaces, LAN interfaces, etc.
Through this firewall I manage all the L2/L3 levels, from DHCP (one for every interface) to privacy control, from captive portal (for guest accounts) to policy control rules, ACLs, static routes, QoS, etc.
So, I've configured the MS108TUP with several VLANs created in Switching mode (Switching --> VLAN).
This is my current VLAN configuration on MS108TUP:
MG1 is the firewall uplink port, while MG2 is the AP uplink port.
And this is the configuration of the interfaces in my firewall:
In this way, the AP creates an SSID with VLAN 20, MG2 takes VLAN 20 and routes it to VLAN 20 on MG1; the firewall (MG1) takes VLAN 20 on port P2 and creates its own network with its own dedicated DHCP and static IP list.
All works well, but when, from the firewall, I try to block traffic from/to the same interface/zone, it doesn't work.
For example, if I try to block the SSH port from the tablet to my Raspberry Pi, and the tablet and the RPi are in the same interface/zone, the traffic is not blocked (my rule is: from DomoDevicesVLAN to DomoDevicesLAN, source "tablet", destination "RPI", any service --> deny ----> this rule must deny the traffic for any service from the tablet to the RPI "using" the same zone, but it does not work).
It seems that the packet traffic is directly managed by the MS108TUP. It seems as if the request is not passing through the firewall, but remains at the switch level.
For example: 192.168.0.5 --> 192.168.0.6 directly
In this way the traffic is bypassing the firewall, because it remains at the "switch" level.
Instead, how can I route the traffic through the firewall?
192.168.0.5 --> 192.168.0.254 (Firewall interface) --> 192.168.0.6
In this way the traffic must pass through the firewall, and so I have full control of the packets and can apply a policy control rule.
Thank you so much
Best Regards,
Valerio
13 Replies
- schumaku (Guru - Experienced User)
The firewall can only step in on connections or sessions between *different* IP subnets, or between different zones.
M4v3r1cK87 wrote:
    192.168.0.5 --> 192.168.0.6 directly
    In this way the traffic is bypassing the firewall, because it remains at the "switch" level
Yes, these two addresses are very likely in the same IP subnet and therefore in the same zone, so the behaviour is intentional.
Why oh why should a correctly working L2 switch send this traffic through the firewall, when everything is in the same IP subnet?
Some firewall systems can be configured as a transparent firewall, also known as a bridge firewall: a Layer 2 application that installs easily into an existing network without modifying the Internet Protocol (IP) addressing. The transparent firewall is not a routed hop but instead acts as a bridge, inspecting and moving network frames between interfaces.
Needless to say, this traffic must flow directly through this bridge, i.e. the firewall.
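Added illustration of the point made in the reply above (example code written for this edit, not code from the thread, from the firewall vendor or from NETGEAR): a small Python model of the host's forwarding decision plus the MS108TUP's MAC/VLAN lookup, using the addresses, zones and port roles from the opening post. The MAC addresses, the assumption that the RPI hangs off access port MG3 with PVID 20, and the 192.168.1.10 host in Zone LAN are constructed for the example. It shows that a tablet at 192.168.0.5 sending to 192.168.0.6 resolves the RPI's MAC directly and the frame leaves the switch toward the RPI, never toward MG1, whereas a destination in another subnet is handed to 192.168.0.254 and therefore goes out MG1 to the firewall.

```python
"""Why the MS108TUP never hands intra-VLAN traffic to the firewall.

A host sends a packet to its router only when the destination lies outside
its own subnet. Inside the subnet it ARPs for the peer's MAC and the switch
delivers the frame by (VLAN, MAC) lookup; the firewall's port is not on the
path. Topology, addresses and port roles follow the thread; MACs, the RPI's
port (MG3, PVID 20) and the Zone LAN host are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    mac: str
    iface: ipaddress.IPv4Interface   # address with prefix, e.g. 192.168.0.5/24
    gateway: ipaddress.IPv4Address   # default router for off-link traffic
    vlan: int                        # VLAN the host's frames carry on the switch
    port: str                        # switch port the frames enter on


# Switch VLAN membership as posted: MG1/MG2 tagged trunks, MG3-MG8 untagged.
# Assumption: the RPI's access port MG3 has PVID 20.
PORT_VLANS = {
    "MG1": {1, 10, 20, 100},   # firewall uplink (tagged)
    "MG2": {1, 10, 20, 100},   # access point uplink (tagged)
    "MG3": {20},               # untagged access port, PVID 20 (assumed)
}

TABLET = Host("tablet", "aa:aa:aa:00:00:05",
              ipaddress.IPv4Interface("192.168.0.5/24"),
              ipaddress.IPv4Address("192.168.0.254"), vlan=20, port="MG2")
RPI = Host("RPI", "aa:aa:aa:00:00:06",
           ipaddress.IPv4Interface("192.168.0.6/24"),
           ipaddress.IPv4Address("192.168.0.254"), vlan=20, port="MG3")
# The firewall's VLAN 20 interface (Zone DomoDevicesVLAN) sits behind MG1.
FIREWALL_VLAN20 = Host("firewall", "ff:ff:00:00:00:14",
                       ipaddress.IPv4Interface("192.168.0.254/24"),
                       ipaddress.IPv4Address("192.168.0.254"), vlan=20, port="MG1")

HOSTS = [TABLET, RPI, FIREWALL_VLAN20]


def arp_target(host: Host, dst: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
    """Host-side decision: an on-link destination is resolved directly,
    anything else is sent to the default gateway."""
    return dst if dst in host.iface.network else host.gateway


def learned_mac_table(hosts):
    """(vlan, mac) -> port, as the switch learns from the source MAC of frames."""
    return {(h.vlan, h.mac): h.port for h in hosts}


def switch_forward(mac_table, in_port, vlan, dst_mac):
    """Return egress ports: a known unicast leaves one port; an unknown
    unicast floods every other member port of that VLAN. A frame whose VLAN
    is not allowed on the ingress port is dropped."""
    if vlan not in PORT_VLANS[in_port]:
        return []
    out = mac_table.get((vlan, dst_mac))
    if out is not None:
        return [] if out == in_port else [out]
    return sorted(p for p, v in PORT_VLANS.items() if p != in_port and vlan in v)


def trace(src: Host, dst_ip: str, hosts=HOSTS):
    """Follow one packet from src toward dst_ip through the switch and report
    which device is the first to receive it at layer 3."""
    dst = ipaddress.IPv4Address(dst_ip)
    l2_target_ip = arp_target(src, dst)
    by_ip = {h.iface.ip: h for h in hosts if h.vlan == src.vlan}
    target = by_ip.get(l2_target_ip)
    if target is None:
        return {"arp_target": str(l2_target_ip), "egress": [], "receiver": None}
    egress = switch_forward(learned_mac_table(hosts), src.port, src.vlan, target.mac)
    return {"arp_target": str(l2_target_ip), "egress": egress, "receiver": target.name}


if __name__ == "__main__":
    # Same subnet: tablet -> MS108TUP -> MG3 -> RPI; the firewall is not on the path.
    print(trace(TABLET, "192.168.0.6"))
    # Other subnet (Zone LAN): tablet -> MS108TUP -> MG1 -> firewall, which can filter.
    print(trace(TABLET, "192.168.1.10"))
```

The firewall rule the opening post describes can only match packets that arrive at the 192.168.0.254 interface; in the first trace no such packet exists, because the tablet never addresses the gateway. Making the tablet and the RPI members of different subnets (and VLANs) is what changes the `arp_target` result, and with it the egress port.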
- M4v3r1cK87 (Aspirant)
Hi schumaku
I've configured the interface of the firewall as "VLAN" (not bridge); in this way the firewall creates a new network with its own DHCP server and subnet.
I think that everything passes through the firewall, because it is the firewall that "generates" the VLAN.
So, if the devices take their IP from the firewall, why does the traffic not pass through it also "intra-VLAN"?
- schumaku (Guru - Experienced User)
M4v3r1cK87 wrote:
    I've configured the interface of the firewall as "VLAN" (not bridge); in this way the firewall creates a new network with its own DHCP server and subnet.
    I think that everything passes through the firewall, because it is the firewall that "generates" the VLAN.
Two VLANs, and both are in the same IP subnet - reads like an illegal config for your unknown firewall (make, model, firmware), or in fact for any common router in general.
Such a firewall should not accept such a configuration - regardless of a device with a security zone concept like e.g. a ZyXEL - it can't deal with it, since at the end of the day it's a router and it can and will work as a basic router. So two IP networks with the same subnet and address range will never work...
- M4v3r1cK87 (Aspirant)
I cannot upload a screenshot, I do not know why.
But for the firewall interfaces I have:
Zone DomoDevicesVLAN - 192.168.0.254/255.255.255.0 - VLAN ID 20
Zone LAN - 192.168.1.1/255.255.255.0 - (NO VLAN)
Zone MGMT - 192.168.2.1/255.255.255.0 - VLAN ID 1
Zone WLANGuest - 192.168.100.1/255.255.255.0 - VLAN 100
Zone MainWLAN - 192.168.10.1/255.255.255.0 - VLAN 10
For the MS108TUP VLAN Switch:
MG1 - Tag Only - VLAN 1, 10, 20, 100 - TAG on port MG1/MG2
MG2 - Tag Only - VLAN 1, 10, 20, 100 - TAG on port MG1/MG2
MG3 --> MG8 - Untag Only - (PVID VLAN) - NO TAG