CrimpOn
Mar 27, 2025 | Guru - Experienced User
VLAN Puzzle
I would appreciate assistance diagnosing a VLAN problem. Now that many homes have Ethernet cables installed from most rooms to a central patch panel, some users find that the patch panel is not a gre...
CrimpOn
Apr 24, 2025 | Guru - Experienced User
The VLAN Puzzle arose because of an attempt to use a single Ethernet cable to connect an Orbi router to both the Internet source (WAN) and the local network (LAN). The obvious solution is to install a second Ethernet cable, which is not always practical (or inexpensive). A pair of inexpensive Smart switches can create one VLAN for the WAN to ISP traffic and a second VLAN for the LAN to local network traffic, with a "tagged" port on each switch keeping the traffic separated as it passes between the router and the central wiring hub.
This also addresses a problem many users have when they put an Orbi router into "access point" (AP) mode and have only a single cable from the router to the central network location. Orbi routers expect that satellites will be connected either over WiFi or to the router LAN ports. Satellites will never be connected to the WAN interface.
Everything works great unless (a) satellites are 'wired' to the router, and (b) the Guest WiFi network is enabled. The puzzle was to determine why the Guest network fails.
It turns out that an Orbi 750 satellite connected to an Orbi 750 router using a "managed" Ethernet switch does not support devices connecting to the Guest WiFi network because Netgear uses two types of Ethernet frames on the same Ethernet ports:
- Ordinary Ethernet frames carry communication between the router and satellite and any devices 'wired' to them or connected to the primary WiFi network.
- Frames tagged with VLAN 4093 carry communication between:
  - The 5G WiFi ports on the router and satellite, and
  - Any devices connected to the Guest WiFi network on the satellite.
Generic Smart Switches (i.e. "managed") from Netgear, TP-Link (and probably other companies) support two types of VLAN:
- Port Based VLAN. Any frame arriving at a port is "tagged" with the VLAN designated for that port and keeps that tag as long as it is within the smart switch architecture. Using internal MAC address tables, the switch determines which port the frame should be sent out of. If that port is also a Port Based VLAN, then the VLAN tag is stripped from the frame.
- 802.1Q Tagged VLAN. If a port is "tagged", then the frame is sent out with the VLAN tag intact. It goes to the next switch, and the process repeats.
I used Wireshark and a network tap to capture the traffic between an RBR750 and RBS750. The instant they are physically connected, they begin sending ieee1905 topology notification messages.
https://en.wikipedia.org/wiki/IEEE_1905
- Messages from the hardware MAC address of the router LAN port have no VLAN tag.
- Messages from the hardware MAC address of the router 5G WiFi port have VLAN Tag 4093.
When the satellite responds with ieee1905 topology information:
- Messages with the hardware MAC address of the satellite LAN port have no VLAN tag.
- Messages with the hardware MAC address of the satellite 5G WiFi port have VLAN tag 4093.
So, all we need to do is tell this pair of Smart switches:
- If a frame comes in from the router/switch LAN port with no VLAN tag, temporarily assign a tag to it (maybe "3") so that it can find its way to the tagged port leading to the other switch. When it gets to the other switch, find the correct port and output the frame with no tag.
- If a frame comes in with VLAN tag 4093, send it to the tagged port to the other switch. When it gets to the other switch, send it to the right port and send it out, keeping the VLAN tag on it.
I can find NO 802.1Q VLAN setting to make this happen.
schumaku
Apr 24, 2025 | Guru - Experienced User
Why on earth yet another new thread? Please merge accordingly!
CrimpOn wrote:
So, all we need to do is tell this pair of Smart switches:
- If a frame comes in from the router/switch LAN port with no VLAN tag, temporarily assign a tag to it (maybe "3") so that it can find its way to the tagged port leading to the other switch. When it gets to the other switch, find the correct port and output the frame with no tag.
- If a frame comes in with VLAN tag 4093, send it to the tagged port to the other switch. When it gets to the other switch, send it to the right port and send it out, keeping the VLAN tag on it.
I can find NO 802.1Q VLAN setting to make this happen.
This quoted section only? This is exactly my proposal from before! So I try again...
Simple:
As per your example, define the port where the untagged frames are coming in (the Orbi router facing one, same for the switch2switch connection trunk link) to work on VLAN 3: Make it [U]ntagged and VLAN 3, PVID 3. (the switch will assign these frames into the VLAN 3). Add additional [T]agged ports needed - so this port becomes a trunk, plain Ethernet for VLAN 3, plus all the other VLANs
On the Orbi satellite end same story:
Make it [U]ntagged and VLAN 3, PVID 3. (the switch will assign these frames into the VLAN 3). Add additional [T]agged ports needed - so this port becomes a trunk, plain Ethernet for VLAN 3, plus all the other VLANs
Voila, here is your trunk connection.
When it comes to IEEE1905, only IEEE1905 compliant devices can communicate. IEEE 1905 can establish dedicated control channels and actions, reconfiguring things. This might include the ability to "generate" not only plain Ethernet connections, but also tagged connections.
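The [U]/[T]/PVID port behaviour proposed above, modelled as an added example (not code from the thread or from any switch vendor). It follows generic 802.1Q ingress and egress rules and shows untagged and VLAN 4093 frames crossing two switches unchanged while the WAN VLAN stays isolated; VLAN 10 for the WAN link, the port names and the source MAC are assumptions.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier

def vlan_of(frame):
    """VLAN ID carried in a raw Ethernet frame, or None if it has no 802.1Q tag."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID else None

def set_tag(frame, vid):
    """Copy of frame carrying VLAN tag vid; vid=None strips any existing tag."""
    body = frame[12:] if vlan_of(frame) is None else frame[16:]
    tag = b"" if vid is None else struct.pack("!HH", TPID, vid)
    return frame[:12] + tag + body

class Switch:
    def __init__(self, ports):
        self.ports = ports  # {port: (pvid, {vid: "U" or "T"})}

    def forward(self, in_port, frame):
        """Flood frame inside its VLAN; returns {egress_port: bytes_on_wire}."""
        pvid, member = self.ports[in_port]
        vid = vlan_of(frame)
        if vid in (None, 0):          # untagged or priority-tagged: classify by PVID
            vid = pvid
        if vid not in member:         # ingress filtering: port is not in that VLAN
            return {}
        return {name: set_tag(frame, vid if m[vid] == "T" else None)
                for name, (_, m) in self.ports.items()
                if name != in_port and vid in m}

# Constructed layout. VLAN 3 and 4093 come from the thread; VLAN 10 for the
# WAN-to-ISP link and all port names are assumptions made for this example.
HYBRID = (3, {3: "U", 4093: "T"})            # untagged VLAN 3 + tagged 4093
TRUNK = (3, {3: "U", 4093: "T", 10: "T"})    # switch-to-switch link
WAN = (10, {10: "U"})                        # isolated WAN-to-ISP access port
SW_ROUTER = Switch({"router_lan": HYBRID, "router_wan": WAN, "trunk": TRUNK})
SW_HUB = Switch({"satellite": HYBRID, "isp": WAN, "trunk": TRUNK})

def router_to_hub(in_port, frame):
    """Send a frame into the router-side switch and across the trunk to the hub."""
    on_trunk = SW_ROUTER.forward(in_port, frame).get("trunk")
    return SW_HUB.forward("trunk", on_trunk) if on_trunk else {}

# Constructed frame: broadcast dst, made-up src MAC, IEEE 1905.1 EtherType 0x893A.
UNTAGGED = b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x89\x3a" + bytes(46)
GUEST = set_tag(UNTAGGED, 4093)
```

In this model `router_to_hub("router_lan", UNTAGGED)` and `router_to_hub("router_lan", GUEST)` each deliver the frame only to the satellite port, byte for byte as it went in, and a frame entering on `router_wan` only ever leaves at `isp`.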
- FURRYe38 | Apr 24, 2025 | Guru - Experienced User
"Simple:
As per your example, define the port where the untagged frames are coming in (the Orbi router facing one, same for the switch2switch connection trunk link) to work on VLAN 3: Make it [U]ntagged and VLAN 3, PVID 3. (the switch will assign these frames into the VLAN 3). Add additional [T]agged ports needed - so this port becomes a trunk, plain Ethernet for VLAN 3, plus all the other VLANs
On the Orbi satellite end same story:
Make it [U]ntagged and VLAN 3, PVID 3. (the switch will assign these frames into the VLAN 3). Add additional [T]agged ports needed - so this port becomes a trunk, plain Ethernet for VLAN 3, plus all the other VLANs"
So with this configuration, I presume this can be all configured on 1 switch in between the RBR and RBS and avoid the use of two switches and the extra LAN cable?
- CrimpOn | Apr 24, 2025 | Guru - Experienced User
Appreciate the patience. (I REALLY do.)
Now, to the mechanics to make this happen.
- The WAN-ISP link must be separate from all other traffic. No broadcast packets (like DHCP requests) from network devices hitting the ISP except for the router itself.
- The switch port connected to the router LAN port must accept both untagged frames and VLAN 4093 tagged frames. Untagged frames addressed to other devices have to go through the switch and come out the correct port. Both untagged and tagged frames addressed to the satellite (or a device connected to the satellite) must go through the switch and come out the same way they came in (untagged and VLAN 4093 tagged).
- Likewise, both untagged and VLAN 4093 frames sent from the satellite to the router must come out this port the same way they went in. (some untagged. some VLAN 4093 tagged.)
- This is the setting I cannot find.
- This would seem to indicate that the ports connecting both switches must be 802.1Q tagged. (otherwise, broadcast and multicast frames would go 'everywhere') But, that means that both switches must be set up as 802.1Q VLAN. Not "Port Based" VLAN.
Here is the design
- FURRYe38 | Apr 24, 2025 | Guru - Experienced User
Your theory seems to lead to something I've thought about. GN is isolated from the main LAN and I believe tied directly to the WAN port for internet resources. I presume it may not be behind any firewall layer either.
How you have this laid out has the RBS at the 1st switch with the ISP services on same switch. Seems to have some credence on getting around the GN isolation barrier when in normal configuration modes.