Configuring static route

It just dawned on me--why not create a 5th vlan and put your 'Internet of things' in there? Then you can simply allow intervlan communication between all the other the vlans you want.

SamirD wrote:
It just dawned on me--why not create a 5th vlan and put your 'Internet of things' in there? Then you can simply allow intervlan communication between all the other the vlans you want.

Have you tried to control access between VLANs - based on my looking at the interface and my discussions with tech support, once you enable interVLAN routing you have no further control.

It MAY be possible to disable interVLAN routing on a specific VLAN, but I have not tested this. I do have a new 318N still in shrinkwrap I'll break out when I have the time, but that's not going to happen this week.

On the other hand - you CAN set DMZ/LAN rules - so it should be possible to prevent access from the IOT on a DMZ to any or all of the VLANs.

fordem wrote:

Have you tried to control access between VLANs - based on my looking at the interface and my discussions with tech support, once you enable interVLAN routing you have no further control. It MAY be possible to disable interVLAN routing on a specific VLAN, but I have not tested this. I do have a new 318N still in shrinkwrap I'll break out when I have the time, but that's not going to happen this week. On the other hand - you CAN set DMZ/LAN rules - so it should be possible to prevent access from the IOT on a DMZ to any or all of the VLANs.

You're right that it is all or nothing on intervlan routing.

However, you can choose which vlans are in allowed to do intervlan, so you can exclude a single vlan if you want. Hence what I was thinking by putting all the IOT devcies in its own vlan with intervlan disabled.

Ok, so this is something I wasn't clear on; for interVLAN routing to work, does it have to be enabled on each of the VLANs that will talk to each other? For instance, if I have: VLAN1 - interVLAN routing = ENABLED VLAN2 - interVLAN routing = ENABLED VLAN3 - interVLAN routing = DISABLED VLAN4 - interVLAN routing = ENABLED Does this allow interVLAN sharing of devices on VLAN1 with VLANS2 & 4 but not to VLAN3 and do I still need to set up static routes to the specific devices once enabled or is that implicit when you enable interVLAN routing. Also in doing this is there's no way block traffic between VLANs 2 & 4?

tachyon_pulse wrote:

Ok, so this is something I wasn't clear on; for interVLAN routing to work, does it have to be enabled on each of the VLANs that will talk to each other? For instance, if I have: VLAN1 - interVLAN routing = ENABLED VLAN2 - interVLAN routing = ENABLED VLAN3 - interVLAN routing = DISABLED VLAN4 - interVLAN routing = ENABLED Does this allow interVLAN sharing of devices on VLAN1 with VLANS2 & 4 but not to VLAN3 and do I still need to set up static routes to the specific devices once enabled or is that implicit when you enable interVLAN routing. Also in doing this is there's no way block traffic between VLANs 2 & 4?

So in this example, everything on vlan1,2,4 will see each other. Vlans 2 and 4 will have full access to each other.

Which devices are you referring to for static routes? What vlan are they on?

tachyon_pulse wrote:
Does this allow interVLAN sharing of devices on VLAN1 with VLANS2 & 4 but not to VLAN3 and do I still need to set up static routes to the specific devices once enabled or is that implicit when you enable interVLAN routing. Also in doing this is there's no way block traffic between VLANs 2 & 4?

I have not attempted interVLAN routing with more than two VLANs, so I can't comment on that, but SamirD seems to be saying that you can exclude a single VLAN.

No static routes will be necessary to permit interVLAN routing as the router will automatically configure the routes required for the directly connected networks, and there is presently no way to block/permit specific traffic between the VLANs 2 & 4

Ok, thank you both. For interVLAN routing to work, you must enable it on all the VLANs you want to be able to pass data between. Checking it on a single one does nothing for you (is that correct?)

In another forum I was told that the FVS318N was limited as far as how you can configure (for my needs) and recommended a ZyWALL USG40W-NB and a managed switch with 'private vlan' or 'guest vlan' feature to support my requirement of isolating my wired 'IoT' devices.

Is there similar Netgear equipment?

fordem wrote:
...but SamirD seems to be saying that you can exclude a single VLAN.

Yep, you can. I checked my own 318N Web UI before posting. ;)

tachyon_pulse wrote:

Ok, thank you both. For interVLAN routing to work, you must enable it on all the VLANs you want to be able to pass data between. Checking it on a single one does nothing for you (is that correct?) In another forum I was told that the FVS318N was limited as far as how you can configure (for my needs) and recommended a ZyWALL USG40W-NB and a managed switch with 'private vlan' or 'guest vlan' feature to support my requirement of isolating my wired 'IoT' devices. Is there similar Netgear equipment?

Yes, checking on a single vlan does nothing. I think it is checked by default because I found it checked on my default vlan even though I don't have it checked on any other vlans.

The 318N is quite powerful in it's ability to limit it's attached devices from seeing each other. I'm not sure what your physical wiring is to your IOT devices, but a setting a vlan to a particular port and putting only those devices on that port coupled with disabling intervlan should give you the isolation that you want. I've used that several times for internal testing.

SamirD wrote:
The 318N is quite powerful in it's ability to limit it's attached devices from seeing each other. I'm not sure what your physical wiring is to your IOT devices, but a setting a vlan to a particular port and putting only those devices on that port coupled with disabling intervlan should give you the isolation that you want. I've used that several times for internal testing.

Either I'm not understanding what he wants, or you're not understanding what he wants. Here's what I think he wants - in addition to isolating the IoT VLAN from the rest of the network, he also wants devices on the IoT VLAN isolated from one another. Wireless it can be done, but wired, it will requires a managed switch with a VLAN for every device, so not with the 318N, unless it's a very small number of devices.

fordem wrote:
Either I'm not understanding what he wants, or you're not understanding what he wants. Here's what I think he wants - in addition to isolating the IoT VLAN from the rest of the network, he also wants devices on the IoT VLAN isolated from one another.

haha, I agree. :D

I've asked a few times if the IOT devices would need to be isolated from each other, but don't remember a clear answer. If they don't need to be, then a separate vlan would be great. If they do...I'll have to think about it a bit.