Reply

Re: RDP over Difrerent VLAN issueddd

NemoNeil
Luminary

RDP over Difrerent VLAN issue

I have SXK80 with 2 Sattelites

 

my configuration is as follows regarding VLAN:

 

Computer A is on VLAN "O20" with Client Isolation Enabled and Network Isolation Enabled
Computer B is on VLAN "O30" with Client Isolation Disabled and Network Isolation Diabled

 

Why can i not RDP from Computer B to Computer A?

 

I thought having network isolation off on VLAN O30 would mean that it can talk to other VLANs?

 

I also tried as a test disabling the Network Isolation on VLAN 020 and still cannot RDP

 

Any help or guidance appreciated

thanks

Message 1 of 10
BruceGuo
NETGEAR Expert

Re: RDP over Difrerent VLAN issue

Can you ping? I want to know when RDP is failed, does "ping" fail as well.

Message 2 of 10
NemoNeil
Luminary

Re: RDP over Difrerent VLAN issue

Hey Bruce

 

I cannot Ping the machine

 

Heres simplified setup:

 

Port 1 = Connected to ISP Modem = VLAN ID 1 (Trunk Mode)
Port 2 = Connected to an unmanaged 4 port Switch = VLAN ID 2 (Trunk Mode) 
Port 3 = Connected to PC 1 = VLAN ID 3 (Access Mode) Client Isolation=On Network Isolation=On
Port 4 = Connected to PC 2 = VLAN ID 4 (Access Mode) Client Isolation=Off Network Isolation=Off

 

From PC 2 I want to able to RDP to PC 1. As i understand Network Isolation is off on VLAN 4, so should be able to connect to VLAN 3?

 

I have RDP enabled on PC 1. Not sure what else i can check?

Message 3 of 10
hnagaraju
NETGEAR Expert

Re: RDP over Difrerent VLAN issue

If you have separate VLANs, then you need configure static routes.

In SRK80, the solution will be to enable different wireless on same VLAN and enable client isolation for rest of the devices, with just these two clients allowed to communicate. 

 

We will be adding mDNS gateway that will allow some know protocols to be routed across VLANs.

Please reach out to @BruceGuo  via messaging to get a pre-release firmware if you want to try it out.

 

 

Message 4 of 10
BruceGuo
NETGEAR Expert

Re: RDP over Difrerent VLAN issue

Network isolation means clients under different vlan network cannot talk to each other.

Can you disable network and client isolation in VLAN3? I think the source VLAN and destination VLAN needs to be without any isolation in your case. 

 

Bruce

Message 5 of 10
NemoNeil
Luminary

Re: RDP over Difrerent VLAN issue

Thanks for the reply. 

I wanted VLAN3 to be most secure as its a high risk computer. Hence i enabled client and network Isolation

Yet I wanted computer 2 VLAN4 to have access to computer 3. which i thought turning off network Isolation would grant me this.

 

I thought having Network Isolation on VLAN3 means it cannot communitcate out to other VLANs?

so in a scenario where VLAN3 was compromised, it cannot infect other VLANs.? same goes with Client Isolation, if enabled it cannot infect other client within the same VLAN

 

Having VLAN4 Netowrk Isolation off mean it should be able  to talk to other VLANs in this case VLAN3 

 

Correct me if im wrong.


Thanks

Message 6 of 10
NemoNeil
Luminary

Re: RDP over Difrerent VLAN issue

So having disabled the Cliant Isolation and Netowrk Isolation OFF on VLAN 3 and also on VLAN 4 allows me to RDP between PC 2 to PC 1

 

But doesnt this defeat the purpose of VLAN as now the network communcication between both VLANs are now open?

 

If one VLAN was compromised, the other VLAN surely will get infected?

 

Why can i not only enable RDP ports between the 2 VLANs so not everything is exposed?

 

 

Message 7 of 10
BruceGuo
NETGEAR Expert

Re: RDP over Difrerent VLAN issueddd

I thought having Network Isolation on VLAN3 means it cannot communitcate out to other VLANs?
=> Ans: Yes

 

so in a scenario where VLAN3 was compromised, it cannot infect other VLANs.? same goes with Client Isolation, if enabled it cannot infect other client within the same VLAN
=> Ans: Yes

 

Having VLAN4 Netowrk Isolation off mean it should be able to talk to other VLANs in this case VLAN3
=> Ans: No. It means other VLANs can talk to VLAN4


So having disabled the Cliant Isolation and Netowrk Isolation OFF on VLAN 3 and also on VLAN 4 allows me to RDP between PC 2 to PC 1. But doesnt this defeat the purpose of VLAN as now the network communcication between both VLANs are now open?
If one VLAN was compromised, the other VLAN surely will get infected?
=> Ans: Let me explain more. The desing of VLAN is to separate broadcast domain. Layer 2 packets will be only active in within a VLAN. So, if a PC is comprised and then it is flooding,
other VLANs would not be impacted. But, it doens't prevent layer 3 attacks. The infected PC can still communicate across VLANs via https, smtp, etc. The design of network isolation enhances the security. It "compeletely" isolates inter-VLAN traffic.

 

Why can i not only enable RDP ports between the 2 VLANs so not everything is exposed?
=> Ans: we don't have this feature now. The design will be more complicated. The can be future work and will forward to PLM to decide when we can implement it.

Message 8 of 10
NemoNeil
Luminary

Re: RDP over Difrerent VLAN issueddd

Hi @BruceGuo 

 

Thanks for the explanations and gives a good understanding around how the Orbi Network Isolation works

 

I would be really intrested in seeing inter-vlan integration. being a £1k device, its very similar to my previous home user router which was around £100 and yes the Orbi has some nice advantages, but not feature rich which im still yet to see. comparing to somthing like Asus home router  which has a whole vast of settings, i would expect this to be better. Performance wise i cant fault the Orbi, but really like to see what more can the Orbi offer.

 

Is there a beta version of firmware to be released with other tweaks and enhancements? when do major firmware updates are released?

 

Thanks

 

Message 9 of 10
hnagaraju
NETGEAR Expert

Re: RDP over Difrerent VLAN issueddd

We have been releasing almost every 3 months for SXK80 with some new features and some enhancements to existing features.

 

If you need new features implemented. Please post it here and you can cross link to other threads too.

 

https://community.netgear.com/t5/Idea-Exchange-For-Business/idb-p/idea-exchange-for-business

 

Getting UpVotes to new ideas on this forum will catch the eyes of  the PLMs.  

Please keep your ideas coming in. cross vote for other people ideas that will help general deployments.

 

Thank you,

Engineer.

 

  

Message 10 of 10
Top Contributors
Discussion stats
  • 9 replies
  • 1527 views
  • 3 kudos
  • 3 in conversation
Announcements