This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
I have the SXK80 for my home since I really wanted the VLAN feature set and especially network isolation between my main LAN and IoT.
I know in the settings I can disable network isolation completely for all devices. I was just wondering though if this could be done for a client/s.
My use case which a lot of people probably run into is I keep my phone on the main LAN. Since I do this there is a small delay in IoT updates and commands since everything must go to the cloud and back down into my IoT VLAN. If my phone is on the IoT VLAN everything is nice and snappy. It's not a huge deal but I would love to know if I could take the cloud out of the equation and open up a cross VLAN path for bidirectional traffic for my phone.
@BruceGuo it's actually pretty amazing. From my tests, I can keep network isolation on for the source vlan and access still works. Further, the gateway is doing single direction resolution. In the past, I've tried to use the avahi gateway but ran into issues with it essentially echoing back to hosts their own name which causes Apple produces to change their name to "some device (123)" and on macOS display a dialogue about the name being taken. This resolves that.
So, it looks like the gateway is discovering devices according to the Shared Service Type, creates iptables prererouting/redirect rules, and then relaying the broadcast? This is far better than what was done before and I'm impressed.
The only thing I'd ask to change is that the dropdown for services is someone restrictive. AFP is dying, AirPlay and Chromecast are good as are scanners and printing, but there should be a middle ground before hitting "All Services". For example, HomeKit is missing which is probably the second most used behind AirPlay/Chromecast. I would suggest giving people a custom option to add something like "_scanner._tcp", "_sonos._tcp", or whatever else.
Anyways, tomorrow I'll finally move my IoT devices off to their own VLAN and begin long term testing.
IIRC, this was discussed here a few months back. In order to do this, mDNS support is required. Apparently a beta was created that included mDNS support, but it was never actually included in a production build.
Should anyone care, I would also like this facility.
Is it possible to downgrade to the beta from V3.3.0.122? Will this be updated in the future? I just got my setup this week and didn't realize what a pain this would be without it and this is deciding whether I ship back and go with another system.
While I was waiting for a reply, I setup a raspberry pi on the default LAN with two VLAN entries for 20 and 30 and enabled the avahi reflector which allows a similar functionality. This is great but now the IoT devices can now see devices on 1 and 20.
Does this beta do bidirectional replication as the default configuration in avahi or something more similar to the bonjour-reflector which allows for one way resolution?
I haven’t had time to flash my units yet to test but that might be something to consider in future updates if it hasn’t been done.
@BruceGuo it's actually pretty amazing. From my tests, I can keep network isolation on for the source vlan and access still works. Further, the gateway is doing single direction resolution. In the past, I've tried to use the avahi gateway but ran into issues with it essentially echoing back to hosts their own name which causes Apple produces to change their name to "some device (123)" and on macOS display a dialogue about the name being taken. This resolves that.
So, it looks like the gateway is discovering devices according to the Shared Service Type, creates iptables prererouting/redirect rules, and then relaying the broadcast? This is far better than what was done before and I'm impressed.
The only thing I'd ask to change is that the dropdown for services is someone restrictive. AFP is dying, AirPlay and Chromecast are good as are scanners and printing, but there should be a middle ground before hitting "All Services". For example, HomeKit is missing which is probably the second most used behind AirPlay/Chromecast. I would suggest giving people a custom option to add something like "_scanner._tcp", "_sonos._tcp", or whatever else.
Anyways, tomorrow I'll finally move my IoT devices off to their own VLAN and begin long term testing.
I also wanted to have the ability to use my phone to connect to IoT devices so I installed the beta firmware V4.2.1.106 on my SXR30/SXS30 and it seems to work. The exact steps to enable it were a bit hard to figure out though.
My network setup:
1(Default)
Desktop PC
20(Employee) - Network Isolation
30(Iot) - Network Isolation. I previously had Client Isolation on, but it prevents this feature from working. Makes sense.
Chromecast Ultra
LG WebOS TV
40(Guest) - Client & Network Isolation
10(Personal) - Network Isolation
Android Phone
So In the web interface > Advanced > Advanced Setup > mDNS Gateway, I enabled mDNS Gateway and added the following policies:
Policy 1, All Services, Source VLAN 1, Destination VLAN 30
I don't know if all of these policies were necessary, but rebooting the router and the devices takes a very long time to test so I didn't mess around too much with it.
Going with this configuration and rebooting the router and the Chromecast, reconnecting etc., now my phone and desktop PC are able to cast to the Chromecast. My LG ThinQ app on my phone can't connect to the TV, but I guess that is not supported. If this is possible in the future, I would appreciate it. I tried pinging devices from across each VLAN and they seem to be isolated properly on the network.
My only feedback, was that it was hard to get working without knowing what I should do. At one point I thought I had to disable network isolation on the Iot network to get it working, and that I needed another VLAN to separate my devices since 1(Default) does not have network isolation. Also it would be nice if the mDNS Gateway page would populate itself with devices it detected on the network (not sure if this is possible) so you can just enable a policy rather than writing it yourself.
