
How to block traffic between other ports but Internet access point using FS750T2

MPS82
Aspirant

How to block traffic between other ports but Internet access point using FS750T2

Hi,

I'm new to network stuff and I hope someone could help me out with this problem:

I have several apartments and one Internet access point (VPN gateway) connected to a 48 port switch. There is an end device in each apartment and I need to make them inaccessible/invisible from other apartments to avoid any unauthorized modifications or sabotage.

How do I configure the switch so that there is no access from one apartment to another but each apartment has connection to Internet/gateway? The switch seems to be configured so that VLAN covers all the ports by default. What happens if I delete this VLAN?

Model: FS750T2|ProSAFE 48-port 10/100 Smart Switch with 2 Gigabit ports
Message 1 of 9

All Replies
Hopchen
Prodigy

Re: How to block traffic between other ports but Internet access point using FS750T2

Hi @MPS82

To separate devices in the way that you want, you will need to use VLANs. It is the only proper way to do this. Each "department" in its own VLAN.

However, you will have a problem in that these VLANs need to be routed to the Internet as well. This switch cannot do that as it is only a layer 2 switch. It can do the VLAN part, but not the routing part. It is fine as long as your router/gateway can though. Is your router/gateway VLAN aware?

Cheers

Message 2 of 9
MPS82
Aspirant

Re: How to block traffic between other ports but Internet access point using FS750T2

Hi,

Thank you for the comment! This was helpful. I will check with the supplier if my gateway is VLAN aware.

Message 3 of 9
Hopchen
Prodigy

Re: How to block traffic between other ports but Internet access point using FS750T2

No problem. Any questions - let us know 🙂

Message 4 of 9
hokie21
Tutor

Re: How to block traffic between other ports but Internet access point using FS750T2

This can be done with MAC ACLs. The switch will prevent traffic flow between the customer ports, but allows all traffic to the Internet (router) port. You don't need to set up VLANs.

Make a MAC rule with ID=1, action permit, assign queue=0, redirect interface= the port connected to your router, match every=false. Source and destination MAC and mask should be set to FF:FF:FF:FF:FF:FF.

Go into "MAC binding configuration" and set ACL ID to the name of the ACL you made above. Click the ports that are part of this special configuration.

Save it all and test. I checked it on my 724Tv2 just now and it works fine.

Message 5 of 9
Hopchen
Prodigy

Re: How to block traffic between other ports but Internet access point using FS750T2

Hi @hokie21

Thanks for your input, and I see your point. Essentially redirect all traffic to the router, from each port. This would actually work as well, but there is a potential problem.

The reason this works is because ARP requests cannot be resolved between the devices in the LAN, as everything is redirected to the uplink port. Thus all ARPs are redirected to the uplink as well, but they will be discarded by the router as the router won't forward broadcast down the same link. It just means that no LAN device can communicate because ARPs cannot be resolved. However, Internet still works as all devices can communicate with the router.

Two problems with the ACL setup:

  1. It is not as secure as VLANs because the only reason LAN devices cannot communicate is because ARPs cannot be resolved. But, if I add static entries to the ARP tables of the end devices, then they can communicate. If security is key, use VLANs.
  2. If OP ever wanted to add another shared device to the network - such as a printer, NAS, etc., that would be a problem as well!

Maybe I should have been clearer, in my wording, originally. I still stand by the fact that to do it properly, you use VLANs.

Cheers 🙂

Message 6 of 9
hokie21
Tutor

Re: How to block traffic between other ports but Internet access point using FS750T2

I tried adding static ARP entries into the PCs' ARP tables and still was not able to get the different PCs to communicate. It is true I can see ARP requests from other PCs, but if all replies from all ports are redirected to the Internet router port, how is it possible to actually communicate from one switch port to another if the MAC and IP addresses of endpoints are known? Isn't the switch now forcing all traffic that would normally be routed to another switch port for a PC to be forced to the router port only?

Message 7 of 9
Hopchen
Prodigy

Re: How to block traffic between other ports but Internet access point using FS750T2

Hi @hokie21

"Isn't the switch now forcing all traffic that would normally be routed to another switch port for a PC to be forced to the router port only?"

Yes, but only in one direction - from clients to router. Your ACL is inbound and only bound on client ports 🙂 So, unicast traffic will only really take a detour. You are not actually blocking anything with these ACLs - as you know.

Example (given that ARP tables and address tables are known and populated):

- PC A (port 1) and PC B (port 2).

- PC A sends ping to PC B --> Ping is forced up to the router (due to the ACL) and arrives at the router.

- Router's LAN ports are a switch, essentially. Given a populated address table, the router looks at the destination MAC address of the frame and determines to send the frame (back) to the switch. No ACL is stopping that action.

- The frame arrives at the switch and the switch will look in its address table and send it to PC B (port 2). There is nothing stopping or redirecting the traffic in that direction.

I am not testing this, I am just "deducing" here. I might give it a test later.

But even so... how would you solve the problem of say, OP wants to add a shared device? Maybe a printer or a NAS or something else? That will be a big problem. Even if you find a work-around, it would still make more sense to use VLANs + ACLs for pure scalability. VLANs are the standard method for segmenting networks and for good reason. It scales incredibly well. More effort in the beginning, better management and less effort once implemented.

Your method is really good in certain scenarios - absolutely! And maybe OP finds it easier to implement. It is always good to have options.

Cheers

Message 8 of 9
Hopchen
Prodigy

Re: How to block traffic between other ports but Internet access point using FS750T2

Just to add... I played around with it in the lab.

You are right @hokie21, it actually works as noticed in your tests - even with static ARP entries. No communication is happening between the two PCs. It must be because the router won't allow even a unicast to be sent back from where it came - i.e. the packets are likely discarded by the router.

So, that is really interesting!

Still though - that solution won't scale at all, compared to VLANs 🙂

Cheers

Message 9 of 9
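As an added illustration (not NETGEAR's code and not posted by anyone in this thread), here is a small Python model of the switch-side forwarding decisions debated above: the factory single VLAN, per-apartment VLANs with a tagged uplink to a VLAN-aware router, and hokie21's inbound MAC ACL redirect. Port 48 as the router port, the VLAN numbering and the MAC addresses are assumptions.

```python
BCAST = "ff:ff:ff:ff:ff:ff"
UPLINK = 48                 # assumed: port 48 faces the Internet gateway
CLIENT_PORTS = range(1, UPLINK)

class Switch:
    """Constructed model of a layer-2 smart switch: VLAN membership, source learning, ACL redirect."""
    def __init__(self, pvid, members, redirect=None):
        self.pvid = pvid                  # port -> VLAN applied to untagged ingress frames
        self.members = members            # VLAN -> set of ports that carry that VLAN
        self.redirect = redirect or {}    # ingress port -> forced egress port (MAC ACL "redirect interface")
        self.table = {}                   # (VLAN, MAC) -> port, learned from source addresses

    def forward(self, in_port, src, dst, tag=None):
        """Return the set of egress ports for one frame; tag is the 802.1Q VLAN on a trunk, else the PVID."""
        vlan = self.pvid[in_port] if tag is None else tag
        if in_port not in self.members.get(vlan, ()):
            return set()                  # ingress filtering: port is not a member of that VLAN
        self.table[(vlan, src)] = in_port # source learning happens before any ACL action
        if in_port in self.redirect:      # the redirect rule replaces the destination lookup
            return {self.redirect[in_port]}
        out = self.table.get((vlan, dst))
        if dst == BCAST or out is None:   # broadcast / unknown unicast: flood within the VLAN only
            return self.members[vlan] - {in_port}
        return {out} - {in_port}

def factory_default():
    """One VLAN covering all 48 ports, as the OP found the switch."""
    ports = set(range(1, UPLINK + 1))
    return Switch({p: 1 for p in ports}, {1: ports})

def per_apartment_vlans():
    """Each client port untagged in its own VLAN (10 + port); the uplink is a tagged member of all of them."""
    pvid = {p: 10 + p for p in CLIENT_PORTS}
    pvid[UPLINK] = 1
    members = {10 + p: {p, UPLINK} for p in CLIENT_PORTS}
    members[1] = {UPLINK}
    return Switch(pvid, members)

def mac_acl_redirect():
    """hokie21's rule: match everything inbound on each client port and redirect it to the router port."""
    sw = factory_default()
    sw.redirect = {p: UPLINK for p in CLIENT_PORTS}
    return sw

def arp_exchange(sw, a_port, a_mac, b_port, b_mac):
    """Does A's ARP broadcast reach B, and does B's unicast reply come back to A's port?"""
    if b_port not in sw.forward(a_port, a_mac, BCAST):
        return False
    return a_port in sw.forward(b_port, b_mac, a_mac)
```

The model stops at the switch: with the ACL, a frame for a neighbouring apartment still leaves on the router port, and whether it comes back depends on the router (the point settled in the lab post above), whereas with per-apartment VLANs the frame never reaches the other apartment's VLAN at all.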