
SRX5308 How to isolate some clients so they have internet only and can't contact peers

GDRitter
Aspirant


We are a small business with an SRX5308.

I have a basic, consumer WiFi router also hooked into it.

What I want to know is if there is a way to configure these so that known work computers on the WiFi can access the LAN but guests can only get to the internet and not our LAN (so they can't get to our servers, for example).

I'm wondering if I did static IPs for all computers and then told it everything within the DHCP IP range were assumed to be guests and not allowed to access network resources, perhaps? Then I can plug the WiFi router in as an AP to just link up to the SRX5308 DHCP server.

I was able to set up separate VLANs so that the WiFi router could get online but couldn't access any network resources at all, but I'm hoping to allow SOME users to get to the network and others not. I guess in theory I could throw a second cheapo router on a different VLAN and have that router be exclusively for guests and not share the password to the other one if I have to.

Is this possible to do somehow?

Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 1 of 7
DaneA
NETGEAR Employee Retired

Re: SRX5308 How to isolate some clients so they have internet only and can't contact peers

Hi GDRitter,

Welcome to the community! 🙂

Setting up VLANs on the SRX5308 is correct in order to separate the guest network from the private network. However, the SRX5308 does not have the option to tag/untag ports. Also, is the WiFi router that you have a VLAN-aware device?

Here is a network setup that I suggest:

[network diagram]

From the network diagram above, the Private VLAN and Guest VLAN should be configured on both the SRX5308 and the GS110TP. As you observe, port 1 of the SRX5308 is connected to port 8 of the GS110TP. Port 8 of the GS110TP should be configured as a tagged port to establish a trunk link between the SRX5308 and the GS110TP. Port 1 of the GS110TP is connected to the LAN port of the WAC730. Port 1 of the GS110TP should also be configured as a tagged port because the WAC730 is a VLAN-aware device. Tagging the ports is needed in order to identify which VLAN the packet belongs to. The ports of the GS110TP connected to the PCs are configured as untagged ports since the PCs are non-VLAN-aware devices. The laptops and PCs are set as members of their respective VLANs.

I recommend the WAC730 access points because you can create a wireless network and dedicate a VLAN to it. For example, create a Guest wireless network that is dedicated to the Guest VLAN. Also, the WAC730 can be powered on through its LAN port. For more information about its specification, check its data sheet here.

I recommend the GS110TP smart switch because it supports VLANs as well as PoE (Power over Ethernet) on all 8 LAN ports. For more information about its specification, check its data sheet here.

Regards,

DaneA
NETGEAR Community Team

Message 2 of 7
GDRitter
Aspirant

Re: SRX5308 How to isolate some clients so they have internet only and can't contact peers

Here's an image of what I tried to set up, but it's not working.

I have two different VLANs. One is our local LAN (VLAN1 / Default) and the new one is intended for internet-only access (VLAN2 / Guests) and won't talk to the other VLAN.

I configured the WiFi router to a static IP through the VLAN2 gateway. If the WiFi router is plugged into a LAN port on the SRX5308 which has VLAN2 set as default for the port, then it works as expected. You get internet access only and can't talk to the other VLAN.

However, if the WiFi router is plugged into a port that has VLAN1 set as default, it can't seem to connect to VLAN2 and give any access at all, even internet access.

I want to set up the WiFi downstairs near a conference room for guests to get good signal and have it be isolated from our regular network. So it will have to travel via our switch to LAN2.

What am I configuring wrong?

[Attachment: netgear wiring for guests.png]

[Attachment: netgear wiring for guests 2.png]

Message 3 of 7
DaneA
NETGEAR Employee Retired

Re: SRX5308 How to isolate some clients so they have internet only and can't contact peers

@GDRitter,

Let me inform you that the WNDR3400 router (even if it's configured as an access point) does not support VLANs. The reason why it works when you connect the WNDR3400 to port 4 of the SRX5308, which is a member of VLAN 2, is because the static IP address set on the WNDR3400 is within the IP range of VLAN 2 configured on the SRX5308. The moment you connect the WNDR3400 to other ports (ports 1-3) of the SRX5308, it will not work because ports 1-3 belong to the default VLAN 1, which has a different IP range.

Pertaining to your current network setup, here are my suggestions:

a. Add another WNDR3400 router configured as an access point and dedicate it only to VLAN 1. Or,

b. Replace the WNDR3400 with an access point wherein you can create a wireless network dedicated to each VLAN. If you choose this option, refer again to my suggested network setup. You could still use your existing GS748T switch for the network setup I suggest. However, since the GS748T doesn't support PoE, I suggest the WN203 access point. Check the WN203 specifications here.

Regards,

DaneA

NETGEAR Community Team

Message 4 of 7
GDRitter
Aspirant

Re: SRX5308 How to isolate some clients so they have internet only and can't contact peers

Thanks so much for your help, Dane.

Could I insert a VLAN-aware switch such as the GSS108E that then has a port-defined VLAN between the GS748T and WNDR3400 to enable what I'm after? I happen to have a GSS108E lying on the shelf and I don't want to spend more $ if I can avoid it.

If not, I'll probably just leave the WNDR3400 on LAN4 of the SRX5308 and guests will have a bit weaker signal strength downstairs.

Thanks again!

Message 5 of 7
DaneA
NETGEAR Employee Retired

Re: SRX5308 How to isolate some clients so they have internet only and can't contact peers

@GDRitter,

If you just want the wireless connections downstairs dedicated only to guests, access and follow the steps in the article below:

How do I set up one or more VLANs between a NETGEAR ProSAFE firewall and a smart switch?

Note: In the article, the SRX5308 and M4100-12G switch are used. You already have an SRX5308 and you can use your existing GS748T in this setup. Also, in the article above, VLAN 1 and VLAN 5 are used as an example. I suggest that you follow all the steps indicated in the article so that we will be at the same pace. The goal here is to have both VLAN 1 (Private) and VLAN 5 (Guest) have internet access but no access to each other's VLAN.

Answer the questions below:

a. Are you able to access the internet when you connect PC1 to port 6 of the GS748T? If you follow the article, port 6 is on VLAN 1 or the Private VLAN.

b. Are you able to access the internet when you connect PC2 to port 11 of the GS748T? If you follow the article, port 11 is the only port on VLAN 5 or the Guest VLAN.

c. From PC1, are you able to get replies when you ping the IP address of PC2?

d. From PC2, are you able to get replies when you ping the IP address of PC1?

Note: If your answers above are (a) Yes, (b) Yes, (c) No, and (d) No, it means that you have really followed the steps from the article. Proceed to the next phase below.

Remember that port 11 is the only port on VLAN 5 (Guest VLAN) which is untagged (U), and the rest of the ports of the GS748T belong to VLAN 1 (Private VLAN). Here are the steps below:

1. Set a static IP address on the WNDR3400 (configured as an access point) that is within the IP range of VLAN 5.

2. Connect the WNDR3400 to port 5 of the GS748T.

3. Connect to the SSID configured on the WNDR3400 and check if you are able to go online wirelessly.

Note: Be reminded that only the Guest VLAN will be able to go online wirelessly.

Let us know the result.

Regards,

DaneA

NETGEAR Community Team

Message 6 of 7
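The PVID behaviour DaneA describes in message 4 (a non-VLAN-aware WNDR3400 only works on a port whose VLAN matches its static IP) and the four-question isolation test in message 6, modelled as an added Python example that is not from the thread or from NETGEAR. The subnets, gateway addresses, the WNDR3400's static IP and the GS748T uplink port number are assumed values; the port-to-VLAN assignments follow what the thread states.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                   # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs this port sends out untagged
    tagged: set = field(default_factory=set)    # VLANs this port sends out tagged (trunk)

    def carries(self, vid):
        return vid in self.untagged or vid in self.tagged

def ingress_vlan(port, frame_vid=None):
    """Untagged frames (all a non-VLAN-aware device such as the WNDR3400 sends) land in the PVID."""
    return port.pvid if frame_vid is None else frame_vid

def can_forward(switch, src_port, dst_port, frame_vid=None):
    """True if a frame entering src_port may leave dst_port (same VLAN membership)."""
    return switch[dst_port].carries(ingress_vlan(switch[src_port], frame_vid))

def gateway_reachable(switch, port, device_ip, gateways):
    """L3 check: the device's static IP must share a subnet with the gateway of the VLAN its frames land in."""
    gw = ipaddress.ip_interface(gateways[ingress_vlan(switch[port])])
    return ipaddress.ip_address(device_ip) in gw.network

# Constructed sample: SRX5308 LAN ports 1-3 untagged on VLAN 1, port 4 untagged on VLAN 2 (as in the thread).
# The subnets, gateway addresses and the WNDR3400's static IP are assumed values.
SRX = {1: Port(1, {1}), 2: Port(1, {1}), 3: Port(1, {1}), 4: Port(2, {2})}
SRX_GW = {1: "192.168.1.1/24", 2: "192.168.2.1/24"}
WNDR_IP = "192.168.2.10"  # inside the VLAN 2 range, as DaneA describes

# Constructed sample: GS748T per the linked article: port 6 untagged on VLAN 1, port 11 untagged on VLAN 5,
# and an assumed uplink on port 1 carrying VLAN 1 untagged and VLAN 5 tagged toward the firewall.
GS748T = {1: Port(1, {1}, {5}), 6: Port(1, {1}), 11: Port(5, {5})}

def thread_results():
    """Reproduce the outcomes discussed in the thread."""
    return {
        "wndr_on_srx_port4": gateway_reachable(SRX, 4, WNDR_IP, SRX_GW),  # works (VLAN 2 port)
        "wndr_on_srx_port1": gateway_reachable(SRX, 1, WNDR_IP, SRX_GW),  # no access (VLAN 1 port)
        "pc1_internet": can_forward(GS748T, 6, 1),   # (a) private VLAN reaches the uplink
        "pc2_internet": can_forward(GS748T, 11, 1),  # (b) guest VLAN reaches the uplink
        "pc1_to_pc2": can_forward(GS748T, 6, 11),    # (c) isolated
        "pc2_to_pc1": can_forward(GS748T, 11, 6),    # (d) isolated
    }

if __name__ == "__main__":
    for name, ok in thread_results().items():
        print(f"{name}: {'yes' if ok else 'no'}")
```

The model shows why a port whose PVID does not match the device's static subnet gives no access at all: the frames are classified into the wrong VLAN at ingress, so no gateway in that VLAN shares the device's subnet.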
DaneA
NETGEAR Employee Retired

Re: SRX5308 How to isolate some clients so they have internet only and can't contact peers

@GDRitter

I just want to follow up on this. Were you able to perform the steps I suggested? If yes, what is the result?

Regards,

DaneA

NETGEAR Community Team

Message 7 of 7