TL-R605 VLAN and Guest Network Questions

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-03-14 09:20:32 - last edited 2021-04-16 09:12:30
Model: ER605 (TL-R605)  
Hardware Version:
Firmware Version:

Hello

 

I recently purchased the TL-R605 and EAP225 and have some questions about using these for a home network.

 

Topology is cable modem > TL-R605 (router/switch) > EAP225 > wireless devices.

 

My goal is to keep a network printer in a sort of DMZ to allow trusted and untrusted devices to print without accessing each other. I have a very workable solution and am okay with the security tradeoff.

 

I'm trying to keep things simple by using guest networks as much as possible. Putting my work-from-home laptop on its own guest network so it can't access any of our other devices. Putting my kids' COVID school-from-home laptops on their own, separate, guest network for the same reason.

 

Then I want to set up another network for the printer. A laptop from either work, school, or a trusted device should be able to switch SSIDs to this new network and then print.

 

Will either of these options below work?

 

  1. Create a guest network for the printer and allow devices on the network to discover each other? I don't see this type of permission setting in the EAP225.
  2. Create a VLAN on the TL-R605 and assign it to an SSID on the EAP225.

 

I've spent hours trying to set up #2 but have no experience with VLANs and need help. I've created the VLAN, tried to figure out what I need to do in terms of tagging ports (or not), what to do with PVIDs, etc.

 

I'm at the point where I've got the printer SSID set up on the EAP225; it references the custom VLAN (I'm calling it 200). I've got that VLAN created on the TL-R605 and tried various combinations of other options. I can connect to the SSID and print with one computer but not the other. Neither computer can access the internet from that SSID (maybe a good thing?). And I'm just thinking that fumbling through this may create a bigger security risk.

 

Appreciate any detailed help or guidance. Somehow I can't find an actual manual in the support area of the website. Many of the other posts here and on Spiceworks (and elsewhere on Google) are for other equipment - mostly separate switches and routers.

 

Thanks for any help!

  0      
Re:TL-R605 VLAN and Guest Network Questions
2021-03-14 19:49:40 - last edited 2021-04-16 09:12:30

@tlr6052021 

 

Hey

 

Your problem may be that you don't have a managed switch to handle the VLAN and therefore you are unable to create a VLAN interface. Granted, I have never tried this without a switch so I can't say for 100% certain that is it. The R605 is a router and not a switch/router combi like you would get from your ISP.

 

You will need to set the SSID to the same VLAN as you have configured on the R605, and I would put that on a separate IP range from your other LAN traffic.

 

You don't have any controller for this? Software or OC200? That might make this easier for you.

 

 

  1  
Re:TL-R605 VLAN and Guest Network Questions
2021-03-15 00:12:04 - last edited 2021-04-16 09:12:30

@Philbert 

 

Thank you for taking the time to reply. It provided good insight.

 

Today I downloaded the Omada Controller software to help with configuration. As I said, I couldn't find so much as a user manual for the router so I didn't know this free software was even an option. I had been trying to configure the devices through their web interfaces.

 

Anyway, I had watched this helpful video and followed along to set up the VLANs with the Omada Controller software:

https://www.youtube.com/watch?v=xsXgDIMyj6M&t=53s

 

Ran into a problem where I couldn't assign the port profile to ports on the switch. That's also the time I saw your post pointing out that I don't have a switch! I had naively assumed that the router had an onboard switch. I still don't understand how it doesn't...

 

So it looks like I either need to buy a switch or give up on this approach.

 

The TL-SG2008P looks like the switch that suits my needs and will work with Omada but it's $90 on Amazon. Not sure this is a $90 problem. The TL-SG105E is a $22 switch that has VLAN support but looks like it won't work with Omada. Any idea as to whether it can be integrated manually into my network?

  0  
Re:TL-R605 VLAN and Guest Network Questions
2021-03-15 10:03:48 - last edited 2021-04-16 09:12:30

@tlr6052021 

 

Ah yes, the MAC Telecoms video; I've passed that on to a few people over the last while. It is very good for this type of thing.

 

Thinking about this last night, and I'm pretty sure it is the lack of a switch that is causing it. The router is literally a router alone; combi router/switch devices are not the norm in business-grade setups. Most IT guys prefer to keep these separated (myself included) for a number of reasons:

 

1. 1-4 ports simply isn't enough switch capacity for business grade; hell, most homes would fill a 4-port switch.

2. If that device goes, you lose EVERYTHING, LAN and WAN. That is a risk; at least if it's just a router it's only WAN, and your users can still print, access shares, etc.

3. Combi devices are not as high capacity or as reliable. They come with shorter warranties and tend to be "good at everything, master of nothing" devices.

4. The big one: as they are combi, you can't configure them as tightly as you can a device specific to one task.

 

Basically how this will work is: traffic is coming in from the internet untagged (with no VLAN), the router will look at the packet and tag it with a VLAN header (say 101 Guest) and pass it down the TRUNK port to the switch. Trunk ports are basically backhaul used for mass transport of data between switches, routers, APs, etc.


The switch will then read the TAG and move the data to the appropriate interface port based on the VLAN tag. That could be an end device, or another switch/AP where the process starts again.

 

The VLAN movement is very much a switch technology. The R605, being a router, doesn't work like this; rather it has 1-4 trunk ports it expects to send tagged packets down for the attention of a switch. Routers don't care about end devices; they just move data from Network A (Internet) to Network B (your LAN). Switches are the opposite: they care only about what devices are connected to them specifically and don't know about different networks.

 

Hope that helps? With that in mind, you will need a switch that can support VLANs. Of the two you mentioned, I personally went for the 2008P as it offered full support for the SDN, was newly released in late 2020 and had 4x PoE ports so I could power my EAP245s from the switch without the injectors.

 

The TL-SG105E will likely work if you go for it. However, as it's an older model now and doesn't support the SDN, you would need to manually configure the VLANs and trunks yourself to match the SDN setup. That could get messy; I can't see why it wouldn't work, but it would be more... well, messy.

 

If you want my honest opinion, when it comes to SDN setups like Omada, Ubiquiti and Meraki, you are expected to go all SDN or no SDN. That is generally why they come as new device ranges; in the Omada case this is the 2xxx and 3xxx range of switches, for example.

 

I only moved to Omada from Ubiquiti last year for home use; the reason was Ubiquiti was working out much too pricey at the time. However, for all SDN setups you need to buy the hardware. Yes, it's a bit of a kicker, but look at it as a long-term investment, and ultimately you are buying business-grade hardware with lifetime warranties vs home-grade with a 1-year warranty and perhaps 1 firmware update over its life.

 

The Omada range is VERY new and will only get improved over time with firmware and features. It's $70 more, yes, but in the long run it will be easier and better supported for you; my opinion for what it's worth. Spend the money and enjoy a few years of playing with the new SDN, as this appears to be how the market is heading.

 

p.s. I live in the UK and prices are higher here; it's £80 difference for me, which is about $120 US.

  2  
Re:TL-R605 VLAN and Guest Network Questions
2021-03-16 18:53:44 - last edited 2021-04-16 09:12:30

@tlr6052021 I think I'm in the same boat.

 

I share an internet connection with another company at my office. Right now I'm using a Linksys LRT214 router/switch which allows me to create a port-based VLAN on one physical port. The other guy connects to that to go straight out on the internet and he can't see my printers, NAS, computers etc. The Linksys has started freezing a lot, so I suspect a hardware failure as it's getting on in years.

 

I was hoping the TL-R605 would be a straight replacement but hadn't realised the need for a separate switch.

 

 

  1  
Re:TL-R605 VLAN and Guest Network Questions
2021-03-20 06:15:40 - last edited 2021-04-16 09:12:30

@Stevieboy999 

 

The way I'm explaining it to myself, which could very well be wrong, is that the TL-R605 router DOES have a switch but it's an unmanaged/dumb switch. If you plug multiple devices into the router then things work as you would expect if there were a switch onboard.

 

For example I could connect my access point and a NAS drive. I can then wirelessly go through the AP into the NAS. This suggests to me that it is switching.

 

For what you want to do it sounds like you need to set up custom configurations for specific ports. The TL-R605 didn't seem to allow this through the standalone web interface or the software controller. I bought the TL-SG2008P switch and can now custom configure the switch ports.

  2  
Re:TL-R605 VLAN and Guest Network Questions
2021-03-20 06:33:19 - last edited 2021-04-16 09:12:30

@Philbert 

 

Thanks again. I went ahead and bought the TL-SG2008P switch. Omada compatible. Allows custom configurations of switch ports.

 

For any future readers, this may be solved by the following:

 

Goal: set up a dedicated SSID and VLAN for my printer. Move work and school computers off their independent guest networks to the printer SSID when they need to print. Keep the printer SSID on a separate VLAN so, at no point, can my work computer or kids' school computers access our private network.

 

Steps and settings:

 

  1. In the Omada software controller go to Settings (gear icon, bottom left) > Wired Networks > LAN and create a new LAN.
  2. I set it as an Interface based on the YouTube video linked earlier. Not sure this is correct. I'm concerned this will enable communication between VLANs. Edit: This does enable communication between VLANs. Refer to this document.
  3. Set VLAN number to 100.
  4. Set Gateway/Subnet to 192.168.100.1/24 (or customize based on your network, but you need to have the VLAN number in there).
  5. Click Update DHCP Range. If you don't see that button, go down to DHCP Server and click Enable.
  6. Click Save.
  7. Then go to Wired Networks > LAN and up at the top click Profile. Create a new Port Profile. Keep everything default except go down to Tagged Networks and tick the box for the VLAN name you just created. Click Save.
  8. Then go to Wired Networks > LAN and up at the top click Switch Settings. Click Edit Port Profile.
  9. For the switch port that my access point is plugged into (#1) I click Edit and in the drop-down assign the port profile I just created. Click Apply.

 

I think that was it.

 

Edit: #10 if you're trying to create a wireless network for this VLAN you need to create a new wireless SSID, click advanced settings, click enable VLAN, and enter the VLAN number.

 

Outcome:

 

  • From my work computer, when I'm connected to the work SSID I cannot see the printer or any other devices on my network. This is what I want (assuming that the devices are truly undiscoverable).
  • From my work computer, when I'm connected to the home SSID I cannot see the printer but I do see other devices on my network (NAS drive). This is what I want.
  • From my work computer, when I'm connected to the printer SSID I can see and use the printer but do not see any other devices on my network (NAS drive). This is what I want.
  • From a different computer, when I'm connected to the home SSID I can see the printer and the other devices on my network. This is NOT what I want. I wanted the printer invisible unless connected to the printer SSID.

 

So there's more tinkering to do but it's getting close.

 

Pitfalls

 

  1. Through various other configurations I had a problem where computers couldn't access the internet from the printer SSID / from a VLAN. This configuration solved that. Not sure I actually want it for this use case but it seems worth pointing out.
  2. I'm running the Omada Software Controller on a personal laptop. This may be blatantly obvious to you more experienced readers, but I ran into a problem where, when I switched SSIDs to test the settings, it would disconnect from the Omada gear. I realized that switching SSIDs disrupts the connection between the Omada Software Controller and the hardware. So, try switching SSIDs on a different computer for testing purposes.

 

If anyone cares to comment on my settings and help me improve/secure the setup that would be greatly appreciated. Hope this helps one of you. The documentation I've seen has been less than helpful...

  2  
#7
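As an added illustration (not code from this thread, from TP-Link or from the Omada controller), the tagging and trunk/PVID behaviour Philbert describes above and the port-profile steps in this post, modelled as a tiny 802.1Q switch in Python: a tag is inserted after the two MAC addresses, an untagged frame is classified into the port's PVID, and a frame is only emitted on ports that are members of its VLAN, so VLAN 100 traffic from the printer SSID never reaches a port whose profile does not carry it. Port numbers, the wired NAS port and the sample frames are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass
TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def add_vlan_tag(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag after the 12-byte dst/src MAC header."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid  # 3-bit priority, 1-bit DEI (left 0), 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def vlan_id(frame):
    """VID carried by a tagged frame, or None when the frame is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None

def strip_vlan_tag(frame):
    return frame[:12] + frame[16:] if vlan_id(frame) is not None else frame

@dataclass(frozen=True)
class Port:
    pvid: int          # VLAN given to untagged ingress frames ("untagged network")
    tagged: frozenset  # VLANs carried with a tag on this port ("tagged networks")

def ingress(port, frame):
    """Classify an arriving frame: (vid, tagged_frame), or None if it is dropped."""
    vid = vlan_id(frame)
    if vid is None:
        return port.pvid, add_vlan_tag(frame, port.pvid)
    return (vid, frame) if vid in port.tagged else None

def egress(port, vid, frame):
    """Tagged on trunk members, untagged on the PVID, otherwise not emitted."""
    if vid in port.tagged:
        return frame
    return strip_vlan_tag(frame) if vid == port.pvid else None
def forward(ports, in_port, frame):
    """Flood a frame to every other port that is a member of its VLAN."""
    hit = ingress(ports[in_port], frame)
    if hit is None:
        return {}
    vid, tagged = hit
    return {n: f for n, p in ports.items() if n != in_port
            and (f := egress(p, vid, tagged)) is not None}

# Constructed sample modelled on the thread's final layout (assumed port numbers)
PORTS = {1: Port(1, frozenset({100})),  # EAP225: home SSID untagged, printer SSID tagged 100
         2: Port(1, frozenset()),       # wired NAS: home LAN only, never sees VLAN 100
         3: Port(1, frozenset({100}))}  # uplink to the ER605, which holds 192.168.100.1/24
HOME_FRAME = bytes.fromhex("ffffffffffff0200c0ffee01") + b"\x08\x00" + b"who-has-nas?"
PRINTER_FRAME = add_vlan_tag(HOME_FRAME, 100)  # same payload leaving the printer SSID
```

Running `forward(PORTS, 1, PRINTER_FRAME)` shows the tagged frame reaching only the router uplink, while the same frame sent untagged from the home SSID reaches both the NAS port (untagged) and the uplink; the cross-VLAN visibility noted in the outcome above comes from the router's interface, not from the switch.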
Re:TL-R605 VLAN and Guest Network Questions
2021-03-20 06:54:15 - last edited 2021-04-16 09:12:30
You could always connect to the system with a cable then you probably wouldn't experience dropped connections when the AP parameters are changed. Nice write up, thanks for sharing!
  0  
Re:TL-R605 VLAN and Guest Network Questions
2021-04-15 15:12:08 - last edited 2021-04-16 09:12:30

@tlr6052021 

If you connect multiple computers to the printer SSID simultaneously, those devices will see each other, unless you can configure that SSID with client isolation in it.

  0  