Vlan Internet

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-05-09 06:11:12

Hi Guys

I recently got my OC200 hardware and this is my first experience with TP-Link cloud; I'm using it for my home network. Unfortunately, I set up different VLANs and SSIDs, but I'm not able to get internet on the VLANs; I can only apply VLAN1, the main one.

I notice that the map view from the controller shows the internet as disconnected. Could this be the reason?

 

Re:Vlan Internet
2022-05-09 12:03:36


@Amds What gateway router are you using?

Re:Vlan Internet
2022-05-09 13:23:24 - last edited 2022-05-09 13:24:18

Hi Gael, thanks for your reply. The router is the one provided by the ISP; I think it's Huawei or Linksys. @GaelForce

Re:Vlan Internet
2022-05-09 16:28:26

  @Amds 

 

You will need a managed Omada router (ER605 most likely for you) before you can manage multiple SSIDs/VLANs to work in conjunction with the OC200 and the APs (or monitor the gateway-to-internet connection). Further, if you wish to isolate users on one SSID from users on another SSID, you will need to add an Omada switch, such as the SG2008(P). I know this because that's exactly how I started: first the OC200 and a few EAP225-Outdoors for meshing, then the gateway, then the switch. Now that I have all the pieces, the solution works quite nicely (and I'm less grumbly about having to spend the extra cash).

<< Paying it forward, one juicy problem at a time... >>
Re:Vlan Internet
2022-05-09 17:38:27

  @d0ugmac1 

Hello,
Many thanks for your response, you got exactly to the point, got it.

I already have the TL-SG2008P switch and OC200 controller with EAP225 and EAP235-Wall, but it seems I still need the ER605 to isolate the VLANs.

However, I'm happy to manage now without the VLAN subnets.

Thanks

 

 

 

 

Re:Vlan Internet
2022-05-11 10:28:35 - last edited 2022-05-11 10:29:32

  @Amds 

 

Out of the box there is no segregation between the VLANs. That's fundamentally different from the most common solutions, where everything is denied until you permit the traffic.

 

I'm not sure if I did it the way TP-Link recommends, but I blocked the traffic with some switch ACLs.

 

  • Gateway: configure your VLAN as an interface and bind it to at least one port (LAN). Don't forget the VLAN ID.
  • I recommend using DHCP from the gateway.
  • Configure the uplink port from the switch to the gateway with the default LAN as native and the VLANs as tagged networks (on the switch).
  • Configure the port the OC200 is connected to as native default LAN, or keep it as it is (on the switch).
  • Configure the EAP ports the same way as the gateway uplink port (on the switch).
  • Configure client ports with the desired VLAN as the native network, without tagged networks.
  • Configure your Wireless LAN / SSID with the desired VLAN.

 

Now you should be able to access the internet from all of your clients. But you can also access devices across the VLANs.

 

BACKUP NOW! Seriously. 

 

You can use switch ACL to block this traffic:

 

  • Configure switch ACL rule (pairs) for all unwanted connections. Be careful when you group networks; this can lead to a fully locked system.
  • Don't forget to block the connection between the VLANs and the default LAN (be sure to configure a management port first, or use the second port of the OC200).
  • Don't forget to block direct access into WAN/DMZ and vice versa if you want to use the firewall of the gateway. Since WAN is not a network from the ACL perspective, you can safely create an IP group with the WAN subnet.
  • If you need any direct connection from internal to the WAN/DMZ, configure individual permit rules and place them above the deny rules.
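One way to sanity-check such a rule set before applying it, as an added example that is not part of this thread or of TP-Link's own tooling: a small Python model of the switch ACL with assumed top-down, first-match, default-permit semantics, using constructed sample subnets (the network names, addresses and the management/controller IPs are all assumptions). It shows why traffic to internet addresses still passes when only the WAN-subnet IP group is denied, why a permit placed below its deny never fires, and how a deny between a group that contains the default LAN and itself locks out the management host.

```python
import ipaddress
from itertools import permutations

# Constructed sample addressing, assumed to mirror the thread's layout: the default LAN
# (VLAN 1, where the OC200 and switch management live), two client VLANs, and the
# gateway's WAN-side subnet defined as an IP group (203.0.113.0/24 is a documentation range).
NETWORKS = {
    "LAN": "192.168.0.0/24", "VLAN10": "192.168.10.0/24",
    "VLAN20": "192.168.20.0/24", "WAN": "203.0.113.0/24",
}

def _in(ip, target):
    """target is a network name or a group (tuple of names); a group matches any member."""
    names = target if isinstance(target, tuple) else (target,)
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(NETWORKS[n]) for n in names)

def evaluate(rules, src_ip, dst_ip):
    """Assumed ACL semantics: top-down, first match wins, unmatched traffic is permitted
    (the 'no segregation out of the box' behaviour the post describes)."""
    for action, src, dst in rules:
        if _in(src_ip, src) and _in(dst_ip, dst):
            return action
    return "permit"

def pairwise_deny_rules(internal, permits=()):
    """Rule pairs as the post describes: explicit permits first, then a deny in each
    direction between every two internal networks and between each of them and WAN."""
    rules = [("permit", s, d) for s, d in permits]
    for a, b in permutations(internal, 2):
        rules.append(("deny", a, b))
    for a in internal:
        rules += [("deny", a, "WAN"), ("deny", "WAN", a)]
    return rules

def shadowed_permits(rules):
    """Permits placed below a deny for the same src/dst pair can never match."""
    shadowed = []
    for i, (action, src, dst) in enumerate(rules):
        if action == "permit" and any(
                a2 == "deny" and s2 == src and d2 == dst for a2, s2, d2 in rules[:i]):
            shadowed.append((src, dst))
    return shadowed

def lockout_check(rules, admin_ip="192.168.0.50", controller_ip="192.168.0.2"):
    """Before applying: the management host (assumed IPs) must still reach the OC200."""
    return evaluate(rules, admin_ip, controller_ip) == "permit"
```

Grouping LAN, VLAN10 and VLAN20 into one group and denying group-to-group also denies LAN-to-LAN, which is exactly the "fully locked system" the post warns about; `lockout_check` catches that before the rule is pushed.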

 

 
