Hi,

Next week i have a vlan aware router, and then after saving i can get a firewall even, but that takes a while..

My question now is: can i set vlan's on the tp-link switch and on the router so that the vlan's cannot communicate with each other BUT some devices must communicate with each other, lets say for example my pc and a monitoring device must communicate with all devices connected to all vlan's, is this possible without a firewall?

The goal is to create a save as workable enviroment that is:

IoT devices in a vlan (but for example 1 camera must communicate with the NAS to save images)

SSID in a vlan (Tp-link deco's one wired into the switch)

management pc and monitoring pc in a vlan but must accessing all the other devices

every vlan get's his own subnet.

Port 24 from the tp-link switch is goiing to be connected to a lan port of the vlan aware router

I do not exaclty know how to enable traffic from the pc to the IoT devices which are in another vlan and they may not connect to the pc so one way traffic. All traffic goes thru port 24 on the switch which is a trunk port and goes into the vlan aware router.

Now without the vlan's most devices are in a guest SSID but the problem now is i cannot reach those devices from the LAN.

  @surfer1 

I am setting up the vlan aware router now. Made the vlan's on the router the same as on the Tp-link switch. made 3 vlan's on switch and router and set ports 1-6 untagged with pvid 1 and 7-12 untagged with pvid 2 and 8-16 untagged pvid 3.

Every vlan gets its subnet ip allocated by the router.

Port 24 is member of all vlan's. However it is not clear to me if port 24 which is connected to the router, what pvid this port get and if it must be tagged or not. I know all other ports must be untagged becasue pc's and camera's do not know tagging, but port 24 must be a Trunk port i believe so it must be a tagged port in PVID 1?

Is this how to set it up but then with my own vlan numbers and port 24 is my uplink in stead of 1?

So when i have vlan 1,2,3 and 4 port 24 must be a tagged member of all vlan's?

example is this correct?

vlanid 1: untagged ports 1-5 member ports 1-5 and 24

vlanid2: untagged 6-12 member ports 6-12 and 24

vlanid3: untagged 13-19 etc

vlanid4: untagged 20-23 etc

  @surfer1 The easy way I think of it is that the PVID is used to associate a VLAN to the incoming untagged packets, and the Untagged VLAN setting is to identify outgoing untagged packets.  So a packet in switch memory always has a VLAN association and when it is about to go out a port with the Untagged setting matching the packet association, no tag is applied or if tagged the tag is removed.  Then when an untagged packet comes in a port, that packet is associated with the PVID setting to keep it isolated.

Tagged packets, keep the tag in or out when they match the port tagged setting.

The general practice that TPLink suggests for trunk ports in the manuals, and other brands suggest, is to have the port PVID and Untagged settings match.  Some switches can be set to ignore incoming untagged packets, and when combined with tagged only VLANs, the switch should only have tagged packets in and out.

As far as your Port 24 trunk, I would set it to be PIVD = 1, Untagged = 1, Tagged = 2, 3, 4.  Assuming the router has PVID set to 1, and Untagged to 1.

  @JoeSea 

Hi,

The last remark i thought was clear to me but when choosing the vlan config i add ports to that vlan and not tagged or untagged to port 24.

So i set the pvid of port 24 to 1 (default vlan) and add the ports to vlan 1 which must be in that vlan untagged.

vlan 2 add the ports which must belong to vlan 2 untagged.

So how do i set tagged ports that is to which vlan i add tagged ports?

I have tested with a Draytek router and set all vlans on that router however the client connected does not get an ipadres in a particular vlan. Maybe it is a good idea to let the switch do the DHCP for the different vlan's? Is that hard to do?

After the following change it seems to work:

Al all VLAN's set the uplink port tagged in those vlans except for default vlan 1, it set automatically. Now when the pvid is right for a port on the switch it gets the appropiote ipadres in that subnet.