HOW TO isolate webgui with port vlan on other way ?

2024-04-05 21:26:20
Tags: #security
Model: TL-SG105E  
Hardware Version: V5
Firmware Version:

Hello, is there any way to physically isolate the webgui?

The best way would be "port vlan" because the isolation is port based, but if I try to enable that, the web gui is still open from all the ports.

For example, I can create a port vlan in this way:

- vlan1 port_n2 port_n3

- vlan2 port_n1 port_n4 port_n5

but the web gui is still open from all physical ports.

Obviously I do this for security reasons.

Normal vlan, I mean tag-based vlan, seems not very secure because they're logical vlans.

Can I really isolate the gui with port vlan?

Can I disable the webgui and enable just a command line interface? (ssh or other)

Re:HOW TO isolate webgui with port vlan on other way ?
2024-04-07 05:48:26

Hi @Isaia 

Thanks for posting in our business forum.

1. Port VLAN is not a feature of this model.

You should consider SG2XXX models. Usually, if there is a need to do this kind of setup, you use ACL+VLAN.

2. No. No support for CLI on this model.

Re:HOW TO isolate webgui with port vlan on other way ?
2024-04-09 00:59:09

@Clive_A

Hello again,

Are you sure that this model does not support port vlan?

Because I read on the datasheet, which you can find here, the following:

• 32 VLANs (out of 4K VLAN IDs)

• MTU/Port/802.1Q VLAN

I tried to configure vlan (by tag) and it works to isolate the webgui (it means that the webgui IP is not reachable from the wrong vlan).

But obviously a port-based vlan would be better.

Re:HOW TO isolate webgui with port vlan on other way ?
2024-04-09 01:14:58

Hi @Isaia 

Thanks for posting in our business forum.

Isaia wrote:

> @Clive_A
>
> Hello again,
>
> Are you sure that this model does not support port vlan?
>
> Because I read on the datasheet, which you can find here, the following:
>
> • 32 VLANs (out of 4K VLAN IDs)
>
> • MTU/Port/802.1Q VLAN
>
> I tried to configure vlan (by tag) and it works to isolate the webgui (it means that the webgui IP is not reachable from the wrong vlan).
>
> But obviously a port-based vlan would be better.

I apologize for that misunderstanding. 802.1Q VLAN should contain the concept of tag/untag/PVID. PVID equals the Port VLAN.

To do what you want, it is not a problem with the VLAN, in my understanding. I think this should be done with the help of ACL which is what we usually do. Specify the ports 80 and 443 and stop the access from any network to its IP.

I don't have a test model of this. But if you still use this model, and require the isolation, you can try out the router ACL on your router.

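A reachability check for the isolation discussed in this thread, added here as an example and not taken from any post or from TP-Link tooling: run it from a host plugged into each switch port/VLAN to confirm whether the management IP still answers on TCP 80 and 443. The address 192.168.0.1, the `mgmt`/`isolated` role names and the function names are assumptions.

```python
"""Added example: does the switch web GUI answer from this port/VLAN?"""
import socket
import sys

MGMT_PORTS = (80, 443)  # HTTP/HTTPS ports named in the thread


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, host/network unreachable
        return "filtered"
    finally:
        sock.close()


def check_isolation(host, expect_reachable, ports=MGMT_PORTS, timeout=2.0):
    """Compare what this vantage point sees with what the policy should allow.

    expect_reachable: True when run from the management port/VLAN,
    False when run from a port/VLAN that must not reach the GUI.
    Returns (ok, results), where results maps port -> state.
    """
    results = {p: probe(host, p, timeout) for p in ports}
    any_open = any(state == "open" for state in results.values())
    # 'closed' is not a failure here, but it shows that something still
    # answered for that IP, so inspect results when you expected silence.
    ok = any_open if expect_reachable else not any_open
    return ok, results


if __name__ == "__main__":
    # Usage: python3 check_gui.py <switch-ip> <mgmt|isolated>
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"  # assumed address
    role = sys.argv[2] if len(sys.argv) > 2 else "isolated"     # assumed role names
    ok, results = check_isolation(host, expect_reachable=(role == "mgmt"))
    for port, state in results.items():
        print(f"{host}:{port} -> {state}")
    print("PASS" if ok else "FAIL: policy not enforced from this port/VLAN")
    sys.exit(0 if ok else 1)
```

Repeat the run after every VLAN, PVID or ACL change, once from each physical port, since a single forgotten untagged port is enough to leave the GUI exposed.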