Guest Network via LAN?

524
197
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS212, RS816, RS819, DS223, DS920+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
Maybe I'm missing something basic. On the RT2600 and/or MR2200ac, is there no way to associate ethernet ports/connections with the guest network rather than the main network?

That is: I have two wireless networks running on my Synology routers - the main one, and the guest. The guest does not have access to other LAN resources. I would like to use one of the ethernet ports (on the 2600 or a 2200, I don't care which) so that hardwired devices connected to it will be on the guest, rather than main, network. (So that devices connected there will have addresses in the same range as the wireless network - 192.168.2.X, rather than in the range used by the main network, 10.86.173.X.)

But I don't see any way to do it.

Is that not possible?
 
Last edited:
It's Guest WiFi [WLAN] not Guest LAN. i've not seen any built-in support in SRM for, easily creating, a Guest LAN.

The wireless network can support 'internal' and guest WLANs because the connections are supported by the hardware and that hardware is exclusively running Synology SRM. To have a guest LAN would require either
  • explicitly assigning SRM router LAN ports to one network or another and any connected devices and switches will then be all on one LAN or the other
  • or, logical separation of LANs [virtual LANs, VLANs] by the SRM port and these are honoured and supported by connected switches which assign their ports to be in one network or the other
  • or, there is explicit dynamic networking that's supported by the router and switches than recognise and profile the connecting device and then assign it to the correct internal or guest LAN. For example, how Cisco is doing this in ISE and devices connected using pxGrid.

I have no need for supporting two separate local subnets that is mediated by the SRM router, but it's probable that adding routing in SRM and editing network files by hand will add support for two networks, but you'll need switches that support VLANs, at minimum.

BTW my recent tests on the MR2200ac was that the LAN port only works when the WAN port is connected: LAN port connection doesn't bridge to WLAN backhaul.


Update:

Thinking about it, and haven't tested it so may not work...

I have my ISP router setup in bridge/modem mode so that it does nothing more than present the Internet IP on the RT2600ac. There is a virtual, private DMZ that is between the WAN port of the RT and the LAN port of the router, the erstwhile internal LAN that the router would provide. This enables me to access the router's config interface. Anyway, I digress.

Now, if I switch the ISP router back into router mode then its internal LAN ports can be used as a private DMZ and one connection will be too the RT2600ac WAN port. Disabling SRM's NAT will mean there's no double-NAT (might be useful). The RT will protect the true internal LAN using its outward facing firewall, and it can do internal and guest WLAN. Any devices connected to the remaining ISP router LAN ports will be on the 'guest LAN', and they are blocked from the local access unless the RT's firewall has rules to allow it.

In this case the security hole that many ISP routers offer, 'DMZ', could be used to direct traffic to the internal RT's WAN IP. The DMZ feature is where any inbound traffic that isn't handled by the ISP router's NAT and firewall rules will be forwarded to the IP specified in the DMZ configuration
 
Fredbert, I figured as much. I was hoping against all odds that there was some setting I had missed. It wouldn't be completely out of the question as other mesh systems (like Open-Mesh) offer multiple simultaneous SSIDs and allow you to choose which SSID's range the LAN port on the units will be associated with. From my perspective, it's a feature deficit on the Synology system.
1571589339558.png
 
“dynamic networking” - this feature has been one of main in my decision to choose Ubiquiti, to isolate single or more port from another by port operation profiles (for wired or wireless networks).
Btw: Ubiquiti USG Pro is for same price as RT2600ac
then usage of pair: router+switch from same vendor has the added value, include third layer: AP.
Synology (now) has good drive to “single or All in one” layer network topology architecture, good job. No doubt. But sometime it’s not enough.
 
BTW my recent tests on the MR2200ac was that the LAN port only works when the WAN port is connected: LAN port connection doesn't bridge to WLAN backhaul.
I need to correct my previous statement on MR2200ac LAN/WAN port to wireless backhaul. I originally posted this recently in another thread (have repeated this update there) and it still seemed odd that the wired port wouldn't bridge over the wireless backhaul.

I've now had more time to redo the test and ensure that the Auto backhaul setting has settled down after pulling the backhaul ethernet cable from the MR2200ac. It took quite some time for the MR and RT to complete the switch from wired to wireless backhaul. So here's the new result:

Connecting a local device to the ethernet ports of the MR works like this:
  • WiFi uplink: Yes. The Mac Mini get's an ethernet DHCP assignment when connecting to the LAN port.
  • WiFi uplink: Yes. The Mac Mini get's an ethernet DHCP assignment when connecting to the WAN port.
  • Ethernet uplink using WAN port: Yes. The Mac Mini get's an ethernet DHCP assignment when connecting to the LAN port.
  • Ethernet uplink using LAN port: Yes. The Mac Mini get's an ethernet DHCP assignment when connecting to the WAN port.

I'd still recommend a wired uplink between the devices because even what I thought was a short distance through an uncomplicated ceiling/floor caused the >900Mbps link to drop to ~200Mbps.
 
Fresher, thanks for taking the time to update!
This seems to suggest that there’s no difference between the functions of the “WAN” and “LAN” ports when the MR is not being used as a router, which makes sense.
 
It is possible to extend the "Guest Network" to your LAN. Not to go into a long conversation about what a VLAN is or is not. I stumbled into the solution after reading this point about the WiFi Point.

Requirements:
  1. All switches need to support VLANs and tagging. If not, VLAN 1733 (Guest VLAN) is not usable
  2. Admin access to managed switch
My current setup is a RT2600AC and Cisco SG300. I have tested it on a Cisco 2960 and 3750 and all works as well.

RT2600AC VLANs:

VLAN 1 - default VLAN and is not tagged
VLAN 1733 - Guest VLAN and is tagged

Here are the steps:

RT2600AC

  • Ensure the guest network is enabled and a DHCP pool in configured
  • Test a wireless client to make sure the Guest network is functioning and assigning IP addresses. I beleive the default DHCP is 192.168.2.0 / 24 (255.255.255.0)
  • Connect the RT2600AC to your managed switch
  • Ensure the port on the switch is in an up status - the link light on the managed switch should be on. You can also check via the switch command line.
Cisco Switch:

Configure the switch port that connects to the RT2600AC router with the following commands:
  • Configure VLAN 1733
    • config t
    • interface vlan 1733
    • no shutdown
    • end
  • Configure the port that connects to the RT2600AC
    • config t
    • interface gigabitethernet 1 (this will be different based on the port you are using)
    • switchport mode trunk
    • switchport trunk allowed vlan all (this command will not show in your running config, but it ensures the ports has access to all VLANs presented to the port.
    • no shutdown
    • end
  • Configure the Guest LAN port - the LAN port you want to be part of the Guest Network (do this for all ports needing to be part of the guestnetwork.
    • config t
    • interface gigabitethernet 2
    • switchport mode access
    • switchport access vlan 1733
    • end
  • Save your configuration
    • copy running-config startup-config
    • Destination filename [startup-config]? (press enter)
Pretty simple to accomplish and the switch config may be different for your switch.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Yes, I just checked and you're right: the specific Guest private network/VLAN has no way to assign a LAN...
Replies
2
Views
416
  • Question
A follow-up on moving back to connecting the printer to the dedicated SSID on the TP-Link travel router as...
Replies
17
Views
1,241
I misspoke. I should have said "limited to 5 Vlans". I'm not sure why Synology limits the number of Vlans...
Replies
41
Views
5,361

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top