Mesh network over VLAN


3
0
NAS
DS218+, DS420+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
I have a mesh network with the system default guest network activated. The problem is that guests can connect to the Ethernet port of any wifi point and be assigned an IP address from my main LAN, so bypassing the guest network. Since SRM does not support 802.1x Ethernet authentication (only wireless through a RADIUS server), I wonder if I can deploy the mesh network on a separate VLAN so that my MR2200AC wifi points broadcast only the VLAN SSID and, when connecting to the Ethernet port of my MR2200AC wifi points, I get an IP address from the VLAN. Is this possible?

My setup: 1 RT2600AC and 3 MR2200AC with SRM 1.3

Thank you in advance for any suggestion.
 

fredbert

Moderator
NAS Support
Subscriber
4,188
1,667
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
  3. RT6600ax
Operating system
  1. macOS
Mobile operating system
  1. iOS
Welcome to the forum.

From what I read you have your mesh setup and working. The question is: if people have physical access to any of the routers (primary or mesh AP) and plug an Ethernet cable from their device to one of the LAN ports (or WAN in the case of a mesh AP), is there a way to stop them getting assigned access to the primary network?

I don't think there is a way to configure the mesh AP LAN ports to use specific VLANs, or disable the LAN port completely. But I wonder if there are a couple of ways to do something.
  1. Configure the primary network to be useless: use the SRM firewall to block access to the Internet and other VLANs. This will force wired devices to have to use VLAN tags when connecting and most (devices and people) won't be capable of doing this.
  2. Use wired backhaul from the mesh APs to a primary router's LAN port that has been specifically assigned to a different VLAN. Any devices connecting to the mesh AP's other LAN ports will get placed on this VLAN.
Something like that might work; I haven't tried it. But you have a good point about the need to have more configurability for the physical ports and have this stretch to the mesh APs, which are today treated as expensive, dumb devices.
 
3
0
NAS
DS218+, DS420+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Thank you. Yours are very good suggestions. I also thought of buying a second RT2600AC and having this manage the guest network as its primary network, and moving all the mesh wifi points to this network. This second router would have an IP assigned by the primary network of the first router to its WAN. This seems to me the cleanest way to do it (albeit more expensive). I can have essentially two mesh networks (if I want).
 

fredbert
If that’s all you want to do, why not reconfigure all the MR2200ac as a guest network? You’d use one of the MR2200ac as the primary router of this network. There’s no need to buy a new primary router.
 
