VLAN Tagging RT2600ac

I can’t see how to set the trunk traffic to VLAN tagged, can anyone advise me please? Does there need to be a VLAN set up in the router before tags can be set? If so, does this mean that I need to create a network, obviously with a different IP range, to get tagged traffic? I tried this and I could not tag it. Does this also mean that port 4 which I’m currently using to send all the traffic to my managed switch containing VLANs, would then have to have the same ID as the VLAN ID in my switch? Does it mean that if I create 3 VLANs in the router, they must only appear on different ports - if so then, say the IoT VLAN, would be sent to the switch but nothing else? But I could have 3 ports on my switch connected to the router for the 3 separate VLAN tags?

There has to be an easier way of doing this, maybe I haven’t understood how this works. Can anyone shed light on this please?
 
In theory a VLAN can use the same or overlapping IP subnet to another VLAN. In the network the VLANs are handled separately even though they share the same physical hardware. The issue comes when you have a device that brings VLANs together to be managed and routed: if the device doing this doesn't support multiple zones or domains to isolate each VLAN then it becomes impossible to determine which of the overlapping subnets is the intended source/destination, 'this time'. You will require a router/firewall that supports virtualising and isolating its functionality: have a look at VDOMs in Fortigate firewalls.

The trunk interfaces are passing all the traffic and maintaining any VLAN tagging so that the connected switch/device can then correctly handle it. The receiving switch/device will have to understand the tagging and so needs to have the same IDs configured.

It should be possible to configure your setup so that the router VLANs that are assigned to a specific port are untagged (I just tested it and saw that assigning an Ethernet port made that an access port and for the VLAN it was untagged). You can also just use one port to trunk everything between router and switch.

The main point is to use the same VLAN IDs in the router and switch. Also, set up a test using a VLAN and router port that won't stop the rest of your network working, then see what happens.
 
Thank you so much for replying and confirming my understanding, that’s helpful.
I hope that you can help further please. Knowing the context of my problem may help and is as follows:-

A few years ago I setup my home network using a TP-SG1016DE 16 port managed switch and it connects to 2 EAP115 units at either end of my long house which is made of rock. I use the 802.1Q VLAN method in the switch. I have 3 SSIDs on each AP, and all devices connected to the APs are isolated from each other even on the same SSID. My printer is hard wired into a port on the switch and my private networked devices can see the printer but not each other. Everything works correctly and well.
But foolishly I thought that it was time for a wifi speed upgrade to the Access Points so I bought one Omada EAP620HD to try it out. I plugged it into a port of my TP-SG1016DE and setup the VLAN in the switch to accommodate it in the same way as my older EAP115s. I discovered the following:- only if there is no VLAN setup in the EAP620HD can devices using it access the internet.

TP-Link technical have said that the Omada APs are different in some way, but they won't/can’t tell me how they are different from their previous APs e.g. the EAP115, but information that I got from them yesterday said that not only does the switch have to handle VLANs, but the router does too and needs to have its traffic tagged. I puzzle how this new AP knows that the router doesn’t have VLANs setup and why should it care as it gets VIDs from the switch as do my existing APs.

Q1. Am I right in thinking that the router can’t tag traffic unless at least 1 VLAN is set up? If so I then need to set up a VLAN. I tried last night when I created a VLAN but I couldn’t see how to tag the traffic. Any clues please? I was able to set a VID and a new IP range, but on whatever tab it was that showed the status of all the ports it showed all ports untagged and the wireless guest as tagged. Port 4 wasn’t shown as tagged. Yes I set the same VID in my router and switch and EAP620HD, and in the switch I selected the two ports to it, port 1 to the router and port 10 to the EAP620HD. I set both ports to tagged. Still no internet access using the AP.

Q2. I need to set the new network in the router to tagged, but don’t know how. Suppose that I do manage to set up a VLAN, assign port 4 to it and use that port to send ALL traffic to the managed switch (I did that last night but with untagged traffic), and let’s suppose that I can tag that traffic, then everything goes to the switch. This Omada EAP620HD gets one VID. I assign an SSID to it and let’s suppose that works. I now need to set up an IoT SSID. I’m thinking that the router will need to have another VLAN created to handle IoT traffic. Can the same port 4 be used as the main traffic, I’m assuming yes?

Thank you for your help, I really appreciate it.
 
The RT2600ac is using VLANs, even if you aren't using the extra three that were added in SRM 1.3. So you should be able to set it and your switch up to handle the VLAN used by the wireless access points. In the RT2600ac you need to set up the VLAN and firewall to allow it to access the Internet, and other internal LANs if you want. I'm not familiar with the TP-Link wireless devices you have, so instead let me provide some information on how I have set up my VLANs.


I use a TP-Link T1600G-28TS managed switch with my RT2600ac and meshed MR2200ac, with wired back haul. To ensure the mesh handles the Guest WiFi VLAN correctly between the two routers it requires switch ports to be tagged correctly for VLAN ID 1733 (default ID for this task).

I've added three extra VLANs on SRM 1.3 but haven't yet started to use them in anger. I haven't assigned any particular LAN ports to any of these VLANs so this is the default tagging that the router is doing. You'll see that any LAN port is trunking all the VLANs, and if no tag it will be assumed to be Primary Network.

When untagged this will remove any tag info from packets and then forward. But tagged will forward with the tag info.

1666347447077.png


Focusing on two VLANs, primary and guest, this is my current VLAN setup on the switch. I've mimicked the Guest WiFi VLAN setup for the three new ones, so the extra SRM VLANs are currently setup as WiFi only.
1666346793467.png

  • Switch port 1 is connected to RT2600ac's LAN 1 interface.
  • Switch port 5 is connected to the MR2200ac (probably WAN interface, but it doesn't matter).
  • Switch ports 3 and 4 are LAG 1 and were used to connect to another switch, but it was overkill for supporting the MR2200ac and a Mac. It's not used today and I moved the cables to 5 and 6. Saved electricity too.
  • Switch port 10 is my Mac that I test dual-homing with a Thunderbolt adapter to connect wired on the Guest 'WiFi'. It worked.

Doing the Guest VLAN tagging will ensure isolation between it and switch ports. The Guest WiFi packets reach the RT2600ac from MR2200ac where they are then processed according to the isolation and firewall policy in the main router.

VLAN ID 1: Ports
1666347055114.png


VLAN ID 1: LAGS
1666347106022.png



VLAN ID 1733: Ports
1666347178987.png


VLAN ID 1733: LAGS
1666347228557.png
 
That’s very helpful thank you. I’ve only had a skim read through and I’ll have a detailed look tonight. What has confused me is that as your screenshot shows, the primary network on ports 1-4 are untagged. So traffic is going down these ports untagged?

I love your ‘insecure’ of things, totally hilarious 🤣. I’m going to call it that from now on.

So I can ignore the LAG1.

I think I’m seeing that currently your switch sends all VLANs to all ports 3-6 and 10.

Here is my switch VLANs and the EAP11.

Is there any particular reason why you have set all 4 of the router’s ports to output the same VLANs? I was just going to select port 4 and connect my router into that port.

Any further comments will be appreciated before I have another go tonight.
 

Glad you like my IoT :)

My LAG 1 can be ignored, I was just explaining what I have configured so it made some kind of sense.

I have just dug out the switch that used to be on the other end of LAG 1, it's a smaller TP-Link TL-SG108E, as it has a very similar interface to your switch. Here's how it was configured, where LAG 1 was to the big switch and port 8 was my MR2200ac. See how ports 1, 2, and 8 are in both VLANs but only tagged in VLAN 1733. But all other ports are only untagged and in VLAN 1.

1666362252429.png


If you keep as tagged then that information will be passed between network devices and keeps the VLAN 'tunnel'. I don't think you'll get your network routing to work if you untag multiple VLANs on the same ports. Have one untagged and the rest when they use the same port as tagged.
 
Hi, I’ve spent the evening messing around and have had some success, but it’s messy and I’d prefer it wasn’t messy.
I created my 3 VLANs and strange things happened. At the start I had the main Ethernet cable plugged into port 4. I created secure_network VLAN 10 first, and I looked at the VLAN tags page and it showed port 4 as untagged. I checked my entries and found nothing out of what I’d expect. I then created IoT_network, checked the VLAN tab and port 4 showed untagged but port 3 tagged for both the new networks. I carried on and created the Guests_network. The screen shot shows what resulted. Obviously my usual network stopped working as soon as I created the first new network so I used the router’s wifi to continue work. I then moved the Ethernet cable to the switch to port 3. My existing network leaped into life again, and after I set up the EAP620HD with its 3 VLANs and SSIDs and set up the VLANs in my switch, hooray, my devices could now use the EAP620HD. So that’s terrific. I was going to sell this access point but I would have got so little money back it wasn’t worth making the effort and better to plug away and get some help from the right people. So thank you for your guidance. I really appreciate it.

But, have you got any idea why even though I assigned port 4 to each of the new networks, port 4 doesn’t work but port 3 does 🤷‍♀️ . I would like another port operational and at the moment port 4 is trashed.

Thanks again
Kind regards
Eddy
 

That's really good to hear you've made progress.

As for why port 3 works and port 4 doesn't: I've not investigated this but looking at your screenshots then you have Guest in VID 30 solely assigned to port 4 and packets are entering it untagged. Have you got the mapped switch ports tagged or untagged? If the VID 30 tag isn't added back for the WiFi AP then it won't know that this is VID 30 packets. So, I would look into what I've done on the switch and see which configuration of tagged and untagged ports for a VLAN works with that VLAN's untagged router port.

I have just tested and I can only explicitly assign a router LAN port to one VLAN. When assigned the port is exclusively used, untagged, for that VLAN. Also, if I assign the port again to another VLAN then the current assignment is replaced without notification.

When a port is assigned to a VLAN it becomes an 'access port' meaning that anything connected to it is expected to be associated to that VLAN and doesn't need any tagging... conceptually like an unmanaged switch that does switching but assumes any port can talk to any other port. But when a port is a 'trunk port' it can then support VLANs, and seems that it can trunk all VLANs. I haven't checked all possibilities to see if there's a way to trunk just some VLANs, probably not.
 
I was out this morning taking old electronic equipment to our local tip (traumatic experience) when it suddenly struck me that perhaps assigning a port to a VLAN in the router isn’t necessary. So I’ve got home and just tried it. Indeed, you don’t have to allocate a port (as you do in a switch). So I’m up and running and it’s much easier than I was imagining. So thanks for giving me encouragement to sort out this simple issue, as it turned out. I can’t imagine why they can’t document this stuff, it’s quite straightforward. I still don’t know why the router needs to initiate the VLAN and not the switch for the Omada APs to work. But it’s working now. The way you phrase things sounds as if you are UK dude as I am. Just wondered if you might like to chat tech stuff from time to time. If you do, I can create a temporary email so we could exchange our real email.
 
taking old electronic equipment to our local tip (traumatic experience)
I've some old Mac kit in the roof that it will pain me to get rid of. Not to mention the parts and cables that will never be used again, but I still have bags of them.

The way you phrase things sounds as if you are UK dude as I am.
Good guess :)

I came to the conclusion that it's best to not assign router ports to VLANs, that way they stay as tagged. What I want to do is have a 1 GbE connection between the switch and router for each VLAN (or most VLANs, since there are five of them and only four ports). That will take some testing and I'll do that when I have a real need. After that it would be interesting to see if it's possible to configure switch ports and VLANs to force the MR2200ac to share its VLAN routing across its two LAN ports.

There's the direct Conversations feature here if you need it.
1666448652827.png
 
I can’t see an icon to do a direct conversation. Is this like messenger?

OK, I’ve spent more hours exploring the limitations and benefits of the VLAN in the router.
1. I setup a private network VLAN 10. Configured my switch, set port 1 to tagged, port 10 (EAP620HD is connected to port 10), port 3 and 4 to tagged (my 2 existing APs). I set all 3 EAPs to VLAN 10 and tested the connectivity. I set all 3 AP to isolate devices. Yes, I can connect. Next I ran a network scan. The usual behaviour appeared where two or more devices on the same SSID and on the same AP were blind to each other, devices connected to the other APs could be seen.
I solved this problem with my existing setup (not using the VLAN of the router because it didn’t have that functionality at that time), by creating two different VLANs. One could access one AP, the other VLAN could access the other AP. I connected both of these VLANs to port 2, my Synology NAS, and port 5 my printer. All worked fantastically well and devices in the kitchen could not see devices in the sitting room, and vice versa.

2. Now I’m trying to do the same thing using twin VLANs in the router, and just working with two APs. This also provided the isolation of devices from the two APs. 👍

3. I’m now working through connecting my Synology NAS and HP printer to the switch. I spent 2 hours last night trying to get the NAS and printer to appear on the network, they wouldn’t! I tried changing their DHCP reserved table values to one of the secure VLAN subnets but the router wouldn’t change their IP to a VLAN subnet range. Is this normal? I tried some other ideas and eventually tried using VLAN 1 in the switch, set port to tagged and then I couldn’t connect to it so I had to hard reset it! So this morning I have tried again to access the NAS and printer using the VLAN IP subnet but to no avail.

C56525B7-9518-42C1-9A5A-8D187B498022.jpeg
Is it possible to force a printer and NAS connected by Ethernet to a switch to be allocated a VLAN subnet rather than the trunk subnet?

Thank you for your help.
 

I'm glad you are sorting things out. I'm somewhat lost as to what you're trying to do now, are your latest blocks of text 1 and 2 saying things work how you want?

For information, the two APs and the switch are on the trunk IP subnet.
There's no such thing as a trunk IP subnet. There's a private subnet per VLAN and the default LAN 'Primary Network' is what everything would use if you don't assign router LAN ports and don't explicitly configure devices to be on a VLAN: perhaps this is what you mean by trunk IP subnet?

How to explain this?? You're in the UK, so... each road or part road (if it's a long one) has a post code (e.g. AB12 3CD) and each house on a road has a unique number or name: so house 47 on AB12 3CD can be uniquely identified with its number and post code. If the owners of the house decided to use 47 AB12 3CE then this would no longer be the same road and their post would end up somewhere else. The post code is analogous to the VLAN's subnet.

Each of the VLANs use a different subnet so that it is possible for the RT2600ac to route between all its connected interfaces (WAN, LANs, VPNs, etc). Within each VLAN the local devices will get an IP address that is assigned from within that VLAN's subnet... this includes the router's interface that is on this VLAN: the router should be a.b.c.1 in all VLANs and VPN Plus service. The gateway setting of a VLAN's DHCP configuration should be the router's VLAN IP because this is the 'door' to get out of the VLAN to the wider world.

It's possible to use a DHCP server that is outside the current VLAN/subnet but that's outside the scope of the SRM DHCP services, except where you make an explicit client reservation and would have to do this for every device you connect in other VLANs... so not ideal. Also you would have to use DHCP relay to pass DHCP traffic between subnets. So forget this!

What you need is one DHCP server per VLAN and SRM does this, just be sure that you are not running another DHCP server as part of your TP-Link wireless setup as this will cause issues.

When you have devices assigned with IP addresses from their own VLAN subnet then the next thing you have to do is setup routing and firewall rules to allow the interaction you need. The RT2600ac will act as the gateway between all VLANs and also WAN. To have a VLAN accessible to others it must have its Isolation setting disabled, now you can configure firewall rules to allow and deny connects both VLAN A to B and also B to A, the rules can be different for each direction and you only have to add the initial client request direction: device N on B wants to access device X on A, for example.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A VLAN does not have to be associated to a subnet: a VLAN is a software mechanism to identify and separate packets so that switches and routers associate them with selected interfaces. But usually they are used to facilitate routing and handling of different subnets using the same physical hardware. In this case it's normal to consider a VLAN and subnetting together.

Within SRM there is an association between VLANs and subnets, to give you private zones on your internet network so that you can treat different classes of device / user with the appropriate authentication and security policy.

[In SRM] I don't know if it is possible to use a single subnet across VLANs, and then use firewall policies to limit access based on VLAN... I bet it's not possible.
 

Thank you for the explanations above. The only piece of information that I was missing to be able to reach my printer and NAS from other subnets was your mention of the firewall. When I started looking at what it offered I could see that was so comprehensive that it could deal with access between IP address/ranges/ports/protocols and different subnets on the LAN side. Silly of me for not realising, but never having to delve into firewalls before I will probably forgive myself in a few days time.

After following the link provided on a page within the firewall which was:-
I was able to successfully achieve access to my printer and NAS, which the router insisted on putting on the primary network, and the private subnet I setup on which I’ve put our iPhones and laptops.

It was an interesting learning experience and everything is working as I wanted.

Thank you for helping to resolve the difficulties I was having. It always helps discussing problems with somebody as the process of having to explain the problem to someone else really helps to crystallise the issue in one’s mind and helps to look at it from a different perspective.

Best regards

Eddy
 
That's really good to hear. You had a complicated problem so I hoped talking around the subject and concepts would help you to figure it out, and now you know how it works or tries to work :)

Three areas building on each other across different vendor devices to make it work: VLANs; IP addressing; firewall.

Save the configs!!
 
So I am trying to set up a VLAN and WiFi devices work fine but I can't get LAN devices to work. This is my IoT network.
1705384943818.png


1705384965657.png


I have a TP Link router that is connected over port 2 on the Synology router and port 8 on the TP-Link. On port 1 of the TP Link switch is Hue bridge that is supposed to be in the IoT network so I configured it like this.

1705385110378.png

But the Hue bridge does not get an internet connection. Is there something wrong in my configuration?
 
This is my TP-Link TL-SG108E VLAN configuration. It's not in daily use, but with the below configuration it's a useful tool to directly access the different VLANs.

The VLANs themselves. Of the five VLANs supported by I have made four ports untagged for the main LAN, and one untagged port each for the remaining LANs. Each LAN can be used on the other ports if the connecting device has tagged its interface.
1705397886270.png


But don't forget to also set the PVID for each port, which is used for the untagged packets. This manual setting is available on both my TP-Link switches but not my Netgear switch (all managed). It seems Netgear does the PVID assignment automatically.
1705397950318.png
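
The tagged/untagged membership and PVID rules discussed in this thread, as an added example that is not part of the original posts: a small Python model of an 802.1Q switch that shows where an untagged device's frames end up, plus an audit of the port table. The IoT VLAN ID 20, the port layout and the three port-1 configurations are constructed for illustration; the model assumes ingress filtering and flooding to all member ports (no MAC learning).

```python
from dataclasses import dataclass, field

TAGGED, UNTAGGED = "T", "U"
IOT = 20  # constructed VLAN ID for the IoT network (not taken from the thread)


@dataclass
class Port:
    pvid: int = 1
    # VLAN ID -> egress mode (TAGGED / UNTAGGED); a missing key means "not a member"
    member: dict = field(default_factory=dict)


def forward(ports, in_port, vid=None):
    """Return {out_port: egress_tag} for a frame arriving on in_port.

    vid is the 802.1Q tag on the wire (None for an untagged frame).
    egress_tag is the VLAN ID the frame carries when it leaves, or None
    when the switch strips the tag on that port.
    """
    src = ports[in_port]
    vlan = src.pvid if vid is None else vid  # untagged ingress is classified by PVID
    if vlan not in src.member:               # ingress filtering (assumed enabled)
        return {}
    out = {}
    for number, port in ports.items():
        if number == in_port or vlan not in port.member:
            continue
        out[number] = vlan if port.member[vlan] == TAGGED else None
    return out


def audit(ports):
    """Flag port settings that send untagged traffic into the wrong VLAN."""
    findings = []
    for number, port in sorted(ports.items()):
        untagged = sorted(v for v, mode in port.member.items() if mode == UNTAGGED)
        if len(untagged) > 1:
            findings.append((number, f"untagged in several VLANs {untagged}"))
        if untagged and port.pvid not in untagged:
            findings.append((number, f"PVID {port.pvid} is not the untagged VLAN {untagged}"))
    return findings


def build_switch(device_port):
    """8-port switch: port 8 is the router uplink, port 1 holds the IoT device."""
    ports = {n: Port(pvid=1, member={1: UNTAGGED}) for n in range(2, 9)}
    ports[8].member[IOT] = TAGGED  # uplink: primary network untagged, IoT tagged
    ports[1] = device_port
    return ports


# Three constructed settings for the device port.
LEAKY = Port(pvid=1, member={1: UNTAGGED, IOT: UNTAGGED})  # still untagged in VLAN 1
DEAD = Port(pvid=1, member={IOT: UNTAGGED})                # PVID left at the default
FIXED = Port(pvid=IOT, member={IOT: UNTAGGED})             # PVID matches the untagged VLAN

if __name__ == "__main__":
    for name, cfg in (("leaky", LEAKY), ("dead", DEAD), ("fixed", FIXED)):
        switch = build_switch(cfg)
        print(name)
        print("  device -> switch :", forward(switch, 1))
        print("  router -> device :", forward(switch, 8, IOT))
        print("  audit            :", audit(switch))
```

In the "leaky" case the device's frames reach the router untagged on the primary network even though IoT replies still arrive on port 1, which is the isolation failure the audit is meant to catch before firewall rules are relied on.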
 
@fredbert thx, that fixed the connection but now I found another issue. When the IoT WiFi runs for a while I get massive network lags after a while. I spent hours of testing but I can't figure out what the issue may be. It doesn't seem to be a specific device and it affects the primary network which should be isolated by the firewall rule. The Synology runs behind a FritzBox as exposed host so maybe double NAT is an issue but I don't understand why this only shows up after the network runs for several minutes.
 
