How to create a VLAN?

zappu
zappu Posts: 27  Freshman Member
edited April 2021 in Security

Hello guys,

Before asking how and what I want to do, I attached the schema below:

The connection between my Wi-Fi Router and Zywall is in bridge with DHCP automatically, so all the IPs are coming from Firewall. Also, the Wi-Fi Router is in P4 LAN:

After I put the Wi-Fi Router in bridge, I created a VLAN with Interface internal, Zone LAN1 and Base port lan1. I assigned an IP from 192.168.x.x different from the one on LAN1, and also a DHCP server. Please have a look below:


From what I understand from other discussions on the forum, this configuration must work.

Another thing I did was to add VLAN1 to the same zone as LAN1.

Also in Security Policy->Policy Control, it can be seen

May I know what I have to do?

I'm asking because when I manually set an IP from the VLAN on my tablet, it doesn't work.


Thank you,

Alex

All Replies

  • PeterUK
    PeterUK Posts: 2,653  Guru Member

    The way you think it works will not work, as devices need to be tagged for the given VLAN; as it is, all your devices are untagged.

    You will need much more equipment to do what you want.

  • zappu
    zappu Posts: 27  Freshman Member
    edited March 2020

    Hello Peter,

    So you think I also have to add a Switch? It doesn't work with the Wi-Fi Router which I had?

    I'm asking because I have 2 devices on LAN via the Wi-Fi Router and all the other devices are via Wi-Fi (mobiles, tablets, laptops, TVs).

    Also, how do I tag my devices?

  • PeterUK
    PeterUK Posts: 2,653  Guru Member
    edited March 2020

    Yes, you need a VLAN Switch like this one:

    GS1920-24v2

    https://www.zyxel.com/products_services/8-24-48-port-GbE-Smart-Managed-Switch-GS1920-Series/specification

    So VLAN ID 1 should not be used for starting a VLAN setup, or is used to untag all ports on the Switch. Most devices can't be tagged, so you need a VLAN Switch to take untagged devices to tagged to the VLAN ID.

    It's also best to make a new Zone name for the VLAN, like VLAN10, for the firewall rules to allow from VLAN10 to WAN instead of LAN1 to WAN.

    Here is a setup with two VLANs; you can add APs that are untagged to give wireless.


  • zappu
    zappu Posts: 27  Freshman Member

    Dear @PeterUK ,

    Please correct me if I have not understood your previous message correctly.

    What you sent is a little bit unclear to me: which device has each IP?

    I suppose:

    • 192.168.1.1 is the IP from Zywall;
    • 192.168.2.1 is the IP from Switch;
    • 192.168.3.1 is the IP from Wi-Fi Router;
    • 192.168.4.1 is the IP from Desktop;
    • 192.168.5.1 is the IP from NAS.

    If I set it up like this, how will I manage the VLANs for Tablets, Mobile Phones, Laptops, TVs and Guest?

    I'm asking because from your message I saw that I have to create each VLAN in the Zywall and in the Switch as well.

    Thank you


    Regards,

    Alex

  • zappu
    zappu Posts: 27  Freshman Member

    Dear @PeterUK ,

    I checked on the Internet. Do you know whether this Switch, the Zyxel GS2210-8, is OK for what I need?

    Thank you

    Regards,

    Alex

  • zappu
    zappu Posts: 27  Freshman Member

    @PeterUK OK, I'll find a way to buy it. I'm still thinking about how what I told you works for the devices which are connected through the Wi-Fi Router.

  • imaohw
    imaohw Posts: 123  Ally Member

    @zappu - I’m curious. Why are you segregating the network into 6 vlans?

    Any network traffic that needs to go from a device in one Vlan to a device in another Vlan will need to go thru the router/firewall. That means if your laptop needs data from the NAS the traffic has to go from the NAS to the router and then to the PC. It will not go directly from the NAS to the PC.

    I have a network with over 150 devices on it that makes use of many vlans but the vlans are set up for specific purposes and keeping network traffic separate. For example a management Vlan for switches, a security camera Vlan, a user device Vlan for laptops, desktops, tablets, and phones, and a guest Vlan.

    Your vlans seem to be set up by device type (other than guest) rather than how the devices need to interact or how they should be isolated from each other.

  • zappu
    zappu Posts: 27  Freshman Member

    @imaohw I'm doing this because I want to segregate all the VLANs. I mean the NAS is used for one thing, tablets and phones for others, and so on, but if one of my tablets is infected by a virus, for example, I don't want it to propagate to all the VLANs.

  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee

    Hi @zappu

    Your scenario should be supported by the Zywall 110. Is it only VLAN 1 that doesn't work, or do all the other VLANs not work as well?

    BTW, the switch Peter suggested is mainly there to add the VLAN tag so the Zywall 110 can recognize it; otherwise no VLAN-tagged packets will pass to the Zywall 110, and the Zywall 110 can't separate the different traffic from different areas.
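
The tagging behaviour discussed in this thread, as an added example that is not part of any poster's reply and not Zyxel code: it models how a VLAN switch access port inserts an 802.1Q tag into an untagged frame, and how a tag-aware receiver then maps the frame to a VLAN interface. The sample frame, the interface names `vlan10`/`vlan20` and the "drop" result for unknown VLAN IDs are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def vlan_of(frame: bytes):
    """Return the VLAN ID a tag-aware receiver reads, or None when untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits of the tag control field


def tag_on_ingress(frame: bytes, pvid: int, pcp: int = 0) -> bytes:
    """Model a switch access port: insert a tag carrying the port's VLAN ID."""
    if not 1 <= pvid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must be in 0..7")
    if vlan_of(frame) is not None:
        return frame  # already tagged; this model passes it through unchanged
    tci = (pcp << 13) | pvid  # priority (3 bits), DEI (1 bit, 0), VLAN ID (12 bits)
    # The 4-byte tag sits between the source MAC and the original EtherType.
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def receiving_interface(frame: bytes, vlan_ifaces: dict, base: str = "lan1") -> str:
    """Pick the firewall interface: VLAN interface by tag, base port if untagged."""
    vid = vlan_of(frame)
    if vid is None:
        return base  # an untagged frame never reaches a VLAN interface
    return vlan_ifaces.get(vid, "drop")  # assumption: unknown VLAN IDs are discarded


# Constructed sample: broadcast frame from a tablet, EtherType 0x0800 (IPv4).
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x45" + bytes(19)
VLAN_IFACES = {10: "vlan10", 20: "vlan20"}  # hypothetical firewall VLAN interfaces

if __name__ == "__main__":
    print(receiving_interface(UNTAGGED, VLAN_IFACES))
    print(receiving_interface(tag_on_ingress(UNTAGGED, 10), VLAN_IFACES))
```
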
