Networking – TP-Link TL-SG108E – VLANs to separate one device from all others

Tags: ethernet, networking, switch, vlan

I have a typical home network comprised of an ASUS RT-N16 router running DD-WRT, and a handful of wired and wireless clients. New to the network is a Raspberry Pi which will be used by a team for a school project I am working on.

The Pi is set up to run a reverse SSH tunnel to an Internet facing server so that anybody on the wider Internet can SSH into the device on my home network.

Because the Pi is available on the Internet, and also on my home network, I want to segregate it from all my other devices on my network. Effectively, I want the Pi on one side of a fence, and everything else on the other. All devices need access to the Internet.

At first, I tried unsuccessfully to set up two VLANs on my DD-WRT router, but after a day of messing around and forum surfing, it seemed like many people had trouble with firmware bugs. To make my life easier, or so I thought, I bought a TP-Link TL-SG108E "Easy Smart Switch" which advertises VLAN support. For the life of me though, I cannot get it to work like I'd expect!

On the TP-Link switch:

  • Port 1 – Goes to router's built-in switch
  • Ports 2-7 – Various clients of mine
  • Port 8 – Raspberry Pi to be segregated

First, I tried to set up Port Based VLAN. It seems like I couldn't assign port 1 (the router) to two VLANs at once.

Port Based VLAN Setup:

[screenshot: Port Based VLAN setup page of the switch]

If I had chosen VLAN 2 to include port 1 as well, it would have been removed from VLAN 1.

I moved on to trying to set up 802.1Q tag based VLANs.

802.1Q VLANs

[screenshot: 802.1Q VLAN configuration, i.stack.imgur.com/79fQP.png]

With the PVIDs

PVIDs

[screenshot: PVID settings, i.stack.imgur.com/5ItpX.png]

This setup did seem to work when port 8 had a different PVID than ports 1 through 7: the Pi was unreachable from my LAN, but it was also unreachable from the Internet! If I made the router PVID 1, my clients PVID 2, and the Pi PVID 3, nothing could talk to the router at all.

At this point, I'm confused and ready to admit my ignorance. What am I doing wrong?

Best Answer

The segregation you are asking for is what Multi-Tenant Unit VLAN is good for. Quoting the help text in the switch configuration:

MTU VLAN (Multi-Tenant Unit VLAN) defines an uplink port which will build up several VLANs with each of the other ports. Each VLAN contains two ports, the uplink port and one of the other ports in the switch, so the uplink port can communicate with any other port but other ports cannot communicate with each other.

So you could use that and configure port 1 as the uplink port. Unfortunately that also means that ports 2 through 7 cannot communicate with each other.

If you need ports 2 through 7 to communicate, you need to look at other options, because the Multi-Tenant Unit VLAN feature does not appear to be flexible enough to allow that.

Port based VLAN as you have noticed cannot do what you want either.

That leaves tagged VLANs as your last option. But having a port be an untagged member of more than one VLAN is problematic because untagged frames sent to the switch could be intended for any of those VLANs, and the switch cannot know.

Instead what you should do is to make the uplink port to the router be an untagged member of no more than one VLAN and a tagged member of the rest.

On the router itself you also need to configure the same VLAN tags such that the router will know which VLAN a packet originated from and the router can tell the switch which VLAN a packet is for.

On the router this will look like two virtual network interfaces connected to the two different VLANs. And the recommended configuration is to have the router use different IP prefixes for the two VLANs.
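To see why the tagged layout works and the untagged-in-two-VLANs layout does not, here is an added example (not code from the question, the answer or TP-Link): a minimal model of 802.1Q forwarding on an 8-port switch that applies the answer's membership table and checks which ports can exchange a frame and its reply. VLAN IDs 1 and 3, and the assumption that the switch drops a frame whose VLAN its ingress port is not a member of, are constructed for this example.

```python
# Added example: model of 802.1Q ingress classification and egress tagging.
# Assumption: a frame is dropped when its VLAN does not include the ingress port.

ROUTER, PI = 1, 8                      # port numbers from the question
CLIENTS = range(2, 8)                  # ports 2-7

# The layout the answer recommends (VLAN IDs chosen for this example):
# VLAN 1 = home LAN, VLAN 3 = Pi. Port 1 is the uplink: untagged in VLAN 1,
# tagged in VLAN 3. "U"/"T" = untagged/tagged member of that VLAN.
RECOMMENDED = {
    "members": {1: {p: "U" for p in (ROUTER, *CLIENTS)}, 3: {ROUTER: "T", PI: "U"}},
    "pvid": {**{p: 1 for p in (ROUTER, *CLIENTS)}, PI: 3},
}

# The layout the answer warns against: the uplink untagged in both VLANs.
NAIVE = {
    "members": {1: {p: "U" for p in (ROUTER, *CLIENTS)}, 3: {ROUTER: "U", PI: "U"}},
    "pvid": {**{p: 1 for p in (ROUTER, *CLIENTS)}, PI: 3},
}

def forward(cfg, in_port, tag=None):
    """Return {out_port: egress_tag} for one frame entering in_port.
    tag=None is an untagged frame, classified by the port's PVID;
    egress_tag None means the frame leaves that port untagged."""
    vid = cfg["pvid"][in_port] if tag is None else tag
    members = cfg["members"].get(vid, {})
    if in_port not in members:
        return {}                      # ingress filtering drops the frame
    return {p: (vid if m == "T" else None) for p, m in members.items() if p != in_port}

def round_trip(cfg, a, b):
    """True if an untagged frame from a reaches b AND b's reply, sent the way
    the frame arrived (tagged if it arrived tagged), gets back to a."""
    out = forward(cfg, a)
    if b not in out:
        return False
    return a in forward(cfg, b, tag=out[b])

def router_vlan_interfaces(cfg, uplink=ROUTER):
    """VLAN IDs the router must terminate as 802.1Q sub-interfaces on its
    uplink (the VLANs in which the uplink port is a tagged member)."""
    return sorted(v for v, m in cfg["members"].items() if m.get(uplink) == "T")

if __name__ == "__main__":
    print("Pi -> router egress:", forward(RECOMMENDED, PI))          # {1: 3}
    print("client 2 <-> router:", round_trip(RECOMMENDED, 2, ROUTER))  # True
    print("Pi <-> router:", round_trip(RECOMMENDED, PI, ROUTER))       # True
    print("client 2 <-> Pi:", round_trip(RECOMMENDED, 2, PI))          # False
    print("naive Pi <-> router:", round_trip(NAIVE, PI, ROUTER))       # False
    print("router sub-interfaces for VLANs:", router_vlan_interfaces(RECOMMENDED))
```

In the naive layout the Pi's frame does reach the router untagged, but the router's untagged reply is classified by port 1's PVID into VLAN 1 and never returns to port 8, which is the one-way symptom described in the question.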
