Segregate Wifi devices from wired Ethernet LAN

On my Balance 20X, I have 4 computers on the wired Ethernet LAN; and 3 TV sets connected as separate devices via Wifi. Is there a way to segregate the 3 TVs on Wifi to provide more security to the wired LAN?

One approach is to set up a separate VLAN for the WiFi SSID. That approach will allow the 3 TV’s to talk with each other within the VLAN. Then make sure “Inter-VLAN routing” is disabled for that VLAN so it can’t communicate with your other VLAN/LAN.

A more restrictive approach for WiFi devices is to enable Layer 2 Isolation on the SSID on the AP Controller page. This is “guest” WiFi mode where WiFi devices can’t communicate with anything except your WAN internet. You may have to unhide the advanced SSID options to configure this.


What about a Balance 20X with an external AP One AX? I want a normal network, a guest network, and a network for IoT devices/security cameras, some wired, some wireless. Do I make 3 VLANs, with each SSID assigned 1 of the 3, and the wired network just sharing the same VLAN as the main normal network SSID?


Mark, thanks for the idea. How does one “set up a separate VLAN for the Wifi SSID”?

@Bob_P, you can set up multiple SSID’s, up to 16 according to the AP One AX documentation, and associate a VLAN with each of the SSID’s you create. Note: Each SSID takes a portion of airtime for broadcasting. Best practice is 3, maximum 4 SSID’s.

@fortisy, VLAN’s are configured on Network->LAN Network Settings. Next click on the “?” in the upper right-hand corner of the IP Address in the IP Settings area, if my memory serves. Then click on New LAN to add VLAN’s. Example: Add VLAN2, VLAN ID 2, disable Inter-VLAN routing, IP Address 192.168.2.1, IP Range 192.168.2.33 - 192.168.2.132 (allowing static IP’s above 200)

Network->LAN Port Settings is where you associate VLAN’s with Ethernet ports. You will set Port Type to Access rather than Trunk unless you have a managed switch or some other need for tagging Ethernet packets with VLAN ID’s.

Edit 6/5/22: Network->LAN Port Settings needs to be Trunk, not Access for the Port Type on your router port to allow VLAN tags through.

Mark:
I was able to get to the New LAN screen, but then I am stuck there.
How does one know what IP address to put in; what IP range; and how to associate this VLAN with the 3 TVs and their IP addresses?
I don’t see how creation of a VLAN accomplishes the purpose of segregating 3 devices from the wired Ethernet LAN?

Your TV’s will get their IP addresses dynamically assigned via DHCP (Dynamic Host Configuration Protocol). The VLAN configuration specifies the IP range. In my example, it was 192.168.2.33 - 192.168.2.132 with an implied mask of 255.255.255.0 (/24). The mask says you can have 256 devices from 0 to 256, the usual configuration for a home network subnet. My example limited dynamically assigned IP’s to 33-132, but you can expand it if you want to something like 10-250 if you have lots of devices.

The gateway IP Address is for devices to communicate with the router which in turn will communicate through the WAN to your ISP.

You are carving up your IP address ranges between your Untagged LAN which is probably 198.168.1.1 with mask 255.255.255.0 and the example VLAN which is 198.168.2.1 with mask 255.255.255.0. You can add another VLAN. It might be 198.168.3.1 with mask 255.255.255.0. Just make sure there is no overlap!

You are purposely restricting this VLAN not to talk with other subnets being used for your LAN and other VLAN’s by disabling “Inter-VLAN routing”.

Mark,
Your high-level expertise and generosity are greatly appreciated. I see the goal of creating the VLAN, but cannot see how to implement it with the proper IPs for the VLAN.

Assume my current LAN uses IP address 192.168.2.3 with range 192.168.2.4 to 192.168.2.99 and further assume that the 3 TVs use IP addresses 192.168.2.5 to 192.168.2.7 on wifi SSID Alphonse441. (These aren’t actual but examples.)

Then in creating the VLAN, what IP address should I use and what range?

Thanks, Art

@fortisy, you can create VLAN3 with the gateway IP Address of 192.168.3.1 and range of 192.168.3.4 to 192.168.3.99 (mask 255.255.255.0). That won’t conflict with your current 192.168.2.xxx LAN. Just change “2” in my example above to “3”.

Connect the AP One AX with an Ethernet cable to a Port on the router with Trunk as the Port Type (not Access as I stated earlier and will correct). Trunk is the default Port Type as I remember.

Then configure the AP One AX with a newly created SSID (“Alphonse441”) and associate it with VLAN3. Connect your 3 TV’s wirelessly to Alphonse441. The Alphonse441 SSID will use DHCP to dynamically obtain their IP addresses using what you defined in VLAN3. Those addresses will be in the 192.168.3.XXX range. (I am assuming that your TV’s are defaulting to DHCP. I doubt they have an option to statically assign an IP address. But if they do and you are using it, then change their static IP address to something like 192.168.3.200, 201 and 202 so they aren’t in VLAN3’s dynamic range of 4 to 99.)

At this point, you will have two SSID’s on the AP One AX. The default and Alphonse441. The default SSID packets will be untagged and the Alphonse441 SSID packets will be tagged with VLAN ID 3. Since you have disabled “Inter-VLAN routing” on VLAN3, the TV’s won’t be able to talk with your LAN which is using untagged devices or your default SSID which is untagged. The TV’s will be able to talk to each other unless you enable Layer 2 Isolation on the Alphonse441 SSID.

The untagged devices on your LAN and the untagged devices on your default SSID will be able to talk to each other.

If you ever need to add a managed switch in between your router and your AP One AX, see Balance 20x & AP One AX Lite: VLAN question.
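The addressing rules from the posts above (no overlap between the LAN and VLAN subnets, static addresses kept out of the DHCP range), written as a check you can run before typing values into the router. This is an added example, not part of the original thread or of any Peplink tooling; `check_plan` and the plan dictionaries are hypothetical names, `GOOD_PLAN` uses the example addresses from the thread, and `BAD_PLAN` is constructed to show the failures.

```python
import ipaddress

def check_plan(segments):
    """Return a list of problems in an addressing plan (empty list = consistent)."""
    problems, nets = [], {}
    for name, seg in segments.items():
        gw = ipaddress.ip_address(seg["gateway"])
        # Derive the subnet from gateway + mask, e.g. 192.168.3.1/255.255.255.0
        net = ipaddress.ip_network(f'{seg["gateway"]}/{seg["mask"]}', strict=False)
        nets[name] = net
        first, last = (ipaddress.ip_address(a) for a in seg["dhcp"])
        if first > last:
            problems.append(f"{name}: DHCP range is reversed")
        for label, addr in (("DHCP start", first), ("DHCP end", last)):
            if addr not in net or addr in (net.network_address, net.broadcast_address):
                problems.append(f"{name}: {label} {addr} is not a usable host in {net}")
        if first <= gw <= last:
            problems.append(f"{name}: gateway {gw} is inside the DHCP range")
        for s in map(ipaddress.ip_address, seg.get("static", [])):
            if s not in net:
                problems.append(f"{name}: static {s} is outside {net}")
            elif first <= s <= last:
                problems.append(f"{name}: static {s} collides with the DHCP range")
    # Every pair of segments must use disjoint subnets
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems

# Example values taken from the thread
GOOD_PLAN = {
    "untagged LAN": {"gateway": "192.168.2.3", "mask": "255.255.255.0",
                     "dhcp": ("192.168.2.4", "192.168.2.99")},
    "VLAN3": {"gateway": "192.168.3.1", "mask": "255.255.255.0",
              "dhcp": ("192.168.3.4", "192.168.3.99"),
              "static": ["192.168.3.200", "192.168.3.201", "192.168.3.202"]},
}
# Constructed failure case: VLAN3 carved out of the LAN's own /24
BAD_PLAN = {
    "untagged LAN": GOOD_PLAN["untagged LAN"],
    "VLAN3": {"gateway": "192.168.2.129", "mask": "255.255.255.128",
              "dhcp": ("192.168.2.130", "192.168.2.200"),
              "static": ["192.168.2.150"]},
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "no problems")
```

A clean result only says the addressing is consistent; the separation itself still comes from disabling “Inter-VLAN routing” on the VLAN, as described above.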

Mark,
I pretty much understand your excellent reply except for this:
“Connect the AP One AX with an Ethernet cable to a Port on the router with Trunk as the Port Type (not Access as I stated earlier and will correct). Trunk is the default Port Type as I remember.”

When you say “connect”, I just have one Balance 20X router with 4 LAN ports going to 4 computers; the router also broadcasts WiFi, so I don’t know what you mean by “AP One AX”.

@fortisy, you are correct that you only have a 20X. @Bob_P is the one with a 20X and an external AP One AX. So the comments about the AP One AX connection and about Trunk mode on a port can be ignored when configuring a 20X’s built-in WiFi SSID.

Thanks again, Mark, for your topnotch tech support.