B One to Smart Switches to Devices - intervlan routing and firewalling

Wondering how inter-vlan routing / internal firewall works with smart switches. Specifically the Netgear GS305/308 products.

I’m new to Peplink, Smart switches, and Vlans (at home). I’ve worked in technology and IT for more than 30 years and my dba job is very technical in nature. But I haven’t been able to work this out and I want to have a plan.

Here’s a semi accurate current picture. I currently do not allow inter-vlan routing for any vlan.

B One Router
Port 1 > Trunk (all vlans permitted) - Downlink GS308Ev4

GS308Ev4
Port 1 > Trunk (all vlans permitted) - UplinkToRouter
Port 8 > Trunk (all vlans permitted) - Downlink GS305E

GS305E
Port 1 > Trunk (all vlans permitted) - UplinkToGS308Ev4
Port 2 > Untagged Access vlan 11 - Iot device
Port 3 > Untagged Access vlan 13 - Security camera
Port 4 > Untagged Access vlan 12 - Roku Ultra
Port 5 > Untagged Access vlan 12 - Tivo mini

I don’t know if I did all this correctly, I didn’t ask anybody, kinda just read and worked it out myself, and it works just fine so far. These devices (and others) on vlans 11, 12, and 13 do get assigned correct DHCP addresses and can see / communicate with each other. And when I put my laptop on a vlan 11 wifi, I can’t connect to vlan12 devices, and the like.

But I’d like to understand more about inter-vlan and firewalling for the wired devices that live on/through these switches.

The way I understand it now is if the Tivo Mini on vlan12 wants to talk to the Roku on vlan12, it can, and the traffic never leaves the GS305E switch. And if the Roku on vlan12 tries to talk to the Security camera on vlan 13, the switch drops the traffic as not allowed.

But what if I wanted to allow that? I enable inter-vlan routing for vlan 12 and 13. And do some internal firewall rules, like deny all, then allow this device, to that device. I get that part. What I don’t get is how does that traffic look? Doesn’t the GS305E still just drop the packets? It doesn’t know about the firewall rules or inter-vlan? Or do the trunk ports somehow pass that information down to the switches? Or am I required to wire each of those devices direct all the way back to the B One?

The switch wouldn’t be dropping the packets unless it’s a layer 3 switch with routing and firewall/access lists (really dumb firewalls) enabled. Devices on the same vlan can talk because they’re on the same broadcast domain; to talk between broadcast domains you need to go through a router.

Ok, thanks, that helps. So for the same example that I’m thinking about:

B One Router => GS308Ev4 => GS305E => Roku Ultra (vlan12) says hey I want to talk to the Security camera.

The switches carry that all the way back to the router, the B One does its thing (assuming I have inter-vlan enabled, firewall allows in place) and pushes that all the way back through the switches now tagged for Security camera (vlan13)?

Sorry if that’s too simplified, I haven’t been exposed to this level of networking before.

Yes, that’s basically how it works. Think of a vlan as essentially a virtual switch, everything on that vlan can talk to everything else, but to talk to anything else (another vlan, the Internet, VPN peers, etc.) it has to communicate through the router. The one exception to that is wireless clients, the default on Peplink is to isolate wireless clients so even though they’re on the same vlan they can’t talk, but that can be disabled.
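The flow described in the two posts above, as an added example that is not from the original thread: a small Python model of this topology in which the GS305E/GS308Ev4 forward by VLAN only (same VLAN stays local, anything else leaves the trunk tagged with the source VLAN) and only the B One decides inter-VLAN routing and firewall rules, re-tagging the frame for the destination VLAN. The subnets, device addresses and the rule list are constructed assumptions; the thread gives none of them.

```python
# Constructed model of the thread's topology. Subnets, addresses and rules are assumptions.
from ipaddress import ip_address, ip_network

# One subnet per VLAN (assumed addressing, not from the thread).
SUBNETS = {11: ip_network("192.168.11.0/24"),
           12: ip_network("192.168.12.0/24"),
           13: ip_network("192.168.13.0/24")}
ROKU, TIVO, CAMERA = "192.168.12.20", "192.168.12.21", "192.168.13.30"  # constructed

# B One settings in the question: inter-VLAN routing on for 12 and 13 only,
# firewall "deny all, then allow this device to that device" (implicit deny at the end).
INTERVLAN_ENABLED = {12, 13}
FW_RULES = [("allow", ROKU, CAMERA)]

def vlan_of(ip):
    addr = ip_address(ip)
    return next(v for v, net in SUBNETS.items() if addr in net)

def switch_forward(src, dst):
    """Layer 2 only: the smart switch knows nothing about firewall rules.
    Same VLAN -> switched out the local access port. Different subnet -> the host
    addresses the frame to its gateway, so it leaves the trunk tagged with the SOURCE VLAN."""
    if vlan_of(src) == vlan_of(dst):
        return {"egress": "access-port", "tag": None}
    return {"egress": "trunk", "tag": vlan_of(src)}

def router_forward(src, dst):
    """Layer 3 at the B One: route only if inter-VLAN is enabled for both VLANs and a
    firewall rule allows the pair; the forwarded frame is re-tagged with the DEST VLAN."""
    sv, dv = vlan_of(src), vlan_of(dst)
    if not {sv, dv} <= INTERVLAN_ENABLED:
        return {"action": "drop", "reason": "inter-vlan routing disabled"}
    for action, s, d in FW_RULES:
        if (s, d) == (src, dst):
            return {"action": action, "tag": dv}
    return {"action": "drop", "reason": "implicit deny"}

def path(src, dst):
    """Trace a flow from a GS305E access port to where it is switched, routed or dropped."""
    hop = switch_forward(src, dst)
    if hop["egress"] == "access-port":
        return ["GS305E: same vlan, switched locally"]
    trace = [f"GS305E -> GS308Ev4 -> B One: trunk, tagged vlan {hop['tag']}"]
    decision = router_forward(src, dst)
    if decision["action"] == "allow":
        trace.append(f"B One -> GS308Ev4 -> GS305E: trunk, re-tagged vlan {decision['tag']}")
    else:
        trace.append(f"B One: dropped ({decision['reason']})")
    return trace

if __name__ == "__main__":
    for s, d in [(TIVO, ROKU), (ROKU, CAMERA), (CAMERA, ROKU), ("192.168.11.5", CAMERA)]:
        print(f"{s} -> {d}: " + " | ".join(path(s, d)))
```

Note that the camera-to-Roku direction is dropped by the implicit deny even though both VLANs have inter-VLAN routing enabled; a stateful firewall would normally allow the return traffic of an established Roku-to-camera session, which this model does not track.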

the default on Peplink is to isolate wireless clients so even though they’re on the same vlan they can’t talk, but that can be disabled.

And there you are referring to the “layer 2 isolation” setting for each SSID?

Yes, that’s the one.
