I’m surprised at how many conflicting opinions are out there on this subject. Just to be clear, I am referring ONLY to Peplink routers (not Cisco, etc.), and only to physical LAN ports (Ethernet). My routers are all B-One models.
Here is my understanding (correct if wrong, please) and questions.
My understanding:
- Access ports accept and send only untagged packets (no VLAN) externally (to/from the LAN port out on the wire).
- Packets entering the port from the wire are VLAN tagged as per the port’s configuration for traversing the router (internally) or trunk links (externally).
- Only packets VLAN tagged per the port’s configuration are passed from the router out to the port/wire, and at that time the VLAN tags are stripped from the packets.
- Trunk ports can accept or send any tagged or untagged VLAN traffic, as per the port’s configuration.
Questions:
- What happens if a VLAN tagged packet is received at an access port?
  a) Does it matter if the VLAN tag matches the configuration of the port?
- If I have an Ethernet port configured for a VLAN, and I have “Inter-VLAN routing” disabled, can a device on this Ethernet port see ANY device on another VLAN (or the default, “private” VLAN)? Or are their packets routed only to/from the Internet or to/from a properly configured Trunk port/link?
My goal is to connect some IoT devices via the LAN ports rather than WiFi due to their bandwidth requirements (streaming devices). I don’t care if they see each other, although I believe I can set them on separate LAN ports for further isolation. I have used a separate VLAN via WiFi in conjunction with “Block all private IP” in the AP setup with good results, but I want to confirm isolation using the LAN ports as well.
Thank you for your help in furthering my understanding of this concept and the security capabilities of my routers.
Beuford
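The access-port rules listed under "My understanding" above, modelled as an added example (not code from the original post or from Peplink): it parses a constructed 802.1Q Ethernet frame, tags untagged ingress with the port VLAN, strips the tag on egress, and drops frames whose VLAN does not match. How a tagged frame arriving at an access port is handled is the open question in the post; the code assumes it is accepted only when its VID equals the port VLAN and drops it otherwise, which must be checked against the router's own documentation.

```python
import struct

ETH_P_8021Q = 0x8100  # TPID that marks an 802.1Q-tagged frame


def parse_frame(frame: bytes):
    """Return (dst, src, vid_or_None, ethertype, payload) for an Ethernet frame."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETH_P_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]  # low 12 bits of TCI = VID
    return dst, src, None, etype, frame[14:]


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes, vid=None, pcp=0) -> bytes:
    """Build an untagged frame, or a tagged one when vid is given."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HHH", ETH_P_8021Q, (pcp << 13) | (vid & 0x0FFF), etype)
    else:
        hdr += struct.pack("!H", etype)
    return hdr + payload


def access_ingress(frame: bytes, pvid: int):
    """Frame arrives from the wire on an access port.
    Untagged: tag it with the port VLAN for internal forwarding.
    Tagged: ASSUMPTION (not verified for Peplink) - accept only if VID == port VLAN, else drop."""
    dst, src, vid, etype, payload = parse_frame(frame)
    if vid is None:
        return build_frame(dst, src, etype, payload, vid=pvid)
    return frame if vid == pvid else None


def access_egress(frame: bytes, pvid: int):
    """Internally tagged frame heading out an access port: strip the tag if it belongs to the
    port VLAN, otherwise drop it (a frame from another VLAN never leaves this port)."""
    dst, src, vid, etype, payload = parse_frame(frame)
    if vid != pvid:
        return None
    return build_frame(dst, src, etype, payload)


# Constructed sample addresses and a dummy IPv4 payload for a stand-alone run.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 19
```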