Help Needed Setting up VLANs!


#1

I am trying to set up a VLAN and not having any success. I have gone through the manual a number of times and it does not help. I have not been able to find a solution on these forums either. Rather than trying to describe every single thing I have tried (as it is obviously wrong) please let me explain what I am trying to do and what I thought the basic steps were and perhaps someone can offer some advice.

I have a Peplink Balance One with the newest 6.1.2 firmware (which says it supports VLANs) and want to be able to segment devices on the LAN (ex: computers on one, printers on another, cameras on a third). I would like all VLANs to be able to access the internet, and for now I am fine with all VLANs communicating with each other, but I would also like to know if there is a way to restrict inter-VLAN routing to specific hosts or one-way in the future (so one machine could access any machine anywhere but not vice versa - I have looked in the firewall settings for that but it all seems to apply to incoming and outgoing connections only, not intra-LAN ones, but perhaps I’m just confused - but anyway, my pressing issue is getting the VLAN set up for partitioning).

Here is what I am trying so far just as a proof of concept.

MODEM -> BALANCE ONE (192.168.4.1) -> Computer 1 (192.168.4.2xx as assigned by DHCP)
                                   -> Computer 2 (192.168.6.100 - static, gateway 192.168.6.1)

I enabled VLANs per the manual.

Primary:
192.168.4.1 /24
inter vlan routing, checked
dhcp server on

Second:
192.168.6.1 /24
IVR checked
dhcp server on

Doing this, I can connect to the router from the DHCP assigned address in 192.168.4.x on both 192.168.4.1 and 192.168.6.1 but not the static machine on 192.168.6.100.

The second machine to the cannot ping 192.168.6.1 at all (or 4.1).

I looked all over but I can’t see that VLANs are assigned to a specific port on the router so I assume any port on the router should be able to use any VLAN I create? But this is not working.

One other question - I see I can create wireless SSIDs and associate them with a VLAN, but aside from that, how can I have a machine take advantage of the DHCP server on the 192.168.6.x subnet from a wired connection? With no hard-port association I am at a loss.

I really appreciate any help anyone is able to give me - I have spent hours trying to fix this (and searching the internet for answers) but am so far out of luck.


#2

Hi,

  1. if there is a way to restrict inter vlan routing to specific hosts or one-way in the future (so one machine could access any machine anywhere but not vice versa)
    You may restrict this by using Outbound Firewall Rules. For example:
  • Protocol: Any
  • Source IP & Port: Single Address, 192.168.4.2
  • Destination IP & Port: Single Address, 192.168.6.2
  • Action: Deny
    Based on this rule, 192.168.4.2 can’t access 192.168.6.2. However, 192.168.6.2 is able to access 192.168.4.2.

To support multiple VLANs and tagging, please connect your devices as below:


Hope this helps.


#3

Thank you for the reply! The firewall rules help but I am still confused - do I require additional hardware? In the diagram you show the Balance going to a switch - does this need to be a layer-3 switch or is an unmanaged switch fine?

Do all switches need to be layer-3 or can the Balance route VLANs to unmanaged switches to dish out from there?

I still can’t get the non-primary VLAN to connect - when I configure the settings the Balance will respond on 192.168.6.1 (the secondary IP for it) even from 192.168.4.x, but any device manually configured to 192.168.6.x and plugged into the network cannot see the Balance whether it is directly connected or through a switch.

Also, if I wanted to use the 192.168.6.x DHCP server, how do I do that? Plugging in to the Balance always goes with the default .4.x VLAN and I don’t see a way to tag ports to use the other VLAN instead. Does your diagram mean I need a layer-3 (or at least VLAN-aware) switch to sit after the Balance and use that switch to tag ports for one VLAN or the other?

Thank you!


#4

The Balance supports 802.1Q VLANs, so you will need a switch that also supports this to tag the actual ports. It does not need to be an L3 switch, but it does need to support 802.1Q VLAN tagging. Once you have it set up and configured, the Balance will handle all DHCP for each separate VLAN.