I have a mk3 soho and this is the first router I have actually really experimented with. I want to prevent devices communicating so that if something gets infected it doesnt spread.
I have successfully set up vlan’s and have my pc on one, most other devices on another and a guest vlan for sporadic usage by guests.
I have prevented the vlans comminucating and I want to restrict some ethernet ports to only use certain vlans, this keeps crashing my wan but I have found in the forum this is fixed in firmware 7 so I will try updating this which should protect my pc from the other devices but this then made me think if it was possible from prevent communication between the other devices on one of the other vlans?
Thanks, so the layer 2 isolation would prevent wireless networks devices talking to each other but to prevent something on the same network but connected via ethernet I would need a firewall rule configured as above?
Sorry I am new to this so these a probably very simple questions.
Without inter-vlan routing enabled devices will have a path out to the web and be able to communicate with other devices on the same network segment provided neither of these other items are in place.
As a follow up to this I think it may be important to note the following:
If there is a switch involved, same network segment devices will not traverse the router and miss the rule.
There is a possibility that devices attached directly to the SOHO will not be scrutinized as they are not traversing layer 3. Testing this would be advisable.
The best and most secure method to accomplish your objective of device isolation is to place each device on its own VLAN without inter-vlan routing enabled. For WLANs the layer 2 isolation will accomplish this as previously discussed.
DHCP reservations for each device can be utilized to avoid the need to statically assign IPs to all the client devices.
Please follow up with any other feedback or questions that you may have. Thank you.
So if I explain my current setup and if you could confirm exactly what is and isnt protected that would be great.
I have one ethernet cable connected directly from the router that is used on my computer, this port is restricted to use one vlan (This now works correctly now I have upgraded to fireware 7), nothing else uses this vlan.
I have another ethernet cable connected to a switch that then have a few different devices connected to it, again this is now limited to a specific vlan. I also have other devices connected to this vlan wirelessly.
I then have another vlan used for guest devices wirelessly.
As I understand it the devices shouldnt be able to communicate between the different vlans, so my pc should now be secure but the devices that share a vlan either wireless or by ethernet can communicate if they are use the ethernet switch?
If this is correct and you suggest the only way to prevent this would be to have a different vlan for each device that use the ethernet switch ( Is there still a limit of three on firmware 7?) and fireall rules to prevent devices communicating wirelessly?
With inter-vlan routing off for this VLAN, the devices connected will have a path out to the internet and no connectivity to devices on other VLANs.
Everything associated with the same VLAN, and attached to the switch, will be able to communicate with each other without traversing the router - save for any configurations in the switch that would prevent this.
You can utilize the layer 2 isolation feature to limit communications between devices connected to the SOHO’s WiFi.
With inter-vlan routing disabled, and a unique network for every “permanent” LAN client, each client would be isolated from one another and have a path out to the internet.
With a dedicated VLAN for guest WiFi users, inter-vlan disabled and layer 2 isolation enabled the WiFi guests would also have only a path out to the internet. I hope this helps to clarify things for you.
Can you confirm what advantage of having all the permanent devices on separate vlans would give, if any, if they are all using wifi only and I have layer 2 isolation enabled?
Not keen to do this unless needed, I may add one more vlan so the two devices that are connected to the switch can only communicate with each other (It doesnt look as though it is possible to prevent them communicating from your previous answer) rather than being on the same vlan on as the other wifi devices though.
This is my first router that I have ever had that I have done anything with but I am very impressed with the flexibility, the only thing I wish it had was bandwith control for specific vlan’s but undertsnad this is only available on more advanced routers sucg as the balance 20.
Layer 2 isolation prevents communications via WiFi but would allow devices to communicate through the switch if on the same network segment (VLAN) so if you do not want these devices to communicate with each other then a VLAN for each is necessary.
I am unclear as to what you are asking in the second paragraph. Hope this helps
Thats great, thanks. The second paragraph was referring to the slowdown I have on some devices when one of my other devices is streaming from netflix, this can be controlled apparently on other peplink routers but not on the surf soho.
