uPNP NAT-PMP Ethernet VLAN and internal firewall rules

I have a gaming machine on my network. Previously, their machine was set up on the Guest WiFi which I run on a separate VLAN. Worked OK, but the WiFi performance wasn’t always perfect.

So we decided to move the machine to ethernet. Given physical wiring configurations, the only ethernet port available connects to a switch which connects to the main (untagged) LAN.

Questions:

  1. Is there any way to have a device physically connected to the main (untagged) ethernet port, but have the Peplink route it as if it was connected to a VLAN? In other words, sort of a virtual VLAN? Something like “For this one particular MAC address, force it to VLAN, but for all others treat them normally”

  2. Assuming #1 is not true. Is there a way to let the gaming laptop stay on the main untagged ethernet LAN, but highly firewalled? I want the gaming laptop to have full WAN access (and be able to do UPnP and NAT-PMP) but not be able to see anything else on the untagged LAN. In other words, I think I’m asking for layer 2 isolation, but only for a single device.

I had thought I could accomplish this using internal firewall rules, but upon further reading it sounds like these don’t function for devices on the same subnet? In other words, if I set up an internal firewall rule:

Internal Firewall Rule:
GamingPCIsolation: Protocol Any, Source: [IP of laptop] Destination: Any: Deny

Does that rule actually do anything?

No you can’t use firewall rules on the gateway device to deny traffic between devices connected (likely directly to each other via a switch) on the same lan segment. Firewall rules only work between VLANs / LANs / WANs when traffic has to go via the gateway device to get from one network segment to another.

I assume the switch is unmanaged? I.e. you can’t add a VLAN at a switch port level?

If it is unmanaged, then the only possibility is setting a VLAN ID on the network card on the gaming machine itself and hoping that those tagged packets are passed through the existing switch ok.

Then you could set up a VLAN on the gateway just for the gaming machine and use firewall rules to deny access to it from other devices.
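The point made in this reply (gateway firewall rules only ever see traffic that is routed between segments; two hosts on the same LAN talk through the switch and never hit the rule) as a small added Python illustration. This is not code from the thread or from Peplink; the addresses, segment names and rules are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology: the existing untagged LAN plus a VLAN
# created just for the gaming machine (not the poster's real addressing).
SEGMENTS = {
    "main_lan":    ip_network("192.168.1.0/24"),
    "gaming_vlan": ip_network("192.168.20.0/24"),
}

# The poster's rule as written: Protocol Any, Source: laptop IP,
# Destination: Any, action Deny. 192.168.1.50 is an assumed laptop IP.
POSTER_RULE = [{"src": ip_network("192.168.1.50/32"), "dst": None, "action": "deny"}]

# The rule the reply suggests once the machine sits on its own VLAN:
# deny the main LAN from reaching the gaming VLAN, leave everything else.
VLAN_RULE = [{"src": ip_network("192.168.1.0/24"),
              "dst": ip_network("192.168.20.0/24"), "action": "deny"}]

def segment_of(ip):
    """Name of the local segment containing ip, or None for off-net (WAN)."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None

def path(src, dst):
    """'switched' when both hosts share a segment (the gateway never sees
    the frames), otherwise 'routed' through the gateway."""
    s, d = segment_of(ip_address(src)), segment_of(ip_address(dst))
    if s is None or d is None or s != d:
        return "routed"
    return "switched"

def verdict(src, dst, rules):
    """What happens to a flow: 'switched' means delivered by the switch with
    the rules never consulted; otherwise the first matching rule's action
    applies, defaulting to 'allow'."""
    if path(src, dst) == "switched":
        return "switched"
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r["src"] and (r["dst"] is None or d in r["dst"]):
            return r["action"]
    return "allow"
```

With the laptop on the main LAN, the poster's rule never fires for LAN neighbours; it would only bite on the laptop's own routed (WAN) traffic, which is the opposite of the goal.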


It might be nice if the Peplink could give us a warning when we set up a nonsensical firewall rule.

My switch is definitely unmanaged, so I’ll check on other options, thanks!