2

I haven't worked with VLANs much in the past and I was hoping I could get a good explanation of what I need to set up for this to work.

I have a Netgear WNR2000v2 router and a Netgear GS108T smart switch currently in my network. The fourth port on the router connects to port one on the switch. I would like to be able to isolate port 8 on the switch for use as a "guest port" when I bring home malware-infested PCs for repair. I figured the VLAN capabilities of the GS108T would be able to do this for me, but I think I have a misunderstanding of how the VLAN actually works.

Port 8 needs internet access but should not be able to communicate with the rest of the PCs on the home network. The subnet for the home network is 192.168.1.0/24 and I would like the guest PC to have A) 192.168.1.64 or B) 192.168.2.2. I am reading a lot of stuff about port trunking and VLAN membership, but I am confused as to which setup needs to be in place to make this work.

Any help is greatly appreciated! Let me know if there is more information I need to provide. Definitely looking to learn something from this project.

Thanks!

2 Answers

4

This has been answered many times here, but I need practice so I'll have another go at it.

VLANs themselves are pretty easy to understand. Basically, what you are doing is carving up a switch into one or more logical groupings of ports. As an example, let's take an 8-port switch and assign ports 1-4 to VLAN10, and ports 5-8 to VLAN20.

Devices plugged into ports 1-4 can all communicate to each other using like networking configuration. So... 192.168.1.1 which is part of network 192.168.1.0/24 can talk to any IP 192.168.1.1 through 192.168.1.254 as long as those devices are on those ports. If you connected 192.168.1.2/24 to port 5, a device on port 1 would not see that traffic because it is on a different network segment. It would be no different than if you had connected the devices to two entirely separate physical switches.

So, moving forward, think of each VLAN as being a separate switch and with each VLAN should come a different subnet configuration. So... VLAN10 could be 192.168.1.0/24, and devices on VLAN20 could be 192.168.2.0/24. If you overlapped, you might as well just put everything on the same VLAN.

To communicate BETWEEN two VLANs (that can and should be on different subnets), you need a router. Layer 3 capable switches allow for this to be done right on the switch.

However, you have a problem. A consumer-grade router like the Netgear is probably not going to support routing more than 2 networks together unless you use DD-WRT on it. This is because it's expecting to be connected to a WAN network, and a LAN network, and perhaps maybe a wireless network but they usually just bridge this to the LAN segment.

You need the router to route between two separate LAN segments, as well as perform NAT to the WAN, but it probably doesn't support that.

SpacemanSpiff
0

Create 2 VLANs on the switch:
  • VLAN 1: Normal Traffic
  • VLAN 2: Dirty Traffic

  • Set Port 8 on the switch to be VLAN 2 untagged (PVID)
  • Set Other ports to be on VLAN 1
  • Set port attached to router to have both VLANs: possibly VLAN 1 untagged (PVID) and VLAN 2 tagged

On router:
  • Set the port attached to the switch with the same VLAN config
  • Ensure that the router will not route between VLAN1 and VLAN2

Commsbloke
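The port layout from the answer above, modelled as an added example (not part of either answer and not the GS108T's own logic): it shows where a broadcast frame may leave the switch under 802.1Q membership rules, and checks that port 8 shares a VLAN only with the uplink. The function names, the uplink on port 1 and enabled ingress filtering are assumptions of this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                     # VLAN given to untagged frames on ingress
    untagged: set = field(default_factory=set)    # VLANs this port sends without a tag
    tagged: set = field(default_factory=set)      # VLANs this port sends with an 802.1Q tag

    def vlans(self):
        return self.untagged | self.tagged

def build_switch(uplink=1, guest=8, home_vid=1, guest_vid=2, nports=8):
    """Port layout from the answer: guest port on VLAN 2, uplink carries both."""
    ports = {}
    for n in range(1, nports + 1):
        if n == uplink:
            ports[n] = Port(home_vid, {home_vid}, {guest_vid})
        elif n == guest:
            ports[n] = Port(guest_vid, {guest_vid})
        else:
            ports[n] = Port(home_vid, {home_vid})
    return ports

def flood(ports, ingress, tag=None):
    """Egress ports for a broadcast frame, as {port: 'tagged' | 'untagged'}."""
    src = ports[ingress]
    vid = src.pvid if tag is None else tag        # untagged frames take the PVID
    if vid not in src.vlans():                    # ingress filtering (assumed enabled)
        return {}
    return {n: ("tagged" if vid in p.tagged else "untagged")
            for n, p in ports.items() if n != ingress and vid in p.vlans()}

def isolation_violations(ports, guest=8, uplink=1):
    """Ports other than the uplink that share a VLAN with the guest port."""
    shared = ports[guest].vlans()
    return sorted(n for n, p in ports.items()
                  if n not in (guest, uplink) and shared & p.vlans())

if __name__ == "__main__":
    sw = build_switch()
    print("guest broadcast ->", flood(sw, 8))
    print("router frame tagged VLAN 2 ->", flood(sw, 1, tag=2))
    print("home broadcast from port 3 ->", flood(sw, 3))
    print("violations:", isolation_violations(sw))
    sw[8].untagged.add(1)   # constructed mistake: PVID set to 2, VLAN 1 membership left in place
    print("after mistake:", isolation_violations(sw), flood(sw, 3))
```

The last two lines show why the PVID alone is not enough: the PVID only classifies frames entering port 8, while VLAN membership decides which frames leave it, so port 8 must also be removed from VLAN 1.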