[SOLVED] Isolate LAN from WIFI through switch

Aug 21, 2020
Good morning,
first post here for me.
I've tried to find some help over the Italian Tom's HW forum but with no luck (I'm from Italy, sorry for my English).

I've got a 48-port Netgear GS348T managed switch with the following devices connected:
- Port 1: Modem router TIM (Italian internet company), gives access to the internet
- Port 2: Windows domain server with personal data
- Ports 3-11: Client PCs, printers, NAS, etc.
- Port 12: D-Link 2640B access point --> this one creates "WifiB"

If a guest comes to my office and connects his laptop to "WifiB", he can run "\\it-srv-abc" (name of the server) and after username and password he can see my documents. What I'd like to do, if it's possible (maybe with VLANs), is to isolate "WifiB" from the rest of the network, so that someone who connects to WifiB can only browse the internet and nothing else.
I've already tried Guest Mode from the D-Link options, but it doesn't work.

By default, all the ports are untagged on VLAN 1.

I've made some tries creating VLAN 2 and working over ports 1 and 12 with tag/untag, but with no luck.

If someone could help me, please.
Sorry, I'm really a noob with VLANs.

Thank you
 
Solution
You need to think of the problem more as "how do I accomplish this with actual switches", since VLANs are just virtual switches.

So you have 2 switches: one for your regular equipment and one for your wifi. That part is simple and pretty much all VLANs do.

You still have the problem of how to connect 2 switches to your router but keep them separate. Your router needs a different LAN port to connect the second switch to. This is your problem.
Now if your router supported multiple LAN networks it likely also supports VLANs. So you would use virtual cables to connect them... i.e. tagged VLAN ports. This is how you can use a switch with VLANs and connect it to a router, but the router must both support VLANs as well as support the ability to have multiple LAN interfaces... i.e. the layer 3 function.

You likely can not do what you want with your current equipment.

If your requirements are actually as simple as you state, you could, instead of an AP, use a router that has some basic firewall ability.

What you would do is define a LAN for the new AP/router to use, say 192.168.200.x. It would get a WAN IP on your main network, say 192.168.1.x. You could put in a rule that says 192.168.200.x IP addresses can not go to 192.168.1.x IP addresses. The data will still be allowed to flow to the main router IP to get to the internet because of how things work, but will not have any access to your internal machines or even the admin pages of the router.
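The guest-router policy described above, as an added example that is not code from the thread: a first-match rule table for the guest router's forwarding path, plus a small audit that confirms the gateway exception is ordered before the broad deny. The router's LAN address (192.168.1.1), the server address (192.168.1.2) and the sample hosts are assumed values, not taken from the thread.

```python
from ipaddress import ip_address, ip_network

# Subnets from the thread; the router and server addresses are assumed values.
MAIN_LAN = ip_network("192.168.1.0/24")        # office: server, PCs, NAS, printers
GUEST_LAN = ip_network("192.168.200.0/24")     # LAN side of the new guest AP/router
MAIN_ROUTER_IP = ip_address("192.168.1.1")     # assumed LAN address of the TIM modem router

# Ordered rule table: (name, source net, destination net, action). First match wins,
# so the narrow "allow to gateway" rule must come before the broad deny.
RULES = [
    ("allow-guest-to-gateway", GUEST_LAN, ip_network(f"{MAIN_ROUTER_IP}/32"), "ALLOW"),
    ("deny-guest-to-office", GUEST_LAN, MAIN_LAN, "DROP"),
    ("deny-office-to-guest", MAIN_LAN, GUEST_LAN, "DROP"),
]
DEFAULT_ACTION = "ALLOW"   # anything unmatched (e.g. guest to the Internet) is forwarded


def evaluate(src, dst, rules=RULES):
    """Return (action, matching rule name) for a packet from src to dst."""
    s, d = ip_address(src), ip_address(dst)
    for name, src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action, name
    return DEFAULT_ACTION, "default"


# Expected outcomes for the policy; 203.0.113.5 is a constructed Internet address.
CHECKS = [
    ("guest can reach the router (Internet path)", "192.168.200.20", str(MAIN_ROUTER_IP), "ALLOW"),
    ("guest cannot reach the domain server", "192.168.200.20", "192.168.1.2", "DROP"),
    ("guest cannot reach an office PC", "192.168.200.20", "192.168.1.50", "DROP"),
    ("guest can reach the Internet", "192.168.200.20", "203.0.113.5", "ALLOW"),
    ("office cannot reach a guest laptop", "192.168.1.50", "192.168.200.20", "DROP"),
]


def audit(rules=RULES):
    """Return the descriptions of every check the rule table fails (empty = policy OK)."""
    return [desc for desc, s, d, want in CHECKS if evaluate(s, d, rules)[0] != want]


if __name__ == "__main__":
    print("policy problems:", audit() or "none")
    # Reversing the table puts the broad deny first and breaks the gateway exception.
    print("reversed-order problems:", audit(list(reversed(RULES))))
```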
 
Solution
This would work with the Netgear and Trendnet switches I have, which will act as bridges between subnets, but I cannot guarantee that it will work with your modem router:

Suppose all your devices are on subnet 192.168.0.xyz.
Change the IP address of WifiB to put it on a different subnet, say, 192.168.1.qrs.
Connect WifiB to the modem router with an Ethernet cable. Check to be sure WifiB still gives access to the Internet. If it does not, just put an inexpensive 4-port switch between WifiB and the modem router to act as a bridge between subnets.

Put 2 new firewall rules in your domain controller forbidding all traffic to and from subnet 192.168.1.qrs.
Unless you can put firewall rules in the Netgear GS348T forbidding it, WifiB will be able to interact with your client PCs, printers, NAS, etc., as well as the Internet, but it will not be able to see the domain controller.

If all the documents that you do not want guests to have access to are on the NAS, then this will not help unless you can put firewall rules in the NAS forbidding traffic to subnet 192.168.1.qrs, or otherwise deny access to it with, say, permissions. Similar logic applies to the client PCs.

I would love to hear what your ultimate solution is. Ever since the Amanda Knox fiasco, we are desperate for good news from Italy.