Client Isolation on Switch and Router

Denna

Senior Member
Configuration:
LAN clients are connected to a single switch. Each client switch port is set up with a Private VLAN where they are allowed to communicate with the Internet, but not each other.
The switch's uplink port is connected to the router (RT-AC88U) that acts as the DHCP and DNS server and gateway to the Internet. No other router port is used except the WAN port.
The router, switch and clients are on the same IP network.
Does anything have to be configured on the router side to maintain client isolation that is configured on the switch's VLANs?
If you expect the router to manage DHCP and internet access on behalf of these VLANs, then it's going to be tougher than you might expect since the router will also have to be VLAN aware in order to disambiguate each VLAN for these purposes. But like most other ASUS routers using oem/stock firmware, the RT-AC88U probably does NOT support VLANs natively (I don't own one). You'd probably have to install third-party firmware like Merlin and manage it at the command line, which is a NON trivial task for anyone who has to ask this question in the first place.

Even if you could conquer the above hurdles, the fact you have VLAN capabilities on your separate (managed) switch basically becomes irrelevant. You could just as well establish the VLANs on the router alone and treat the separate switch as unmanaged. Not unless you had the need to locate that switch at some significant distance from the router, giving you the ability to establish the VLANs at that distance.

@eibgrad,
Thanks for your reply.
The goal is to isolate clients from each other.
According to Trendnet, the clients connected to the switch should not be able to see each others' traffic.
If the router, switch and clients are all on the same network, what benefit would VLAN configuration on the router add?
How would DHCP, DNS and Internet access be affected in this configuration?
When a LAN client on the switch requests a DHCP address and the router replies with a DHCP offer, is that offer broadcast to every VLAN on the switch?
Or does the switch maintain port isolation and not allow that DHCP offer to be broadcast to ports in different private VLANs?
I'm trying to figure out what benefit VLAN support on a router adds when trying to maintain client isolation.

If the router, switch and clients are all on the same network, what benefit would VLAN configuration on the router add ?

Good question. But YOU are the one that mentioned all of the VLANs being on the same network. I wasn't sure whether by that statement you meant the same *IP* network.

In theory, separating your switch into multiple VLANs that are each connected to their own individual routers upstream, each w/ its own public IP from the ISP, and even having the same IP network, would work. IOW, you'd have complete and total isolation for each VLAN, up to and including router and internet. And like you and the rest of your neighbors who might also be using the same IP network (e.g., 192.168.1.0/24), there would be no conflicts or issues.

However, if you expect *one* router to manage access between all these VLANs and through a single ISP, then you would typically configure each VLAN w/ its own unique and non-overlapping IP network. You'd then define a trunk port between the switch and the router over which all your VLANs would have their traffic routed and tagged. The router's DHCP server is then responsible for discriminating among the VLANs and properly responding w/ configuration details specific to those VLANs. IOW, the DHCP server on the router has to be aware and configured to handle multiple VLANs.

As I alluded to before, this is a NON trivial task on the router since the oem/stock firmware has no provisions for VLANs, handling/configuring multiple DHCP servers, etc. Even the Merlin firmware has no such provisions. But at least w/ Merlin, you can probably do it using the CLI, provided you know what to do.

In short, you may have bitten off more than you can chew if your intent is to support multiple VLANs w/ a single router given the hardware/firmware you're presently using.

FWIW, I recently helped someone on the FT (FreshTomato) forums to configure their router and secondary switch/AP w/ VLANs. I only offer it as a means to illustrate how you would typically deal w/ multiple VLANs between such devices.


If you ignore the fact it's FT, and that the second device is more than just a switch, it's basically doing what you want. The big difference is that the router in that case is fully VLAN aware and capable! IOW, the ability to define and configure the VLANs, configure each w/ its own DHCP server, etc., ALL OF IT, is native to the FT firmware on the router. That is NOT the case w/ your RT-AC88U! And why you face an uphill battle to achieve the same results as in that link.

@eibgrad,
Thanks for the detailed reply.
The router's ability to manage the switch's VLANs and assign different DHCP servers based on VLAN membership isn't needed.
Given the scenario in the first post, could client isolation configured on the switch be circumvented as traffic crosses the router?
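Denna's two open questions (whether the router's DHCP offer reaches every isolated port, and whether switch-side isolation can be undone once traffic passes through the router) are not answered in the thread. The following is an added example, not from the thread and not ASUS or Merlin code: a small Python model of an isolated-port (private VLAN) switch with the router on the promiscuous uplink, where the port names, MAC addresses, interface names and subnet are all constructed.

```python
from ipaddress import ip_address, ip_network

BROADCAST = "ff:ff:ff:ff:ff:ff"
LAN = ip_network("192.168.1.0/24")   # constructed: one subnet shared by router and clients

class IsolatedPortSwitch:
    """Private-VLAN style switch: a client port may only exchange frames with the uplink."""
    def __init__(self, uplink, port_macs):
        self.uplink = uplink            # promiscuous port, cabled to the router
        self.port_macs = port_macs      # port name -> MAC of the device on that port

    def egress_ports(self, in_port, dst_mac):
        """Ports a frame entering on in_port is forwarded to (empty list = dropped)."""
        if in_port == self.uplink:
            allowed = [p for p in self.port_macs if p != self.uplink]
        else:
            allowed = [self.uplink]     # isolated port: never another client port
        if dst_mac == BROADCAST:
            return allowed
        return [p for p in allowed if self.port_macs[p] == dst_mac]

class Router:
    """The router's forwarding decision; br0 faces the switch, wan faces the ISP (assumed names)."""
    def __init__(self, block_hairpin):
        self.block_hairpin = block_hairpin   # refuse to send a packet back out the interface it arrived on

    def forward(self, in_if, dst_ip):
        out_if = "br0" if ip_address(dst_ip) in LAN else "wan"
        if self.block_hairpin and in_if == out_if:
            return "drop"
        return out_if

def dhcp_offer_reach(sw):
    """The router's broadcast DHCP offer enters on the uplink: which ports receive it?"""
    return sw.egress_ports(sw.uplink, BROADCAST)

def client_broadcast_reach(sw, port):
    """A client's broadcast (DHCP discover, ARP request): which ports receive it?"""
    return sw.egress_ports(port, BROADCAST)

def client_to_client_via_router(sw, src_port, dst_ip, router):
    """Frame addressed to the router's MAC but carrying another client's IP as destination."""
    if sw.egress_ports(src_port, sw.port_macs[sw.uplink]) != [sw.uplink]:
        return "dropped at switch"
    return router.forward("br0", dst_ip)   # past the uplink, switch isolation no longer applies

# constructed topology: router on the uplink, two isolated client ports
SW = IsolatedPortSwitch("uplink", {"uplink": "02:00:00:00:00:01",
                                   "p1": "02:00:00:00:00:11", "p2": "02:00:00:00:00:12"})
```

The model shows that the switch alone delivers the router's offer to every isolated port while keeping client-to-client frames off the wire, and that the remaining gap is the router forwarding a packet back out the same LAN interface it received it on; on a Linux-based router that corresponds to a forward-chain rule dropping such packets, and whether the RT-AC88U's firmware exposes that is not something the thread establishes.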