RT-AX88U Pro - TL-SG108E managed switch and VLAN

[clouless]

Looking for Guru how to configure my Ethernet cable going downstairs, I can only have one cable. So I need to have my main intranet plus one or two Vlan with no access to intranet to the second switch, the Wi-Fi config was easy got two IOT in guest network, but I am not completely sure about the wired situation I saw this post https://superuser.com/questions/943312/how-to-securely-run-two-lans-on-a-single-ethernet-cable
which is similar to my Case, so because of that got two pieces of TL-SG108E
. So now I confess got a little bit lost how to configure them plus the vlan tab on the router firmware .0.0.4.386_51665-g8072e52?

 

[PunchCardBoss]

How to configure 802.1Q VLAN on TP-Link Easy Smart/Unmanaged Pro Switches - https://www.tp-link.com/us/support/faq/788/​

 

[clouless]

I was looking for something more detailed specially about the VLAN connection of the router but thank you anyway.

 

[PunchCardBoss]

more detailed specially about the VLAN connection of the router

First step is to configure your switch VLAN. This step includes defining the VLAN ID.

Second step is to configure your router. You would do this in the "Guest Network Pro" section. Use "Custom Network" and turn off 2.4 & 5 Ghz band by selecting "None". This step means you will be using a wired connection. Fill in the rest of the fields making sure you use the same VLAN ID as you used in your switch for the router LAN IP field in the "Custom Network" . Follow the directions that Asus shows in their FAQ page here: https://www.asus.com/us/support/FAQ/1049415.

The second step will set up a VLAN profile which is found on the LAN > VLAN page. On this page you can make adjustments that affect how your router interacts with your VLAN.

IF you have configured all ports on your switch to be a single VLAN, then you can assign a port on the router for that VLAN only. In this case, your entire switch would be assigned a separate sub-net. In my use case, only a few of the switch ports are VLAN. So, I am not sure of the setup for a switch if all ports are to be on a separate sub-net.

IF you have configured some (not all) ports on your switch to be a VLAN, then you should leave "Mode" on LAN > VLAN > VLAN set to "Default".

 

[clouless]

I understand your explanation, And I am going to make myself a little bit clearer.
What I want to achieve is to have the network downstairs (still from one cable) on a separate subnet except (B) one or two ports with should be able to reach the main intranet (A) but also I would like to keep control from the same main intranet (A)to the one on the separate subnet same way I can control my clients on my wireless IOT Network

 

[PunchCardBoss]

Sometimes a picture helps others understand what you are trying to do. I think you are trying to connect 2 switches to one router port. Is this correct?

If my understanding is correct, then your setup would look something like this...

In general, it is not recommended to connect a switch to another switch. Rather, it is better to purchase a switch with enough ports to satisfy your connections or run 2 ethernet cables, one to each switch.

However, in theory, it is possible to connect two switches together. I am not sure how to configure your switches for this type of network topology. Others with more experience may correct me. It may be that you don't need to declare a VLAN on your TL-SG108E #2 switch if all #2 switch ports are to be VLAN ID20. I would try this first to see if it works before declaring a VLAN on #2 switch.

Now, in your OP and in your clarification above, you want to:

• Isolate your VLANS from accessing the INTERNET
• Be able to reach VLAN clients from the default (router) sub-net (INTRANET).

All my suggestions are based on Firmware Version:3.0.0.6.102_21514.

If you want to be able to access VLAN clients from a device connected to your router sub-net (primary WiFi or router ports or ports 2, 3 on TL-SG108E #1), you MUST turn on "Access intranet". This function is on your Guest Pro Network > Custom Network > General screen. And, If I remember correctly, you MUST NOT check the "Port Isolation" box on LAN > VLAN > Profile screen.

The above steps will assure that a device on your router sub-net can connect to devices on your VLANs. BUT, it also means that all devices on your VLANs can connect to the INTERNET. To restrict VLAN access to the internet and with older Firmware, you would use Firewall > Network Services Filter screen and add restrictions of certain LAN IP address to use WAN 80 & 443. However, I have played with the Network Services Filter and it does not appear to work to restrict a single IP address on Firmware Version: 3.0.0.6.102_21514.

Instead, you must use your Network Map and restrict internet access for each device. This works for devices that are on your router sub-net or VLAN. From my limited testing, it appears that the AX88U-PRO performs some kind of internal filtering by MAC address when this "Block Internet Access" switch is turned on.

This is the only way I have found to maintain INTRANET access to VLAN devices AND restrict INTERNET access.

 

[clouless]

First big thank you for trying to help me and I know I am aware I am absolutely not clear, and I should apologize for it.
Anyway, I do not mind and need my clients to get internet. With the first switch alone according to your schematic I connect my main wire untagged from the router and port 2and 3 got the complete intranet and port 4567 still got internet but no intranet which is basically what I need. Port 8 is a little bit a mysterious since If connect a Pc to it got nothing no Internet and no connection.?

 

[deveals]

Hello and good day! Template for VLAN setup appreciated! Sorry I missed it earlier, but is Asus Merlin VLAN support available for RT-AX88U Pro and if so, what's the link for the firmware?