Can I hand pick which devices to put into a vlan? (not physical based but logical based)

Comments

11 comments

  • Firewalla

    If you can freely move around between VLANs, then the protection (segmentation, isolation) provided by VLANs is likely not working. Is this what you want?

    0
  • maximus

    Sorry, let me clarify. I want to make 1 VLAN from "SOME" of my devices in my network. As you can see from my diagram, everything ends up being plugged into the FWG, but on different ports.

    I don't want to make an entire particular port on the FWG a VLAN. I want to be able to pick "SOME" of my devices spread out across my network and put them into a VLAN.

    Example: could I make 1 VLAN with the following devices?
    * my cameras (located on port 1 of the FWG)
    * my Xbox (located on port 2 of the FWG)
    * my thermostat (located on port 3 of the FWG)

    Notice these devices are spread among the FWG ports. Can I put those devices onto 1 VLAN? Currently they are NOT physically located on the same FWG port.


    0
  • Firewalla

    Why do you need to make one VLAN? You can just link all 3 ports (1, 2, 3) together as your LAN. Is that what you are after?

    0
  • maximus

    No, I want to make 1 VLAN and add "SOME" of my devices (I don't want to have 1 big flat network). My question is, can I mix and match wired/wireless devices and put them on a VLAN? Again, my devices are NOT physically located on the same port; they are spread apart on my network.


    I was reading your docs; it looks like I need to do some SSID-to-VLAN mapping. What do I do about wired devices? And can I have a VLAN which consists of both wired and wireless devices?

    0
  • Firewalla

    Do you want to dynamically add devices to the VLAN you created? If that's the case, it is not possible, since VLAN membership is controlled by your physical device.

    • If you use a switch to connect, then the port your device is connecting to dictates the VLAN ID.
    • If you use an AP to connect, the membership is usually the SSID-to-VLAN mapping.
    0
  • maximus

    If by dynamically you mean the ability to select (cherry-pick) my devices at will, then yes. Kind of a bummer, because my devices are not ideally physically located in my network.

    0
  • Firewalla

    Your devices need to have a physical relationship (at least in the consumer world).

    Example:

    1. A physical device needs to connect to a managed switch port x, and that port x needs to be configured with a VLAN tag; the switch itself connects to Firewalla and will send all VLAN information to Firewalla.

    2. A wireless device needs to connect to an access point, and based on the SSID it is connecting to, the traffic will be tagged with the right VLAN by the Wi-Fi access point; that traffic is fed into Firewalla directly, or via an untagged port on a switch.


    1
  • Kevin Smeltz

    Some consumer-grade managed switches also allow you to assign to VLAN by MAC ID.

    0
  • prophetse7en

    So it is not possible to create a group of devices and put those devices into one VLAN?

    Is it either all devices connected to port xx or all devices connected to SSID xx that will be added to a VLAN?

    0
  • Rich T.

    For SSID, as far as I know, yes. There may be APs that let you tag individual devices by MAC, but none that I know of. Many don't even allow mapping of an SSID to a VLAN, but if yours does, then you can create multiple SSIDs and have each mapped to a VLAN. So create SSID "Cameras", add the cameras and give it VLANID 10, then create an SSID "Guest" and give it VLANID 20, etc.

    For physical ports, a single port can carry many VLANs. The incoming and outgoing packets just need to be tagged (you need some way to say "device A" should be tagged as VLANID 10, for instance). To do that, if the device itself supports it, you can do it at the device level (some computer network cards allow it); if not, most managed switches support it. So in the picture, if your Netgear switch supports it, you could plug the cameras on the left into port 4 and tag them as VLANID 20, plug the ones on the right into port 5 and tag them as VLANID 30, and then connect port 1 of the Netgear to port 1 on the FWG and add both VLANID 10 and 20 as tagged to port 1 of the Netgear and the FWG. The FWG will keep them in different VLANs with different IP spaces.

    0
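The membership model described in Firewalla's and Rich T.'s replies (VLAN decided by the ingress switch port or SSID, and by MAC rule on the switches Kevin Smeltz mentions, then carried as an 802.1Q tag over the trunk to the FWG) is simulated below as an added example that is not part of the thread or of any Firewalla code. The membership tables, MAC addresses and the MAC > port > SSID precedence are constructed assumptions for illustration.

```python
import struct
from collections import defaultdict

ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETH_P_IP = 0x0800

def tag_frame(dst, src, vid, payload, pcp=0):
    """Insert an 802.1Q tag (TPID + TCI) after the MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid           # PCP(3 bits) | DEI(1)=0 | VID(12)
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_IP) + payload

def parse_frame(frame):
    """Return (dst, src, vid, payload); vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_P_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF, frame[18:]
    return dst, src, None, frame[14:]

# Constructed membership tables (hypothetical values, not from the thread):
PORT_VLAN = {4: 20, 5: 30}                       # switch access ports
SSID_VLAN = {"Cameras": 10, "Guest": 20}         # AP SSID-to-VLAN mapping
MAC_VLAN = {bytes.fromhex("0a0000000001"): 10}   # MAC-based rule

def ingress_vid(src_mac, port=None, ssid=None):
    """Membership is fixed at the ingress device; assumed precedence MAC > port > SSID."""
    if src_mac in MAC_VLAN:
        return MAC_VLAN[src_mac]
    if port in PORT_VLAN:
        return PORT_VLAN[port]
    if ssid in SSID_VLAN:
        return SSID_VLAN[ssid]
    return None   # no rule matched: frame goes onto the trunk untagged

def forward_to_trunk(src_mac, payload, port=None, ssid=None):
    """Switch/AP side: tag the frame according to where it came in."""
    vid = ingress_vid(src_mac, port, ssid)
    dst = b"\xff" * 6                 # broadcast, for illustration
    if vid is None:
        return dst + src_mac + struct.pack("!H", ETH_P_IP) + payload
    return tag_frame(dst, src_mac, vid, payload)

def router_demux(frames):
    """FWG side of the trunk: separate frames into per-VID broadcast domains."""
    domains = defaultdict(list)
    for f in frames:
        _, src, vid, _ = parse_frame(f)
        domains[vid].append(src.hex(":"))
    return dict(domains)
```

Untagged frames end up in the `None` domain, which on a real trunk means the native VLAN; an unmatched device silently landing there is the kind of gap to check for when auditing segmentation.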
  • Eric Flores

    See more information here:

    https://www.orbit-computer-solutions.com/vlan-trunking-protocol-vtp/

    0