1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WRV200 and VLAN Configuration

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by DocLarge, Feb 4, 2007.

  1. DocLarge

    DocLarge Super Moderator Staff Member Member

    Has anyone tried the VLAN functionality on the WRV200 yet, or have we all been consumed with vpn, voip, and ftp? :)

    Jay
     
  2. CalledToConstruct

    CalledToConstruct LI Guru Member

    Yep. :D

    It is working quite well actually. I have two SSIDs, the first with a larger, more random psk, the second only has access to the WAN port (devices cannot see each other)

    My only complaint... I cannot designate a VLAN for an incoming VPN connection. Hopefully that will become an option in a (near) future firmware upgrade. ?? :D

    // Joe
     
  3. DocLarge

    DocLarge Super Moderator Staff Member Member

    Excellent... How about port-based vlan? I've tried the wireless vlan also and it works nicely..

    Has anyone else tried the vlan functionality of the wrv200, specifically port-based? I figure it's time to focus on other aspects of this router than just VPN and FTP...

    Jay
     
  4. Walrus78

    Walrus78 LI Guru Member

    I've tried using the VLAN functionality - both port based and SSID based. They really both work pretty well for separating network devices from each other - but not the VPN. It is a nice feature, but not very useful in the situations thus far.

    Now, if the feature could be added to only pass vpn traffic over certain VLANS - wow, that woud be awesome.

    Assigning anSSID and port to the same VLAN has also worked flawlessly for me. Guess there isn't too much else to say about that. :)
     
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

    Thanks for replying, Walrus. Would you mind taking a minute to illustrate for some of the users how you were able to configure portbased vlan?

    Jay
     
  6. Walrus78

    Walrus78 LI Guru Member

    Sorry I didn't explain more - I guess I go into it more. Its been a few months so I'm going from memory on this.

    All of the VLAN functionality just separates the traffic of your hosts from each other but not from the internet or vpn. From what I remember, you can configure up to 5 different VLANs, which should be more than enough for most people consider you can assign ports and each distinct SSID to one or multiple VLANs.

    If an example helps:
    Host A = Outside vendor wanting wired internet access - on Port 1
    Host B = Company Workstation - on Port 2
    Host C = Network Printer - on Port 3
    Host D = Company Server - on Port 4
    Host E = Outside vendor wanting wireless internet access - on SSID2
    Host F = Company Wireless Laptop - on SSID1

    In this example - to make sure we keep it simple there is no vpn and it just a simple network accessing the internet. Hosts B and F need to access company resources - mostly meaning Hosts C and D. There is no security issue of Hosts A,B, and F seeing each other. Host E needs to have internet access, but nothing else.

    In order to do this with the WRV200, here is a way you could set this up.
    VLAN1 is assigned to Ports 2, 3, and 4 and SSID1. Lets make VLAN one the company internal network. VLAN2 (guest network) is assigned to port 1 and SSID2, for VLAN2 is the guest network.

    So, based on how the hosts are connected, Hosts B, C, D, and F can access each other and the internet, but not hosts A and E. Hosts A and E are also on their own independant connections, but they only see each other and the internet. If you want an example of a port of SSID being on more than one VLAN, if you needed to give these outside vendors access to your network printer (HP Jetdirect printer for example), you can assign VLAN2 to port 3 as well. Everything can get DHCP from the WRV200 and can access the WRV200 itself.

    So in the WRV200, all you do is assign
    VLAN1 - Ports 2,3,4 and SSID1
    VLAN2 - Port 1 and SSID2

    What I don't know but have been assuming is that if an unmanaged switch that is unaware of 802.1Q is plugged into a port, those switch ports assume all of the VLANs of the port it is plugged into.

    Hopefully this explains better what can be done so far. I don't have this in production in any of our sites with a WRV200, but I believe we are going to be doing this to some extent in the near future.

    Like mentioned above, the only way known now to limit traffic from access resources across a VPN established by the WRV200 is to limit the subnet that you are tunneling to not include those computers that you not wanted. The only feasible thing i've come up with is to make DHCP reservations for the those computers that need VPN access within the scope and make sure everything else is not inside of it. So, it works, but at any time someone could put in a static ip address within the range and gain access to VPN traffic.
     
  7. DocLarge

    DocLarge Super Moderator Staff Member Member

    Thanks for the contribution. I'll look at making this either a sticky or a tutorial. Good lookin' out!

    Jay


    Whoops, I have no idea what I was thinking when I locked the thread; it's open now, so questions will be fielded.

    Jay
     
  8. hudr

    hudr LI Guru Member

    Ok, so is there any Linksys device that WILL let you designate VPN traffic to a certain VLAN? I need to set up a VPN between two locations. Then at one location we would like a secure wireless LAN w/ VPN access and an open wireless connection for customers w/o VPN access.
    And if Linksys doesn't offer something like that who does? Of course I would rather stay out of the price range of actual Cisco equipment if possible.
     
  9. Walrus78

    Walrus78 LI Guru Member

    I have a workaround that basically makes this happen but you have to know the mac addresses of the machines that are going to be secure and give them DHCP in a certain range based on those addresses. If you are giving some people the secure key/some not and managing the dhcp reservations by mac address is unrealistic (or over 20 devices) then it won't work for you. Let me know if you want this info and i'll create a new thread for it or I can PM you.

    Once again, this would be a very nice feature on the WRV200.
     
  10. TomSweet

    TomSweet LI Guru Member

    VLAN success

    Success with VLAN's since day one, firmware 1.06, around July 2006.

    VLAN 1 - ports1-4, SSID1, wpa2, wireless hosts on same SSID can see one another
    VLAN 2 SSID2, wpa2, wireless hosts on same SSID _cannot_ see one another

    Wireless | Advanced | AP Isolation:Enabled - (From the help) It keeps wireless hosts on different SSID's in different VLANs from seeing each other.

    VLAN 1 is the internal network. VLAN 2 is for visitors and is internet access only. No access to each other or the internal network.

    A question: Are these tagged (802.1Q) VLANs? I didn't see Q support in the data sheet, whereas I did see it explicitly mentioned in other Linksys switch data sheets. I haven't launched the sniffer and decoded the frames to tell.

    Thanks for the great site, and close work with Linksys. Your efforts are to be applauded.:thumbups:
     
  11. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    I don't think they're tagged since the ports are "native VLAN" meaning that workstations and not other switches are meant to be connected to them. 802.1Q is a different frame format and wouldn't be "understood" by the workstations and other nodes connected to those ports.


    By all means use a sniffer and let us know what you find out.


    /Eric
     
  12. reiichiroh

    reiichiroh LI Guru Member

    Stupid question, but dug through everything without answer.
    Can the VLANs/BSSIDs have seperate encryption schemes? WEP for one, WPA2 for the other for example.
     
  13. DerToob

    DerToob LI Guru Member

    Short answer:

    yes, they can.
     
  14. ccbadd

    ccbadd Network Guru Member

    I really wish Linksys would add seperate dhcp scopes per vlan like it does on the RVL200. Other then that, vlans work great.
     
  15. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    I found how to solve this issue. How about this for a workaround!

    http://www.breezy.ca/?q=node/216

    /Eric
     
  16. woodmouze

    woodmouze LI Guru Member

    I also would like to have VLAN added to VPN.
    I share my internet with my neighbours, but have a VPN to the office...

    Currently I have two routers, one for me, and one for them... but would like to add my neigbours onto the WRV200 on a separate SSID and VLAN... and so for hiding the VPN's as well - this would really be a nifty feature :)
     
  17. _c4_

    _c4_ Guest

    So here's a VLAN question for you:

    Is it possible to configure the VLAN feature such that:

    VLAN1: Internal network
    VLAN2: External wireless network

    VLAN1 and VLAN2 are isolated and computers cannot see each other, but:

    Set up the WRV200 VPN feature such that a computer connected to VLAN2 may connect to a computer in VLAN1 via a VPN client??

    Currently, I can set up the VLANs, but because the both VLANS use the same range of addresses in the same subnet, the VPN cannot differentiate them and create the connection..

    Is there some way of playing with subnet masks or something to fool the system into working this way?
     
  18. s1216

    s1216 Guest

    Hi I am bumping an old thread here

    I am thinking about buying this router for a small office I am setting up.

    I don't have this routere yet so I cannot test it. Am I missing something here or could I force a VPN user to a specific VLAN simply by creating a tunnel limited to the IP range of that VLAN and then just assign that tunnel to the VPN user I want to stay in that VLAN?


     
  19. shane523

    shane523 Addicted to LI Member

    I have tried this and still get access to the VPN. The secure side is a 10.xxx.xxx.xxx setup where the customer access point is a 192.168.xxx.xxx setup. I could still access the VPN tunnel and access the intranet at the other end of the tunnel. This is not a good thing.
     

Share This Page