VLAN not working

I want to use vlans to create a segregated management network for administration of the device. Like the dedicated management port on most business class devices.

The goal is to have 3 vlans: lan - wan - admin. Only the admin vlan should be able to connect to the router web ui or ssh. The admin vlan should not be able to connect to wan.

These are the steps I did:
add the new vlan 3
set physical port 1 to tag vlan 3
Create a new interface eth0.3 for vlan
Set static ip and dhcp server on eth0.3 interface
Create a new firewall zone bound to eth0.3
Firewall rules input allow, output allow, forward reject.

The problem is the new vlan does nothing. When I connect to port 1 I get assigned an ip address from the lan vlan, not the new admin vlan. If I set firewall rules to block access from the lan zone it just locks me out regardless of which port I connect to. Am I missing something? Are there any instructions somewhere on how to set this up? Could it be vlans just don't work on this model device?

Take a look at setting up a guest network on the wiki. While not quite what you're looking for, it does describe the procedure to add a new VLAN (for swconfig based switches, which I assume your unnamed device uses). The rest is merely a question of configuring the default firewall rules for your new guest^wadmin zone (bridging a dedicated wireless BSSID to this VLAN is optional).

--
Just as personal advice, keep it simple in step 1: dedicate one of your switch ports exclusively/untagged to this new guest^wadmin VLAN. Once you have that tested and working, you can try to mix tagged and untagged VLANs on the same port. Warning: not every hardware switch (respectively its driver) supports mixing tagged and untagged VLANs on the same port.

Port 1 must be untagged on vlan 3 and off from vlan 1. Also, CPU must be tagged on vlan 3.

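The switch, interface, DHCP and firewall pieces described in the thread, written out as a UCI batch script. This is an added example, not configuration posted by anyone in the thread, and it assumes an swconfig-based router (pre-DSA OpenWrt, so interfaces use `ifname`) with switch `switch0`, CPU port 6, ports 1-4 currently in the lan VLAN (vlan 1, section `@switch_vlan[0]`), the lan zone as `@zone[0]`, and 192.168.3.0/24 as the admin subnet. Port 1 is moved to vlan 3 untagged and removed from vlan 1; the CPU port is tagged on vlan 3. The admin zone gets no forwarding to wan, so it stays off the internet, and the lan zone's input is set to REJECT with an explicit exception for DHCP and DNS, since without that exception lan clients lose addresses and name resolution the moment you lock them out of the router:

```shell
#!/bin/sh
# Added example (not from the thread): dedicated admin VLAN on an swconfig
# OpenWrt router. Device-specific assumptions, adjust before use:
SWITCH="switch0"      # assumed switch name
CPU_PORT=6            # assumed CPU port; check `swconfig dev switch0 show`
ADMIN_PORT=1          # physical port that becomes admin-only
ADMIN_VID=3
LAN_PORTS_REMAINING="2 3 4"   # assumed: lan was ports 1 2 3 4 before
ADMIN_IP="192.168.3.1"
ADMIN_MASK="255.255.255.0"

# Emit the uci batch commands instead of applying them directly so they
# can be reviewed (or tested) before the switch layout changes.
admin_vlan_uci_batch() {
    cat <<EOF
set network.admin_vlan=switch_vlan
set network.admin_vlan.device='$SWITCH'
set network.admin_vlan.vlan='$ADMIN_VID'
set network.admin_vlan.ports='$ADMIN_PORT ${CPU_PORT}t'
set network.@switch_vlan[0].ports='$LAN_PORTS_REMAINING ${CPU_PORT}t'
set network.admin=interface
set network.admin.ifname='eth0.$ADMIN_VID'
set network.admin.proto='static'
set network.admin.ipaddr='$ADMIN_IP'
set network.admin.netmask='$ADMIN_MASK'
set dhcp.admin=dhcp
set dhcp.admin.interface='admin'
set dhcp.admin.start='100'
set dhcp.admin.limit='50'
set dhcp.admin.leasetime='12h'
set firewall.admin_zone=zone
set firewall.admin_zone.name='admin'
add_list firewall.admin_zone.network='admin'
set firewall.admin_zone.input='ACCEPT'
set firewall.admin_zone.output='ACCEPT'
set firewall.admin_zone.forward='REJECT'
set firewall.@zone[0].input='REJECT'
set firewall.lan_dhcp_dns=rule
set firewall.lan_dhcp_dns.name='Allow-DHCP-DNS-from-lan'
set firewall.lan_dhcp_dns.src='lan'
set firewall.lan_dhcp_dns.proto='tcp udp'
set firewall.lan_dhcp_dns.dest_port='53 67 68'
set firewall.lan_dhcp_dns.target='ACCEPT'
EOF
}
# Note: no `forwarding` section from admin to wan is created on purpose,
# so admin hosts can reach the router but not the internet.

# Apply on the router. Run this from a host on port 1 only after reading the
# batch: port 1 changes VLAN, and lan loses access to the web UI/ssh.
apply_admin_vlan() {
    admin_vlan_uci_batch | uci batch \
        && uci commit \
        && /etc/init.d/network restart \
        && /etc/init.d/dnsmasq restart \
        && /etc/init.d/firewall restart
}

if [ "${1:-}" = "apply" ]; then
    apply_admin_vlan
else
    admin_vlan_uci_batch
fi
```

Run it with no arguments to review the generated commands, and with `apply` on the router to commit them. After the restart, `swconfig dev switch0 show` should list port 1 untagged in vlan 3 only, and `uci show firewall` should show no forwarding section with `src='admin'`.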

@slh I've read the instructions on setting up guest wifi. They didn't mention vlans at all.

@trendy Thanks. I'll try that.

That worked. It's confusing that the port I want to be in the vlan is labeled untagged, but that seems to be the right way to do it. Thanks again.

If it is tagged, then the host connecting to that port must also tag, which is not the default or the usual setup.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
