01-03-2021 01:38 PM
I'm trying to set up an RV160 so three physical ports are assigned to specific IP ranges via VLAN settings. I've set up three VLANs named 2, 3 and 5, which correspond to the ranges 192.168.2.0/24, 192.168.3.0/24, and 192.168.5.0/24. I've assigned VLAN 2 to port two, VLAN 3 to port 3, and VLAN 5 to port 4. I'm sure a big problem is how I've set up the "Assign VLANs to ports" section and the Inter-VLAN Routing entries. Ultimately, ports three and four will hit the internet and see each other, but not port 2. Port 2 can hit the internet, but not see ports three and four. All VLANs are DHCP’d, but eventually I plan to set port three without DHCP and static the only device that will be in that range and connected to that port.
The tagged, untagged, and excluded bits are confusing me. I’ve been webbin’ the heck out of this, and one page said that I’d also need to do something to the Firewall/NAT settings, as well. It’s enabled. The Inter-VLAN Routing options were all enabled so I could do some testing, but I have since changed VLAN two's setting. If I plug in to port one, two, three, or four, I can still ping the 1.1, 2.1, 3.1, and 5.1 gateways from each port.
At this time, the correct DHCP'd IPs pull from each port, but I cannot determine the settings to forbid the devices on ports three and four from seeing the 192.168.2.0/24 range on port two. I don’t plan on having anything on port one of the router.
Any assistance would be appreciated.
01-03-2021 02:06 PM
Hello,
It is unclear from your description what the actual problem is. Do you want port 2 (Vlan 2) to communicate with the other ports/Vlans, and that is not working?
In general, all non-default Vlans should be tagged. The untagged Vlan is typically Vlan 1 (or any Vlan you want to use for just management)...
01-09-2021 12:37 PM
Thank you for replying. I want port two to be isolated so no networks on other ports can see it. Port two, 192.168.2.0/24, is the line that hooks to the work network via a VPN link. I don't want any other VLAN or port to see the one computer on the VLAN on port two.
01-04-2021 03:41 AM - edited 01-04-2021 05:07 AM
Hello
@Mahmood01 wrote:
The tagged, untagged, and excluded bits are confusing me.
I interpret this as:
excluded = manually prune this specific vlan from the trunk/port
untagged = assign this specific vlan to the trunk/port (untagged packets)
tagged = assign this specific vlan to the trunk/port (tagged packets)
The below would be an example of all 4 ports running as access ports assigned to a specific vlan
Access-ports
LanPort1 untagged Vlan1 2-3-5 excluded
LanPort2 untagged Vlan2 1-3-5 excluded
LanPort3 untagged Vlan3 1-2-5 excluded
LanPort4 untagged Vlan5 1-2-3 excluded
Trunks Ports
Port 1 running as a trunk allowing all vlans
LanPort1 tagged vlan1 2-3-5 tagged
Port 2 running as a trunk allowing vlans 1-2-3 with native vlan 5
LanPort2 tagged vlan 1 2-3 tagged 5 untagged
Now, to exclude a port in one vlan so that it is not able to communicate with a host in another vlan on this router, you would need to apply some filter like an access list or isolate it in its own dmz network. Do you have any options on this router for applying an access-list or creating a dmz?
Edited - RV160 dmz
01-09-2021 12:42 PM
Thank you for replying. I am wanting to isolate one VLAN and assign it a specific router port; that one VLAN will be isolated so none of the other VLANs can see it and can't ping any device on it. The 192.168.2.0/24 range is for work's VPN only; I don't want the PC on that range to see any other VLANs on the RV160.
01-10-2021 04:20 AM
Hello
After checking the RV160-admin-guide (page 81) you can indeed create a filter to isolate a specific vlan from the other vlans on your network - So please review it.
02-27-2021 08:17 AM
While the "STFU and RTFM" response is normal from some folks, it doesn't really help a newbie, but thank you anyway. "Community" at its best! Page 81 in the Cisco manual, or Page 81 in the PDF document? Page 81 actual, Goal: Use the source address to let the PC translate to a specific public address while the others will still translate to a WAN address, doesn't seem to help at all, so I'll go with Page 75 of the manual, Page 81 of the PDF file, Firewall Access Rules.
I set up a Deny action rule, the Source Interface of VLAN5, Source Address of Any, to the Destination Interface of VLAN2, Destination Address of Any.
I set up another Deny action rule, the Source Interface of VLAN2, Source Address of Any, to the Destination Interface of VLAN5, Destination Address of Any.
The gateways are pingable from each VLAN, but the PC IPs betwixt two of the VLANs are not. Don't know if both rules are needed. Can the gateway access between the two VLANs be disabled, as well, or is that even necessary?
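An added example, not part of any post in this thread and not Cisco's code: a small Python model of the two Deny rules from the last post, checked against the isolation goal stated earlier in the thread (VLAN 2 unreachable from every other VLAN). It assumes first-match rule evaluation and a default of allow between VLANs while Inter-VLAN Routing is enabled; `verdict`, `audit` and `missing_denies` are hypothetical helper names.

```python
from itertools import permutations

# VLAN IDs from the thread (VLAN 1 is the default VLAN on port one).
VLANS = [1, 2, 3, 5]

# The two Deny rules described in the last post: (action, source VLAN, destination VLAN).
# Source and destination addresses are "Any" in both.
RULES = [
    ("deny", 5, 2),
    ("deny", 2, 5),
]

# Intended policy from the thread: VLAN 2 talks to no other VLAN;
# the remaining VLANs may reach each other.
ISOLATED = {2}

def verdict(src, dst, rules, default="allow"):
    """First matching rule wins; otherwise the default applies.
    ASSUMPTION: Inter-VLAN Routing is enabled, so the default is allow."""
    for action, r_src, r_dst in rules:
        if r_src in (src, "any") and r_dst in (dst, "any"):
            return action
    return default

def audit(rules, vlans=VLANS, isolated=ISOLATED):
    """Return directed VLAN pairs whose verdict differs from the intended policy."""
    gaps = []
    for src, dst in permutations(vlans, 2):
        want = "deny" if (src in isolated or dst in isolated) else "allow"
        got = verdict(src, dst, rules)
        if got != want:
            gaps.append((src, dst, want, got))
    return gaps

def missing_denies(rules):
    """Deny rules that would close the gaps reported by audit()."""
    return [("deny", s, d) for s, d, want, _ in audit(rules) if want == "deny"]

if __name__ == "__main__":
    for src, dst, want, got in audit(RULES):
        print(f"VLAN{src} -> VLAN{dst}: want {want}, rules give {got}")
    print("additional rules:", missing_denies(RULES))
```

Under these assumptions the two rules cover only the VLAN 2 / VLAN 5 pair; the model reports VLAN 2 to and from VLAN 3 and VLAN 1 as still open. It does not model traffic addressed to the router's own gateway addresses.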