Welcome to TP-LINK Tech Support Forum
  1. #1
    Bertl (Junior Member, joined Nov 2017, 1 post)

    T2600G-28MPS how to separate networks?

    Hello everybody,

    I'm trying to install a hotspot environment in our company. I'm using an ER6120 router, several T2600-G 28MPS switches and several EAP330 access points.
    The APs shall provide two SSIDs. One "Internet Hotspot" for the customers and one "Office WiFi" for our service staff. Both SSIDs or networks share the same Internet connection but must be separated internally.
    So I followed the instructions in this guide:
    How to configure Multiple SSIDs with Multiple Subnets on EAP products: http://www.tp-link.de/faq-1849.html

    DHCP works fine so far. When I log into the "Internet Hotspot" network I get an IP of 172.168.0.0 /21 (VLAN20) and when I log into the "Office WiFi" I get an IP of 192.168.128.0 /21 (VLAN10). Also, when I attach the laptop directly to the switch I get the correct IP depending on the VLAN config of the port.
    Now my problem is that both networks communicate with each other. So when I log into the "Internet Hotspot" (no difference if I use WiFi or cable (both VLAN20)) with my laptop and obtain an IP of 172.168.0.0/21, then I can still access my NAS, which is directly attached to the switch ("Office" VLAN10, fixed IP 192.168.128.7 /21).
    To my understanding, this should not be possible for two reasons:
    First: the two devices are in different subnets (192... /21 and 172... /21)
    Second: the two devices are in different VLANs (20 and 10)
    Do I have to configure an ACL (port or VLAN bound?) or is the VLAN configuration wrong?
    I'm just on my way to get into the advanced networking world, so I hope I don't annoy the experts with my noob questions.
    Thanks for your help.

    Kind regards Bertl

  2. #2
    R1D2 (Member, joined Dec 2015, 1,430 posts)
    Quote, originally posted by Bertl:
    DHCP works fine so far. When I log into the "Internet Hotspot" network I get an IP of 172.168.0.0 /21 (VLAN20)
    You had better not use 172.168.0.0; it's part of AOL's official network (netname AOL-172BLK, IP range: 172.128.0.0/10).

    Now my problem is, that both Networks communicate with each other.
    [...]
    To my understanding, this should not be possible for two reasons:
    First: the two devices are in different subnets (192... /21 and 172... /21)
    Second: the two devices are in different VLANs (20 and 10)
    Third: your router creates two separate networks isolated against each other using firewalling or you use ACLs to allow access from clients in the guest network to your router's gatewaying interface only, but not to other clients in the LAN subnet.

    This third point is obviously missing from your setup; your router therefore does routing, and so clients in your hotspot network can reach internal hosts.

    Do I have to configure an ACL (port or VLAN bound? )
    This is one way to isolate the subnets, yes. Another way would be to create two LANs: one is the protected office network, the other one is the public hotspot.
    For the latter you will need what TP-Link calls "Multi-Nets NAT" (NATing for more than one subnet, supported by almost any router).
    Last edited by R1D2; 12-03-2017 at 10:43.
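
Added example, not part of either post and not TP-Link configuration syntax: a small Python model of the ordered ACL R1D2 describes, showing that routing alone lets a hotspot client reach the NAS and what the rule set has to deny. The subnets and the NAS address are from the thread; the gateway address 172.168.0.1, the client and Internet addresses, and the default-permit behaviour for unmatched traffic are assumptions.

```python
import ipaddress
from typing import NamedTuple

# Subnets and NAS address are from the thread; the gateway address is assumed.
GUEST = ipaddress.ip_network("172.168.0.0/21")     # "Internet Hotspot", VLAN 20
OFFICE = ipaddress.ip_network("192.168.128.0/21")  # "Office WiFi", VLAN 10
NAS = ipaddress.ip_address("192.168.128.7")
GUEST_GW = ipaddress.ip_network("172.168.0.1/32")  # assumed router interface in VLAN 20
ANY = ipaddress.ip_network("0.0.0.0/0")


class Rule(NamedTuple):
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Ordered rules for traffic arriving from the guest side (first match wins).
GUEST_ACL = [
    Rule("permit", GUEST, GUEST_GW),  # guests may talk to their own gateway
    Rule("deny", GUEST, OFFICE),      # but not to hosts in the office subnet
    Rule("permit", GUEST, ANY),       # everything else (Internet) is routed
]


def evaluate(acl, src, dst, default="permit"):
    """Return the action of the first rule matching src -> dst, else `default`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return default  # assumption: unmatched traffic is simply routed


def is_rfc1918(net):
    """True if `net` lies inside one of the three RFC 1918 private blocks."""
    blocks = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    return any(net.subnet_of(ipaddress.ip_network(b)) for b in blocks)


if __name__ == "__main__":
    client = "172.168.1.50"  # constructed hotspot client address
    print("no ACL, guest -> NAS  :", evaluate([], client, NAS))
    print("ACL, guest -> NAS     :", evaluate(GUEST_ACL, client, NAS))
    print("ACL, guest -> gateway :", evaluate(GUEST_ACL, client, "172.168.0.1"))
    print("ACL, guest -> Internet:", evaluate(GUEST_ACL, client, "198.51.100.10"))
    print("guest net RFC 1918?", is_rfc1918(GUEST), "| office net?", is_rfc1918(OFFICE))
```

Rule order matters in this model: the gateway permit must come before the office deny only if the gateway sits inside a denied range, and the office deny must come before the final permit-any.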
