Using VLANs to divide into two locations behind a router, but both with internet access?

I have purchased some TL-SG108E switches. I have one router in the house connected to the internet, and a second router is being used as an AP for the rented-out unit. I do not want them to be able to reach my network (they can now, since they're behind my router and use my router for DHCP).

Can I, using the TL-SG108Es, divide into two VLANs, where the two VLAN networks cannot reach each other but both can reach the internet and the DHCP? See the attached drawing for reference. Any tips would be highly appreciated!

    You can refer to this FAQ for help.

Thanks for the link, but my problem is not solved.
I made exactly this configuration, but I can't access the internet. Only with PVID 1 on all ports and all ports members of VLAN 1 can I access the internet.
What's wrong?

I connect 3 SG108Es to a T1600-2424; the 3 108Es connect to the 2424 on ports 21, 22, 23, tagged.
Port 1 on all SG108Es is also tagged, and all the clients are in VLAN 10. The PVID on port 1 is "1", all others "10".
Ports 21-23 on the 2424 are also "1"; port 1 goes to the internet and is also "1" in VLAN 10.

What's wrong? I have read all the manuals, always the same tips, but it doesn't work for me.


You need to create an isolated guest subnet in addition to your internal network. There are different ways to achieve that; I usually create such guest networks on the router. VLANs are then used just to transfer data for two subnets over the same physical connection (one cable). I'm not sure whether subnet isolation can be implemented with the T1600 L2+ functions (you will need routing, access control and probably DHCP services), but if it can, as is the case, for example, with the T-2x00 series, then you would either need a router with multi-net NAT capability to connect several subnets to the Internet or two separate routers which are both connected to the Internet.

IMHO, the easiest way is to use a router capable of splitting the LAN into an internal LAN subnet and a guest subnet. Many SOHO devices have this capability. Whether you connect those two subnets to your T1600 over two cables or use VLANs to use just one cable depends on whether the router is VLAN-capable. Of course, you can use VLANs for both subnets between the T1600 and the SG108 switches. For step-by-step instructions on how to create a guest subnet on a cheap OpenWRT/DD-WRT/LEDE-based router, see http://forum.tp-link.com/showthread.php?94159-Status-LEDs-on-active-ports-always-flashing-synchronously-SOLVED&p=194548&viewfull=1#post194548

If you use multi-net NAT-capable routers from TP-Link, see the FAQ section for creating a guest network (IIRC there is an application example for how to do this with EAPs, but it shows how to set up the switches and routers, so it's applicable to other scenarios, too).
It works!
But only with another configuration. I got the tip from Netgear forum members, which goes as follows:
If you want 2 or more VLANs you must do this: ports 1-24 all PVID 1, VLAN 2 ports 2-4 PVID 2, VLAN 3 ports 5-8 PVID 3. This allows all ports from 2-8 to connect with port 1 (router), but ports 2-4 are not allowed to connect with ports 5-8, or 5-8 with 2-4.
And if I try to connect port 21 to my SG108E in tagged mode, nothing works for members of VLAN 2 or VLAN 3 either. I must set port 1 PVID 1, port 2 in VLAN 2 PVID 2, and then I can connect to T1600 ports 1-4 as well. I don't know why the VLAN examples from TP-Link don't work. I tried for a week to get a correct VLAN config, but the members with Netgear switches had the solution.

Quote originally posted by satfee:
If you want 2 or more VLANs you must do this: ports 1-24 all PVID 1, VLAN 2 ports 2-4 PVID 2, VLAN 3 ports 5-8 PVID 3. This allows all ports from 2-8 to connect with port 1 (router), but ports 2-4 are not allowed to connect with ports 5-8, or 5-8 with 2-4.
So you tag ingress traffic on ports 2-4 with VLAN ID 2 and ingress traffic on ports 5-8 with VLAN ID 3. Egress traffic to port 1 will have the tags stripped, but port 1 has to be a member of VLANs 1, 2 and 3 to have the switch forward packets arriving on ports 2-4 or 5-8 to port 1.

Ingress traffic arriving on port 1 is tagged with VLAN ID 1 and forwarded to all ports that are in the default VLAN 1. On output, the tags are removed if the ports are untagged.

Now, on the SG108E, a device on port 2 will reach any other device on all ports of the T1600, no matter which PVID is set by the SG108E, if you use untagged output on port 1 connected to port 21 of the T1600. Try it.

Yes, ports on the same switch are isolated if they are in different VLANs, but ports on different switches are not unless you use tagged ports to interconnect the switches. Also, any device connected directly to the router will be able to reach any other device through VLAN 1.

If this is what you call "isolated virtual networks", then yes, it works this way, but they are actually not "isolated" except for devices sharing the same switch.

From my router I connect 4 cables to the 1600, each for one extra VLAN, 1-4. Port 1 on the 1600 is VLAN 1, through to port 4 as VLAN 4. Port 21 goes to the first SG108E (VLAN 1), port 22 to the next SG108E and port 23 to the last SG108E. All of them can reach the internet. If I create VLAN 2 on each SG108E and tag the ports to the T1600, all can reach the internet, but not the other VLAN. Only the members of VLAN 1 can reach all the others, because this VLAN is a member of all ports (default VLAN). Problem: if on the SG108E I set the PVID to the VLAN, I can't reach this port. Only PVID 1 works. Why?
Quote: From my router I connect 4 cables to the 1600, each for one extra VLAN
That's possible if, and only if, the DrayTek supports two or more networks. IMHO, you are too focused on VLANs alone. VLANs are just a method to transfer data for two or more subnets over the same physical connection between routers, switches and servers. VLANs are a part of the internal network topology between all those devices which support VLANs and exist only for passing data through those devices over tagged connections. At the endpoints of the network, where data packets from/to client devices or from/to the Internet are leaving/arriving in the network, VLANs don't exist anymore; that's achieved by untagged connections to the outside devices.

So, if I understood your first post correctly, what you want is this: two networks, one for internal machines, one for guests. Both are isolated from each other, have their own IP ranges, their own routers, their own NAT processing, and would need their own switches and separate cables:

Now, to use the same cables, switches and routers for two independent networks, you can use VLANs, but you still need two networks. Therefore you need a router capable of supporting two independent NAT-capable networks for routing, two DHCP servers for IP assignment and two firewall zones for isolation. With your L2+ switch T1600, the switch can take over some functions of a router, such as isolating two networks using access control lists and even routing those two networks to the Internet router, but then the Internet router still needs to provide NAT for several networks (called Multi-nets NAT) like TP-Link's routers do. Alternatively, if isolating and routing the networks is done by the Internet router, it can use either VLANs (if supported) or multiple single connections (if VLANs are not supported) to communicate with the switch.

BUT: whether you use VLANs for the connection from the Internet router to the switch or not, the Internet router must be capable of routing data to/from two isolated networks to the third network, the Internet. As long as the router (your DrayTek) doesn't support separate networks, it is not possible to deploy two isolated networks.

Let's assume your DrayTek can provide a guest network to which its port 4 could be assigned; then yes, one cable for each network (port 1: internal network / port 4: guest network) to the switch would be OK if the DrayTek does not support VLANs. If it also supports VLANs, you would need only one cable between the switch and the router. If the DrayTek doesn't support a guest network, all bets are off, even with separate cables from the (single) LAN network of the DrayTek to the switch.

Consider using OpenWRT/DD-WRT/LEDE/Gargoyle or whatever Linux system for your router; it's supported on many cheap SOHO devices. You could even use an older, unused PC with Linux or some single-board server to work as a router. This gives you the freedom to set up as many networks as you wish, each supporting NAT, VLANs and a firewall to isolate the networks.

With VLANs alone you can't set up two separate, isolated networks sharing the Internet, unless you use two separate Internet routers or only one switch to which all devices are connected.
Thanks for the information.
The DrayTek 2130n works well with PrivateVLAN, and I can reach all my equipment with port forwarding. My only problem is that I cannot set the PVID to the same value as the VLAN ID.
For me, the DrayTek handles the ports without any more switches, and only on the 1600 and 108E will I separate the traffic.
Maybe one of my pieces of hardware doesn't work well with VLANs.

Quote: Thanks for the information.
The DrayTek 2130n works well with PrivateVLAN, and I can reach all my equipment with port forwarding. My only problem is that I cannot set the PVID to the same value as the VLAN ID.
Not sure what you mean. But to connect 4 subnets from the DrayTek to the T1600 as in your picture, assign 1/0/1 VLAN 2 PVID 2 untagged, 1/0/2 VLAN 3 PVID 3 untagged, 1/0/3 VLAN 4 PVID 4 untagged and 1/0/4 VLAN 5 PVID 5 untagged, and connect the 4 ports of the DrayTek to those 4 ports of the T1600. Avoid VLAN 1 altogether, because it's the fixed default VLAN on the SG108E. Make sure that every port of the DrayTek is assigned to its own subnet with its own IP range and does not carry VLAN tags in Ethernet frames.

Connect ports 1/0/22, 1/0/23 and 1/0/24 of the T1600 to the three SG108Es. All three ports on the T1600 connected to the SG108Es, and every port on an SG108E connected to the T1600, need to be members of VLANs 2, 3, 4 and 5; all must be tagged, and the PVID can be set to 1 (it doesn't matter for tagged Ethernet frames). Then assign the remaining ports of the SG108Es to the subnet of your choice, for example ports 2 and 3 to VLAN 2, PVID 2, untagged, ports 4 and 5 to VLAN 3, PVID 3, untagged, and so on.
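The two situations the replies above describe, as an added example that is not part of the thread and not TP-Link code: the untagged-uplink case from the reply beginning "Now, on the SG108E" (a VLAN 2 PC on the SG108E is re-classified into VLAN 1 on the T1600 and reaches everything there), and the tagged-trunk layout from the last reply (each VLAN only reaches its own router port, and the trunk PVID has no effect). The model implements only 802.1Q membership, PVID classification and tag stripping; it ignores MAC learning, so "reachable" means "receives a broadcast from". The port numbers, host names and the assumption that the T1600 access ports in the leaky layout are still untagged members of default VLAN 1 are choices made for the model.

```python
"""Model of 802.1Q PVID / tagged / untagged handling across two switches.
Constructed example (not vendor code): VLAN membership, PVID and tag
stripping only, no MAC learning. Names mirror the thread's T1600 + SG108E."""
from dataclasses import dataclass, field
from typing import Optional

TAGGED, UNTAGGED = "tagged", "untagged"

@dataclass
class Port:
    pvid: int                                    # VLAN given to untagged ingress frames
    members: dict = field(default_factory=dict)  # vid -> TAGGED | UNTAGGED (egress mode)
    peer: Optional[tuple] = None                 # (switch, port) of a linked switch, or None

def port(pvid, tagged=(), untagged=(), peer=None):
    members = {v: TAGGED for v in tagged}
    members.update({v: UNTAGGED for v in untagged})
    return Port(pvid, members, peer)

class Switch:
    def __init__(self, name, ports):
        self.name, self.ports = name, ports

    def classify(self, port_no, tag):
        """Ingress: untagged frames get the PVID; tagged frames keep their VID only
        if the port is a member of that VLAN, otherwise they are dropped (None)."""
        p = self.ports[port_no]
        if tag is None:
            return p.pvid
        return tag if tag in p.members else None

    def flood(self, in_port, vid):
        """Egress: every other member port of vid; tag kept or stripped per port."""
        for no, p in self.ports.items():
            mode = p.members.get(vid)
            if no != in_port and mode is not None:
                yield no, (vid if mode == TAGGED else None)

class Network:
    def __init__(self, switches, hosts):
        self.switches = {s.name: s for s in switches}
        self.hosts = hosts                       # host -> (switch, port); hosts send untagged
        self.at = {loc: h for h, loc in hosts.items()}

    def reachable(self, src):
        """Hosts that receive a broadcast sent by src."""
        seen, reached = set(), set()
        work = [self.hosts[src] + (None,)]       # (switch, port, tag) still to process
        while work:
            sw, no, tag = work.pop()
            if (sw, no, tag) in seen:
                continue
            seen.add((sw, no, tag))
            switch = self.switches[sw]
            vid = switch.classify(no, tag)
            if vid is None:
                continue
            for out, out_tag in switch.flood(no, vid):
                peer = switch.ports[out].peer
                if peer is not None:
                    work.append(peer + (out_tag,))
                elif out_tag is None and (sw, out) in self.at:  # plain hosts drop tagged frames
                    reached.add(self.at[(sw, out)])
        reached.discard(src)
        return reached

def untagged_uplink():
    """Leaky layout: SG108E port 1 sends VLAN 2 traffic untagged to T1600 port 21,
    and the T1600 ports are untagged members of default VLAN 1 besides their own."""
    t1600 = Switch("T1600", {
        1: port(1, untagged=[1, 2, 3]),                    # router
        5: port(3, untagged=[1, 3]),                       # a VLAN 3 PC
        21: port(1, untagged=[1], peer=("SG108E", 1)),
    })
    sg = Switch("SG108E", {
        1: port(1, untagged=[1, 2], peer=("T1600", 21)),
        2: port(2, untagged=[2]),                          # a VLAN 2 PC
    })
    return Network([t1600, sg], {"router": ("T1600", 1), "lan_pc": ("T1600", 5),
                                 "guest_pc": ("SG108E", 2)})

def tagged_uplink(trunk_pvid=1):
    """Layout from the last reply: one untagged router port per subnet on the
    T1600, a tagged trunk to the SG108E, VLAN 1 not used for any subnet."""
    t1600 = Switch("T1600", {
        1: port(2, untagged=[2]),                          # router port, subnet 2
        2: port(3, untagged=[3]),                          # router port, subnet 3
        5: port(2, untagged=[2]),                          # a VLAN 2 server
        22: port(trunk_pvid, tagged=[2, 3, 4, 5], peer=("SG108E", 1)),
    })
    sg = Switch("SG108E", {
        1: port(trunk_pvid, tagged=[2, 3, 4, 5], peer=("T1600", 22)),
        2: port(2, untagged=[2]),
        4: port(3, untagged=[3]),
    })
    return Network([t1600, sg], {"router_vlan2": ("T1600", 1), "router_vlan3": ("T1600", 2),
                                 "server": ("T1600", 5), "lan_pc": ("SG108E", 2),
                                 "guest_pc": ("SG108E", 4)})

if __name__ == "__main__":
    print("untagged uplink, guest_pc reaches:", sorted(untagged_uplink().reachable("guest_pc")))
    print("tagged uplink,   guest_pc reaches:", sorted(tagged_uplink().reachable("guest_pc")))
```

`reachable()` follows only the direction a frame is sent in, so when checking a real layout run it from both ends of a pair; an access port that leaks in one direction is already a broken boundary. Changing `trunk_pvid` in `tagged_uplink()` does not change any result, because a trunk that only ever receives tagged frames never uses its PVID.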


