VLAN Setup #
Prerequisites #
This is a quick blueprint for setting up a VLAN on the router and making it accessible on the switch. I have set up a network “192.168.10.0/24” on port eth1, to which the switch is connected. I’ll create a VLAN with the VLAN ID “30”, pass it on port eth1 to the switch, and make it accessible on switch ports 4 and 5 so that clients can be connected there.
Network: 192.168.10.0/24
EdgeRouter 6p: 192.168.10.1
EdgeSwitch 10x: 192.168.10.2
EdgeRouter 6p #
Create VLANs #
Link: https://192.168.10.1/#Dashboard
Go to: Dashboard / Add Interface > Add VLAN
Create DHCP Server #
Link: https://192.168.10.1/#Services/DHCP/Server
Create a DHCP Server for the VLAN.
Go to: Services / DHCP Server > Add DHCP Server
EdgeSwitch 10x #
Overview #
Tagged / Trunk Port
Allows multiple VLANs to be carried through one physical port; frames keep their VLAN tag.
Untagged / Access Port
Clients connected to the port can access the VLAN network.
The VLAN tag is removed from frames leaving the port.
Link: https://192.168.10.2/vlan
Go to: VLANs > New VLAN ID
Default Network
- Exclude (E) the default network on port 4 and port 5
VLAN 30
- Tag VLAN 30 on port 1 to pass it through that port to the router
- Set VLAN 30 on ports 4 and 5 to untagged (U) so that the clients connected to those ports can only access the VLAN network.
Connect Host to Switch #
To check if the setup is working, connect a host to the Switch on port 4 or port 5 and check the IP.
I use a Windows 10 host and run: ipconfig
Should Output:
Ethernet adapter Ethernet 4:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4851:e7fd:f24:2a80%18
IPv4 Address. . . . . . . . . . . : 192.168.30.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.30.1
Block inter-VLAN routing #
Now I have created the following VLAN setup:
With the default settings inter-VLAN routing is enabled, that means it’s possible to communicate from one VLAN to another. Let’s block inter-VLAN routing for a specific VLAN network, so that it is isolated.
EdgeRouter #
Go to the “Firewall/NAT” section of the EdgeRouter 6p GUI and add a rule set for the VLAN that you want to block, in my case it’s VLAN 50. The default action is “Accept”:
Next create a group for the IP ranges that you want to block. I choose all private IPv4 ranges, that means VLAN 50 will not be able to access any other network:
Now I edit the rule set that I have created for VLAN 50 so that it drops all packets destined for the IP ranges within the firewall group:
Save the rule:
Select the interface with the associated VLAN and the direction “in”:
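As an added example (not from the original post), the same isolation policy expressed as data: the private-range group, a drop rule in front of the “Accept” default action, evaluated against a few constructed destinations and rendered as the equivalent EdgeOS CLI `set` commands. The names VLAN50_IN and PRIVATE_NETS, VLAN 50 hanging off eth1, and the sample addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Firewall group as described in the post: all private IPv4 ranges (RFC 1918).
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rule set attached to the VLAN 50 interface, direction "in".
# Rules are evaluated in order, first match wins; the default action applies last.
VLAN50_IN = {
    "default_action": "accept",
    "rules": [
        {"number": 10, "action": "drop", "dest_group": "PRIVATE_NETS"},
    ],
}
GROUPS = {"PRIVATE_NETS": PRIVATE_NETS}


def in_group(addr, group_name):
    """True if addr falls inside any network of the named group."""
    return any(ip_address(addr) in net for net in GROUPS[group_name])


def evaluate(ruleset, dst):
    """Return (verdict, matching rule number) for a forwarded packet to dst."""
    for rule in ruleset["rules"]:
        if in_group(dst, rule["dest_group"]):
            return rule["action"], rule["number"]
    return ruleset["default_action"], None


def to_edgeos_cli(name, iface, vif, ruleset):
    """Render the rule set as EdgeOS 'set' commands (assumed names, not the post's)."""
    lines = []
    for group_name, nets in GROUPS.items():
        lines += [f"set firewall group network-group {group_name} network {net}" for net in nets]
    lines.append(f"set firewall name {name} default-action {ruleset['default_action']}")
    for r in ruleset["rules"]:
        lines.append(f"set firewall name {name} rule {r['number']} action {r['action']}")
        lines.append(f"set firewall name {name} rule {r['number']} destination group network-group {r['dest_group']}")
    # Direction "in" on the VLAN sub-interface, as selected in the GUI step above.
    lines.append(f"set interfaces ethernet {iface} vif {vif} firewall in name {name}")
    return lines


if __name__ == "__main__":
    # Constructed destinations: switch management IP, a VLAN 30 client, a public resolver.
    for dst in ("192.168.10.2", "192.168.30.200", "1.1.1.1"):
        print(dst, evaluate(VLAN50_IN, dst))
    print("\n".join(to_edgeos_cli("VLAN50_IN", "eth1", 50, VLAN50_IN)))
```

Because the group also covers VLAN 50's own subnet, only traffic that the router would forward is affected; traffic between two hosts on VLAN 50 never reaches this rule set.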