HSA supports multi-VLAN for the LAN switch ports, and can optionally perform inter-VLAN routing between different VLANs. For example, we can assign the 4 GE LAN ports into different VLANs, and restrict host accesses across different VLANs. This will be useful to F&B/retails who want to share the same box for both Intranet and Internet access. With Multi-VLAN support, we can separate Internet and Intranet traffic for better security.
NOTE: please do note confuse Multi-VLAN switching with Multi-WAN trunking (next section).
- Both Multi-VLAN switching and Multi-WAN trunking use the term VLAN, but
- Multi-VLAN switching refers to running multiple VLANs among the LAN switch ports, and group switch ports to each VLAN for LAN access separation
- Mult-WAN trunking refers to running multiple VLANs on the same WAN port (VLAN tagging/trunking), and split the same physical WAN port to multiple logical/VLAN interfaces.
- LAN port 1 is assigned to VLAN-10
- LAN port 2 is assigned to VLAN-20
- LAN port 3-4 are in default VLAN
- Create new VLAN and assign switch ports to respective VLAN
- Create VLAN interface (routed interface/default-gateway) for each VLAN
- Configure firewall to permit/restrict inter-VLAN access
1. Access to HSA through local connection or via mfusion portal. see details.
2. Create new VLAN and assign switch ports to each VLAN (Network --> Switch). Enable VLAN functionality, Create new VLAN10 & 20.
- Don't change default configs for VLAN1 & 2. By default VLAN1 is for default LAN switch ports; VLAN2 is for default WAN ports
- When we want to assign a specific port to a target VLAN, just "untagged" the port to the target VLAN.
- "Tagged" each VLAN 10 & 20 to both CPU Port and Port 1 (WAN). (Note there might be some differences between the physical "Port" labeling and GUI Port numbering. eg. in below screenshot, "Port 1" is actually physical WAN port, "Port 2 & 3" are the physical LAN1 & LAN2.)
3. Create VLAN interface for each VLAN (eg. VLAN10 & VLAN20). This is similar to a typical Layer3 switch. We need to define a logical VLAN interface for each VLAN, and the VLAN interface becomes the default gateway (router interface) for that VLAN.
- Typically we need to define static IP for VLAN interface IP, and enable DHCP for the clients connected to this VLAN.
- The VLAN interface is physically mapped to the WAN interface (eg. eth0,vlanid)
- We need to create a new firewall zone for this VLAN interface so that we can do firewalling between zones (to restrict accesses between different VLANs).
Follow the same steps for VLAN20, and we should have something like this:
4. Configure firewall rules to permit/restrict inter-VLAN access. In this example, we only allow VLAN10, VLAN20 and default VLAN traffic to go out to WAN, we don't permit any inter-VLAN access. We can change the rules to permit inter-VLAN access whenever neccessary.