Quote:
Originally Posted by masraum
The thing is that if you have 3 VLANs on one switch, and that switch also has the layer 3 interfaces for those VLANs (basically that switch is the "gateway" for all 3 VLANs), then the switch will route between them. VLANs are a layer 2 segregation, so as soon as you add layer 3, your segregation is no longer applicable, but then most layer 3 devices support access lists.
|
Right. If you send traffic from 3 VLANs into a normal switch, the switch will send that all traffic from all 3 VLANs out on any port.
However, as described in the article below, some switches allow you to explicitly control which VLAN traffic goes on which port. The article sums it up by saying:
The end result of this example is devices in VLAN 2 can access the Internet and each other and devices in VLAN 3 can access the Internet and each other. But devices in VLAN 2 cannot access devices in VLAN 3 and vice versa.
https://www.smallnetbuilder.com/lanwan/lanwan-howto/how-to-segment-a-small-lan-using-tagged-vlans/
Quote:
Originally Posted by masraum
In a normal home device that has a WAN port and a bunch of LAN ports, even if you can put the LAN ports on different VLANs will allow the devices on the various VLANs to talk unless there's some sort of access management specifically to disallow that.
|
Agreed. Only routers and switches with VLAN port access management (as described in the article above) can do what I am suggesting.
I like this approach because a switch that can do this can be had for under $100 (eg Netgear GS108Tv1 from the above smallnetbuilder article) it is very simple to configure, no additional routers are required, the router does not need VLAN support and no other special hardware or configuration would be required to achieve the OP's objective.
That said if I already had two extra routers in hand I would use the multi router approach, and if I already had a router that allowed me to set iptables I would use that approach.