G3100 Guest Network VLAN - suitable for wired devices, IoT devices, no cap observed
Observer1
Enthusiast - Level 3

TL;DR - The G3100 and E3200 use a VLAN to isolate Guest traffic from the primary network. Knowing the VLAN ID allows one to add wired devices to the Guest VLAN.  Also, if a Guest device limit is encountered (reported by someone wishing to add a large number of IoT devices), it should be possible to "address" knowing the VLAN ID.

This posting was prompted by an earlier problem I had with a G3100/E3200 pair connected via Ethernet through a switch, and the Guest network.  Using the port mirroring feature on my managed switch (Netgear GS716) and Wireshark on my iMac I found Guest packets were tagged with VLAN ID 10.

I configured VLAN 10 in my switch and included the G3100 and E3200 ports as tagged members with PVID = 10.  By ensuring all traffic passed between the G3100/E3200 (I think the connection between them is referred to as a "trunk"), wireless devices associating with the E3200 Guest SSID worked properly (else they associated with the AP, but couldn't receive packets).  Before making that configuration change, my Guest devices only worked when associated with the G3100, or when the intermediate switch was bypassed (G3100 and E3200 directly connected via ethernet cable).

I configured another port on my switch to be a member of VLAN 10, which allowed me to attach a hardwired device to the guest network.

The G3100 DNS server allocated IP addresses 192.168.200.2-12 (just over the limit of 10 mentioned in another thread -- perhaps no longer a limitation).  The Guest netmask is 255.255.255.0 and I confirmed the G3100 properly routed the entire subnet by spot-testing with manually-assigned IP guest device addresses.  

As expected and desired, Guest devices were not able to access the primary network (whether wireless or wired), supporting other discussions that the Guest SSID was suitable for IoT devices.   (Unfortunately, the new IoT SSID recently added is not isolated -- hopefully an oversight that will be corrected in an upcoming firmware update).

There have been reports that the guest network will only allow 10 devices, but I observed 11 IP addresses dynamically assigned in my testing.  I confirmed that all subnet addresses are routed, so presumably manual IP address assignment could work around any constraint imposed by the G3100 DHCP server responding to the 192.168.200.x subnet.  Also, knowing the VLAN ID makes it easy to include wired devices as members, and it should be straightforward to repurpose an old router to be a second Guest subnet DHCP server, allocating dynamic IP addresses beyond the max configured in the G3100 DHCP server (if that limitation is still present in latest firmware).

Performance testing (device to/from Internet server) showed no difference between guest and primary networks when the devices were wired (>900 Mb/s).  My wireless connections to primary network achieved 500-600 Mb/s, and wireless connections to guest network achieved ~100 Mb/s.  I assume this is because the guest network is limited to 2.4GHz (less throughput, better penetration through structures), and I was close enough to use 5GHz radios when testing the primary network.  Same speeds observed whether wireless connections were to G3100 or E3200.

I hope someone will recreate my results and confirm or correct my findings.  If so, then we might start thinking of the G3100 (with or without E3200) as supporting a high-speed, parallel, isolated network of up to ~250 devices, whether wired or wireless.  A separate, managed switch is required unless/until the G3100 UI is updated to expose advanced VLAN/ethernet port configuration options that allow the spare Ethernet ports on the router/extender to be used instead.
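The capture check described in the post above (guest frames carrying an 802.1Q tag with VLAN ID 10), as an added Python example that is not part of the original thread: it parses Ethernet frames, extracts the VLAN ID, and flags frames whose tag and IPv4 addressing disagree. The 192.168.1.x primary-LAN addresses, the function names and the sample frames are assumptions constructed for illustration.

```python
import ipaddress
import struct

GUEST_VLAN = 10                                       # VLAN ID reported in the thread
GUEST_NET = ipaddress.ip_network("192.168.200.0/24")  # guest subnet from the thread
TPID_8021Q, ETH_IPV4 = 0x8100, 0x0800

def parse_frame(frame: bytes):
    """Return (vlan_id or None, src_ip or None, dst_ip or None)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18   # low 12 bits are the VID; top 4 are PCP/DEI
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return vlan, None, None
    src, dst = (ipaddress.ip_address(frame[offset + k:offset + k + 4]) for k in (12, 16))
    return vlan, src, dst

def isolation_findings(frames):
    """Flag IPv4 frames whose VLAN tag and addressing disagree."""
    findings = []
    for i, frame in enumerate(frames):
        vlan, src, dst = parse_frame(frame)
        if src is None or src.is_unspecified:   # non-IPv4, or DHCP from 0.0.0.0
            continue
        guest_addr = src in GUEST_NET or dst in GUEST_NET
        if vlan == GUEST_VLAN and not guest_addr:
            findings.append((i, "VLAN 10 frame without a guest address"))
        elif vlan != GUEST_VLAN and guest_addr:
            findings.append((i, "guest address outside VLAN 10"))
    return findings

def build_frame(src, dst, vlan=None, pcp=0):  # builds constructed sample frames only
    macs = bytes(6) + bytes.fromhex("020000000001")
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    ip = b"\x45" + bytes(11) + b"".join(ipaddress.ip_address(a).packed for a in (src, dst))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip

SAMPLE = [  # constructed frames, not captured traffic
    build_frame("192.168.200.35", "192.168.200.242", vlan=10),  # guest to guest
    build_frame("192.168.1.20", "192.168.1.1"),                 # primary, untagged
    build_frame("192.168.200.35", "192.168.1.20"),              # guest IP, untagged
    build_frame("192.168.1.20", "192.168.1.1", vlan=10, pcp=5), # primary IP in VLAN 10
]
print(isolation_findings(SAMPLE))
```

On a mirrored switch port, frames 2 and 3 are the patterns that would indicate a port with the wrong VLAN membership or PVID.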

Re: G3100 Guest Network VLAN - suitable for wired devices, IoT devices, no cap observed
cheater7
Enthusiast - Level 1

Sorry about reviving this dead thread, but I've been trying to get VLAN setup on the G3100  w/o having to replace the router, and this is the only place which suggests it might be possible. 

Unfortunately, I'm not able to replicate your setup as you described it. I've got a g3100 router and VLAN network switch, but I don't have the E3200 wifi extender.

I set port 1 to be a tagged port w/ PVID 10 and it connects to the router; port 2 is an untagged port also w/ PVID 10 that connects to a server I have set up. However, when I do this, neither the switch nor the server appears in the guest network, and they can't be reached.

With how you described it, it seems like the ports are all configured to be tagged/trunk ports with native vlan configured to allow everything else to pass through on VLAN 1. Perhaps this is only enabled on specific ports.

Which port on the router did you connect the switch to?

Re: G3100 Guest Network VLAN - suitable for wired devices, IoT devices, no cap observed
Cang_Household
Community Leader

Well, I got a G3100, E3200, couple coax-Ethernet bridges, couple USB Ethernet dongles, a Cisco layer 3 switch, and a Pi 4B sitting on my test bench. I will replicate the OP's setup and report back.

First, I would just create a link between G3100 and Pi 4B, and add a VLAN 10 virtual interface to the Pi 4B. Then Wireshark on VLAN 10 to see what kind of traffic I get.

This is not a dead thread. We just lack trailblazer customers like you to stumble upon rarely used features (or even not the intended features) of G3100.

Re: G3100 Guest Network VLAN - suitable for wired devices, IoT devices, no cap observed
Cang_Household
Community Leader

So I was overthinking this... I am not going to elaborate at this moment because I want to go to sleep... (Don't take it as if it is your question that keeps me awake; I was troubleshooting something else.)

So I just rummaged enough supplies/devices (the ones I thought I needed) off the shelf and built a test network with a G3100, an E3200, and a Pi 4B. The network also included a MoCA 2.5 adapter, two extra Ethernet USB dongles connected to Pi, two Cisco switches... These are all extra things unnecessary to the test.

G3100 connected to E3200 via coax. Pi connected to one of G3100 LAN Ethernet ports. Enabled Guest wireless network. I have DHCP disabled on G3100 (both "normal" LAN and Guest network, only one button for both), though this is not necessary.

Guest network is 192.168.200.0/24,  G3100 switches entire subnet, not only the ten dynamic IPs given by its dnsmasq. G3100 is 192.168.200.1 in the Guest network.

Pi eth0 interface (the only Ethernet interface) connected to LAN, pulls a dynamic IP address like normal. It has dhclient enabled for eth0. Added a virtual VLAN interface via parent interface eth0:

    ip link add link eth0 name eth0.10 type vlan id 10

Translation: added virtual VLAN interface named eth0.10 based on eth0 as parent interface. Assign a static IP within 192.168.200.0/24. I chose 192.168.200.35/24, this can change of course:

    ip addr add 192.168.200.35/24 dev eth0.10

Connected iPhone SE (2020) to G3100 Guest SSID, set up static IP 192.168.200.242/24 (again this is not necessary), manually set up DNS and gateway IP. Internet access is OK. On iPhone, ping 192.168.200.35 OK. On Pi, ping 192.168.200.242 OK.

Check Pi Internet access via eth0.10 via G3100 Guest net gateway. ....configs...

    ip route add default via 192.168.200.1 dev eth0.10

....test....

    ping -I eth0.10 verizon.com

OK.

So, here you go, once you enable Guest wireless network, a device plugged into any of the LAN ports can access the Guest network through VLAN 10. These LAN ports are therefore tagged for VLAN 10 frames, and the LAN MoCA is also tagged for VLAN 10. I am not sure you need to enable Guest wireless network or even need an E3200 to allow the VLAN 10 tagging to work and 192.168.200.1 to accept outgoing traffic.

Re: G3100 Guest Network VLAN - suitable for wired devices, IoT devices, no cap observed
archiebuttle
Newbie

Thanks a ton for the sleuthing!

I am able to use the guest network with a G3100 and E3200.

  • DHCP and DNS are provided by a pihole instance for the 192.168.200.0/24 network.
    • the info on this network was helpful in setting this up. I have a proxmox server on the primary network, and set up a VM to run pihole with a bridge interface to the Guest network using the VLAN ID.
  • I have not tested the device number limitation, but the IPv4 distribution seems to cover a big range so far.

Is it possible to set up access from the primary network to devices on Guest? Firewall is set to "Normal" level now.

Re: G3100 Guest Network VLAN - suitable for wired devices, IoT devices, no cap observed
Cang_Household
Community Leader

Then what’s the point of using the VLAN separated Guest network if you’re looking for links between the two? Anyway, if there’s really justification for that, G3100 cannot do it because it does not offer interVLAN routing. You need to configure IP forwarding for your pi hole and a trunk link to the G3100.

Then you’re going to either specify static routes on the devices on the guest network or issue DHCP leases with the pi hole as the gateway option. This essentially is using your pi hole as a layer 3 switch, while reducing the dual router/NAT G3100 into a VLAN 10 aware layer 2 switch.
