Netgear GS108E v3 Switch Configuration for VLAN

Because we now kind of live in a wireless world, I've never dabbled that much in wired networks (not since the 80s), so my knowledge is somewhat limited.

However, I am back in the game and learning some new tricks. First of all, there is a new (to me) standard for network switches called 802.1Q.

In the good old days you plugged a switch into your network to add more devices and they were all on the same network.

Now you can assign individual ports to have individual addresses and segment your network.

Let me say that in English. Your computer, which has your entire life on it, is on the same network as your teenagers. Your brand new washing machine that emails you, your brand new refrigerator with a camera, and your thermostat that connects to God knows who are on the same network as the computers that contain the contents of your private life.

See where I'm going with this? In the new "Internet of Things" it makes sense to keep devices like that away from your trusted network.

All you need is one weak device that is easily hacked, and someone is on your network. Put all the crap on another network that can't talk to your network but still has internet access.

Here is a simple setup to illustrate.
Internet comes in via your cable modem. I am hooked to a pfSense firewall connected to a switch. From the switch I configure two of the 8 ports to have Virtual LAN (VLAN) networks which cannot "see" each other.

For simplicity you could connect one router to the switch and one router to a VLAN port. Same same. Two separate networks that do not see each other.

I bought this switch for a couple of reasons. One is that I am all Mac and Linux at my home. There are no Windows computers here. Most of these "Smart" or "Managed" switches have configuration software that is Windows only.

This particular switch has a web-based configuration built in. Set your Mac up like this under Networking. Plug the router into the wall and hook a computer to the switch via Ethernet. The web config is on 192.168.0.239.

Once you configure your network as below, open a browser and go to 192.168.0.239.
password = password

Go to the maintenance page after you get in and change that. If someone takes your switch, they own your network.
Once logged in, go to the VLAN tab, then the 802.1Q entry under that, then Advanced, and enable it. It'll warn you that it will wipe everything out. Don't worry. It'll remain exactly as it is until you change something.
I'm going to configure 2 ports, one for each virtual network.

What we have to do, and this is NOT very intuitive, is:

- Add VLAN Group 10 (port 8)
- Add VLAN Group 20 (port 7)
- Put Port 8 in VLAN group 10
- Put Port 7 in VLAN group 20
- Change PVID of port 8 to 10
- Change PVID of port 7 to 20
- Set up Group 10 ports
- Set up Group 20 ports

Sounds terrible, right? It's not so bad.

Set up VLAN 1 like this. Clicking a box cycles it through T, U, or clear (T marks the port as a tagged member of the VLAN, U as an untagged member, clear means it is not a member). First click where it says VLAN1 in the drop-down box and make two new VLAN IDs, one for VLAN10 and one for VLAN20. If you try to clear the boxes for ports 7 and 8 it may bark at you and tell you that you can't do that. Just follow the pop-ups' directions to navigate around. Like I said, "It isn't very intuitive".
PVID Settings below. Click the box next to 7 and type in 20. Do the same for 8, only make it 10.
VLAN 10 config. Note the T on port 1.
VLAN 20 config. Note the T on port 1.
This is what the config looks like when you are done. Note that ports 1 and 7 are together and ports 1 and 8 are together. Ports 7 and 8 are not together.
Lastly you have to configure this from your firewall. Your ports are now tagged like this.

Port 8 = VLAN 10
Port 7 = VLAN 20
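To see why ports 7 and 8 end up isolated while each still reaches the firewall on port 1, here is an added example (not from the page or from Netgear) that models the T/U membership and PVIDs configured above. It assumes VLAN 1 keeps ports 1 to 6 as untagged members with PVID 1 (the page only says 7 and 8 are removed from it) and that the uplink on port 1 keeps PVID 1.

```python
# Added example, not from the page: a model of the 802.1Q membership configured above.
# Assumptions: VLAN 1 keeps ports 1-6 as untagged members with PVID 1 (the page removes
# 7 and 8 from it), and the uplink on port 1 keeps PVID 1.
# "T" = tagged member, "U" = untagged member, absent = not a member of that VLAN.
MEMBERSHIP = {
    1:  {p: "U" for p in range(1, 7)},
    10: {1: "T", 8: "U"},   # VLAN 10: T on the firewall uplink, U on port 8
    20: {1: "T", 7: "U"},   # VLAN 20: T on the firewall uplink, U on port 7
}
PVID = {1: 1, 2: 1, 3: 1, 4: 1, 5: 1, 6: 1, 7: 20, 8: 10}  # page sets 7->20 and 8->10


def classify(in_port, tag):
    """VLAN a frame belongs to on ingress: its 802.1Q tag if present, else the port's PVID."""
    return tag if tag is not None else PVID[in_port]


def forward(in_port, tag, out_port):
    """Fate of a frame entering in_port that the switch wants to send out of out_port.

    Returns (outcome, vid): "tagged" or "untagged" when out_port is a member of the
    frame's VLAN (the form follows that port's T/U setting), "drop" when it is not.
    """
    vid = classify(in_port, tag)
    mode = MEMBERSHIP.get(vid, {}).get(out_port)
    if mode is None:
        return ("drop", vid)
    return ("tagged" if mode == "T" else "untagged", vid)


def untagged_hosts_can_talk(port_a, port_b):
    """Plain hosts (no tagging) on two ports can only talk if each reaches the other untagged."""
    return (forward(port_a, None, port_b)[0] == "untagged"
            and forward(port_b, None, port_a)[0] == "untagged")


def isolation_report():
    """Port pairs whose untagged hosts can talk; (7, 8) must not appear."""
    ports = sorted(PVID)
    return [(a, b) for i, a in enumerate(ports) for b in ports[i + 1:]
            if untagged_hosts_can_talk(a, b)]


if __name__ == "__main__":
    print("port 7 -> port 8:", forward(7, None, 8))      # ('drop', 20)
    print("port 8 -> uplink:", forward(8, None, 1))      # ('tagged', 10)
    print("uplink tag 10 -> port 8:", forward(1, 10, 8))  # ('untagged', 10)
    print("pairs that can talk:", isolation_report())
```

The firewall sees VLAN 10 and VLAN 20 traffic tagged on port 1 and is the only thing that can route between them, which is exactly where the rules in the pfSense section come in.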

Configure your firewall to find the tags (I'll add a pfSense config tutorial later).

Now let's see what happens when I plug my Mac into port 7 (after my firewall VLAN tags are configured).

As you can see, I pulled an IP address of 192.168.20.2 from the switch, which is 192.168.20.1.
And with the Wi-Fi router hooked to port 8, you can see I'm pulling an IP from the 192.168.10 range. Perfect.
And Bob is your Uncle. Sweet Success.

OK, now on to configuring this in pfSense. Go to Interfaces > Assign > VLAN.
Mine are already there, but let's work through this. Click Add. Select the LAN device from the parent interface drop-down box, put 10 in the VLAN tag box, and give it a descriptive name. Then save. Do the same for VLAN 20.
Now click on VLAN10 on the left side of Interfaces > Assign.

Enable the interface, set it to Static IPv4, then in the IPv4 address line type 192.168.10.1.

Scroll down and save. Repeat for VLAN 20, only use 192.168.20.1.
Now your interfaces are saved. Go to Services > DHCP Server.
Click on the VLAN10 link.
Fill it out as below and then, NOT DEPICTED IN THE PHOTO, type 192.168.10.1 in the gateway line.

Repeat for the VLAN20 interface, only make sure to use 20s instead of 10s.
Now go to Firewall > Aliases and let's make an RFC1918 alias.
Click Add then populate as per the picture below and save.
Now I'm going to show you how to make your VLAN internet only. The purpose of having a segregated network here is so that when you connect to it, it cannot see your trusted network. We want to give our guest users or stupid Internet of Things devices an internet connection, and that's all.

Click Firewall > Rules.
We're going to make 3 entries. Click on VLAN10.

As you add these rules make sure you apply them as well.
Click Add then fill out as below. Scroll down a little then hit save.
Now make a second rule, and be sure to click the Add button that points down. Rule order is important.
Now the second rule.
Finally, the third. Make sure it goes below as well.
It will look like this when you are done. Make sure it is exact.
Duplicate on VLAN20, making sure the drop-down boxes are populated with VLAN20 entries and using 20s instead of 10s where applicable.

Once the rules are applied, that is it. VLAN10 and VLAN20 should be internet only. Slap a Wi-Fi router on your VLAN10 or VLAN20 port and you can serve up a true guest network that can only access the internet and cannot see any other computer on your trusted network.
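Since the three rules themselves live only in the screenshots, here is an added example (not the page's or pfSense's own code) that models how pfSense walks an interface's rules top-down with first match winning, using the RFC1918 alias from above. The three-rule set it checks is an assumed, commonly used pattern for an internet-only VLAN, and the probe addresses are constructed.

```python
import ipaddress

# Added example, not the page's own configuration: a first-match model of pfSense
# interface rules. The RFC1918 alias is built here from the three RFC 1918 ranges.
ALIASES = {"RFC1918": [ipaddress.ip_network(n) for n in
                       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]}


def _matches(rule, dst):
    """True if dst falls inside the rule's destination: 'any', an alias name, or a CIDR."""
    target = rule["dst"]
    if target == "any":
        return True
    nets = ALIASES.get(target) or [ipaddress.ip_network(target)]
    return any(dst in net for net in nets)


def evaluate(rules, dst_ip):
    """Rules are processed top-down and the first match wins; no match means default deny."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _matches(rule, dst):
            return rule["action"], rule["descr"]
    return "block", "default deny"


# Assumed three-rule set for VLAN10 (the page's exact rules exist only as screenshots):
# pass to the VLAN10 gateway itself (DNS from the firewall), block every private range
# (the trusted LAN and the other VLAN), then pass anything left, which is the internet.
VLAN10_RULES = [
    {"action": "pass", "dst": "192.168.10.1/32", "descr": "pass to VLAN10 gateway"},
    {"action": "block", "dst": "RFC1918", "descr": "block private ranges"},
    {"action": "pass", "dst": "any", "descr": "pass to internet"},
]


def is_internet_only(rules, private_hosts, public_hosts):
    """The property the page wants: every private destination blocked, every public one passed."""
    return (all(evaluate(rules, ip)[0] == "block" for ip in private_hosts)
            and all(evaluate(rules, ip)[0] == "pass" for ip in public_hosts))


if __name__ == "__main__":
    # Constructed probes: a trusted-LAN host, a VLAN20 host, the gateway, a public resolver.
    for ip in ("192.168.1.50", "192.168.20.5", "192.168.10.1", "1.1.1.1"):
        print(ip, evaluate(VLAN10_RULES, ip))
    # Same three rules with "pass any" on top: the block rule can never fire.
    print("misordered still internet only?",
          is_internet_only(VLAN10_RULES[::-1], ["192.168.1.50"], ["1.1.1.1"]))  # False
```

If the VLAN clients use the firewall as their DNS server, something must let them reach the gateway before the RFC1918 block or name resolution breaks; the gateway pass rule above also reaches the firewall's web GUI, so in practice narrow it to the DNS port.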