The Zynstra server has tagged VLAN 802.1Q support on the LAN port. This allows segmentation of the local network into separate L2 Ethernet domains using the same physical cabling. It also allows the separate LAN networks to all be protected by the security features of the server, as well as allowing control in terms of what traffic is allowed to route to and from the various networks/VLANs on the local network.
The physical LAN network interface on the server is configured as a trunk port in the underlying virtual switch on the server, so it accepts untagged as well as tagged traffic. By default, the router/security VM in the layer above (which is configured using the Gateway Control Console web interface) has a single LAN interface configured for untagged traffic. However, multiple 802.1Q tagged VLAN interfaces can be defined to also share the physical LAN interface. Each of these is a separate network that just shares the single physical LAN port. They have the same capabilities as a standard interface - each can have its own IP range, DHCP can be enabled and disabled individually for each, network ACLs (firewall rules) can be defined to allow or disallow routing between them, and the security features also apply to all traffic to and from these interfaces. This is all managed from the Gateway Control Console web UI.
To create a VLAN, click on "Add Tagged VLAN Interface" in the Interfaces tab of the Network section of the Gateway Control Console:
You can then configure the properties of the VLAN, as shown in the example below:
- Interface Name: VLAN100 (can be any text string, but usually it is helpful to have the VLAN number)
- Is VLAN (802.1q) Interface: Ticked (this must be ticked)
- Parent Interface: Customer (which is the LAN interface of the server - if you have a requirement for a VLAN on another interface, please contact Support first)
- Config Type: Addressed (this must be Addressed; the other options are not supported)
- Address: IP address of the Zynstra server on this VLAN network (the new network must not overlap with any other networks defined)
- Netmask: Network mask of the VLAN network
- NAT traffic coming from this interface (and bridged peers): Unticked
- DHCP Configuration: further down, there are options to enable/disable DHCP on the new VLAN, and to define DHCP options such as the gateway (if different), the size of the DHCP pool and other DHCP options as normal
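As an added example (not Zynstra's code or part of the original article), the constraints in the list above expressed as a pre-change check that a planned VLAN interface definition can be run through before it is entered in the Gateway Control Console. The sample list of existing interfaces is constructed, and the separate `vlan_id` field (the 802.1Q tag itself) is an assumption about the form.

```python
from ipaddress import IPv4Interface, ip_network

# Constructed sample of interfaces already defined on the router/security VM:
# the untagged Customer LAN and one existing tagged VLAN. Not a real server.
EXISTING_INTERFACES = [
    {"name": "Customer", "vlan": None, "network": "192.168.1.0/24"},
    {"name": "VLAN200", "vlan": 200, "parent": "Customer", "network": "192.168.200.0/24"},
]


def validate_vlan_interface(cfg, existing=EXISTING_INTERFACES):
    """Return a list of problems with a planned tagged VLAN interface.

    Mirrors the article's rules: the 802.1q box must be ticked, the parent
    must be Customer, the config type must be Addressed, NAT must be unticked,
    the VLAN ID (assumed field) must be valid and unused, and the new network
    must not overlap any network already defined.
    """
    problems = []
    if not cfg.get("is_vlan"):
        problems.append("'Is VLAN (802.1q) Interface' must be ticked")
    if cfg.get("parent") != "Customer":
        problems.append("Parent Interface must be Customer (other parents need Support)")
    if cfg.get("config_type") != "Addressed":
        problems.append("Config Type must be Addressed")
    if cfg.get("nat"):
        problems.append("NAT for traffic from this interface must be unticked")
    vlan_id = cfg.get("vlan_id")
    if not isinstance(vlan_id, int) or not 1 <= vlan_id <= 4094:
        problems.append("VLAN ID must be an integer between 1 and 4094")
    elif any(i.get("vlan") == vlan_id for i in existing):
        problems.append(f"VLAN ID {vlan_id} is already in use")
    try:
        # Dotted netmask is accepted here, matching the Address/Netmask fields.
        new_net = IPv4Interface(f"{cfg['address']}/{cfg['netmask']}").network
    except (KeyError, ValueError) as exc:
        problems.append(f"Address/Netmask invalid: {exc}")
        return problems
    for iface in existing:
        if new_net.overlaps(ip_network(iface["network"])):
            problems.append(f"{new_net} overlaps {iface['name']} ({iface['network']})")
    return problems


if __name__ == "__main__":
    planned = {"name": "VLAN100", "is_vlan": True, "parent": "Customer",
               "config_type": "Addressed", "nat": False, "vlan_id": 100,
               "address": "192.168.100.1", "netmask": "255.255.255.0"}
    print(validate_vlan_interface(planned) or "OK: no problems found")
```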
By default, the Zynstra server will route between all non-WAN networks, including tagged VLAN networks. It will NAT any traffic leaving the WAN interface (i.e. Internet traffic). The Firewall rack application in the Gateway Control Console can be used to flexibly define rules to restrict, or block entirely, traffic from a VLAN interface by clicking on Settings and defining one or more rules as desired: