Description:

Communication between different networks of a router can either be restricted via firewall rules or via interface tags. For simple scenarios, interface tags are a good choice due to the low configuration effort required.

For more complex scenarios, where communication to another network is allowed or forbidden only for individual members, using the interface tags is not recommended, as in this case an additional firewall rule would be needed to remove the interface tag and set the correct tag.

This article describes, how communication between different local networks on a router without WLAN and without permanent Private Mode on the Ethernet interfaces can be restricted via interface tags.

If you use a LANCOM router with WLAN and want to separate the wireless networks as well please, refer to the following Knowledge Base article:

ARF: Separating local networks by using interface tags for devices with WLAN


Requirements:

  • All routers without permanently active Private Mode on the Ethernet interfaces (all SD-WAN Gateways and SD-WAN VoIP Gateways except 2100EF, 1780EW-4G+, IAP-5G and OAP-5G)
  • LCOS as of version 9.24 (download latest version)
  • LANtools as of version 9.24 (download latest version)


Scenario:

The aim is to restrict access between the networks NETWORK1, NETWORK2and NETWORK3 on the LAN side of the router.

  • NETWORK1 with the Interface LAN-1 (ETH 1) has the Network ID: 172.16.1.0 and as a employee network should provide access to all other local networks and to the Internet.
  • NETWORK2 with the Interface LAN-2 (ETH 2) has the Network ID: 172.16.2.0 and as a guest network should provide access to the Internet only.
  • NETWORK3 with the Interface LAN-3 (ETH 3 and ETH 4) has the Network ID: 172.16.3.0 and as a server network should not have active access to any other network; however, NETWORK1 should have access to these servers.

Scenario graphic of a LANCOM router with three networks with different IP address ranges



Procedure:

  • Interface tags can be allocated to the IP networks. This gives you control over the communication between the networks. Routing tags can be allocated in the routing table.
  • When combined with the interface tags, these make it possible to control which route may be used by which local network.

1) Assigning the interfaces to the networks:

1.1) Open the configuration of the router in LANconfig and edit the Ethernet interfaces ETH 1 to ETH 4 in the menu Interfaces → LAN → Ethernet ports.

Edit the physical interfaces ETH 1 to ETH 4 in the menu Ethernet ports

1.2) Assign the logical interface LAN-1 to the physical Ethernet interface ETH 1.

Assign the logical interface LAN-1 to the physical interface ETH 1

1.3) Assign the logical interface LAN-2 to the physical Ethernet interface ETH 2.

Assign the logical interface LAN-2 to the physical interface ETH 2

1.4) Assign the logical interface LAN-3 to the physical Ethernet interfaces ETH 3 and ETH 4.

 Assign the logical interface LAN-3 to the physical interface ETH 3 Assign the logical interface LAN-3 to the physical interface ETH 4

1.5) Go to the menu Interfaces → LAN → LAN bridge.

Open the menu LAN bridge

1.6) Open the menu Port table.

Open the menu Port table in the LAN bridge

1.7) Make sure, that for the Bridge group of the logical interfaces LAN-1 to LAN-3 the option none is selected.

Check, that no bridge group is assigned to the logical interface LAN-1 Check, that no bridge group is assigned to the logical interface LAN-2 Check, that no bridge group is assigned to the logical interface LAN-3



2.) Assigning the logical interfaces and interface tags to the IP networks:

  • IP networks with the interface tag 0 can access all other networks.
  • IP networks with an interface tag in the range 1-65534 can only access IP networks that use the same interface tag.

You can check the assignment of the IP addresses to the interfaces via the CLI command show ipv4-addresses.

2.1) Go to the menu IPv4 → General → IP networks.

Open the menu IP networks

2.2) Click Add and subsequently create three new networks.

The entries INTRANET and DMZ should not be removed. As these are also referenced in other menus (e.g. in the DHCP networks) without additional configuration changes this would result in the configuration no longer being able to be written via LANconfig!

Add new networks

2.3) Modify the following parameters for the employee network:

  • Network name: Enter a descriptive name for the network (in this example NETWORK1).
  • IP address: Enter an IP address for this network (in this example 172.16.1.1).
  • Netmask: Enter a subnetmask for this network (in this example 255.255.255.0).
  • Interfaces assignment: Make sure, that the interface LAN-1 is selected.
  • Interface tag: Make sure, that the tag 0 is selected. This means, that members from this network can access all other local networks.

Enter the IP parameters and the logical interface for the employee network with interface tag 0

2.4) Modify the following parameters for the guest network:

  • Network name: Enter a descriptive name for the network (in this example NETWORK2).
  • IP address: Enter an IP address for this network (in this example 172.16.2.1).
  • Netmask: Enter a subnetmask for this network (in this example 255.255.255.0).
  • Interface assignment: Select the interface LAN-2 from the dropdown menu.
  • Interface tag: Enter the tag 1. This means, that members from this network cannot access any other local network.

Enter the IP parameters and the logical interface for the guest network with interface tag 1

2.5) Modify the following parameters for the Server network:

  • Network name: Enter a descriptive name for the network (in this example NETWORK3).
  • IP address: Enter an IP address for this network (in this example 172.16.3.1).
  • Netmask: Enter a subnetmask for this network (in this example 255.255.255.0).
  • Interface assignment: Select the interface LAN-3 from the dropdown menu.
  • Interface tag: Enter the tag 2. This means, that members from this network cannot access any other local network.

Enter the IP parameters and the logical interface for the server network with interface tag 2

2.6) The list of the IP networks should now appear as follows.

Overview of the created networks in the table IP networks 



3) Creating the routing entry:

As of LCOS 10.40 there is an own table in the FIB (Forwarding Information Base) for each routing tag.

  • Routing entries with an Internet remote site and the routing tag 0 are copied to all tables in the FIB. This means, that communication from all networks via an Internet connection with routing tag 0 is possible.
  • Routing entries with an Internet remote site and a routing tag unequal 0 is only copied to the table in the FIB with the corresponding routing tag. this means, that only the network with the corresponding tag can communicate via this routing entry.

Additional information regardíng the routing behavior can be found in the LCOS reference manual:

https://www.lancom-systems.com/docs/LCOS/reference-manual/#topics/informationen_zum_routingverhalten.html

3.1) Go to the menu IP Router → Routing → IPv4 routing table.

Open the menu IPv4 routing table

3.2) Adjust the routing tag of the default route to your needs. In this example the tag was left at 0, so that all networks can communicate with the Internet via this routing entry.

You can also copy the default route and enter a routing tag unequal to 0. In this case only a network with the same interface tag can communicate via this routing entry.

Adjust the routing tag of the default route if needed



 

All LANCOM products and software versions are subject to LANCOM Software Lifecycle Management.
You can find information on our website at https://www.lancom-systems.com/products/firmware/software-lifecycle-management

© 2025 LANCOM Systems GmbH