How to have more subnets in one LAN profile (for Vigor3900/2960)

Vigor3900 and Vigor 2960 supports multiple subnets within one VLAN profile, to let Network Administrator separate the LAN hosts into different IP subnets without setting up either tag-based or port-based VLAN. This article demonstrates how to configure this feature. However, traffic between these subnets will pass by default. It's needed to set up firewall rules if the traffic is forbidden.

1. Go to LAN >> General Setup, and click Edit to configure LAN profile.

2. Click Add in More Subnet field

  1. Specify the router's IP in this subnet at IP
  2. Select Mask of the subnet in Subnet Mask
  3. Select 'NAT' for Mode
  4. Disable DHCP if there is another DHCP server in the LAN profile
  5. You may modify the DHCP start IP and End IP if DHCP is enabled
  6. Click Apply to save

Now, hosts can decide which subnet to belong to by using DHCP and obtain IP in subnet or manually configuring static IP in subnet.

Block the host from accessing each other

Assume there are two LAN hosts, and their IP are and They can access each other by default, which can be verified by ping command.

To block the traffic between them, we will need to configure firewall rules. To set up a firewall rule:

1. Go to Objects Setting >> IP Object, and add two IP objects, one for the subnet, and the other for the subnet.

  1. Give a profile name
  2. Select "Subnet" for Address Type
  3. Type Network IP in Start IP Address
  4. Specify Subnet Mask
  5. Click Apply to save

2. Go to Firewall >> Filter Setup >> IP Filter, click Add to create a group, then click Add in Group tab to create two firewall rules:

  1. Give profile name and enable it
  2. Select 'Block' for Action
  3. Select the first subnet in Source IP Object and the second subnet for Destination IP Object, For the second rule, the Source IP Object should be the second subnet, and Destination IP Object should be the first subnet.
  4. Click Apply to save

After finishing the configuration, the firewall setting should be as follows.

Now, we can use ping to verify the Firewall configuration.

Published On:2016-06-29 

Was this helpful?   

book icon

Related Articles