I have some feedback about improving the WAN / LAN port control in the admin panel:
I have an BerylAX which has a 2.5 GBit WAN and a 1 GBit LAN port. Within the current interface the WAN port can be switched from WAN to LAN.
Devices connected to LAN end up in the private VLAN. For me this is far from ideal and here is why:
I often do road trips and travel with friends, where GL.iNet routers are the perfect companion. In a new location I connect the router to the new network and everybody has internet access afterwards, me using the private WLAN, my friends using the Guest WLAN. I use the two WLANs because that way I can have a VPN connection to my home network, while my friends have a direct connection to the internet. What I do not want is my friends accessing my home network, or even someone e.g. a cleaner in an accommodation.
To solve this I want more control over the ports.
For each port I want to choose the usage:
- Private LAN
- Guest LAN
In addition it would also be nice to be able to have different VPN connections assigned to the private VLAN and the guest VLAN at the same time to be able to bypass internet filters.
Will your friend connect to your router via cable? Cables are usually a secure connection, so glinet’s network cables are private.
Yes, friends could connect to the router with wires, just like cleaning staff in a hotel room. We sometimes travel in large groups of over 20 people, so I don’t know everyone that well. I agree that wiring in a household can be considered a secure connection. In a travel environment I would disagree. If you’re staying in a large house, you typically place the router in a central location, which is often the hallway or a common room.
It would just be good if you could configure the Lan ports to restrict or prevent access.
At present, we do not support adding ethernet port to guest network.
You are the first user to propose this requirement, we will consider it.
Can the LAN ports be disabled? I was thinking the same recently. I was using the device at an event.
The device is great, allowing me to securely tunnel over public networks. Yes I do my best to physically secure the device, but at the same time I can’t break the network and take the device away with me when I can’t keep my eyes on the device all the time.
I agree that this feature would be useful. I can restrict wifi with password but I cannot protect eth port in a similar way.
For example, I have a router at my office that connects through VPN to my home network. The wifi is protected so nobody can connect but, when I’m not there, someone could plug an ethernet cable into the ethernet port and they would have access to the home network.
I start using also Beryl AX(GL-MT3000) recently and I fully support @Noki feature request. I do not feel safe to leave the device unattended in a hotel room or a public space having VPN tunnel activated. A minimum implementation should allow disabling the LAN/WAN ports.
You can put locks on the Ethernet ports:
These are commonly used in places where Ethernet jacks are exposed to the public. In retail stores that accept payment cards, they are required for PCI Compliance that is audited regularly.
I do not work for and I do not have formal association with GL.iNet
It might be a solution when you want to completely lock the ports, but if you forgot the special key at home and you really need to use one of the ports than you have a problem. It doesn’t solve the problem when you need the LAN port(s) to be connected to the Guest LAN.
Another idea, which might be easier to implement, in order to limit access to LAN/WAN ports and still being able to connect with your private/trusted devices and maybe avoid lockdown in case you forgot the wifi pass, would be to implement a port security feature, so only whitelisted MAC addresses can connect.