Configuring Security Groups (VLANs)

Security Groups (VLANs)

To create a new Security Group (VLAN), choose the Add Group button on the lower left of the Gateway's Overview page.
Clicking the Add Group button will present you with options to specify the name of the new Security Group.

Here you will input the desired name of the VLAN as the group name and can specify the subnet. 


Configure the Security Group and assign it resources in the Wifi, Ethernet, and Storage sections of the Portal.


Reserved VLANs

The following VLANs are strictly reserved and should not be modified:

  1. VLAN 1: System device management (hidden)
  2. VLAN 10: WAN ports
  3. VLAN 11: VPN backbone
  4. VLAN 12: WAN ports

Notes
VLAN 1 is used for device management due to historical design decisions. While a higher VLAN ID (e.g., 1001) would have been preferable, this cannot be changed as deployed switches and APs expect management traffic on VLAN 1.

Default VLANs

The following VLANs are set up as defaults in the portal with preset attributes, but can be modified in the Portal > Firewall > Inter-VLAN settings:

VLAN 2: Employees (Default Configuration)

  • Accessible by all users
  • Cannot initiate access to other VLANs

Ideal for:

  • General staff access
  • Printers
  • Universally visible shares

VLAN 3: Guest (Default Configuration)

  • Firewalled from internal network
  • Internet access only
  • Bandwidth throttling enabled
  • Designed for customer/visitor use

VLAN 4: Boss (Default Configuration)

  • Not accessible by default
  • Can initiate access to all VLANs
  • Designed for administrative access

Available VLANs

  • VLANs 5-9 are open for general use

Important Configuration Notes

Default VLAN Modification

Despite their default configurations, VLANs 2-4 (Employees, Guest, and Boss) can be modified through the Portal > Firewall > Inter-VLAN settings to function as regular groups, similar to VLANs 5-9.

Tagged vs Untagged Traffic

Tagged Trunks

  • VLAN IDs must match between connected devices for tagged traffic

Untagged Ports

  • VLAN ID matching is not required

For untagged configurations, VLAN numbering conventions can be disregarded.

Example: You can assign VLAN 1 on the LAN for general use (like "Employees") and connect the switch uplink port to a gateway port assigned to the Employees group. This works because:

  • Tags are stripped in both directions
  • Internal VLAN ID differences are hidden from end devices (e.g., VLAN 1 in LAN devices can connect to VLAN 2 in gateway)
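
The reserved-VLAN list and the tagged/untagged rules above can be checked before a plan is entered in the Portal. The script below is an added example, not Uplevel code; the function name, the dictionary layout and the sample plan are all hypothetical, and it assumes that any ID this page does not list as a default (2-4) or general-use (5-9) VLAN should be flagged for review.

```python
# Added example: audit a planned VLAN layout against the rules on this page.
RESERVED = {1: "system device management", 10: "WAN ports",
            11: "VPN backbone", 12: "WAN ports"}
DEFAULTS = {2: "Employees", 3: "Guest", 4: "Boss"}
GENERAL_USE = range(5, 10)  # VLANs 5-9


def audit_plan(groups, links):
    """Return a list of findings.

    groups: {vlan_id: name} security groups planned on the gateway.
    links:  dicts with 'name', 'tagged' (bool), and the VLAN ID sets
            configured on each end ('gateway_vlans', 'switch_vlans').
    """
    findings = []
    for vid, name in sorted(groups.items()):
        if vid in RESERVED:
            findings.append(f"group {name!r}: VLAN {vid} is reserved ({RESERVED[vid]})")
        elif vid not in DEFAULTS and vid not in GENERAL_USE:
            # Assumption: IDs the page does not list are flagged for review.
            findings.append(f"group {name!r}: VLAN {vid} is not a default or general-use ID")
    for link in links:
        gw, sw = set(link["gateway_vlans"]), set(link["switch_vlans"])
        if link["tagged"] and gw != sw:
            # Tagged trunk: VLAN IDs must match on both ends.
            findings.append(f"link {link['name']!r}: tagged VLAN IDs differ "
                            f"(gateway only {sorted(gw - sw)}, switch only {sorted(sw - gw)})")
        if not link["tagged"]:
            # Untagged port: IDs need not match, but the gateway port
            # must still belong to a group that exists in the plan.
            for vid in sorted(gw - set(groups)):
                findings.append(f"link {link['name']!r}: gateway port uses VLAN {vid}, "
                                "which is not a planned group")
    return findings


# Constructed sample plan (not taken from a real deployment).
SAMPLE_GROUPS = {2: "Employees", 3: "Guest", 5: "Cameras", 11: "Lab"}
SAMPLE_LINKS = [
    # Untagged uplink: switch VLAN 1 to gateway Employees (VLAN 2) is fine.
    {"name": "office-switch", "tagged": False, "gateway_vlans": {2}, "switch_vlans": {1}},
    # Tagged trunk: Guest is VLAN 3 on the gateway but 30 on the switch.
    {"name": "ap-trunk", "tagged": True, "gateway_vlans": {2, 3}, "switch_vlans": {2, 30}},
]

if __name__ == "__main__":
    for finding in audit_plan(SAMPLE_GROUPS, SAMPLE_LINKS):
        print(finding)
```

With the sample plan, the untagged uplink passes even though the IDs differ, while the reserved ID and the mismatched tagged trunk are reported.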

