InterVLAN Routing on the Grandstream GWN7000 Rou

This article explains how to setup a Grandstream GWN7000 router with multiple VLANs/Networks. In this example we will have a total of 3 networks, Corporate, Voice and Guest. We will enable interVLAN routing on the Corporate and Voice Networks so they can communicate freely with each other, while the Guest Network will be isolated and allowed to communicate with the internet only.

1. Setup your WAN1 interface and ensure you have internet connectivity from the default LAN network.
2. Edit the default network under the Router > LAN section and change the name to Corporate and then Save:
   
3. Click Add to create a new network and populate the following and then save:
   LAN Name: Voice
   Enabled: Yes
   Destination: WAN1, Corporate (This will allow Voice Network to access WAN1 and Corporate networks and create forwarding rules in the firewall automatically).
   VLAN: Enabled
   VLAN ID: 2
   Enable IPv4: Yes
   DHCP Enabled for IPv4: Yes
   
4. Create another network which will be the Guest Network and save:
   LAN Name: Voice
   Enabled: Yes
   Destination: WAN1, Corporate (This will allow Voice Network to access WAN1 and Corporate networks and create forwarding rules in the firewall automatically).
   VLAN: Enabled
   VLAN ID: 2
   Enable IPv4: Yes
   DHCP Enabled for IPv4: Yes
   
5. Edit the Corporate Network again and allow it to communicate freely with the Voice Network:
   
6. Apply Changes at the top of the page.
7. Next we will setup the following ports under Router > LAN > Switch for simplicity however you can Tag/Untag the appropriate ports and pass to your VLAN switch if required.
   LAN 1: Untag Corporate
   LAN 2: Untag Voice
   LAN 3: Untag Guest
   
8. Save and Apply Changes.
9. Testing:
   1. Connect to LAN1 (you should receive a 192.168.1.x address on the Corporate network) and be able to ping/communicate with devices on the Voice network but not the Guest network.
   2. Connect to LAN2 (you should receive a 192.168.2.x address on the Voice network) and be able to ping/communicate with devices on the Corporate network but not the Guest network.
   3. Connect to LAN3 (you should receive a 192.168.3.x address on the Guest network). You should not be able to access the other networks, only the internet.
      Note: At this point you will still be able to ping the gateway address of each network whether Destination forwarding has been set or not as input rules are not automatically created.
      
10. Navigate to Firewall > Traffic Rules > Forward Rules and review the rules which have been automatically created based on the 'Destination'feature under the LAN network settings.
    
11. Optional: If you wish to restrict input traffic to the gateway (i.e. At this point, Guest Network traffic can ping 192.168.1.1 and 192.168.2.1 which are the gateway addresses on the router) you will need to add the following input rules:
    
12. Save and Apply changes.
    Note: If you have an existing test running, stop it and retest as sometimes the firewall rules may not affect established connections (only new ones). i.e. you have a ping to 192.168.2.1 from the guest network which should be dropped as soon as these rules are in place but is still succeeding as the ping test started before the rules were implemented.