How come I can ping between 2 different VLANS?

Question

I've been trying to find an answer to this question and even asked a CCNA I worked with but it still is not making sense. Here's the scenario:

I have an office that has multiple rows of computers that only need to talk within each row. The entire subnet space that is needed is well below a full /24 so multiple subnets aren't needed. However, we don't want people in row 1 being able to ping or access computers in row 2 but we DO want them to be able to reach the NAS. So, my thought was that I would create multiple VLANs on the same /24 and tag each port with the correct VLAN according to what row they sit in, then place the NAS on the management VLAN which would allow all of the various VLANs to communicate with the NAS and nothing else. The setup I'm using has a layer 3 security gateway which handles all of the routing attached to a layer 2 switch (router on a stick). The problem is that when I create the VLANs and tag the ports on the switch I can still ping hosts on the other VLANs. What am I doing wrong?

NOTE: I'm using a Ubiquiti USG for attached to a Ubiquiti UniFi 48 port switch

Answer 1

I'm not sure what you are trying to achieve will work with management VLANs but leaving that aside, the reason you can see all the other computers is that I suspect that your computers are not configured to send tagged packets and so are sending untagged packets.

In that case the VLAN the packets are assigned to will be based on the PVID of the port they are connected to. Note that this is different to what VLANs the port is a member of. Most switches have different config pages for membership and PVID

Without knowing what switch you are connected to it I cant comment on exactly how you need configure it but see if you can see a setting for the PVID for the ports and check it is set to the VLAN you want. That will restrict the traffic as you need.