Anyone using VLANs?

Jessie.slimer

BIT Beta Team
I asked in the other router thread, but I don't want to hijack it with any further questions.

I'm in the process of switching internet providers, and I'm trying to isolate all of my IoT and non-trustworthy devices from my main network. Before, I had my AT&T DSL modem/router combo in bridged mode passing everything to my Asus 86U. The guest network on my AT&T router is where I put IoT, and it seemed to work great. Everything was wifi. My Asus handled everything else, including VPN inbound connections. House guests used my Asus guest wifi.

With my new ISP, I am only using the Asus router. I'd like to keep guests separate from the IoT devices, so I'm looking at either getting a router with VLAN capability or setting up some sort of multi-router configuration that will keep 3 networks separate.

Most of my IoT devices are wifi, but a couple are not, such as a couple of 4K TVs (which I don't want on wifi, since now I have internet speeds that will support 4K) and my Hubitat (which does not have wifi connectivity).

I'm looking at the EdgeRouter stuff, which seems to have VLAN support that can be configured in a GUI instead of the command line (which is important for me).

Has anyone used these in a similar setup, or any other ideas?
 

wittaj

IPCT Contributor
Many here do. Some use a simple managed switch with VLAN capabilities just after the Asus router to do this.

Others, as I mentioned in your other post, use one of the guest wifi networks to mimic VLANs, but as you point out, that does not work with IoT devices that are hardwired.

Many use the EdgeRouter stuff, and a member here made it simple:

 

The Automation Guy

Known around here
Yes. It's easy to come up with lots of VLANs too.

Best practice is probably to set up two IoT VLANs: one for stuff that needs to connect to the internet (like streaming devices and smart TVs) and one for IoT stuff that shouldn't connect to the internet (wifi switches, plugs, etc.). Another VLAN for your main network, one for the guest network, and one for CCTV as well. We also have one dedicated to gaming consoles (you can allow UPnP or other services needed for online gaming, etc., for this VLAN only), and I have one for my digital phone system. It's kind of crazy, but once you start down this path, you suddenly realize how important it is to isolate parts of your network.

Jessie.slimer

BIT Beta Team
> Many here do. Some use a simple managed switch with VLAN capabilities just after the Asus router to do this.
>
> Others, as I mentioned in your other post, use one of the guest wifi networks to mimic VLANs, but as you point out, that does not work with IoT devices that are hardwired.
>
> Many use the EdgeRouter stuff, and a member here made it simple:

Perfect, exactly what I need. Thanks.
 

Cold-Lemonade

Pulling my weight
If your old router is compatible with DD-WRT, you could flash your router with it and then set up a VLAN. Then you could use iptables to set up rules on what the VLAN can access.
 

Cold-Lemonade

Pulling my weight
I don't believe it is. I know it's compatible with Merlin firmware, though.
Here's the list of supported routers for the latest version of DD-WRT. I'm not sure of the exact model number of your ASUS, but there are about 15 of them.
 

Jessie.slimer

BIT Beta Team
After a bunch of vendor-cancelled orders on a new ER-X, I've discovered they are on backorder. I didn't want to pay gouged prices, so I bought a used one on eBay that I will do a factory reset on.

For anyone with VLAN experience, will I need separate access points off my EdgeRouter for each VLAN, or can I get a single AP such as a UniFi nanoHD and it will broadcast all of them?
 

ARAMP1

Pulling my weight
I use pfSense with a 10GbE connection. These are my VLANs.

[Attachment: Interfaces Sanatized.jpg]

Though I'm not using a UniFi router, I'm using UniFi access points throughout the house, and you can set up, in each access point, which VLANs you want to run on it. For instance, my kids' VLAN is only on 2.4 GHz, so I only need it in a couple of access points since it covers more area. I can also regulate tiers of speed within the access points. For instance, I don't need full speed for my thermostats, doorbell, alarm, Hubitat, etc., so I've put them on the slowest tier.

[Attachment: Unifi Network 3.jpg]
 

The Automation Guy

Known around here
> For anyone with VLAN experience, will I need separate access points off my EdgeRouter for each VLAN, or can I get a single AP such as a UniFi nanoHD and it will broadcast all of them?

It may depend on the hardware, but I suspect most of the decent APs will allow you to have multiple unique wireless networks being broadcast from a single AP: one for each VLAN. This is how I do it with my Ubiquiti APs. If you need more than 2 or 3, you have to turn off a particular setting, but honestly I can't remember what it is. But it is clearly marked in the setup section and wasn't anything important IMHO. As noted above, I have a decent number of VLANs, and 5 of them are being broadcast as unique wireless networks via the Ubiquiti gear without any issues.

I would suggest that you check the specs of any AP before purchasing it, just to make sure you know if there is a limit on the number of concurrent networks it can broadcast.
 

th182

BIT Beta Team
I use pfSense with smart/managed switches and UniFi AC Lite access points. I'm up to 9 different VLANs! It makes it so easy to isolate traffic and implement access rules!

For instance, my CCTV network is blocked from having any internet access or access to other VLANs. My HOME network, where all my PCs are, is allowed to reach any other VLAN. So I can get to camera GUIs without needing to be on that VLAN.

I originally started with the EdgeRouter X but grew frustrated pretty quickly. I was new to firewalls and networking at the time and found all the guides and forums to be too technical when they explained stuff. My buddy pointed me to pfSense, and I haven't looked back! Plenty of resources, and it helped that I had my buddy to lean on if I got stuck on something. Plus there are plugins for ad blocking, and VPN was much easier to configure via the GUI.


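The VLAN layouts described above (two IoT VLANs, CCTV and guest cut off from everything but their replies, HOME allowed to reach every VLAN) boil down to a per-VLAN inbound ruleset on the router, and the easiest way to catch a mistake before committing it is to write the intended policy down and check the rules against it. The following is an added example, not code or configuration from anyone in this thread: it models a first-match, default-drop ruleset of the kind EdgeRouter or pfSense applies to traffic arriving from each VLAN and audits it against the isolation matrix the posts describe. The VLAN names, the 192.168.x.0/24 subnets and the 203.0.113.10 "internet" host are constructed assumptions, not anyone's real addressing.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed VLAN plan (assumption, not from the thread): one /24 per VLAN.
VLANS: Dict[str, IPv4Network] = {
    "HOME": ip_network("192.168.10.0/24"),          # PCs; may reach every VLAN
    "IOT_INTERNET": ip_network("192.168.20.0/24"),  # smart TVs, streamers
    "IOT_LOCAL": ip_network("192.168.30.0/24"),     # plugs, switches, hub
    "CCTV": ip_network("192.168.40.0/24"),          # cameras / NVR
    "GUEST": ip_network("192.168.50.0/24"),
}
# All private space: a single drop on this blocks lateral movement into every
# sibling VLAN without having to list each one (and without forgetting a new one).
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))
INTERNET = ip_address("203.0.113.10")  # constructed public host (TEST-NET-3)


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "drop"
    dst: Tuple[IPv4Network, ...] = ()  # destination networks; () means any
    established: bool = False          # True: only reply traffic matches


# Rulesets applied to traffic entering the router *from* each VLAN.
# First match wins; a packet matching nothing is dropped.
ALLOW_REPLIES = Rule("accept", established=True)
INTERNET_ONLY = [ALLOW_REPLIES, Rule("drop", RFC1918), Rule("accept")]
RULESETS: Dict[str, List[Rule]] = {
    "HOME": [Rule("accept")],            # trusted: anywhere, including other VLANs
    "IOT_INTERNET": INTERNET_ONLY,
    "IOT_LOCAL": [ALLOW_REPLIES],        # may only answer connections HOME opened
    "CCTV": [ALLOW_REPLIES],             # cameras never initiate anything
    "GUEST": INTERNET_ONLY,
}


def evaluate(src_vlan: str, dst_ip, established: bool = False) -> str:
    """Return the action of the first matching rule, or 'drop' if none matches."""
    dst = ip_address(dst_ip)
    for rule in RULESETS[src_vlan]:
        if rule.established and not established:
            continue  # state-only rule; this is a new connection
        if rule.dst and not any(dst in net for net in rule.dst):
            continue
        return rule.action
    return "drop"


def reachability() -> Dict[Tuple[str, str], str]:
    """Decision for a *new* connection from each VLAN to a host (.50) in every
    other VLAN and to the internet."""
    targets = {name: net[50] for name, net in VLANS.items()}
    targets["INTERNET"] = INTERNET
    return {(src, dst): evaluate(src, ip)
            for src in RULESETS for dst, ip in targets.items() if dst != src}


# The intended policy, written out so the ruleset can be audited against it.
INTENDED_ALLOWED = {
    "HOME": {"IOT_INTERNET", "IOT_LOCAL", "CCTV", "GUEST", "INTERNET"},
    "IOT_INTERNET": {"INTERNET"},
    "IOT_LOCAL": set(),
    "CCTV": set(),
    "GUEST": {"INTERNET"},
}


def audit() -> List[str]:
    """List every (src, dst) pair whose decision disagrees with INTENDED_ALLOWED."""
    problems = []
    for (src, dst), action in reachability().items():
        expected = "accept" if dst in INTENDED_ALLOWED[src] else "drop"
        if action != expected:
            problems.append(f"{src}->{dst}: got {action}, wanted {expected}")
    return problems


if __name__ == "__main__":
    for (src, dst), action in sorted(reachability().items()):
        print(f"{src:13} -> {dst:13} {action}")
    # A camera answering a browser session that HOME opened is reply traffic,
    # so it passes even though CCTV may not initiate anything.
    print("CCTV reply to HOME:", evaluate("CCTV", VLANS["HOME"][50], established=True))
    print("violations:", audit() or "none")
```

The point of the `established` rule at the top of each ruleset is what makes the HOME-to-camera case work: the camera never gets to open a connection, but its replies to a session a PC started are allowed back, which is exactly the "reach the camera GUI without being on that VLAN" behaviour. Reordering the rules (for example, putting the RFC1918 drop first) silently breaks that, which is the kind of mistake the audit is meant to catch.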
 

OICU2

BIT Beta Team
Another pfSense user here. Installed it on an HP t730 thin client with a 4-port NIC. Also fleabay cheap used Netgear smart switches that support VLANs, and Ruckus R500 WAPs in standalone Unleashed mode.
 