SageTV Community  

#1
04-16-2022, 12:45 PM
KeithAbbott
Sage Icon
Join Date: Oct 2009
Location: Southeastern Michigan
Posts: 1,375
VLAN Questions

Hello, I'm hoping that some networking guru can answer a few questions about setting up VLANs in my home environment. I currently have a wired Ubiquiti EdgeRouter and an unmanaged switch, along with a Netgear Orbi wireless router set up as a wireless access point (connected to my unmanaged switch). Right now, it's just one big happy network. However, I would like to split it up via VLANs so that I have a completely separate guest wifi network, and a completely separate IOT network, with none of those devices being able to get to devices outside of their VLAN. My questions:
  • Can I set up the VLANs entirely within a managed switch, or will I need to also configure the router?
  • I see that you can configure the VLANs by switch port (all devices connected to that port are included on that VLAN), or by individual MAC addresses. For the guest wifi, I am thinking that I would need to connect an additional WAP to a port on the switch, and define that port as a VLAN. Is that the best way, or is there a better way to do it?
  • Once I get the VLANs set up, is there a way that a "master" workstation could have access to all devices, whether they are isolated on a VLAN or not?
  • Does each VLAN require its own IP address range or subnet, or can all devices have IP addresses within the same subnet?
  • Does the switch only require one wired connection to the router, or does each VLAN require its own wired connection between the switch and the router?
  • If only one wired connection to the router is required, wouldn't the router resolve connections between different VLANs? In other words, wouldn't the router ruin the isolation between VLANs?
I've tried to find some sort of "VLANs for Dummies" guide out on the internet, but I haven't been able to find anything out there yet that does a good job connecting the dots for a VLAN beginner like me.
__________________
Server: MSI Z270 SLI Plus ATX Motherboard, Intel i7-7700T CPU, 32GB Memory, Unraid 6.11.5, sagetvopen-sagetv-server-opendct-java11 Docker (version 2.0.7)
Tuners: 2 x SiliconDust HDHomeRun Prime Cable TV Tuners, SiliconDust HDHomeRun CONNECT 4K OTA Tuner
Clients: Multiple HD300 Extenders, Multiple Fire TV Stick 4K Max w/MiniClient
Miscellaneous: Multiple Sony RM-VLZ620 Universal Remote Controls
#2
04-16-2022, 03:37 PM
emveepee
Sage Aficionado
Join Date: Nov 2006
Posts: 417
I actually have an Edgerouter Lite with a WAP with VLAN access for a guest account with its own SSID and subnet, another set for a Nest thermostat, and finally one for my private LAN (not on a VLAN), all on one wire. You'd have to see how your Netgear WAP handles VLAN tagging since every setup will be a little different.

I can't put one of my IoT light switches on the IoT VLAN because it is too far away and the bedroom access point doesn't support VLAN. Also it is a pain configuring some IoT devices when the private network control device can't find them on the same subnet.

At the end of the day a dummies guide is a pretty bad idea for implementing any form of advanced security, since bad configuration could end up giving you a false sense of security. I mainly did this for guests because I still like SMB1. My system is working, but I don't have any way of testing if it is really done properly.

Martin
#3
04-17-2022, 10:34 AM
wayner
SageTVaholic
Join Date: Jan 2008
Location: Toronto, ON
Posts: 7,491
If you put IOT devices on a separate VLAN then doesn't that isolate them from the rest of your network? And if that's the case how do you integrate them into everything else in your house, which is often the point of having IOT devices in the first place.

I have a Control4 Home Automation system and it can (and in my case, does) work with all sorts of separate IOT devices, but it has to be able to talk to them, either via LAN or Zigbee.
__________________
New Server - Sage9 on unRAID 2xHD-PVR, HDHR for OTA
Old Server - Sage7 on Win7Pro-i660CPU with 4.6TB, HD-PVR, HDHR OTA, HVR-1850 OTA
Clients - 2xHD-300, 8xHD-200 Extenders, Client+2xPlaceshifter and a WHS which acts as a backup Sage server
#4
04-17-2022, 10:51 AM
KeithAbbott
Sage Icon
Join Date: Oct 2009
Location: Southeastern Michigan
Posts: 1,375
Quote (Originally Posted by wayner):
If you put IOT devices on a separate VLAN then doesn't that isolate them from the rest of your network?
So that's one of the things that I don't understand yet about VLANs. Let's say I have 192.168.1.10 on VLAN1, and 192.168.2.20 on VLAN20. Since the router knows about both devices, if 192.168.2.20 tried to access 192.168.1.10, wouldn't the router just forward the request back to the internal network? I must be missing something here.

Quote (Originally Posted by wayner):
And if that's the case how do you integrate them into everything else in your house, which is often the point of having IOT devices in the first place.

I have a Control4 Home Automation system and it can (and in my case, does) work with all sorts of separate IOT devices, but it has to be able to talk to them, either via LAN or Zigbee.
The devices that you are describing don't sound like good candidates for isolating in a separate VLAN. However, there are plenty of IOT devices out there that do all of their communication to an external site on the internet, and then provide a web interface to configure and operate the device from.
#5
04-19-2022, 07:05 AM
sic0048
Sage Icon
Join Date: Nov 2007
Posts: 1,400
Quote (Originally Posted by wayner):
If you put IOT devices on a separate VLAN then doesn't that isolate them from the rest of your network? And if that's the case how do you integrate them into everything else in your house, which is often the point of having IOT devices in the first place.

I have a Control4 Home Automation system and it can (and in my case, does) work with all sorts of separate IOT devices, but it has to be able to talk to them, either via LAN or Zigbee.
A VLAN that is blocked from communicating with other VLANs will still respond to communication from other devices on those other VLANs. When set up like this, think of it as if your VLAN is "blind". It literally doesn't "see" any other aspect/device of your network. But if a device starts communicating with it, the IOT device will "talk" to it just like normal. But as soon as that communication ends, the IOT device is still blind and cannot see or communicate with other devices on its own.

This means you can have your IOT devices all on one VLAN (I would actually suggest two IOT VLANs - one for IOT devices that don't need internet access, and one for IOT devices that do need internet access) and your Control4 controller can sit on another VLAN and it will still be able to communicate with the IOT VLAN like normal.

Hopefully that helps explain how VLANs can work and why they are helpful in segmenting your network into smaller groups of devices that you can then specify different firewall rules to. This helps secure your network by preventing every device from being able to communicate with every other device and also makes it very easy to limit access to the internet to an entire VLAN rather than trying to do this at the device level (which works, but is harder to manage).
__________________
i7-6700 server with about 10tb of space currently
SageTV v9 (64bit)
Ceton InfiniTV ETH 6 cable card tuner (Spectrum cable)
OpenDCT
HD-300 HD Extenders (hooked to my whole-house A/V system for synched playback on multiple TVs - great during a Superbowl party)
Amazon Firestick 4k and Nvidia Shield using the MiniClient
Using CQC to control it all
#6
04-19-2022, 07:23 AM
sic0048
Sage Icon
Join Date: Nov 2007
Posts: 1,400
Quote (Originally Posted by KeithAbbott):
Hello, I'm hoping that some networking guru can answer a few questions about setting up VLANs in my home environment. I currently have a wired Ubiquiti EdgeRouter and an unmanaged switch, along with a Netgear Orbi wireless router set up as a wireless access point (connected to my unmanaged switch). Right now, it's just one big happy network. However, I would like to split it up via VLANs so that I have a completely separate guest wifi network, and a completely separate IOT network, with none of those devices being able to get to devices outside of their VLAN. My questions:
  • Can I set up the VLANs entirely within a managed switch, or will I need to also configure the router?
  • I see that you can configure the VLANs by switch port (all devices connected to that port are included on that VLAN), or by individual MAC addresses. For the guest wifi, I am thinking that I would need to connect an additional WAP to a port on the switch, and define that port as a VLAN. Is that the best way, or is there a better way to do it?
  • Once I get the VLANs set up, is there a way that a "master" workstation could have access to all devices, whether they are isolated on a VLAN or not?
  • Does each VLAN require its own IP address range or subnet, or can all devices have IP addresses within the same subnet?
  • Does the switch only require one wired connection to the router, or does each VLAN require its own wired connection between the switch and the router?
  • If only one wired connection to the router is required, wouldn't the router resolve connections between different VLANs? In other words, wouldn't the router ruin the isolation between VLANs?
I've tried to find some sort of "VLANs for Dummies" guide out on the internet, but I haven't been able to find anything out there yet that does a good job connecting the dots for a VLAN beginner like me.

1) If your switch is L3, then you can set up the VLANs completely within the switch and the router/firewall will not handle this. For a large network, this is important because it takes away the potential bottleneck that is created by having hundreds or thousands of devices on VLANs having to send their data through the firewall. However on a normal size home network, this probably isn't a big concern. It is certainly much easier to set the VLANs up on the firewall/router because you don't have to learn any of the L3 level stuff to make it work.

2) Many WiFi Access Points can broadcast multiple networks at the same time. Most of the time, the AP controller will allow you to set up VLANs for these multiple networks. This means you don't have to have a physical AP for each wifi network. I have Ubiquiti APs at my house (although they are the only Ubiquiti gear I use) and I have 6 different wireless networks being broadcast from the same devices at the same time and they are all on different VLANs. (Networks = Main, Guest, IOT with Internet, IOT without internet, Gaming systems, CCTV). I have no idea if the Netgear Orbi has this ability or not.

3) Having a "Master" access can be done by having a VLAN that is granted access to all VLANs. I have my "Main" VLAN set up to be able to access everything. You can set which VLANs can access other VLANs via your firewall rules. You might have VLANs that cannot communicate with any other VLAN, but you can also set it up where a certain VLAN can communicate with some or all of the other VLANs.

4) Yes, each VLAN requires its own subnet/gateway as far as I understand it. But I'm also a self taught home user, so perhaps there is a way around this. However most home users are going to set up a gateway for each VLAN which will have its own DHCP server and subnet of addresses.

5) Only one wire is required. The switch will pass all information from all VLANs over that one connection.

6) Isolation is created via your firewall rules. The router/firewall will not allow traffic to pass between VLANs if that is what is desired. It depends on your firewall how this is accomplished. I use pfSense and it by default blocks all traffic, so I would have to create a firewall rule that allowed connections to be made. I believe Ubiquiti is the opposite - it allows all traffic, so you would have to create firewall rules to block the traffic between VLANs as needed.

Hopefully that helps. Again, I am self-taught (not an IT professional), but I've been running my network like this for years now and I am certainly willing to answer any questions you might have.
#7
04-19-2022, 07:51 AM
sic0048
Sage Icon
Join Date: Nov 2007
Posts: 1,400
Here is how I would set up a home network using VLANs today. My network doesn't look exactly like this because I have picked up a few tips since I created my network and it's a pain to go back and redo your base level network architecture - which is why it is so important to get it right the first time.

1) Admin network (has internet access and access to all VLANs). This would be for a small set of trusted devices only (which doesn't include your family's cell phones or mobile devices). Your main computer(s) is about all that would be on this VLAN. Think of it as an "administrator" level VLAN.

2) Guest network (has internet access, no access to other VLANs, optionally you can even isolate each device so that individual devices cannot see other devices on the guest network) - This is obviously just for guests in your home. Normally there wouldn't be any devices on this network.

3) Main Network or IOT Device With Internet Access (has internet, by default devices have no access to other VLANs) - This is where your cell phones and mobile devices go. Your SageTV system would sit on this VLAN and also any smart TVs, streaming devices like Firesticks, Roku, etc. Basically anything that needs the internet, but is not an "admin" level device goes here.

4) IOT Devices without Internet (no internet, no VLAN access) - "smart" devices that you want off the internet go here - wifi plugs and switches, appliances, etc. You should be using a VPN connection to access your network, including these devices, while away from home. You should not be relying on the cloud to do this, nor allowing devices to connect to the cloud (which is simply a computer in some unknown location/country that you have no control over).

5) Printers (no internet, no VLAN access) - any network printer should be on this VLAN. You can grant access to this VLAN on an individual device basis - for example you will want your family's laptops/computers (which should be on VLAN 3) to have access to print things. You can also temporarily grant access to entire VLANs if needed - for example you might want to grant access to the Guest network if you have a guest that needs to print something. This is the primary reason to have the printers on their own VLAN - so you can easily give access to them without having to grant access to other devices.

6) Gaming Consoles (like XBox, etc) (Internet, but no VLANs) - You generally need to open more ports and services for these devices in order for online gaming to work well. These are things that you generally don't want to open for other devices, so put all of these on their own VLAN. It makes it super easy to hook up a friend's device that they brought over.

7) CCTV Cameras (No Internet, no VLAN) - these devices should be isolated from your network/other devices. You can give access to this network for specific devices as needed to be able to view the cameras, etc.

8) PBX Phone system (No Internet, no VLAN) - same concept as the CCTV VLAN.

Tip - Create aliases for groups of devices to make management easier. (Perhaps this is a pfSense concept, but this is what they call it.) I put all my family's cell phones and mobile devices in a single alias group and can create firewall rules that allow the group of these devices into the Printer VLAN and CCTV VLAN, for example. When we get a new device or get rid of a device, I only have to add/remove it in the alias group and I don't have to modify each firewall rule.

Of course this is just my opinion. There is no true right or wrong way of doing this. If you want more VLANs (perhaps breaking apart the main network (family's devices) from the true IOT devices that need internet) or fewer VLANs, then do it. My only recommendation is that you spend a decent amount of time thinking about this - what devices do you have now (and think you will have in the future) and why do they need to connect to other devices? Again, it is easy to execute whatever overall network architecture you want to use in the beginning. It is much harder to go back and change things after everything is set up.

Last edited by sic0048; 04-19-2022 at 08:12 AM.
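The EdgeOS configuration below is an added worked example; it is not from any post in this thread and it is not Ubiquiti's own documentation. It turns sic0048's answers 3 to 6 in post #6 (one trunk wire to the switch, one subnet and DHCP scope per VLAN, isolation done by firewall rules on the router, an admin VLAN that can reach everything), the "blind but will still answer" behaviour described in post #5 (the established/related rule), and the post #7 layout with its alias tip (EdgeOS calls these address-groups) into the `configure` session of the EdgeRouter the original poster already owns. The interface name eth1, the VLAN numbers, the subnets and the two FAMILY_DEVICES addresses are assumptions chosen for the example, not values from the thread, and DNS forwarding is assumed to be enabled already, as the EdgeRouter setup wizard does.

```text
# Added example, not from the thread. Assumed layout (all values made up):
#   eth1     = EdgeRouter port wired to the managed switch (the single trunk)
#   untagged = existing main LAN 192.168.1.0/24 (family laptops, phones, SageTV)
#   VLAN 10 ADMIN 192.168.10.0/24   VLAN 20 IOT_INET   192.168.20.0/24
#   VLAN 30 IOT_NOINET 192.168.30.0/24   VLAN 40 GUEST 192.168.40.0/24
#   VLAN 50 PRINTERS 192.168.50.0/24
configure

# One 802.1Q sub-interface per VLAN on the one wire to the switch (Q4 and Q5).
set interfaces ethernet eth1 description 'LAN trunk to managed switch'
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 vif 10 description ADMIN
set interfaces ethernet eth1 vif 10 address 192.168.10.1/24
set interfaces ethernet eth1 vif 20 description IOT_INET
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
set interfaces ethernet eth1 vif 30 description IOT_NOINET
set interfaces ethernet eth1 vif 30 address 192.168.30.1/24
set interfaces ethernet eth1 vif 40 description GUEST
set interfaces ethernet eth1 vif 40 address 192.168.40.1/24
set interfaces ethernet eth1 vif 50 description PRINTERS
set interfaces ethernet eth1 vif 50 address 192.168.50.1/24

# Each VLAN is its own subnet, so each gets its own DHCP scope. Shown for VLAN 20;
# repeat with the matching addresses for VLANs 10, 30, 40 and 50.
set service dhcp-server shared-network-name IOT_INET subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name IOT_INET subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dhcp-server shared-network-name IOT_INET subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.199
set service dns forwarding listen-on eth1.20

# Groups: every private range (so "any other VLAN" is one rule) and an
# address-group, the EdgeOS equivalent of a pfSense alias (post #7 tip).
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16
set firewall group address-group FAMILY_DEVICES address 192.168.1.21
set firewall group address-group FAMILY_DEVICES address 192.168.1.22

# IoT with internet: may answer sessions opened from other VLANs (post #5),
# may not open a session toward any private subnet, may reach the internet.
set firewall name IOT_INET_IN default-action drop
set firewall name IOT_INET_IN rule 10 action accept
set firewall name IOT_INET_IN rule 10 state established enable
set firewall name IOT_INET_IN rule 10 state related enable
set firewall name IOT_INET_IN rule 20 action drop
set firewall name IOT_INET_IN rule 20 destination group network-group RFC1918
set firewall name IOT_INET_IN rule 30 action accept
set interfaces ethernet eth1 vif 20 firewall in name IOT_INET_IN

# IoT without internet, and printers: nothing but replies ever leaves the VLAN.
set firewall name REPLY_ONLY_IN default-action drop
set firewall name REPLY_ONLY_IN rule 10 action accept
set firewall name REPLY_ONLY_IN rule 10 state established enable
set firewall name REPLY_ONLY_IN rule 10 state related enable
set interfaces ethernet eth1 vif 30 firewall in name REPLY_ONLY_IN
set interfaces ethernet eth1 vif 50 firewall in name REPLY_ONLY_IN

# Guest: same shape as IOT_INET for forwarded traffic, plus a 'local' policy so the
# router itself answers only DHCP and DNS from guests (no management access).
set firewall name GUEST_IN default-action drop
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 destination group network-group RFC1918
set firewall name GUEST_IN rule 30 action accept
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 protocol udp
set firewall name GUEST_LOCAL rule 10 destination port 67
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 protocol tcp_udp
set firewall name GUEST_LOCAL rule 20 destination port 53
set interfaces ethernet eth1 vif 40 firewall in name GUEST_IN
set interfaces ethernet eth1 vif 40 firewall local name GUEST_LOCAL

# Main LAN: internet yes, other VLANs no, except that the FAMILY_DEVICES group may
# print (9100 raw, 631 IPP) on the printer VLAN. Adding a phone to the group is
# the only change needed later; the rule itself stays as it is.
set firewall name LAN_IN default-action drop
set firewall name LAN_IN rule 10 action accept
set firewall name LAN_IN rule 10 state established enable
set firewall name LAN_IN rule 10 state related enable
set firewall name LAN_IN rule 20 action accept
set firewall name LAN_IN rule 20 protocol tcp
set firewall name LAN_IN rule 20 source group address-group FAMILY_DEVICES
set firewall name LAN_IN rule 20 destination address 192.168.50.0/24
set firewall name LAN_IN rule 20 destination port 9100,631
set firewall name LAN_IN rule 30 action drop
set firewall name LAN_IN rule 30 destination group network-group RFC1918
set firewall name LAN_IN rule 40 action accept
set interfaces ethernet eth1 firewall in name LAN_IN

# ADMIN (vif 10) deliberately gets no 'in' ruleset: that is the "master" VLAN (Q3).
commit
save
exit
```

This only does what the thread describes if the managed switch port wired to eth1 is a trunk carrying VLANs 10 through 50 tagged (main LAN untagged) and every device port is an untagged access port in exactly one VLAN; an unmanaged switch in that position cannot separate ports at all. The Orbi must be able to tag a second SSID into VLAN 40, otherwise a second access point goes on an access port in that VLAN as the original poster proposed. To check the isolation rather than trust it (emveepee's point in post #2), open a connection from a device in VLAN 20 to a main-LAN address (it should time out) and from the main LAN to that device (it should work), then run `show firewall name IOT_INET_IN statistics`: the first attempt increments rule 20, the reply traffic of the second increments rule 10. Existing WAN NAT rules are left as they were.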