Could you answer some VLAN based questions please? - eviltoast

Everyone was kind enough to ram my brain chock full of knowledge about switches and I came away feeling like I can explain it to other people. (please don’t test me on this, I’ll fail)

But now I’m trying to figure out how I want my network to look and so it’s best I ask the people smarter than me that actually understand what I’m trying to do.

My house is an average sized, end of terrace in a big city and so while I can get decent Internet speeds, I get lots of WiFi signal congestion with neighbours, buildings, etc.

In my present router, which I really need to replace, I have my NAS and cable box plugged in via Ethernet; everything else is connected via WiFi. That’s a bunch of phones, a couple of laptops, and a couple of Raspberry Pis (including my one with all my home services, like Home Assistant and my Pi-hole).

The design I’m cooking up, is that my NAS would be on a virtual LAN with no direct access to the Internet, my Raspberry Pis would have Internet access. I don’t need to worry about my smart home devices having Internet access since they’re all Zigbee devices. But I plan to switch my cable box to an IPTV box and I’m also wanting to get a video doorbell and security camera for the garden, so that’s at least three virtual local area networks. Four if I add a guest network.

My questions are really simple ones and you’re probably gonna laugh at how stupid they are… can I do this all with a single switch? Do I need separate access points for each VLAN or can I have multiple VLANs on a single AP? How many ports should I be looking at on my switch? Would four be enough for my set-up? Also, managed is best, right?

  • not_fond_of_reddit@lemm.ee · 4 points · 7 months ago

    Segment based on usage; a decent switch can handle around 4k VLANs.

    • users (Ethernet)
    • users (wlan)
    • iot
    • cameras
    • servers
    • storage
    • media devices
    • phones
    • printers
    • guests

    If you can enable client isolation on WiFi, port protection/isolation on Ethernet and start using 802.1X for network auth, then you are off to a pretty decent start in case of a vendor bug, misconfiguration or some curious individual.

    • sabreW4K3@lazysoci.al (OP) · 1 point · 7 months ago

      Thank you so much. I’ll read up on network authentication because right now I have no clue what that is 😅

  • jet@hackertalks.com · 4 points · edited · 7 months ago

    A switch can pass VLAN tagged packets through it even if it doesn’t understand VLANS itself.

    The switch only has to be VLAN aware if you want the switch port itself to assign the VLAN tag.

    As long as your access point is capable of VLAN tagging, that should be sufficient for your scenario. Some access points, like Ubiquiti, can handle multiple SSIDs with different VLANs. If your device supports it then it should be fine.

    A managed switch will make your life easier, but it’s optional. Especially if the hardware you’re going to plug into the switch can do its own VLAN management like Linux

    Depending on your threat model, you might require the switch itself to be vlan aware so that sensitively tagged packets are not exposed physically to untrusted devices.

    If you’re choosing your switch: how many devices do you want to plug into it, how many devices might you grow into in the future, what throughput requirements do you have, do you want managed or unmanaged, does it need to be able to deliver PoE? The more things you say yes to, the more expensive the switch.

    Depending on how much you want to learn vs. things just working: Most learning - a Linux machine with a bunch of Ethernet ports (you can get 4x/8x Ethernet PCIe cards dirt cheap now); do everything for your switch in Linux. The most reliable and hands-off “it just works” - a UniFi managed switch.
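    The “do everything for your switch in Linux” route above, combined with the port isolation not_fond_of_reddit mentions earlier in the thread, as an added example that is not part of either comment: a VLAN-filtering Linux bridge acting as a small managed switch, with the camera ports isolated from each other, plus the 802.1Q sub-interface a Linux router would create on its end of the trunk. Interface names (eth0..eth5, br0), the VLAN IDs and the port-to-VLAN map are assumptions made for illustration. By default it only prints the iproute2 commands; set DRY_RUN=0 to apply them as root.

```shell
#!/bin/sh
# Added example, not from the thread: a Linux box with several NICs used as a
# VLAN-aware switch, with port isolation for the camera ports.
# Interface names, VLAN IDs and the port-to-VLAN map are assumptions.
#
# DRY_RUN=1 (default) prints the iproute2 commands instead of running them;
# DRY_RUN=0 applies them (root; bridge VLAN filtering; port isolation needs
# kernel 4.18+).
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# build_switch BRIDGE TRUNK PORT:VID:ISOLATED...
#   BRIDGE  name of the VLAN-filtering bridge to create
#   TRUNK   port carrying every VLAN tagged (towards the router and the AP)
#   PORT:VID:ISOLATED  access port, its untagged VLAN, 1 = isolated port
# Isolated ports may only forward to non-isolated ports (here: the trunk),
# so two cameras on isolated ports never see each other's frames directly.
build_switch() {
  br="$1"; trunk="$2"; shift 2

  run ip link add name "$br" type bridge vlan_filtering 1
  run ip link set dev "$br" up

  # Trunk: member of every VLAN we carry, always tagged. Drop the default
  # untagged VLAN 1 so nothing leaves the trunk untagged.
  run ip link set dev "$trunk" master "$br"
  run bridge vlan del dev "$trunk" vid 1
  run ip link set dev "$trunk" up

  vids=""
  for spec in "$@"; do
    port="${spec%%:*}"; rest="${spec#*:}"
    vid="${rest%%:*}"; isolated="${rest#*:}"

    run ip link set dev "$port" master "$br"
    run bridge vlan del dev "$port" vid 1
    # Access port: frames arrive untagged, are tagged with $vid inside the
    # bridge, and leave untagged again on the way out.
    run bridge vlan add dev "$port" vid "$vid" pvid untagged
    if [ "$isolated" = "1" ]; then
      run bridge link set dev "$port" isolated on
    fi
    run ip link set dev "$port" up

    # remember each VLAN ID once for the trunk
    case " $vids " in
      *" $vid "*) ;;
      *) vids="$vids $vid" ;;
    esac
  done

  # Tag each carried VLAN on the trunk exactly once.
  for vid in $vids; do
    run bridge vlan add dev "$trunk" vid "$vid"
  done
}

# tag_subif IFACE VID CIDR: what a separate Linux router does on its end of
# the trunk, one 802.1Q sub-interface per VLAN (CIDR is assumed).
tag_subif() {
  run ip link add link "$1" name "$1.$2" type vlan id "$2"
  run ip addr add "$3" dev "$1.$2"
  run ip link set dev "$1.$2" up
}

# Assumed topology: eth0 trunk to router/AP; eth1 wired user; eth2 NAS;
# eth3/eth4 cameras (isolated from each other); eth5 IPTV box.
build_switch br0 eth0 eth1:10:0 eth2:20:0 eth3:30:1 eth4:30:1 eth5:40:0

# Router side of the same trunk (assumed address for the camera VLAN):
tag_subif eth0 30 192.168.30.1/24
```

    Run it once with the default DRY_RUN=1 and read the commands before applying anything; `bridge vlan show` afterwards should list each access port with a single untagged PVID and the trunk with every VLAN tagged. Note that this isolation is only at layer 2: whether a camera VLAN can reach the NAS VLAN is decided by the router at the other end of the trunk, not by the bridge.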

  • August27th@lemmy.ca · 2 points · edited · 7 months ago

    Not stupid questions at all.

    can I do this all with a single switch?

    You could technically do all of this on a cheap WiFi router running dd-wrt firmware. VLANs on ports, multiple WiFi SSIDs, the whole thing. I have. But it is all hacky finicky configuration that is annoying to do, and I will never do it that way again. There is something to be said for owning and using products that “just work”, especially if you have a family that relies on your network and network services being stable.

    To answer your question directly, you can do everything VLAN related except the WiFi portion on one wired switch, but you are going to need a router to do anything meaningful with those VLANs.

    Do I need a separate access points for each VLAN or can I have multiple vLANs on a single AP?

    One AP can serve multiple SSIDs, and can map them each to a particular VLAN. The ability to do this depends on the Access Point.

    How many ports should I be looking at on my switch? Would four be enough for my set-up?

    Definitely definitely definitely get more than you think you need. You are already doing cool stuff, and will likely add more of it over time as you gather more ideas and experiments. I wouldn’t do less than 10 ports in your case. Nothing is more annoying than running out of ports capable of VLANing and having to upgrade the gear and redo the configuration on a new device. Your time has value, and IMO it is more expensive than just spending a few more bucks on the right gear that is nice to configure and just works.

    Also managed is best right?

    Absolutely yes. The term managed is going to have different meanings depending on the age of the gear and the “level” of the gear though. An old Cisco switch would be the traditional definition of managed. New ubiquiti gear with its software defined networking would be managed also. Hacking around with the config on a dd-wrt router would be considered “managed” too, in my book. You can’t really achieve VLANs without some way to configure them, and management is that configuration method, when you boil it down.

    There is more stuff you need to think about, like how to route between your VLANs, and the filtering you will want to apply to that routing for security reasons. You are going to need a router, and picking one that is right for you is probably going to be the trickiest thing, because you seem like the type that isn’t going to be afraid to do more complex things over time, while also keeping budget in mind.

    I’ll cut to the chase. I have the network you are trying to do, and I’ll tell you the gear I’ve settled on, for your reference. I recommend it, but of course I am biased, so really just use this as a reference and make your own decision. I’ve had all kinds of gear over 2 decades, and built and worked on enterprise networks of all kinds, and this is what I’ve settled on for me as good enough for the kind of stuff you and I are into.

    I have a 10-port Ubiquiti gigabit managed switch with a handful of PoE ports. It’s got PoE to power a (now lightly outdated) Ubiquiti WAP. The WAP and switch are configured by a piece of software from Ubiquiti I run on a computer (it can run on a Pi, do monitoring and all kinds of cool stuff, but I don’t bother because I just use it occasionally to change config here and there). The software lets me config VLANs on the switch and WAP, which also lets me plop WiFi SSIDs on those VLANs. I have multiple separate WiFi SSIDs served from the single WAP; one for guests, another one for home automation and WiFi cameras, another for everything else.

    My router is a pfSense that I built from gear from PC Engines, because the official pfSense gear is 3 times the price, and the affordable hardware of theirs is not the most reliable. I chose pfSense because it is a good balance between cheap, and does almost any networking thing possible while being easy enough to achieve it. Updates are also free, which is a big deal. You could pay through the nose to get the simplicity of a Ubiquiti router, and it still not be able to do everything you want to do that you could with a pfSense. That said, the Ubiquiti does a lot with ease, you just pay a premium for that convenience. If you like to learn and tinker, I recommend pfSense, because it’s easy enough to mostly point and click, but it doesn’t stop you from making something really intricate just the way you want, if you like. It’s a BSD box under the hood, after all.

    Anyway, long story short, my router lets me reach my WiFi cameras and home automation gear that are on their own isolation VLANs from my main VLAN, but those cameras and stuff can’t reach back into my main VLAN nor reach the Internet because of the filtering rules I’ve defined on the router.

    You will probably have more questions now. Never fear though, this stuff is doable.

    • sabreW4K3@lazysoci.al (OP) · 2 points · 7 months ago

      I don’t know if it was because it’s 420, but your reply was like the clouds opening and an angel stepping out. Thank you so so so so much. I spent the hour after you posted this looking at Ubiquiti switches and access points and decided on the 8 Lite and 6+, but then I watched the reviews and realised that they’re cloud managed and that kinda bothers me, I want to be able to control my devices no matter what and the auto updating of firmware is also concerning. But the thing is, all the locally managed switches I’ve seen pale in comparison in regards to UI when compared to UniFi, so I think I’m going to have to spend a bit of time learning about the pros and cons of cloud managed versus locally managed and if there’s anything that compares.

      • August27th@lemmy.ca · 2 points · edited · 7 months ago

        I’m the same way, I don’t do any of the cloud stuff. I run the MGMT software in a Docker container, and when it asks to hook up the cloud, I just skip it. It means I have to back up the config by hand, but I’m ok with that. I also turn the auto update off in the config. I am pretty sure the updating needs the MGMT software to be running all the time anyway, but I don’t keep that going, I just shut it down when I’m done configuring things. I don’t use any of their routers, maybe those need cloud stuff?

        You know what? Just try downloading their management software right now, it’s free, and see if you can get into the config portion without signing up for their cloud stuff. I’d try it with the latest version of their software myself (I haven’t updated in a while), but I’m not near my gear right now.

        • sabreW4K3@lazysoci.al (OP) · 2 points · 7 months ago

          Thank you again. This has been a super fruitful conversation. I guess I’ve found my switch and AP.

          • August27th@lemmy.ca · 2 points · 7 months ago

            No problem! Have fun with your VLANs and WAP. It’s the most stable Wi-Fi I’ve ever owned. I used to have to reboot my ISP Wi-Fi router once a month or so because it would just stop serving Wi-Fi for no reason. I’ve never had to reboot my Ubiquiti gear ever for that reason, and it’s been years.

            Let us know what you pick for a router when you get there.

            • sabreW4K3@lazysoci.al (OP) · 2 points · 7 months ago

              Don’t get me started on the router. I really want an ARM router and was dead set on a NanoPi but got swayed by the Banana Pi BPi-R4, but I’ve been reading the support thread on the OpenWRT forums and things aren’t where they need to be yet. Luckily I can sort out everything else first and leave the router for last, if the worse comes to the worst, I’ll just get an n100 machine.

              • August27th@lemmy.ca · 2 points · 7 months ago

                Nice. I dunno if I’d do ARM again for me personally, I always found the throughput lacking, but I suppose there’s newer faster stuff now, and it’s hard to complain about the low power consumption.

                If you have any old x86 gear laying around, or even the means to make a VM, consider installing and playing around with pfSense or OPNsense. I suppose your goal may be to get into the OpenWrt ecosystem and tinker in there, which I totally get.

                For me, I’ve taken to shying away from an “everything device” that can be a router and NAS and server and whatever else device (not to say that’s your intent with OpenWrt), and instead choosing something that is focused on the networking. Do one job and do it well, kinda thing. For instance my spouse would be mad if a video call with friends was jittery because the router was busy transcoding video from its media server to play a show on the TV. Also if the device gives up the ghost years down the line, you don’t have to find some unicorn hardware in a hurry that can do 5 different things; you can just get a router and drop it in. Food for thought.