New to VLANs - could not figure it out...
Hi,
Under COVID-19 conditions, where every family member is at home (work & education), I wanted to redesign my home-office network. I've got two Zyxel GS1200-8 switches and have the following design in mind:
* VLAN 1 - outside towards Internet / will not be used unless emergency
* A dual-NIC SBC-based router/firewall connecting VLAN 1 to the Internal-user-network (public WiFi et al.)
* VLAN 64 - Internal-user-network ("semi-militarized-zone")
* An Ubuntu 20.04 box (office file etc. server) with 3 NICs (w. router, firewall). One connected to VLAN 64, the other two forming a "bond" and 4 VLANs / subnets on that bond (VLAN 128 / admin, VLAN 160 / admin devices, VLAN 192 / users, VLAN 224 / user accessible devices). These VLANs are prioritized/routed, where VLAN 128 should access all others, 160 can access 192 and 224 etc.
* One of the GS1200-8 switches is server-side, the other on the other office room side. They are connected with LAG2. The server-side switch is connected to the server with LAG1.
* I have a controller PC (Win 10) in the server room with 3 NICs: I want one to connect to VLAN 128, the second directly to VLAN 1 (in case the server is down/being updated etc.). The third NIC is floating for test/support purposes.
Something like this:

As the title says, I'm new to VLANs (I only saw them in my ADSL modem-routers). Although I read a lot on VLANs, I failed to configure the switches on multiple trials, where I lost my connection to the server/switch and sometimes I needed to reset the switch(es). Mixed terminology does not help either. I know this setup is overkill for a home office but this is how I learn (i.e. as a 57-year-old computer engineer)...
To my understanding I need this:
a) I need to create VLANs 1, 64, 128, 160, 192, 224 in both switches
b) LAG2 (ports 7&8 - "trunk" connecting the two switches) must be tagged (Tag egress member) in all VLANs on both sides.
c) LAG1 on server-side switch (connected to bonded NICs on Ubuntu box) must be Tagged on 1, 128, 160, 192, 224, but be Non-Member (disabled?) on 64.
d) Controller PC's one NIC (VLAN 128) is connected to port 1 of the server side switch, thus I need to set PVID of port 1 to 128. I need to make port 1 Untag for VLAN 128, for all other VLANs it must be set as Non-Member.
e) That NIC has capability of setting VLAN, but I do not touch it (as I can handle it [:)] on the switch).
f) PVID tags of all "public" wireless should be set to 64.
Are these assumptions correct?
In which net segment should I put Zyxel switches?
Any help and comment is much appreciated.
Bülent
Welcome to Zyxel community
Based on your description and topology, it seems like your assumptions are correct.
Therefore, may I know do you still encounter the problem after configuring switch based on your assumption?
Thanks
Best regards,
Zyxel_Derrick
One side note: I was assuming the switches would be aware of the VLAN/segment they are in. The managed switches were on the .128.* segment and whenever I configured VLAN 128 as described I lost connection. I had to take them out... I assumed they would be secure on VLAN 128 in my design, and I confirmed I was right, even though I couldn't reach them.
Best regards
With regards to your switch configurations...
To interconnect routers and VLAN-aware switches together,
you'll need to decide which VLANs are being carried between them.
You'll usually have a default VLAN, typically VLAN1,
plus any other VLANs that you define.
On managed switches, each port will need to be set up to some extent,
to define how you want the port used, and for what VLANs.
In your case, your SBC Gateway will be
the router for your admin and office sub-nets.
When you have a true VLAN-aware router, you will typically
define each port, based on the function they are performing.
One (or more) of your ports will be defined as a WAN port,
and the others are typically treated as LAN ports.
Let's say you pick LAN4 to be your LAN port.
If you assign 192.168.128.1/24 as an IP address for that port,
it will most likely be set up as VLAN1, PVID1 by default.
Anything you plug into that port that has an IP address
within the 192.168.128.x subnet, whether it is VLAN-aware, or not,
will be able to communicate with your router.
Now, create a VLAN/virtual interface on your router.
Give it an IP address of 192.168.192.1/24, and call it VLAN192.
Then, assign it to LAN4.
Your router should now serve-up VLAN1 for untagged traffic on LAN4,
and will allow TAGGED VLAN192 traffic on the same port as well.
You'll need to configure your SBC Gateway to provide firewalled
internet access to each of those sub-nets, as well as defining
the DHCP servers, and DNS servers for both.
If you want certain traffic to move between those two subnets,
you'll have to put in static routes, and allow your router to
pass the data between the two VLANs.
------------------------------------
If you try to connect an unmanaged switch to LAN4, then anything
connected to that switch is only going to be able to reach VLAN1.
Unmanaged switches aren't VLAN-aware, so it won't pass VLAN tags,
and your router won't accept untagged traffic to VLAN192.
So, you'll be connecting one of your GS1200 switches to LAN4.
But first, you'll need to set up the GS1200 switches.
Grab one of them, and set the IP address to something either
on the high end, or low end of your IP address range.
You'll want to keep them out of the range of your
DHCP server's address pool.
Let's say you configure your first switch with 192.168.128.250/24,
and your second switch with 192.168.128.251/24.
If the rest of your switch is at its default settings, then all of your ports
will most likely be on VLAN1, with PVID1, so anything that you plug into them
tagged or otherwise, can communicate with your 192.168.128.0 sub-net.
Port 1 SBC Gateway
Port 2 Admin switch
Port 3 Office access point
Port 4 Empty
Port 5 LAG to server
Port 6 LAG to server
Port 7 LAG to office GS1200
Port 8 LAG to office GS1200
Most of those ports, with the exception of Port 2
change your view to display VLAN192.
Your admin switch is unmanaged, so it can only carry one VLAN.
Even if you installed a managed switch for your admin switch,
your admin sub-net still couldn't communicate directly with VLAN192,
without using a router, or a Layer 3 switch.
In your case, the bridge between your admin sub-net,
and your office sub-net will be your SBC Gateway router.
With that said, set your Port-to-VLAN settings for VLAN192
to TAGGED access on ports 1 and 3, and change port 2 to FORBIDDEN.
I don't recall off the top of my head what needs to be done
with the LAGs. Either you'll set ports 5-8 to VLAN192 TAGGED,
or you'll set LAG1/LAG2 to VLAN192 TAGGED. Or perhaps you'll need
to set both the ports and LAGS. You can try poking around with it,
to see what works, or just consult the user guide.
That should be the basics for your backbone switch.
On your second (office) GS1200 switch, you'll want to choose
two ports for your LAG to connect with your backbone switch,
and configure them identically.
If you decide that you want your office access point
hanging off of your office GS1200, then select a port
for the access point, and set it to VLAN192 TAGGED as well.
As for the other ports on your office GS1200 switch,
I am assuming that none of them will need (direct) access
to your admin network, so you should change the rest of
your ports, accordingly.
First, go into Port-to-VLAN, and for your remaining open ports,
change the entries under VLAN1 to FORBIDDEN
Then, select VLAN192, and change your ports to UNTAGGED.
When you are done, your open ports will have been set to VLAN192 PVID 192.
Anything you plug into those ports, will be assumed to be part of the
VLAN192 sub-net, and will be moved as tagged traffic across the LAG
to your switch, and to your SBC Gateway. They will not be able to
communicate (directly) with VLAN1, so if those ports need access
to your admin sub-net, you would have to create a firewall rule
on the SBC Gateway to allow it.
And, finally, assuming that you create your firewall and NAT rules
similarly for both your admin, and office sub-nets, then I would imagine
that BOTH of those subnets SHOULD be able to see devices on your HOME network,
but not the other way around.
I hope this helps.
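The Port-to-VLAN settings discussed in the reply above (Tagged, Untagged, Forbidden/Non-Member, plus the PVID) can be checked on paper before they are committed to a switch, which is exactly where the first post lost connectivity. The following is an added example, not code from this thread or from Zyxel: it models how a frame entering one port is classified and how (or whether) it leaves another, replays the first post's assumptions (a)-(f) for the server-side switch, and adds a lint step for the two usual lockout causes. Two behaviours are assumptions because they vary by vendor: ingress filtering is on (a frame whose VLAN the receiving port is not a member of is dropped), and the switch's own web UI listens in one management VLAN, VLAN 1 unless changed.

```python
"""802.1Q port-to-VLAN table checker.

Added example for this thread; it is not code from the original posts or from
Zyxel.  It models the three per-port states a managed switch's Port-to-VLAN
page offers (Tagged member, Untagged member, Non-Member/Forbidden) plus the
PVID, and replays the first post's plan: admin PC on port 1 (VLAN 128),
access point on port 3 (VLAN 64), LAG1 to the server on ports 5-6, LAG2 to the
second switch on ports 7-8.  Two behaviours are assumptions because they vary
by vendor: (1) ingress filtering is on, so a frame whose VLAN is not a member
of the receiving port is dropped; (2) the switch's own web UI listens in a
single management VLAN, VLAN 1 unless changed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TAGGED, UNTAGGED = "T", "U"     # a VLAN absent from a port's dict is Non-Member
DROP: Tuple[str, Optional[int]] = ("drop", None)


@dataclass
class Port:
    pvid: int
    members: Dict[int, str]     # vid -> TAGGED | UNTAGGED

    def classify(self, tag: Optional[int]) -> Optional[int]:
        """VLAN an arriving frame is assigned to, or None if dropped at ingress."""
        vid = self.pvid if tag is None else tag
        return vid if vid in self.members else None     # assumption (1)

    def egress(self, vid: int) -> Tuple[str, Optional[int]]:
        """How a frame in `vid` leaves this port: ('forward', tag-or-None) or DROP."""
        state = self.members.get(vid)
        if state is None:
            return DROP
        return ("forward", vid if state == TAGGED else None)


@dataclass
class Switch:
    ports: Dict[int, Port]
    mgmt_vlan: int = 1          # assumption (2)

    def forward(self, in_port: int, tag: Optional[int], out_port: int) -> Tuple[str, Optional[int]]:
        """Frame with 802.1Q `tag` (None = untagged) enters in_port; what leaves out_port?"""
        vid = self.ports[in_port].classify(tag)
        return DROP if vid is None else self.ports[out_port].egress(vid)

    def mgmt_reachable_from(self, port: int, tag: Optional[int] = None) -> bool:
        """Would frames from a host on `port` land in the VLAN the web UI listens on?"""
        return self.ports[port].classify(tag) == self.mgmt_vlan

    def lint(self, admin_ports: List[int]) -> List[str]:
        """Pre-flight checks for the two usual ways of locking yourself out."""
        problems = []
        for n, p in self.ports.items():
            if p.pvid not in p.members:
                problems.append(f"port {n}: PVID {p.pvid} is not a member VLAN, untagged frames are dropped")
        for n in admin_ports:
            if not self.mgmt_reachable_from(n):
                problems.append(f"port {n}: untagged frames land in VLAN {self.ports[n].pvid} "
                                f"but the web UI is in VLAN {self.mgmt_vlan} (lockout)")
        return problems


ALL_VLANS = (1, 64, 128, 160, 192, 224)


def server_side_switch() -> Switch:
    """Assumptions (a)-(f) from the first post, as a port table."""
    trunk_all = {v: TAGGED for v in ALL_VLANS}               # (b) LAG2, ports 7-8
    lag1 = {v: TAGGED for v in ALL_VLANS if v != 64}         # (c) LAG1, Non-Member on 64
    return Switch(ports={
        1: Port(pvid=128, members={128: UNTAGGED}),          # (d) admin PC
        3: Port(pvid=64, members={64: UNTAGGED}),            # (f) "public" access point
        5: Port(pvid=1, members=lag1), 6: Port(pvid=1, members=lag1),
        7: Port(pvid=1, members=trunk_all), 8: Port(pvid=1, members=trunk_all),
    })


if __name__ == "__main__":
    sw = server_side_switch()
    print("admin PC -> server LAG      :", sw.forward(1, None, 5))    # ('forward', 128)
    print("admin PC -> access point    :", sw.forward(1, None, 3))    # ('drop', None)
    print("VLAN 64 off trunk -> LAG1   :", sw.forward(7, 64, 5))      # ('drop', None)
    print("port-1 host spoofing tag 192:", sw.forward(1, 192, 5))     # ('drop', None)
    print("web UI reachable from port 1:", sw.mgmt_reachable_from(1))  # False
    print("lint:", sw.lint(admin_ports=[1]))
    sw.mgmt_vlan = 128                                                 # move the management VLAN
    print("...after moving mgmt to 128 :", sw.mgmt_reachable_from(1))  # True
```

The four forwarding calls confirm the plan does what the first post wants: the admin PC's untagged frames leave the server LAG tagged 128, never reach the VLAN 64 access point, VLAN 64 is kept off LAG1, and a host on port 1 that tries to send its own 802.1Q tag for VLAN 192 is dropped at ingress rather than hopping VLANs. The last three lines show the lockout mechanism the lint catches: with port 1 set to PVID 128 but the switch still managed in VLAN 1, the admin PC can no longer reach the web UI until the management VLAN is moved too (or the port's PVID is changed only after that move).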
It seems I need to redesign it completely, your comments and diagram helps a lot... But, before I move, I want to make some comments and need some clarifications, if you have time and don't mind:
Comments:
* In my previous setup I had that 4 level segments (office side) and related routing. I upgraded to Ubuntu 20.04 lately and with these new managed switches I wanted to introduce trunking and VLANs. On that server I have 80+ TB storage and to be fair, I don't want to build another server/NAS etc. for home use.
* Whatever served from the server to home network will be served through web services (like media server, CUPS, personal cloud etc running on it). I thought the third port on the server as a service port for home-network.
* I have some 50+ devices on this network and I'm adding a couple more every month (mainly more SBCs and IoT). So it is becoming troublesome to manage it on the main router. I thought dividing them into subnets would help.
* I have two kids on home network who will start to get remote/video education, this may be a hit on the SBC as you suggested, I need to test it, but multiple Youtube videos and a single Zoom meeting does not cause problems on SBC as far as I see (used only htop for now). I see your diagram solves that problem completely
* I want to use that SBC because I want to run PiHole (DNS+DHCP) on it to prevent ads. That was the reason I wanted to put home-network behind it, but I can already serve DNS from the home-network side port. Thus, I also thought the server as another "gateway" to separate home and office network (the server already does run DNS/DHCP as it is also a web server). But latency hits...
* About your comment on latency: Yes, I saw it last night, ping times got added when I go deeper, I need to flatten it as you suggested. But this is a two story building with network reaching 6 different rooms/places. Family does not stay on the first floor of course, they want wifi everywhere
Questions:
* In every advice I read they were saying to avoid VLAN 1, so I wanted to put the "home network" to another VLAN (and behind gateway) for added security / segmentation. Similarly if I need to put the backbone/admin devices to VLAN 1, will they be secure?
* I wanted separate collision domains. E.g. I wanted to put the security devices (cameras etc.), IoT devices and 3D printer into a separate segment/VLAN to limit congestion. I don't want them to be exposed to everyday users. Is this not the right way?
* In my previous setup I had trouble to manage broadcast traffic and opened/routed a lot to let the NFS, WSD, media server DLNA etc to reach their destinations. This time I want to limit them - it is a compromise, I know... What do you suggest for this setup?
* Would it be wise to upgrade my router (which is 10 years old) to overcome the possible problems you mentioned? What do you suggest as router capabilities (it is connected to a DOCSIS 3 cable modem)?
* With this network, would you suggest more managed switches to be bought?
I know this became more than a vlan related support.
Thank you in advance, I really appreciate it.
Bülent
One quick Q... If I want to extend my (say) office network with an unmanaged switch:
- I plug the unmanaged switch to port 1 of managed switch
- Set PVID of the managed switch port 1 to VLAN 192
Will all computers connected to the unmanaged switch behave like they are in VLAN 192?
Just so that you're aware, I'm not a networking expert.
Most of what I've learned has been through trial-and-error,
online reading, and by observing the various network installations
that I've come in contact with over the years.
Advanced routing techniques, and things like data encapsulation,
packet sizes, and multicasting are a bit over my head.
Basic VLANs and subnets, I'm generally OK with.
-------------------------------------------------
Avoidance of VLAN1
This was news to me, however it looks like there is a lot of
conversation online about the subject. The gist of the comments
seem to revolve around some type of VLAN exploit that hackers can use
to redirect traffic to other VLANs.
However, many people have made a few comments about this exploit.
Some have stated that they would have to be physically plugged into
Others have pointed out that the exploit involves untagged traffic.
Since you'll always have a portion of your network handling
untagged traffic, then using a different VLAN is only going to
shift the problem to the new VLAN.
I guess the reason that Cisco made the original comment on it
was that because the exploit exists, and nearly every device
on the market comes with VLAN1 set up by default.
One creative fellow left VLAN1 in place, and set up a
DHCP server on VLAN1, which essentially assigned a non-relevant
IP address, and bogus gateway information. That created a
"black hole" for anyone that managed to plug into a port
that was set for VLAN1.
Then, he moved all of his other stuff over to different VLAN(s).
In any event, I don't really see the VLAN1 issue as a
significant security risk in a home environment, since again,
someone has to be physically plugged into your network switch
to make the exploit work.
However, if you are still concerned, then I see nothing wrong
with shifting your VLANS away from VLAN1. Just be certain to
update your "management VLAN" settings on all of your equipment.
-------------------------------------------------
Separation of IoT devices
Keeping those on a separate network is an excellent idea,
as from what I've read, they come with their own security risks.
I wouldn't expect to see much bandwidth in those devices, and the
combination of the separate VLAN and firewalling rules should be
adequate from a security standpoint.
-------------------------------------------------
Security cameras
Best practice with IP cameras, especially those that are
continuously recording, is to run the cables from the cameras
back to a separate, central switch, to keep the traffic
away from your office network. Sometimes that isn't practical
and a single ethernet cable back to your in-house network
allows you to manage the DVR.
Hint: Unless you need direct web access to individual cameras,
set the default gateway of your IP cameras so that they
point to your DVR's IP address, instead of your router.
That way, the camera traffic will be directed at the DVR,
and shouldn't ever touch your router.
You'll still be able to view individual cameras
via your DVR web interface or app.
-------------------------------------------------
Separation of printers and scanners
Probably not necessary. If they are primarily being used in your office,
If you put your printers on a separate VLAN, then your printer traffic
will traverse every network switch in between the PC and your router,
hit the router, and then get sent back through your network,
(again, traversing one or more switches), before reaching your printer.
This will double the amount of data flow for your print job.
-------------------------------------------------
Broadcast traffic
Not my area of expertise.
At the office a few years ago, I noticed an uptick in
broadcast traffic on the network, and determined it was
multicast traffic from a newly-installed video conferencing system.
There didn't seem to be a way to turn that off in the web interface,
so I just blocked multicast traffic on that port.
There are a lot of different network gadgets out there that
spam the network with various types of broadcast data.
To my annoyance, many of them have no way of turning them off,
even if the device isn't going to be using them.
For example, my *AHEM* Zyxel WiFi router, which is currently
set up in access-point mode, keeps sending out HomePlug advertisements.
I reached out to Zyxel, and was told that disabling OneConnect
should turn off those broadcasts, but it didn't.
I could probably filter them out before they reached my network
if I were using a more advanced switch, but that isn't the case.
So, every few seconds, there it is. Grrrr.
-------------------------------------------------
Your router(s)
10 years is getting up there.
The older it gets, the more likely it will be to fail
as its electronic components (such as capacitors) start to age.
If your kids are doing video sessions for school,
then a StreamBoost-capable router might not be a bad idea.
Most of them are consumer-grade routers, with 802.11ac WiFi.
They're available from Zyxel, Trendnet, DLink, and possibly others.
A Zyxel Armor Z2 might not be a bad choice for your (internet) gateway,
since it will support multiple simultaneous WiFi users.
Sadly, hardly any of the consumer-grade routers are advanced enough
to deal with multiple VLANs and routing options, so you'll end up
using a separate router for the rest of your network.
A question about your SBC Gateway device -
What kind of sustained throughput can it handle,
from a routing standpoint?
At home, I have a Ubiquiti EdgeRouter X.
It has a dual-core 880 MHz processor, but isn't
powerful enough to *route* at gigabit speeds.
So, if I had gigabit internet, it wouldn't be up to the task.
(Still, for a $65 router, it has a heck of a lot of advanced features,
including VLANs, L2TP/IPSec/OpenVPN options, QoS, etc.)
That is why I caution about using several VLANs
to segregate your PCs from your servers, scanners, and printers,
especially if you are expecting a lot of interaction with those devices.
However, if you are intent on multiple VLANs, and you're expecting
large amounts of sustained data between the VLANs, you'll want a router
with a lot of oomph, such as a Ubiquiti ER-4 or ER-12 router.
You could certainly try starting with the lower-cost EdgeRouter X,
and if it doesn't give you the performance that you're expecting,
upgrade to one of the more powerful models.
-------------------------------------------------
Do you need more managed switches?
That depends on your needs, where your devices are located,
and how many ports you need to plug everything in to.
You'll need a managed/VLAN-aware switch or router anywhere that
you need wired access to more than one VLAN.
You'll also need a managed/VLAN-aware switch or router
anywhere that you need to use a LAG.
But, you don't necessarily have to create a VLAN for every subnet.
The only time you'll need a VLAN, is when you intend to carry
multiple subnets to another device, across a single physical
Subnetting vs VLANs
You can do some interesting things with subnetting, by using the
Class A (10.x.x.x) or Class B (172.16.x.x) address range
instead of the Class C address range (192.168.x.x)
Consider this Class A example -
VLAN 192 10.10.192.0/23
The /23 will give you an address range of 10.10.192.0 thru 10.10.193.255
You could set up DHCP to provide the 10.10.192.x ip address to your PC's.
Then, you set up your printers, scanners, etc, at STATIC ip addresses of
10.10.193.x/23
Essentially -
Subnet for office PC's 10.10.192.0/23
Subnet for office Printers 10.10.193.0/23
By using the /23 mask, your printers and PC's can communicate
with each other directly, without having to hit your router first.
VLAN192 will carry the entire address range to your other managed switches.
If you want to create a firewall rule to allow internet access to the PC's,
but deny internet access to the printers and scanners, then you'd simply refer
to the PC-portion of the ip address range with the /24 address instead.
10.10.192.0/24 in this example.
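The /23 layout described above can be verified with Python's ipaddress module before any DHCP scope or firewall rule is typed in. The following is an added example, not code from this thread: it uses the reply's addresses (VLAN 192 as 10.10.192.0/23, PCs leased from 10.10.192.x, printers and scanners static in 10.10.193.x, the internet-allow rule written for 10.10.192.0/24 only) on a constructed host inventory, and goes one step beyond the text by showing the usual failure of this scheme, a PC that received a /24 mask and therefore can no longer reach the printer without a router hop.

```python
"""Checking the "/23 for the VLAN, /24 for the rule" layout with ipaddress.

Added example, not code from the original thread.  Addresses follow the reply:
VLAN 192 carries 10.10.192.0/23, DHCP hands PCs 10.10.192.x, printers and
scanners sit on static 10.10.193.x addresses, and the internet-allow firewall
rule is scoped to 10.10.192.0/24.  The host inventory is constructed.
"""
import ipaddress
from typing import Dict, Tuple

IPv4Iface = ipaddress.IPv4Interface
IPv4Net = ipaddress.IPv4Network

VLAN192: IPv4Net = ipaddress.ip_network("10.10.192.0/23")
INTERNET_RULE_SCOPE: IPv4Net = ipaddress.ip_network("10.10.192.0/24")   # the /24 from the reply

# Constructed inventory.  Every VLAN 192 host must carry the /23 mask (see on_link).
HOSTS: Dict[str, IPv4Iface] = {
    "pc-1":     ipaddress.ip_interface("10.10.192.37/23"),
    "pc-2":     ipaddress.ip_interface("10.10.192.220/23"),
    "printer":  ipaddress.ip_interface("10.10.193.10/23"),
    "scanner":  ipaddress.ip_interface("10.10.193.11/23"),
    "admin-pc": ipaddress.ip_interface("10.10.128.5/24"),   # VLAN 128, another broadcast domain
}


def split_pool(vlan: IPv4Net) -> Tuple[IPv4Net, IPv4Net]:
    """Halve the VLAN's /23 into the DHCP half (low /24) and the static half (high /24)."""
    low, high = vlan.subnets(prefixlen_diff=1)
    return low, high


def on_link(a: IPv4Iface, b: IPv4Iface) -> bool:
    """True when both hosts consider each other directly reachable (no router hop).

    Each side decides from its *own* mask, so the check must hold in both directions;
    a host with a too-narrow mask sends to its default gateway instead."""
    return b.ip in a.network and a.ip in b.network


def internet_allowed(host: IPv4Iface) -> bool:
    """Does the PC-only internet-allow rule match this host?"""
    return host.ip in INTERNET_RULE_SCOPE


def report() -> Dict[str, Tuple[bool, bool]]:
    """Per host: (directly on-link with the printer?, internet rule matches?)."""
    printer = HOSTS["printer"]
    return {name: (on_link(h, printer), internet_allowed(h)) for name, h in HOSTS.items()}


def wrong_mask_pc_reaches_printer() -> bool:
    """The classic mistake: DHCP hands out a /24 instead of the /23."""
    return on_link(ipaddress.ip_interface("10.10.192.50/24"), HOSTS["printer"])


if __name__ == "__main__":
    dhcp, static = split_pool(VLAN192)
    print(f"DHCP pool subnet : {dhcp}")      # 10.10.192.0/24
    print(f"static subnet    : {static}")    # 10.10.193.0/24
    for name, (direct, inet) in report().items():
        print(f"{name:9s} on-link with printer: {direct!s:5}  internet rule matches: {inet}")
    print("PC with /24 mask on-link with printer:", wrong_mask_pc_reaches_printer())  # False
```

The report shows the intended split: every /23 host on VLAN 192 talks to the printer without touching the router, while only the 10.10.192.x PCs fall inside the rule scope. The last line is the practical caveat: the DHCP server on the SBC must hand out the /23 mask, otherwise the printers end up behind the router again and the whole point of the supernet is lost.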
From what I learned I can deduce the following:
- The existing two managed switches are sufficient, as they can be extended by unmanaged switches.
- A new AC router will be nice, I'll check the options. On the other hand, we only have 100 Mbps cable here, nothing higher is possible nowadays.
- Some of the existing AP's currently installed are repurposed WiFi capable ADSL modem/routers. Two of them are Airties modems, also a Airties extender, and all have VLAN capability. Although they are lower end, they can handle a couple of users, and they also have "public" wifi channel. I can use them behind the first firewall (SBC gateway with pihole) and provide guest and home-network WiFi access. I also can program them to VLANx on wired ports, in case I need access from non-office areas (only 100 Mbps).
- One misconception I had: Having VLAN for every subnet. I don't need them (but see the Q below). Office network will be behind 2 firewalls (3 if you count the one on the router) and If I only TAG office computers it will be enough as you suggested.
- I'll keep IoT and security devices in their own subnets as in my original design, but move the printers etc. to the home-network area. There is only a single printer I'll keep where I have invoices in the tray; I'll connect it to an office machine, unshared. I'll need to route printer connections between office and home networks (I'll check CUPS first).
I'm not sure how much the SBC gateway can handle, but it is a 4-core 1.3 GHz H5 running Armbian (Ubuntu 20.04 based), and it did not have any hiccups until now. I need to solve the DNS resolution, DHCP and routing on it (last night I failed because of package incompatibilities). And I need to solve cooling, it becomes hot on load (during test).
FYI: I'm already using non-/24 subnetting for firewall/routing rules. I was not sure how I could combine them with VLANs...
I think I can implement this now so that I can test the performance, throughput and security.
One last question (if you know Ubuntu & netplan):
I use a bond on the server and split the throughput into VLANs/subnets. I don't know any other method of doing it, i.e. without a VLAN definition in netplan or any other network manager.
If there is none, how will this perform: I define VLANx on the server with subnet 192.168.x.0/24 but do not use any VLAN-capable devices on that subnet. Say these are IoT devices. Will that VLAN definition on the server hinder anything?
Thank you again and be safe...