New to VLAN's - could not figure it out...

bozden

Hi,

Under covid-19 conditions, where every family member is at home (work & education), I wanted to redesign my home-office network. I've got two Zyxel GS1200-8 switches and have the following design in mind:

* VLAN 1 - outside towards Internet / will not be used unless emergency
* A dual NIC SBC based router/firewall connecting VLAN 1 to Internal-user-network (public WiFi et.al.)
* VLAN 64 - Internal-user-network ("semi-militarized-zone")
* An Ubuntu 20.04 box (office file etc server) with 3 NIC's (w. router, firewall). One connected to VLAN 64, the other two forming a "bond" and 4 VLAN's / subnets on that bond (VLAN 128 / admin, VLAN 160 / admin devices, VLAN 192 / users, VLAN 224 / user accessible devices). These vlans are prioritized/routed, where VLAN 128 should access all others, 160 can access 192 and 224 etc.
* One of the GS1200-8 switches is server-side, the other on the other office room side. They are connected with LAG2. The server-side switch is connected to the server with LAG1.
* I have a controller PC (Win 10) in server room with 3 NIC's: I want one to connect to VLAN 128, second directly to VLAN 1 (in case the server is down/updated etc). Third NIC is floating for test/support purposes.

Something like this:



As the title says, I'm new to VLAN's (I only saw them in my ADSL modems-routers). Although I read a lot on VLAN's, I failed to configure the switches on multiple trials, where I lost my connection to the server/switch and sometimes I needed to reset the switch(s). Mixed terminology does not help either. I know this setup is an overkill for an home-office but this is how I learn (i.e. as a 57 years old computer engineer)...

To my understanding I need this:

a) I need to create VLAN's 1, 64, 128, 160, 192, 224 in both switches 
b) LAG2 (ports 7&8 - "trunk" connecting two switches) must be tagged (Tag egress member) in all VLANs on both side.
c) LAG1 on server-side switch (connected to bonded NICs on Ubuntu box) must be Tagged on 1, 128, 160, 192, 224, but be Non-Member (disabled?) on 64.
d) Controller PC's one NIC (VLAN 128) is connected to port 1 of the server side switch, thus I need to set PVID of port 1 to 128. I need to make port 1 Untag for VLAN 128, for all other VLANs it must be set as Non-Member.
e) That NIC has capability of setting VLAN, but I do not touch it (as I can handle it [:)] on the switch).
f) PVID tags of all "public" wireless should be set to 64.

Are these assumptions correct?
In which net segment should I put Zyxel switches?

Any help and comment is much appreciated.

Bülent

Zyxel_Derrick

Hi @bozden

Welcome to Zyxel community
Based on your description and topology, it seems like your assumptions are correct.
Therefore, may I know do you still encounter the problem after configuring switch based on your assumption?
Thanks

Best regards,
Zyxel_Derrick

TiggerLAS

As you mentioned in your post, the VLANs are overkill.

"The more they overthink the plumbing,

 the easier it is to stop-up the drain." - Montgomery Scott

VLANs are great for isolating networks,

or to carry multiple sub-nets over a single cable.

However, unless you're using Layer 3 devices,

you'll take a performance hit, when it comes to VLANs.

Since the GS1200's are Layer 2 devices, all of your

inter-vlan traffic will have to traverse your router.

In your diagram for example, anything on VLAN 194

will need to hit your router in order to reach VLAN224.

So, print jobs, scanning jobs, etc, will all pass through your router,

rather than being efficiently moved via the network switches

that they are attached to.

This can create a bottleneck at the router,

and slow your network performance down considerably,

depending on the level of traffic you are expecting.

In a home network, you may or may not notice it.

In a mid-sized business, most likely.

In a larger office, most definitely.

You can successfully configure your network by using only TWO VLANs.

The default VLAN1, for use with your Admin sub-net.

You'll be on the default VLAN, so will be able to manage

your gateway router, switches, etc., as well as having

general internet access, etc.

Then use VLAN128, for use with your home-office equipment,

and set up your firewall rules to permit/deny access to

the rest of your network.

Your internet router will isolate your entire home from prying eyes.

With your SBC Gateway in between your router, and the rest of

your Admin / Office network equipment, you Admin/Office network

will also be firewalled against your "guest network".

It is generally assumed that your office equipment is "trusted",

as are the PC's and scanners in the office. 

They're behind your firewall, right?

And, you probably don't have over 250 devices on your network,

so your office sub-net isn't hurting for address space.

With your office PCs, scanners and printers on the same sub-net,

they can communicate efficiently with one-another, without the need

for alot of attention from your SBC Gateway device.

I'm not sure what your "admin devices" are.

If they are printers, scanners, etc, they can coexist happily

on your Admin sub-net.

If they are IoT devices, then I recommend keeping them

on their own subnet, switch, etc., and firewalled from your

in-house network.

As far as your diagram, your SBC Gateway device is on the

wrong side of that unmanaged switch.  At least if it is your intent

to isolate your Admin/Office network from your "guest network".

Here's what I think it should look like -

TiggerLAS

As you mentioned, the VLANs are overkill.

"The more they overthink the plumbing,

the easier it is to stop-up the drain". - Montgomery Scott

Looking over your diagram (which is quite nice, actually),

It seems like your intent is to create something along these lines -

1.)  An isolated network for your every-day in-house items,

      such as cellphones, streaming media devices, laptops, etc.

      This network may need access to your server.

      In your diagram, it is referred to as the DMZ, but

      I'll refer to this as your "Home network"

2.)  An isolated network for your at-home office,

      to support a mix of PC's, printers, scanners, etc.

      This network will need access to your server.

      I'll refer to this as your "Office network"

3.)  An isolated Admin network that can communicate with your,

      home network, office network, your server, and all of your

      network switches, access points, and routers.

      I'll refer to this as your "Admin network".

I did see a few quirks with your network topology.

1.)  There are several switches between some of the LAN segments.

      For example, if one of your office PC's wants to browse the internet,

      it traverses through 4 separate switches, just to get to your gateway,

      which then appears to go through another router, and then off to the internet.

      That increases latency, makes troubleshooting more difficult,

      and in some cases, can introduce unexpected network behavior.

      While multiple switches are sometimes unavoidable,

      generally speaking, the fewer switches, the better.

2.)  In your diagram, the unmanaged switch in your DMZ (home network)

      and your SBC Gateway device are transposed.

      Unmanaged switches will not pass multiple VLANs.

      So, anything on VLAN128, 160, 192, and 224 probably

      won't be able to communicate consistently with the SBC Gateway.

3.)  Your diagram shows a total of 6 VLANs.

      If you were using switches with Layer 3 capabilities,

      this wouldn't be of any concern.

      However, the GS1200's are Layer 2 switches.

      That means, all of your inter-vlan traffic is going to need to

      traverse your SBC Gateway router, in order to get where it is going.

      Depending on how busy your network is, that can place a noticeable

      burden on your SBC Gateway router, since it will have to route all of

      that extra traffic, in addition to its regular duties.

      To be fair, in a home environment, you may or may not notice it.

      In a mid-sized office, you will probably notice it.

      In a large office, you would definitely notice it.

You should be able to achieve the same results with only TWO VLANs.

The default VLAN1 for your admin sub-net, and VLAN192 for your office sub-net.

1.)  Put all of your admin devices (PCs, routers, switches, etc.) onto VLAN1

      Your admin PC will be able to easily reach and manage all of your network gadgets.

      Most consumer-grade devices have VLAN1 enabled by default, and, in some cases,

      you can't entirely disable them, so, you may as well utilize it.

2.)  Put all of your office PCs, printers and scanners onto VLAN192.

      Devices within your office sub-net will communicate freely via the switch.

      (You can also assign your server LAG to VLAN192 as well.)

3.)  By adding routes and/or firewall rules to your SBC Gateway,

      you'll be able to reach you office sub-net from your admin sub-net.

4.)  Your home network doesn't need a VLAN assigned to it,

      since it is already firewalled from your office network by the SBC Gateway.

      Your home network won't be able to peer into the inner workings of your office network

      because of the firewall, BUT, your admin network should be able to reach out to gadgets

      on your home network, as your SBC Gateway should allow outbound traffic to reach

      your home network sub-net.

      If you need devices on your home network to be able to reach your office network,

      you can tailor firewall rules on your SBC Gateway to allow it.

See the attached block diagram of one possible way to configure your network.

Note that your office access point could easily be attached to either of the GS1200

switches, and, if close and convenient, would offer better performance if it were

connected to your "backbone GS1200" switch, versus your "office GS1200" switch.

You may have noticed greyed out link between your 3rd server port,

and your home network.

I am assuming that you want to give the home network access to your server.

If you fully trust the devices on your home network, then you should be able to

place the 3rd server port onto the 192.168.64.0/24 sub-net, and then plug it in

to your unmanaged network switch with the rest of your home network devices.

If you're not sure, or you want to restrict access to certain ports or services,

then don't use the 3rd port on the server, and instead, create port-forwarding rules

on your SBC Gateway, to allow your home network to reach the server via your LAG.

bozden

Zyxel_Derrick said:

Hi @bozden

Welcome to Zyxel community
Based on your description and topology, it seems like your assumptions are correct.
Therefore, may I know do you still encounter the problem after configuring switch based on your assumption?
Thanks

Best regards,
Zyxel_Derrick

Hi Derrick, thank you for your time and confirmation. I applied this setting last night and found the problem I was dealing was related to firewall / routing on the server (at least I think, too many tries).

One side note: I was assuming the switches would be aware of the VLAN/segment they are in. The managed switches were on .128.* segment and whenever I configured VL 128 as described I lost connection. I had to take them out... I assumed they would be secure on VL 128 in my design, I confirmed I was right, even I couldn't reach them

Best regards

TiggerLAS

With regards to your switch configurations...

To interconnect routers and VLAN-aware switches together,
you'll need to decide which VLANs are being carried between them.

You'll usually have a default VLAN, typically VLAN1,
plus any other VLANs that you define.

On managed switches, each port will need to be set up to some extent,
to define how you want the port used, and for what VLANs.

In your case, your SBC Gateway will be
the router for your admin and office sub-nets.

When you have a true VLAN-aware router, you will typically
define each port, based on the function they are performing.
One (or more) of your ports will be defined as a WAN port,
and the others are typically treated as LAN ports.

Let's say you pick LAN4 to be your LAN port.

If you assign 192.168.128.1/24 as an IP address for that port,
it will most likely be set up as VLAN1, PVID1 by default.

Anything you plug into that port that has an IP address
within the 192.168.128.x subnet, whether it is VLAN-aware, or not,
will be able to communicate with your router.

Now, create a VLAN/virtual interface on your router.
Give it an IP address of 192.168.192.1/24, and call it VLAN192.
Then, assign it to LAN4.

Your router should now serve-up VLAN1 for untagged traffic on LAN4,
and will allow TAGGED VLAN192 traffic on the same port as well.

You'll need to configure your SBC Gateway to provide firewalled
internet access to each of those sub-nets, as well as defining
the DHCP servers, and DNS servers for both.

If you want certain traffic to move between those two subnets,
you'll have to put in static routes, and allow your router to
pass the data between the two VLANs.

------------------------------------

If you try to connect an unmanaged switch to LAN4, then anything
connected to that switch is only going to be able to reach VLAN1.
Unmanaged switches aren't VLAN-aware, so it won't pass VLAN tags,
and your router won't accept untagged traffic to VLAN192.

So, you'll be connecting one of your GS1200 switches to LAN4.

But first, you'll need to set up the GS1200 switches.

Grab one of them, and set the IP address to something either
on the high end, or low end of your IP address range.
You'll want to keep them out of the range of your
DHCP server's address pool.

Let's say you configure your first switch with 192.168.128.250/24,
and your second switch with 192.168.128.251/24

If the rest of your switch is at its default settings, then all of your ports
will most likely be on VLAN1, with PVID1, so anything that you plug into them
tagged or otherwise, can communicate with your 192.168.128.0 sub-net.

Go into the VLAN settings of each switch, and create VLAN192.

Most switches won't ask for the sub-net, because it doesn't matter.

Now would be a good time to assign your ports,

and define your LAG ports as well.  For example -

Port 1     SBC Gateway
Port 2     Admin switch
Port 3     Office access point
Port 4     Empty
Port 5     LAG to server
Port 6     LAG to server
Port 7     LAG to office GS1200
Port 8     LAG to office GS1200

Most of those ports, with the exception of Port 2

are going to need access to VLAN192.

Go into your Port-to-VLAN settings, and
change your view to display VLAN192.

Your admin switch is unmanaged, so it can only carry one VLAN.
Even if you installed a managed switch for your admin switch,
your admin sub-net still couldn't communicate directly with VLAN192,
without using a router, or a Layer 3 switch.

In your case, the bridge between your admin sub-net,
and your office sub-net will be your SBC Gateway router.

With that said, set your Port-to-VLAN settings for VLAN192
to TAGGED access on ports 1 and 3, and change port 2 to FORBIDDEN.

I don't recall off the top of my head what needs to be done
with the LAGs.  Either you'll set ports 5-8 to VLAN192 TAGGED,
or you'll set LAG1/LAG2 to VLAN192 TAGGED.  Or perhaps you'll need
to set both the ports and LAGS.  You can try poking around with it,
to see what works, or just consult the user guide.

That should be the basics for your backbone switch.

On your second (office) GS1200 switch, you'll want to choose
two ports for your LAG to connect with your backbone switch,
and configure them identically.

If you decide that you want your office access point
hanging off of your office GS1200, then select a port
for the access point, and set it to VLAN192 TAGGED as well.

As for the other ports on your office GS1200 switch,
I am assuming that none of them will need (direct) access
to your admin network, so you should change the rest of
your ports, accordingly.

First, go into Port-to-VLAN, and for your remaining open ports,
change the entries under VLAN1 to FORBIDDEN

Then, select VLAN192, and change your ports to UNTAGGED.

When you are done, your open ports will have been set to VLAN192 PVID 192.
Anything you plug into those ports, will be assumed to be part of the
VLAN192 sub-net, and will be moved as tagged traffic across the LAG
to your switch, and to your SBC Gateway.  They will not be able to
communicate (directly) with VLAN1, so if those ports need access
to your admin sub-net, you would have to create a firewall rule
on the SBC Gateway to allow it.

And, finally, assuming that you create your firewall and NAT rules
similarly for both your admin, and office sub-nets, then I would imagine
that BOTH of those subnets SHOULD be able to see devices on your HOME network,
but not the other way around.

I hope this helps.

bozden

@TimThom , thank you ! Very good points and directions. I very much appreciate your time.

It seems I need to redesign it completely, your comments and diagram helps a lot... But, before I move, I want to make some comments and need some clarifications, if you have time and don't mind:

Comments:

* In my previous setup I had that 4 level segments (office side) and related routing. I upgraded to Ubuntu 20.04 lately and with these new managed switches I wanted to introduce trunking and VLANs. On that server I have 80+ TB storage and to be fair, I don't want to build another server/NAS etc. for home use.
* Whatever served from the server to home network will be served through web services (like media server, CUPS, personal cloud etc running on it). I thought the third port on the server as a service port for home-network.
* I have some 50+ devices on this network and I'm adding a couple more every month (mainly more SBCs and IoT). So it is becoming troublesome to manage it on the main router. I thought dividing them into subnets would help.
* I have two kids on home network who will start to get remote/video education, this may be a hit on the SBC as you suggested, I need to test it, but multiple Youtube videos and a single Zoom meeting does not cause problems on SBC as far as I see (used only htop for now). I see your diagram solves that problem completely
* I want to use that SBC because I want to run PiHole (DNS+DHCP) on it to prevent ads. That was the reason I wanted to put home-network behind it, but I can already serve DNS from the home-network side port. Thus, I also thought the server as another "gateway" to separate home and office network (the server already does run DNS/DHCP as it is also a web server). But latency hits...
* About your comment on latency: Yes, I saw it last night, ping times got added when I go deeper, I need to flatten it as you suggested. But this is a two story building with network reaching 6 different rooms/places. Family does not stay on the first floor of course, they want wifi everywhere Maybe bigger switches and more cabling can solve it

Questions:

* In every advice I read they were saying to avoid VLAN 1, so I wanted to put the "home network" to another VLAN (and behind gateway) for added security / segmentation. Similarly if I need to put the backbone/admin devices to VLAN 1, will they be secure?
* I wanted separate collision domains. E.g. I wanted to put the security devices (cameras etc), IoT devices, 3D printer into separate segment/VLAN to limit congestion. I don't want them to be exposed to everyday users. It this not the right way?
* In my previous setup I had trouble to manage broadcast traffic and opened/routed a lot to let the NFS, WSD, media server DLNA etc to reach their destinations. This time I want to limit them - it is a compromise, I know... What do you suggest for this setup?
* Would it be wise to upgrade my router (which is 10 years old) to overcome the possible problems you mentioned? What do you suggest as router capabilities (it is connected to a DOCSIS 3 cable modem)?
* With this network, would you suggest more managed switches to be bought?

I know this became more than a vlan related support.

Thank you in advance, I really appreciate it.
Bülent

bozden

Sorry saw your last post after my late-posting, now reading it...

One quick Q... If I want to extend my (say) office network with an unmanaged switch:

• I plug the unmanaged switch to port 1 of managed switch
• Set PVID of the managed switch port 1 to VLAN 192

Will all computers connected to the unmanaged switch behave like they are in VLAN 192?

TiggerLAS

Thanks for the added details, they definitely help clarify things.

Just so that you're aware, I'm not a networking expert.

Most of what I've learned has been through trial-and-error,
online reading, and by observing the various network installations
that I've come in contact with over the years.

Advanced routing techniques, and things like data encapsulation,
packet sizes, and multicasting are a bit over my head.

Basic VLANs and subnets, I'm generally OK with.

-------------------------------------------------

Regarding your last question -

Yes, if you connect all of your office equipment via an unmanaged switch,

and then plug the unmanaged switch into a port on your managed switch

that is set for VLAN192, PVID192, your office devices will behave

as though they are part of the subnet associated with VLAN192.

-------------------------------------------------

Avoidance of VLAN1
     This was news to me, however it looks like there is alot of
     conversation online about the subject.   The gist of the comments
     seem to revolve around some type of VLAN exploit that hackers can use
     to redirect traffic to other VLANs.

     However, many people have made a few comments about this exploit.

     Some have stated that they would have to be physically plugged into

     one of your network ports to implement the exploit, which limits your risk.

     to people who have direct physical access to your network.

     Others have pointed out that the exploit involves untagged traffic.
     Since you'll always have a portion of your network handling
     untagged traffic, then using a different VLAN is only going to
     shift the problem to the new VLAN.

     I guess the reason that Cisco made the original comment on it
     was that because the exploit exists, and nearly every device
     on the market comes with VLAN1 set up by default.

     One creative fellow left VLAN1 in place, and set up a
     DHCP server on VLAN1, which essentially assigned a non-relevant
     IP address, and bogus gateway information.  That created a
     "black hole" for anyone that managed to plug into a port
     that was set for VLAN1.

     Then, he moved all of his other stuff over to different VLAN(s).

     In any event, I don't really see the VLAN1 issue as a
     significant security risk in a home environment, since again,
     someone has to be physically plugged into your network switch
     to make the exploit work.

     However, if you are still concerned, then I see nothing wrong
     with shifting your VLANS away from VLAN1.  Just be certain to
     update your "management VLAN" settings on all of your equipment.

-------------------------------------------------
Separation of IoT devices
     Keeping those on a separate network is an excellent idea,
     as from what I've read, they come with their own security risks.
     I wouldn't expect to see much bandwidth in those devices, and the
     combination of the separate VLAN and firewalling rules should be
     adequate from a security standpoint.
-------------------------------------------------
Security cameras
     Best practice with IP cameras, especially those that are
     continuously recording, is to run the cables from the cameras
     back to a separate, central switch, to keep the traffic
     away from your office network.  Sometimes that isn't practical

     in which case you'll just have to deal with the added bandwidth

     on your other in-house network switches.

     Your DVR would also connect to the centralized switch,
     and a single ethernet cable back to your in-house network
     allows you to manage the DVR.

     Hint:  Unless you need direct web access to individual cameras,
              set the default gateway of your IP cameras so that they
              point to your DVR's IP address, instead of your router.
              That way, the camera traffic will be directed at the DVR,
              and shouldn't ever touch your router.
              You'll still be able to view individual cameras
               via your DVR web interface or app.
-------------------------------------------------
Separation of printers and scanners
     Probably not necessary.  If they are primarily being used in your office,

     then put them on the same subnet and VLAN as your office computers,

     and plug them into the same switch.

     By design, the network switch will move all of that network traffic

     internally, with only a minimal amount of interaction with your router.

     (The network switch won't even break a sweat.)

     If you put your printers on a separate VLAN, then your printer traffic
     will traverse every network switch inbetween the PC and your router,
     hit the router, and then get sent back through your network,
     (again, traversing one or more switches), before reaching your printer.
     This will double the amount of data flow for your print job.
-------------------------------------------------
Broadcast traffic
     Not my area of expertise.
     At the office a few years ago, I noticed an uptick in
     broadcast traffic on the network, and determined it was
     multicast traffic from a newly-installed video conferencing system.
     There didn't seem to be a way to turn that off in the web interface,
     so I just blocked multicast traffic on that port.

     There are alot of different network gadgets out there that
     spam the network with various types of broadcast data.
     To my annoyance, many of them have no way of turning them off,
     even if the device isn't going to be using them.

     For example, my *AHEM*  Zyzel WiFi router, which is currently
     set up in access-point mode, keeps sending out HomePlug advertisements.
     I reached out to Zyxel, and was told that disabling OneConnect
     should turn off those broadcasts, but it didn't.

     I could probably filter them out before they reached my network
     if I were using a more advanced switch, but that isn't the case.

     So, every few seconds, there it is.   Grrrr.
-------------------------------------------------
Your router(s)
     10 years is getting up there.
     The older it gets, the more likely it will be to fail
     as its electronic components (such as capacitors) start to age.

     If your kids are doing video sessions for school,
     then a StreamBoost-capable router might not be a bad idea.
     Most of them are consumer-grade routers, with 802.11ac WiFi.
     They're available from Zyxel, Trendnet, DLink, and possibly others.
     A Zyxel Armor Z2 might not be a bad choice for your (internet) gateway,
     since it will support multiple simultaneous WiFi users.

     Sadly, hardly any of the consumer-grade routers are advanced enough
     to deal with multiple VLANs and routing options, so you'll end up
     using a separate router for the rest of your network.

     A question about your SBC Gateway device -
     What kind of sustained throughput can it handle,
     from a routing standpoint?

     At home, I have a Ubiquiti EdgeRouter X.
     It has a dual-core 880mhz processor, but isn't
     powerful enough to *route* at gigabit speeds.
     So, if I had gigabit internet, it wouldn't be up to the task.
     (Still, for a $65 router, it has a heck of alot of advanced features,
     including VLANs, L2TP/IPSec/OpenVPN options, QoS, etc.)

     That is why I caution about using several VLANs
     to segregate your PCs from your servers, scanners, and printers,
     especially if you are expecting alot of interaction with those devices.

     However, if you are intent on multiple VLANs, and you're expecting
     large amounts of sustained data between the VLANs, you'll want a router
     with alot of oomph, such as a Ubiquiti ER-4 or ER-12 router.

     You could certainly try starting with the lower-cost EdgeRouter X,
     and if it doesn't give you the performance that you're expecting,
     upgrade to one of the more powerful models.
-------------------------------------------------
Do you need more managed switches?
     That depends on your needs, where your devices are located,
     and how many ports you need to plug everything in to.

     You'll need a managed/VLAN-aware switch or router anywhere that
     you need wired access to more than one VLAN.

     You'll also need a managed/VLAN-aware switch or router
     anywhere that you need to use a LAG.

     But, you don't necessarily have to create a VLAN for every subnet.

     The only time you'll need a VLAN, is when you intend to carry
     multiple subnets to another device, across a single physical

     or logical link.

     So, unless you're planning on using security cameras,

     or your IoT devices devices in your office area, then you

     probably don't need a managed switch to support your office,

     unless LAG access from your office to your server is critical.

-------------------------------------------------
Subnetting vs VLANs
     You can do some intersting things with subnetting, by using the
     Class A (10.x.x.x) or Class B (172.16.x.x) address range
     instead of the Class C address range (192.168.x.x)

     Consider this Class A example -

     VLAN 192  10.10.192.0/23

     The /23 will give you an address range of 10.10.192.0 thru 10.10.193.255

     You could set up DHCP to provide the 10.10.192.x ip address to your PC's.
     Then, you set up your printers, scanners, etc, at STATIC ip addresses of
     10.10.193.x/23

     Essentially -

     Subnet for office PC's      10.10.192.0/23
     Subnet for office Printers  10.10.193.0/23

     By using the /23 mask, your printers and PC's can communicate
     with each other directly, without having to hit your router first.

     VLAN192 will carry the entire address range to your other managed switches.

     If you want to create a firewall rule to allow internet access to the PC's,
     but deny internet access to the printers and scanners, then you'd simply refer
     to the PC-portion of the ip address range with the /24 address instead.
     10.10.192.0/24 in this example.

bozden

Thank you again for sharing your expertise...

From what I learned I can deduce the following:

• Existing two managed switches are sufficient, as they can be extended by unmanaged switches.
• A new AC router will be nice, I'll check the options. On the other hand, we only have 100 Mbps cable here, nothing higher is possible nowadays.
• Some of the existing AP's currently installed are repurposed WiFi capable ADSL modem/routers. Two of them are Airties modems, also a Airties extender, and all have VLAN capability. Although they are lower end, they can handle a couple of users, and they also have "public" wifi channel. I can use them behind the first firewall (SBC gateway with pihole) and provide guest and home-network WiFi access. I also can program them to VLANx on wired ports, in case I need access from non-office areas (only 100 Mbps).
• One misconception I had: Having VLAN for every subnet. I don't need them (but see the Q below). Office network will be behind 2 firewalls (3 if you count the one on the router) and If I only TAG office computers it will be enough as you suggested.
• I'll keep IoT's and security devices in their own subnets as in my original design. But move the printers etc to the home-network area. There is only a single printer I'll keep where I have invoices in tray and connect it to an office machine / unshared. I'll need to route printer connections between office and home networks (I'll check CUPS first).

I'm not sure how much the SBC gateway can handle, but it is a 4 core 1.3 GHz H5 running Armbian (Ubuntu 20.04 based), and it did not have any hick-ups until now. I need to solve the DNS resolution, DHCP and routing on it (last night I failed because of package incompatibilities). And I need to solve cooling, it becomes hot on load (during test).

FYI: I'm already using non /24 subnetting for firewall/routing rules. I was not sure how I can combine them with VLANs...

I think I can implement this now so that I can test the performance, throughput and security.

One last question (if you know Ubuntu & netplan):
I use bond on the server and split the throughput to vlans/subnets. I don't know any other method of doing it, i.e. without VLAN definition in netplan or any other nw manager.
If there is none, how will this perform: I define VLANx on the server with subnet 192.168.x.0/24 but do not use any VLAN capable devices on that subnet. Say these are IoT's. Will that VLAN definition on the server hinder anything?

Thank you again and be safe...

TiggerLAS

Sorry for the delay in responding.

Correct - VLANs shouldn't care about /subnet masks, and shouldn't pose a problem.

Yes, keeping high-traffic items on the same subnet/VLANs

as the devices that use them will cut down on the traffic that

has to traverse the router.   Sometimes, it's unavoidable,

but it's always best to minimize cross-vlan traffic.

So, if your office network is on a different VLAN

from your home network, and both need access

to your server, then one of the VLANs will need

to traverse your router.

Alternately, you could forgo the LAG to the server,

and instead assign one server port to your office VLAN,

and the other port to your home VLAN.

Sorry, I know nothing of Ubuntu or netplan.

As for VLANs on the server, and your IoT subnet -

As long as the port(s) on your managed switch(es)

that feed you IoT devices are set with the appropriate

PVID setting, it shouldn't matter to your IoT's.

The PVID setting is the key -- it will take the traffic

from non-vlan-aware devices, and apply the VLAN tag,

which will then traverse your managed switch(es)

as tagged traffic.

As an example, let's make the following assumptions -

Your server -

     Is on 192.168.224.0/24 as VLAN1

     Is also on 192.168.192.0/24 as VLAN2

     Is plugged into Port 1 on your managed switch

Your IoT devices -

     Are all on 192.168.192.0/24

     Are not generally VLAN-aware

     You have several IoT devices connected to an unmanaged switch

     The unmanaged switch is connected to port 2 on your managed switch

Your managed switch -

     Port 1 (server port) is set to VLAN1, PVID1

     Port 1 (server port) is also set to VLAN2/Tagged

     Port 2 (IoT port) is set to VLAN2, PVID2 only.

At this point, your IoT devices will be living happily together

on the unmanaged switch.

They will be oblivious to the fact that, when traffic hits

Port 2 on your managed switch, it will be tagged as VLAN2.

(Due to the VLAN2/PVID2 port setting.)

That traffic will then be carried as VLAN2/Tagged,

where it will be able to freely communicate with

VLAN2 on your server, and across any other links

that you have set to carry VLAN2.

Based on previous conversations, one possible

solution looks something like the diagram attached below. . .