VLAN configuration IoT (2 x XMG1915-10EP, 1 x ATP200)

lukipilot
lukipilot Posts: 4  Freshman Member
Zyxel Certified Network Engineer Level 1 - Security Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - WLAN
edited April 11 in Switch

Dear all,

First of all, I'm not an expert and am just trying to build a great home network. I progressed a bit by consulting many forums and tutorials. Now I have a question on VLANs.

Attached you see the core part of my network where I'm currently stuck. The layout with the two switches is mainly because those are in separate rooms, due to space restrictions.

Internet is FTTH from a Fritzbox provided by the ISP, which is connected to the ATP200 WAN. I configured 3 further VLANs as visible on the attached chart. VLAN1 is my main, private and management network. VLAN66 is for guest WiFi and internet only; VLAN33 is basically the same, but with access to two printer objects, as well as a scanner object.

I'm stuck building a relation between VLAN 1 and VLAN 44, which is the IoT network. Basically that works fine by itself; devices are connected to the internet. But I have three issues:

  1. Philips Hue Bridge (plan VLAN44; current VLAN1, so I can control my lamps)
    I should be able to control the lamps from the Hue App on my Smartphone which is connected to VLAN1. That does not work, the Hue Bridge can't be found if it is in VLAN44.
  2. Sonos devices (VLAN44)
    I should be able to control the speakers from the Sonos App on my Smartphone which is connected to VLAN1. The speakers should ideally be able to stream music from my NAS, which is in VLAN1 as well.
  3. Smart TV (VLAN44)
    I should be able to send a YouTube stream to my TV from my Smartphone which is connected to VLAN1. The TV is not locatable by YouTube.

What I did so far is assign the switches a leg in VLAN1 and in VLAN44. I also tried to make one of the switches the gateway for VLAN44 devices (configured in the ATP200).

The firewall security policy rules seem to be fine so far as I'm able to ping VLAN44 devices from VLAN1. That's probably not the best way to do it, but I allow all traffic from VLAN1 to VLAN44.

I'd be thankful for any hints on how to set this up properly.

Thank you and best regards,

Lukas

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @lukipilot,

    I notice you set ports 3 & 4 as trunk. I assume it is the VLAN trunking function, right? The VLAN trunking function will help forward the packets from the unknown VLAN, which means the VLANs that were not set.

    Since VLANs 33, 44, and 66 are already set, you must set the fixed ports correctly. Otherwise, the switch won't forward the packets as you wish. Please navigate to the VLAN setting page to fix ports 3 & 4 to these VLANs and set tagged out.

  • lukipilot
    lukipilot Posts: 4  Freshman Member
    edited April 12

    Hi @Zyxel_Melen

    Many thanks for your answer.

    I'm not 100% sure, but I believe I already did that. In the following I paste screenshots of the VLAN configuration of Switch 192.168.1.210 / 192.168.44.2 for the 4 VLANs and the port setup.

    Also, if this configuration were not correct, the devices should not be able to gain internet access, I think. But devices of all 4 VLANs have access to the internet.

    It's really just the exchange between VLAN1 and VLAN44 that gives me sleepless nights.

    Thank you very much for any further hints or corrections.

    Best regards,

    Lukas

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee

    Hi @lukipilot,

    Thanks for the details about your VLAN configuration. I searched how Sonos and Philips Hue Bridge discover their devices. Based on my research, both Sonos and Philips Hue Bridge use mDNS to find the devices. However, mDNS is not routable multicast traffic. That's why you can find the devices in the same VLAN.

  • lukipilot
    lukipilot Posts: 4  Freshman Member

    Hi @Zyxel_Melen

    Thank you for your answer. So, this means it is simply not possible to have those IoT devices separated from my "private" VLAN and control them from a Smartphone in the private VLAN? That's somehow disappointing. What other hardware would I need to realize this?

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee

    Hi @lukipilot,

    There are some workarounds without additional devices. You may:
    1. Place the IoT devices (Sonos, Philips, and smart TV) within VLAN1.
    2. Create an SSID for VLAN 44. Then you can control the IoT devices when connecting to this SSID.

    By the way, a home network normally separates private VLAN and Guest VLAN. The IoT devices will be placed in the private VLAN. Would you like to share why you separate a VLAN for IoT devices?

  • lukipilot
    lukipilot Posts: 4  Freshman Member

    Hi @Zyxel_Melen ,

    The reason why I want to separate them is that I have lots of such devices, it's not just the ones discussed here, I also have iRobot devices, fridge, washing machine, oven, Apple TV and many more - it's 24 in total. AND I just don't trust these devices at all.

    I'd love to have a clean VLAN1 with only devices in which I have a certain amount of trust, including my NAS.

    Therefore, of the two options you gave above, Nr. 1 is not an option, at the moment I'm with Nr. 2, but not very happy with it. I need to switch WiFi to the VLAN44 SSID on my Smartphone whenever I want to control devices, or stream to the TV and back thereafter.

    Of course you're right, this is not the usual home network, the usual home network is a bit less expensive ;-)
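The following is an added example, not part of the thread above and not Zyxel's or the poster's code. It illustrates Zyxel_Melen's point about mDNS: it builds the kind of multicast DNS PTR query a phone app sends to discover a device, decodes it back, and then checks the packet's destination against the link-local multicast ranges that a router never forwards (224.0.0.0/24 and ff02::/16, per RFC 6762 and RFC 5771). The service name `_hue._tcp.local` is the standard mDNS service type a Hue Bridge advertises; the switch address 192.168.44.2 is taken from the thread, the other IoT addresses are constructed, and the `discovery_reachable` helper is a simplified model assumed here. It shows why a ping to a VLAN44 address works through an allow rule while discovery does not: ping is routed unicast, discovery is link-local multicast.

```python
"""Model of why mDNS discovery stays inside one VLAN while routed unicast crosses.

Added example for the Zyxel thread above; the thread's switch address 192.168.44.2
appears as a sample, other addresses are constructed and labelled as such.
"""
import ipaddress
import struct

MDNS_GROUP_V4 = "224.0.0.251"   # RFC 6762 IPv4 multicast group for mDNS
MDNS_GROUP_V6 = "ff02::fb"      # RFC 6762 IPv6 link-local group
MDNS_PORT = 5353
TYPE_PTR = 12                   # DNS PTR record, used for service browsing
CLASS_IN = 1

# Address blocks routers do not forward (link-local scope).
LINK_LOCAL_V4 = ipaddress.ip_network("224.0.0.0/24")
LINK_LOCAL_V6 = ipaddress.ip_network("ff02::/16")


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode a wire-format name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_mdns_query(service: str) -> bytes:
    """Build the PTR query an app multicasts to 224.0.0.251:5353 to browse a service."""
    # Header: id=0 (mDNS queries use 0), flags=0 (standard query), qdcount=1
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    # Top bit of the class would be the "unicast response" flag; left clear here
    question = encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)
    return header + question


def parse_mdns_query(packet: bytes) -> dict:
    """Decode the header and first question of an mDNS query packet."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {
        "id": txid,
        "flags": flags,
        "questions": qd,
        "name": name,
        "qtype": qtype,
        "qclass": qclass & 0x7FFF,
        "unicast_response": bool(qclass & 0x8000),
    }


def crosses_router(dst_ip: str) -> bool:
    """True if a router would forward a packet to dst_ip; False for link-local multicast."""
    addr = ipaddress.ip_address(dst_ip)
    if addr.version == 4:
        return addr not in LINK_LOCAL_V4
    return addr not in LINK_LOCAL_V6


def discovery_reachable(app_vlan: int, device_vlan: int, dst_ip: str) -> bool:
    """Simplified model (assumption): a packet reaches the device if both sit in the
    same VLAN, or if the destination is routable (the thread's VLAN1->VLAN44 allow
    rule then lets it through). Link-local multicast never leaves the source VLAN."""
    if app_vlan == device_vlan:
        return True
    return crosses_router(dst_ip)


if __name__ == "__main__":
    query = build_mdns_query("_hue._tcp.local")   # standard Hue Bridge service type
    print(parse_mdns_query(query))
    # Phone in VLAN1, Hue Bridge in VLAN44 (constructed address 192.168.44.20):
    print("discovery:", discovery_reachable(1, 44, MDNS_GROUP_V4))     # False
    print("ping/unicast:", discovery_reachable(1, 44, "192.168.44.20"))  # True
    print("switch from VLAN1:", discovery_reachable(1, 44, "192.168.44.2"))  # True
```

The split the model shows is the one the thread runs into: the ATP200 allow rule from VLAN1 to VLAN44 covers routed unicast (ping, the switch's 192.168.44.2, a speaker's address once known), but the discovery step happens over 224.0.0.251, which stays on the link it was sent on. Getting that step across VLANs needs something that re-announces the service on the other VLAN, which is outside the page's scope.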