Question Pain in the VLAN

Jun 22, 2022
Hi all.

I have been working on setting up a network to suit my family, IoT and work needs.
With the replacement of some hardware and the purchase of a new VPN router I've come a long way.
However, I seem to be able to configure port based VLAN for segmentation, but beyond that I struggle.
I hope there is someone that can give me some insight in the deeper configuration layers.

I have attached a picture of my current network and highlighted the problems.
Any comment is welcome and I am happy to elaborate on how I have set it up in case someone is trying to do the same.

Thanks a plenty! Vince

Network Diagram
kanewolf (Moderator)
Nothing you have provided lists what you are trying to accomplish. What are your goals for VLANs? What behaviors do you want?

First a comment about the tplink switch. I can't say exactly in which hardware revisions they partially fixed this. It was impossible to set ports untagged to any vlan other than 1. The only way to use vlans was if the devices supported tagging. They also force all the management IP to be on vlan 1. This was a security exposure because all devices technically are on the same lan if the tag is not set. They did this because they were worried a user would change the tagging and lock themselves out of the management ability......duhh, reset the switch when you do something stupid and learn from your mistake. So they have partially fixed this. They now properly allow you to have any vlan untagged on any port. BUT they still allow you to get access to the switch management from any port no matter what the tag is set to. Not sure how they accomplish this. Unauthorized traffic can no longer go between ports or switches but a device can still attempt to hack the switch management itself. Again all because they want to protect stupid customers who should not be using vlans unless they understand what they are doing.

So in theory your design works. My guess is you have not set the proper vlan tags on the uplink ports. Although you don't have to, you generally want to start with a management vlan that only has the IP addresses of the switches themselves. This vlan should be separate from everything else. You want this vlan untagged on all the uplink ports; all the other vlans you want tagged on the uplink ports. Without going into the explanation, this is done partially for security but also to keep spanning tree working correctly, especially on lower-end switches that do not support per-vlan spanning tree.

Your problem can also be in the router and how it implements its virtual router interface concept. You have to be sure that those interfaces are set to the proper vlans, and it can be confusing since this is all done in proprietary ways depending on the device.

For your overall design you need to think of this as if you have a bunch of cables from your router going to lots of small switches where everything is physically separate. That is all a vlan is simulating, with the most complex part being the simulation of combining the multiple cables going to the main router.
Jun 22, 2022
Thanks for your comments: I did realise that I needed to do more Googling to describe my issues and intentions. I apologise in advance for using incorrect terminology. I have gotten a bit further (see updated diagram attached). I'm just struggling with two issues:

First, I noticed that the time on my WiFi router is no longer updating over NTP. In addition I noticed that I can't access the router via the cloud or check for updates of the firmware. This led me to believe that even though the WiFi router passes through the internet connection, the WiFi router itself doesn't have access to the internet. I have gone through many settings but I can't put my finger on why this is the case.

Second, from the "Main Computer" on subnet 192.168.222.0 (VLAN 222) I can access all the switches, the main router and the devices connected (as intended). I can't access the WiFi router which is on subnet 192.168.221.0 (VLAN 4). As it is part of a different VLAN (intentionally) I can't put that router on subnet 192.168.222.0. Is there a way I can configure my subnet settings in order to reach 192.168.221.0 from 192.168.222.0?

I've left my printer for what it is and decided that I might need to wire this up in order to manage it better or smarter.

Thanks for any feedback!

Network Diagram v2
You could use a subnet mask of 255.255.252.0. This would map 220-223 into a single subnet but that would undo your vlan concept.

When you look at fancy stuff like this is where you need an actual router. Most home users are only using the NAT part to share an IP. An actual router means that it "routes" traffic between subnets. It would need a virtual interface on each vlan. So the router would have 192.168.220.1, 192.168.221.1, 192.168.222.1 etc. The traffic would then flow between the subnets via the router function. Problem is you have now connected all your vlans together, but at layer 3 rather than layer 2, i.e. they will use IP addresses to talk rather than mac addresses.

So when you need some communication but not all, you add a firewall or some other filter rule as to which IPs can talk between the vlans.

This is partially why home routers do not support any of this. It gets very complex very quickly.
Jun 22, 2022

Thanks for the suggestion!

That's still useful information. I would be able to play with that and see what I can do.
Especially the subnet: if this limits the communication to 192.168.220.x to 192.168.223.x it would still work.
The isolated devices will be on 192.168.10n.x (which would be excluded) and the WLAN would be in 192.168.4.x.
I did see the router supports firewall access control, which I could also use in case the subnet doesn't work.

Thanks a plenty :)
Jun 22, 2022

Until the router doesn't like the LAN connected to the VLAN to be on the same subnet :/
Jun 22, 2022
So the aim is to connect from my main computer on the LAN (192.168.222.88/24 - VLAN 222) to the WiFi router (192.168.221.20 - VLAN 4). I can't use subnets as I am using VLANs. Is there a way to use static routing to allow me to reach the GUI of the WiFi router?

The concept of vlan and subnet are almost the same thing in many ways.

A vlan itself is nothing but a number of virtual switches. The vlan itself does not know anything about IP addresses. Very technically you could use a different data protocol to talk between devices.

So each vlan must have its devices assigned to a subnet, and these subnets must be different if the virtual switch, vlan, is connected to the same router. The router can only have 1 interface on each subnet, without extreme complexity.

What you need to think of is you have 2 switches, each on a different subnet. These switches are plugged into 2 different ports on a router and each port is the gateway for that subnet. By default most routers that support multiple subnets automatically "route" traffic between them.
If you want to prevent this traffic the router would need some form of rules you could set to limit it.
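The two points made above (the 255.255.252.0 mask that would fold 192.168.220-223.x into one subnet, and a router that holds one interface per vlan and routes between the subnets with filter rules deciding what may cross) can be shown as a small simulation. This is an added example, not code from anyone in this thread; it uses Python's standard `ipaddress` module. The VLAN id 220 for 192.168.220.0/24, the isolated VLAN 101 with 192.168.101.0/24 for the "192.168.10n.x" devices, and the rule semantics (first match wins, default allow, as the post says most multi-subnet routers route freely unless told otherwise) are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Interface, IPv4Network, ip_address
from typing import Optional


def next_hop(host_cidr: str, dst: str) -> str:
    """How a host delivers a packet: the subnet mask alone decides.

    If dst lies inside the host's own subnet, the host ARPs for it and sends
    the frame directly at layer 2 ("direct"); otherwise it sends the packet
    to its default gateway ("gateway"). A /22 makes 192.168.220-223.x look
    local, but a direct frame only arrives if both hosts share a VLAN, which
    is why the mask trick "undoes the vlan concept".
    """
    host = IPv4Interface(host_cidr)
    return "direct" if ip_address(dst) in host.network else "gateway"


@dataclass
class Rule:
    src: IPv4Network
    dst: IPv4Network
    allow: bool


@dataclass
class Router:
    """One virtual interface (gateway address) per VLAN, plus inter-VLAN filter rules."""
    interfaces: dict = field(default_factory=dict)  # vlan id -> IPv4Interface
    rules: list = field(default_factory=list)       # first match wins; default allow

    def add_interface(self, vlan: int, cidr: str) -> None:
        self.interfaces[vlan] = IPv4Interface(cidr)

    def add_rule(self, src: str, dst: str, allow: bool) -> None:
        self.rules.append(Rule(IPv4Network(src), IPv4Network(dst), allow))

    def vlan_for(self, addr: str) -> Optional[int]:
        """Which VLAN's subnet an address belongs to, or None if the router has no interface there."""
        a = ip_address(addr)
        for vlan, iface in self.interfaces.items():
            if a in iface.network:
                return vlan
        return None

    def forward(self, src: str, dst: str) -> str:
        in_vlan, out_vlan = self.vlan_for(src), self.vlan_for(dst)
        if in_vlan is None or out_vlan is None:
            return "no route"   # no interface on that subnet (WAN/default route omitted here)
        if in_vlan == out_vlan:
            return "local"      # same subnet: switched at layer 2, the router never sees it
        s, d = ip_address(src), ip_address(dst)
        for r in self.rules:
            if s in r.src and d in r.dst:
                return f"vlan {out_vlan}" if r.allow else "denied"
        return f"vlan {out_vlan}"  # default: route freely between the subnets


def build_lab() -> Router:
    """Constructed lab following the thread: VLAN 222 main LAN, VLAN 4 for the
    WiFi router's subnet, 192.168.220.0/24 on an assumed VLAN 220, and an
    assumed isolated VLAN 101 (192.168.101.0/24) for the 192.168.10n.x devices."""
    r = Router()
    r.add_interface(222, "192.168.222.1/24")
    r.add_interface(4, "192.168.221.1/24")
    r.add_interface(220, "192.168.220.1/24")
    r.add_interface(101, "192.168.101.1/24")
    # Keep VLAN 101 away from every other internal subnet in both directions.
    # Everything else (e.g. VLAN 222 -> VLAN 4 to reach the WiFi router GUI) stays routable.
    r.add_rule("192.168.101.0/24", "192.168.0.0/16", allow=False)
    r.add_rule("192.168.0.0/16", "192.168.101.0/24", allow=False)
    return r


if __name__ == "__main__":
    # Main Computer with the /24 it actually has, then with the /22 suggested above.
    print(next_hop("192.168.222.88/24", "192.168.221.20"))  # gateway
    print(next_hop("192.168.222.88/22", "192.168.221.20"))  # direct (only works if same VLAN)
    router = build_lab()
    print(router.forward("192.168.222.88", "192.168.221.20"))  # vlan 4
    print(router.forward("192.168.101.5", "192.168.222.88"))   # denied
```

The `forward` result "local" is the case where the router is not involved at all: two hosts in the same subnet and VLAN talk by mac address. Everything else needs the gateway interface on each VLAN, and the rule list is where "some communication but not all" gets expressed.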
Jun 22, 2022

Thanks for the suggestions and explanation @bill001g !
I've been thinking about putting routers each on a different subnet. Might be something to try on the weekend. :)
I hope you mean virtual routers. I did not go back to check the device you are using, but fancy routers and layer 3 switches can support multiple router interfaces. It works mostly the same as separate routers, with the big "but" that I am talking about professional routers, not the stuff most people on this forum bought from Best Buy or another consumer electronics store.