
Help with Basic VLAN Setup to Segment Wired and Wireless Network

I would like to segment my network into multiple LANs and VLANs.

Right now, I have one happy LAN network, all shared with all devices. Small unmanaged switches in each room, converging to a large 24 port unmanaged switch in the office:

  • Primary real LAN in the LAN port of the Sophos UTM - 192.168.10.x /24
  • Wireless network SSID 1, bridged to LAN - 192.168.10.x /24 ... too.

Future:

  • Existing LAN and SSID 1 Wireless on that same LAN for servers, personal computers, printers, etc. 192.168.10.x /24
  • New segmented networks with internet access through the firewall, but isolated and blocked from the LAN above:
    • Guest wireless network on separate SSID 2  192.168.20.x /24
    • New virtual network VLAN 10 for home appliances (kitchen oven, sump pump, etc.), some on Ethernet, some on Wireless with its own SSID 3   (... .30.x /24)
    • New virtual network VLAN 20 for streaming devices (TiVo, Roku, AppleTV, etc.), some on Ethernet, some on Wireless with its own SSID 4  (... .40.x /24)
    • New virtual network VLAN 30 for cameras (... .50.x /24) 
    • You get the idea...

Each room has a single Ethernet port. The ethernet cables converge in the office closet. Currently each room has a small 5 port switch. A room may have any combination of Sophos AP 100C, devices that belong on the 192.168.10.x LAN (computers, printers, servers), and various ethernet and wireless home appliances, streaming devices, etc. 

In other words, a given room may have a combination of different devices, each one associated with a different network segment / VLAN. At the same time, the same VLAN network segment may have devices in different rooms. 

I ordered managed 5 port switches (L2, 802.1q) to replace the unmanaged switches in the rooms. I ordered an extra managed 8 port switch for the office closet. I am not sure I need it. (To the best of my knowledge, the 24 port unmanaged switch will not pass tagged VLAN Ethernet packets.)

-> Am I on the right track? Is there a better way to segment my network?
-> Do I have what I need to make this work? 
-> What is the best way to configure these devices to segment my network as described? 

P.S. Can I configure the new network segments to be IPv4-only, but leave my primary LAN IPv4 and IPv6?



  • Adding a Guest wireless network is a good idea.

    Not sure that you need to replace the unmanaged 24-port switch.  Let us know if that was necessary.

    I don't think you can selectively activate IPv6 only on one interface.  The UTM only supplies IPv4 IPs with its DHCP service.  You can selectively allow only the LAN to reach an IPv6 DHCP server.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The guest wireless should be able to have its own VLAN, so I can use "Bridge to VLAN" rather than using "Separate zone" with its MTU issues. That is my plan. 

    With the small managed switches in every room, I believe that I will be able to isolate mixed wireless and Ethernet-wired devices into their appropriate VLANs wherever they are. I assume that the AP 100C access points will properly tag VLAN and non-VLAN packets on the Ethernet according to their SSIDs, and the new switches will pass them to the next switch accordingly. 

    Does all that make sense to you? 

  • You are on the right track. I would leave the VLAN ID 1 (default VLAN) for administrative purposes and use only IDs above 2 for my segments.

    You would need to have trunk ports defined from the main switch to the 5 port switches in the different rooms; all others have to be access ports. Only trunk ports are capable of transporting multiple VLANs at once. Most "unmanaged" switches are configured like having all ports as a "trunk" and therefore seem to pass through all kinds of VLANs. The problem is, if you "untag" a VLAN at a certain port, it stays tagged the way it was when entering the "unmanaged" switch.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I bought some cheap managed switches. They are TP-Link model TP-SG105E smart switches in each room. The room switches connect to a similar TP-SG108E in the office. The switches all support 802.1Q VLANs. Configuring them is not easy and not intuitive. Advice there would be appreciated, too.

    At the moment, everything is working on the 192.168.10.x network, the LAN. I have not yet configured VLANs in the Sophos UTM or the switches. They are operating the same as unmanaged switches. I gave each switch a fixed IP address on the 192.168.10.x LAN. 

    The LAN would stay at 192.168.10.x, with VLANs configured with 192.168.20.x, 192.168.30.x, 192.168.40.x, etc.

    Now I am scratching my head over how the AP-100C access points handle both LAN and VLAN SSID traffic to the room's switch and how the room's switch passes both types of traffic to the office switch and through it to the UTM. That might include WiFi traffic on a VLAN where there is no corresponding wired room device on the same VLAN on that room's switch. How do I configure a port on the room's switch to pass both VLAN tagged 802.1Q ethernet packets as well as ordinary LAN ethernet packets without alteration?  

    I am also scratching my head over how to configure the room switches to handle devices that should be in a VLAN (e.g., streaming devices) and those on the regular LAN (say, a laptop computer or printer). 

    The goal is to isolate devices to the LAN or the appropriate VLAN. Devices may be in different rooms, but on the same VLAN to communicate with each other. The DVRs can share programs with each other over the network, for example. Some devices on a given VLAN may be on the Ethernet, while others on the same VLAN may be wireless. 

    -> How do I configure the room switches and office switch to pass the traffic to the UTM. ... and how do I configure the UTM? Here is a simple network diagram. (Oops, I forgot to label the UTM.) Hopefully it will put us all on the same page:

  • Hello,

    this link to the TP-Link "FAQ" may help a little: https://www.tp-link.com/us/support/faq/788/

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • To be honest, I find that TP-Link guide a bit confusing: I will try to simplify here:

    If you use a normal "access-port" on a switch that is capable of managing VLAN-tagging, then there is always one VLAN-ID which is transported "untagged". This is sometimes called the PVID (private VLAN ID or just private VLAN). This is only possible with ONE of your VLANs per port.

    Then there are the other, "non-private" VLAN-IDs, which are transported as well, if you assign them to that port as "tagged" VLANs.

    So there is one "untagged" VLAN and multiple "tagged" VLANs sharing the same physical port.

    Now what happens if a device on that port does not recognize VLAN-tags? Then this device "sees" only the "untagged" packets.

    If the device attached to that port is able to decode VLAN tags, then you can define which of the possibly several "tagged" VLANs should be detected by that device.

    Back to your setup: you have VLAN-IDs: 1, 2, 10, 20 and 30

    You have the port going to your AP100C with VLAN1 untagged, VLAN 10 tagged and VLAN 20 tagged.

    On the Sophos UTM you have the LAN port with default VLAN 1 untagged (normal default), you then add VLAN 10 tagged (Ethernet VLAN with VLAN Tag 10 to the same physical LAN port) and with VLAN 20 you do the same with VLAN Tag 20.

    For port eth0 (internal LAN) this would look like this:

    And then you have two interfaces:

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
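An added example, not from this thread or from TP-Link/Sophos, that models in Python the port rules described in the two posts above (PVID untagged, member VLANs tagged, trunk versus access port, and why a tag surviving an unmanaged switch is a problem). The VLAN IDs 1/10/20 are the ones from the post; the port names, MAC addresses and payloads are constructed.

```python
import struct
from dataclasses import dataclass, field
TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q-tagged frame

@dataclass
class Port:
    name: str
    pvid: int                                    # the one VLAN carried untagged
    tagged: frozenset = field(default_factory=frozenset)  # VLANs carried tagged

def parse_frame(raw: bytes):
    """Split an Ethernet frame into (vlan or None, dst, src, ethertype, payload)."""
    dst, src, etype = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", raw[14:18])
        return tci & 0x0FFF, dst, src, etype, raw[18:]
    return None, dst, src, etype, raw[14:]

def build_frame(dst, src, etype, payload, vlan=None) -> bytes:
    hdr = dst + src
    if vlan is not None:                         # insert the 4-byte 802.1Q tag
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload

def ingress(port: Port, raw: bytes):
    """Classify an arriving frame: untagged -> PVID, allowed tag -> that VLAN, else drop."""
    vlan, *fields = parse_frame(raw)
    if vlan is None:
        return port.pvid, tuple(fields)
    return (vlan, tuple(fields)) if vlan in port.tagged else (None, None)

def egress(port: Port, vlan: int, fields):
    """Send on this port: untagged if vlan is the PVID, tagged if a member, else nothing."""
    if vlan == port.pvid:
        return build_frame(*fields)
    return build_frame(*fields, vlan=vlan) if vlan in port.tagged else None

def demo():
    ap = Port("room p1 -> AP 100C", pvid=1, tagged=frozenset({10, 20}))
    roku = Port("room p2 -> Roku", pvid=20)          # access port, streaming VLAN
    uplink = Port("room p5 -> office", pvid=1, tagged=frozenset({10, 20}))  # trunk
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"   # constructed addresses
    stream = build_frame(dst, src, 0x0800, b"tivo-share", vlan=20)  # AP tags SSID 4
    vlan, f = ingress(ap, stream)
    return {
        "roku_gets": egress(roku, vlan, f),          # tag stripped on the access port
        "uplink_gets": egress(uplink, vlan, f),      # stays tagged toward the office
        "roku_sees_vlan10": egress(roku, 10, f),     # None: other VLAN never reaches it
        "laptop_vlan": ingress(ap, build_frame(dst, src, 0x0800, b"lan"))[0],  # 1
        "unmanaged_leak": ingress(roku, stream)[0],  # None: tag kept by an unmanaged
    }                                                # switch is dropped by the access port
```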

  • But you could do yourself a favour when you number your VLANs similarly to the IP networks. This is much easier to read.

    My suggestion would be:

    VLAN 30 = 192.168.30.0 /24 name = home

    VLAN 40 = 192.168.40.0 /24 name = stream

    VLAN 50 = 192.168.50.0 /24 name = cameras

    Personally, I would define a VLAN for the Guest Network as well:

    VLAN 20 = 192.168.20.0 /24 name = guest

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.