
Help with Basic VLAN Setup to Segment Wired and Wireless Network

I would like to segment my network into multiple LANs and VLANs.

Right now, I have one happy LAN network, all shared with all devices. Small unmanaged switches in each room, converging to a large 24 port unmanaged switch in the office:

  • Primary real LAN in the LAN port of the Sophos UTM - 192.168.10.x /24
  • Wireless network SSID 1, bridged to LAN - 192.168.10.x /24 ... too.

Future:

  • Existing LAN and SSID 1 Wireless on that same LAN for servers, personal computers, printers, etc. 192.168.10.x /24
  • New segmented networks with internet access through the firewall, but isolated and blocked from the LAN above:
    • Guest wireless network on separate SSID 2  192.168.20.x /24
    • New virtual network VLAN 10 for home appliances (kitchen oven, sump pump, etc.), some on Ethernet, some on Wireless with its own SSID 3   (... .30.x /24)
    • New virtual network VLAN 20 for streaming devices (TiVo, Roku, AppleTV, etc.), some on Ethernet, some on Wireless with its own SSID 4  (... .40.x /24)
    • New virtual network VLAN 30 for cameras (... .50.x /24) 
    • You get the idea...

Each room has a single Ethernet port. The ethernet cables converge in the office closet. Currently each room has a small 5 port switch. A room may have any combination of Sophos AP 100C, devices that belong on the 192.168.10.x LAN (computers, printers, servers), and various ethernet and wireless home appliances, streaming devices, etc. 

In other words, a given room may have a combination of different devices, each one associated with a different network segment / VLAN. At the same time, the same VLAN network segment may have devices in different rooms. 

I ordered managed 5 port switches (L2, 802.1q) to replace the unmanaged switches in the rooms. I ordered an extra managed 8 port switch for the office closet. I am not sure I need it. (To the best of my knowledge, the 24 port unmanaged switch will not pass tagged VLAN Ethernet packets.)

-> Am I on the right track? Is there a better way to segment my network?
-> Do I have what I need to make this work? 
-> What is the best way to configure these devices to segment my network as described? 

P.S. Can I configure the new network segments to be IPv4-only, but leave my primary LAN IPv4 and IPv6?



  • I bought some cheap managed switches. There are TP-Link model TP-SG105E smart switches in each room. The room switches connect to a similar TP-SG108E in the office. The switches all support 802.1Q VLANs. Configuring them is not easy and not intuitive. Advice there would be appreciated, too.

    At the moment, everything is working on the 192.168.10.x network, the LAN. I have not yet configured VLANs in the Sophos UTM or the switches. They are operating the same as unmanaged switches. I gave each switch a fixed IP address on the 192.168.10.x LAN. 

    The LAN would stay at 192.168.10.x, with VLANs configured with 192.168.20.x, 192.168.30.x, 192.168.40.x, etc.

    Now I am scratching my head over how the AP-100C access points handle both LAN and VLAN SSID traffic to the room's switch and how the room's switch passes both types of traffic to the office switch and through it to the UTM. That might include WiFi traffic on a VLAN where there is no corresponding wired room device on the same VLAN on that room's switch. How do I configure a port on the room's switch to pass both VLAN tagged 802.1Q ethernet packets as well as ordinary LAN ethernet packets without alteration?  

    I am also scratching my head over how to configure the room switches to handle devices that should be in a VLAN (e.g., streaming devices) and those on the regular LAN (say, a laptop computer or printer). 

    The goal is to isolate devices to the LAN or the appropriate VLAN. Devices may be in different rooms, but on the same VLAN to communicate with each other. The DVRs can share programs with each other over the network, for example. Some devices on a given VLAN may be on the Ethernet, while others on the same VLAN may be wireless. 

    -> How do I configure the room switches and office switch to pass the traffic to the UTM. ... and how do I configure the UTM? Here is a simple network diagram. (Oops, I forgot to label the UTM.) Hopefully it will put us all on the same page:

  • Hello,

    this link to the TP-Link "FAQ" may help a little: https://www.tp-link.com/us/support/faq/788/

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • To be honest, I find that TP-Link guide a bit confusing: I will try to simplify here:

    If you use a normal "access-port" on a switch that is capable of managing VLAN-tagging, then there is always one VLAN-ID which is transported "untagged". This is sometimes called the PVID (private VLAN ID or just private VLAN). This is only possible with ONE of your VLANs per port.

    Then there are the other, "non-private" VLAN-IDs, which are transported as well, if you assign them to that port as "tagged" VLANs.

    So there is one "untagged" VLAN and multiple "tagged" VLANs sharing the same physical port.

    Now what happens, if a device on that port is not recognizing that there are VLAN-tags? Then this device "sees" only the "untagged" packets.

    If the device attached to that port is able to decode VLAN tags, then you can define which of the possibly several "tagged" VLANs should be detected by that device.

    Back to your setup: you have VLAN-IDs: 1, 2, 10, 20 and 30

    You have the port going to your AP100C with VLAN1 untagged, VLAN 10 tagged and VLAN 20 tagged.

    On the Sophos UTM you have the LAN port with default VLAN 1 untagged (normal default), you then add VLAN 10 tagged (Ethernet VLAN with VLAN Tag 10 to the same physical LAN port) and with VLAN 20 you do the same with VLAN Tag 20.

    For port eth0 (internal LAN) this would look like this:

    And then you have two interfaces:

    Philipp Rusch
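    To make the tagged/untagged behaviour in the reply above concrete (one untagged PVID plus several tagged VLANs on the same physical port, and a tag-blind device seeing only untagged frames), here is a small added Python model. It is not code from this thread, from TP-Link or from Sophos: it builds real 802.1Q frame bytes (EtherType 0x8100) and simulates a room switch with the port layout the reply describes (VLAN 1 untagged, VLAN 10 and 20 tagged on the AP and uplink ports). The port names, MAC addresses and payload are constructed for the example; the model checks VLAN membership only and leaves out MAC learning and flooding.

```python
"""Added example: 802.1Q tagged/untagged handling on a managed switch port.

Not code from the thread, TP-Link or Sophos. Port layout, MACs and payload
are constructed to match the reply: LAN = VLAN 1 untagged, VLAN 10/20 tagged.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_VLAN = 0x8100   # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes, vid: Optional[int] = None) -> bytes:
    """Ethernet II frame carrying IPv4; with vid set, an 802.1Q tag (PCP 0, DEI 0) is inserted."""
    frame = _mac(dst) + _mac(src)
    if vid is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vid(frame: bytes) -> Optional[int]:
    """VLAN ID from the 802.1Q tag, or None when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_VLAN:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]          # drop the 4-byte tag after the two MACs


def add_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, vid) + frame[12:]


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                            # the single VLAN carried untagged on this port
    tagged: frozenset = frozenset()      # VLANs carried with a tag


def ingress(port: Port, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Classify an arriving frame: (vid, untagged frame), or None when the switch drops it."""
    vid = parse_vid(frame)
    if vid is None:
        return port.pvid, frame                  # untagged frames belong to the PVID
    if vid == port.pvid or vid in port.tagged:
        return vid, strip_tag(frame)             # accepted; handled internally per VLAN
    return None                                  # tag for a VLAN this port is not a member of


def egress(port: Port, vid: int, frame: bytes) -> Optional[bytes]:
    """Emit on port: untagged for the PVID, tagged for tagged members, dropped otherwise."""
    if vid == port.pvid:
        return frame
    if vid in port.tagged:
        return add_tag(frame, vid)
    return None


def switch_frame(in_port: Port, out_port: Port, frame: bytes) -> Optional[bytes]:
    """Forward one frame across the switch (VLAN membership only; no MAC learning/flooding)."""
    classified = ingress(in_port, frame)
    if classified is None:
        return None
    vid, untagged = classified
    return egress(out_port, vid, untagged)


# Constructed room-switch layout (hypothetical port names).
PRINTER = Port("printer", pvid=1)                               # LAN-only access port
ROKU = Port("roku", pvid=20)                                    # streaming VLAN access port
AP = Port("ap100c", pvid=1, tagged=frozenset({10, 20}))         # AP: LAN untagged, SSID VLANs tagged
UPLINK = Port("uplink", pvid=1, tagged=frozenset({10, 20}))     # trunk to the office switch
PAYLOAD = b"\x45" + b"\x00" * 19                                 # constructed stand-in for an IPv4 header


def demo() -> dict:
    """VLAN each scenario is delivered on ("untagged" = PVID); None means the frame is dropped."""
    from_ssid4 = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", PAYLOAD, vid=20)
    from_roku = build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", PAYLOAD)
    from_lan = build_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:ff", PAYLOAD)
    bad_tag = build_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:ff", PAYLOAD, vid=50)

    def outcome(result: Optional[bytes]):
        return None if result is None else (parse_vid(result) or "untagged")

    return {
        "ssid4 -> uplink": outcome(switch_frame(AP, UPLINK, from_ssid4)),    # stays tagged 20
        "ssid4 -> roku": outcome(switch_frame(AP, ROKU, from_ssid4)),        # delivered untagged
        "ssid4 -> printer": outcome(switch_frame(AP, PRINTER, from_ssid4)),  # dropped: LAN isolated
        "roku -> uplink": outcome(switch_frame(ROKU, UPLINK, from_roku)),    # tagged 20 on the way out
        "lan -> ap": outcome(switch_frame(PRINTER, AP, from_lan)),           # VLAN 1 stays untagged
        "vlan50 -> ap": outcome(switch_frame(UPLINK, AP, bad_tag)),          # dropped: not a member
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:18s} -> {result}")
```

    The "ssid4 -> printer" case is the isolation the original poster asked for: a frame that arrives tagged for VLAN 20 can leave only on ports that are members of VLAN 20, so a LAN-only access port never sees it. The "vlan50 -> ap" case shows why the tagged member list on the uplink and AP ports matters: a tag the port does not carry is simply dropped.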

  • But you could do yourself a favour when you number your VLANs similar to the IP-networks. This is much easier to read.

    My suggestion would be:

    VLAN 30 = 192.168.30.0 /24 name = home

    VLAN 40 = 192.168.40.0 /24 name = stream

    VLAN 50 = 192.168.50.0 /24 name = cameras

    Personally, I would define a VLAN for the Guest Network as well:

    VLAN 20 = 192.168.20.0 /24 name = guest

    Philipp Rusch