Best way to implement Vlan

Woodymakespizza

Hey all, I need some help. I have two Asus GT-AXE11000s, not pro models, set up with ethernet backhaul as Router and AP, and a growing homelab with a plex server, DNS/PiHole (firewall to come). I am working on isolating my IOT and outdoor cameras and it's my understanding that these don't handle VLAN tagging easily or maybe at all. I have a Trendnet TEG-3182WS managed switch that can create the VLANs. This is my first real foray into this kind of networking and I'm wondering if there is a firmware I could use to manage tagging, or if there is not, what about running them both as mesh or APs under a newer model that does support VLAN tagging, or would it be better to look to replace them both with newer hardware. I'd of course prefer not to replace them both if I don't have to.

Open to suggestions, thoughts or ideas I haven't thought of. Thanks.
 
If you don't need VLANs you can likely accomplish some of what you seek by using Asus-Merlin firmware coupled with the Asus-Merlin YazFi addon script followed by some IPtables scripting if YazFi's One-Way or Two-Way to Guest doesn't work for your setup.

Or one can try the following with the Asus-Merlin 388.x firmware:
 
I'll poke through these. My long term goal is to separate for both security and convenience somewhat like this:
Primary network - Laptops, business and gaming computers, and homelab
Roku's - vlan 10
Cameras and MyQ - vlan 20
Guest Network - House is a double and I have tenants - Also VLAN?

You'll have to forgive me, I'm still learning VLANs and some of this deeper network config stuff.
 
Hey all, I need some help. I have two Asus GT-AXE11000s, not pro models set up with ethernet backhaul as Router and AP, and a growing homelab with a plex server, DNS/PiHole (firewall to come).

YazFi won't help you. It's not VLAN based, doesn't work in AP Mode and doesn't work network-wide with Router and AP Mode or AiMesh Node. You can explore potential solutions on the link below or use it as an example for custom scripting of the VLANs you need. In the long term a VLAN capable gateway/firewall is best to pair with VLAN capable APs. Run the firewall on bare metal, not virtualized with other services. Your entire network will be hanging on a single device. It fails - everything goes down at once.

 
House is a double and I have tenants - Also VLAN?

VLANs won't help here. This type of account sharing is not allowed with most ISPs (read your service contract) and presents potential issues with authorities (illegal activities online). The ISP account is in your name and you are personally responsible for all online activities. Make sure you weigh carefully the pros and cons.
 
YazFi won't help you. It's not VLAN based, doesn't work in AP Mode and doesn't work network-wide with Router and AP Mode or AiMesh Node. You can explore potential solutions on the link below or use it as an example for custom scripting of the VLANs you need. In the long term a VLAN capable gateway/firewall is best to pair with VLAN capable APs. Run the firewall on bare metal, not virtualized with other services. Your entire network will be hanging on a single device. It fails - everything goes down at once.

You're saying buy a specific device for firewall instead of running virtual off the minipc that is running pi-hole/NPM? Looking at the Mervlan and the experimental warnings are a little concerning as both wife and I have our own businesses and need stability.

Also - Does anyone know if I were to buy a BE model as the primary and ran one or both of the AXE11000s as APs or AImesh without a flashed firmware would that work or would I be better off buying two new ones? I could sell these and recoup at least half the cost.
 
I'll poke through these. My long term goal is to separate for both security and convenience somewhat like this:
Primary network - Laptops, business and gaming computers, and homelab
Roku's - vlan 10
Cameras and MyQ - vlan 20
Guest Network - House is a double and I have tenants - Also VLAN?
YazFi is main router only. Won't help, or work, with AP or AiMesh nodes if you go that route.
 
both wife and I have our own businesses and need stability

Then drop all experiments with consumer AIO routers, 3rd party firmware and scripts. Go small business equipment with Ubiquiti UniFi or TP-Link Omada as affordable price options. Don't waste your time.
 
Open to suggestions, thoughts or ideas I haven't thought of. Thanks.
@Tech9 is right in several respects. Ubiquiti is better hardware and gives you more control. The down side is there is a steeper learning curve vs Asus. Knowing what I now know (that doesn’t hold a candle to Tech9), I would have started with Ubiquiti. Nonetheless, I am happy with my VLAN setup with my RT-AX88U-PRO. It has been running flawlessly for several years with STOCK Asus Firmware (3.0.0.6.102_33421).

My setup includes:

VLAN-1 (router default gateway)
My ‘Trusted’ network is the primary (default) subnet and provides both wired and 5GHz WiFi to several devices, including port #1 on my DS220+ Synology NAS

Router port #3 is connected to a Netgear GS308T managed switch in the 1st floor office that services trusted wired devices on switch ports 2, 3, 4, & 5.

VLAN-25 is configured on the same Netgear GS308T managed switch in the 1st floor office (switch ports 6, 7, & 8) for untrusted wired devices – isolated from all other LAN but has internet access

VLAN-30 has (6) IP POE cameras, (1) IP speaker and (1) monitoring station connected to a Netgear GS316EP in the attic connected directly by ethernet cable to port #2 on my DS220+ Synology NAS running Surveillance Station in my downstairs office (Note: VLAN-30 is a phantom subnet that is ‘semi-isolated’ from the rest of my LAN [none of the cameras can access the internet and 'call home' on their own]. Normally, the switch is not connected to the router, although it can be for special and temporary maintenance functions. Surveillance Station has access to all subnet 30 devices due to its dual-NIC configuration). By the way, all LAN-30 devices were set with fixed/static IP addresses.

VLAN-20 is assigned to router port #1 and is connected to a Netgear GS308EP in the attic. This VLAN services several 2nd floor untrusted wired devices: TVs and wall outlets. No WiFi on this VLAN. I could connect an AP for better WiFi, but the WiFi I get in the house is sufficient.

VLAN-13 is 2.4GHz WiFi only for IOT and guest WiFi. This VLAN is isolated from all other LANs but has internet access.

Now, @Tech9, before you say anything, I do know that I could have done this with fewer switches 😀. But the locations of devices and limitations of cabling led me to this as the easiest - not necessarily the most cost effective.

All this to say that from a technical point of view, the Asus AX88U-PRO seems to have the functionality you are looking for. Whether you can make it work for your needs is another story and requires some serious planning and testing.
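Added example, not part of any post in this thread and not Asus firmware configuration: a default-deny forwarding policy for the VLAN layout described in the post above, rendered as iptables FORWARD rules for a generic Linux gateway. The interface names, VLAN 20's internet access and the one-way trusted-to-VLAN-20 allowance are assumptions made for illustration.

```python
"""Default-deny inter-VLAN forwarding policy (added illustration)."""

WAN_IF = "eth0"  # assumed WAN interface name

# VLAN id -> (bridge interface, internet access). VLAN ids and the internet
# column for 1, 13, 25 and 30 follow the post; interface names and VLAN 20's
# internet access are assumptions.
SEGMENTS = {
    1:  ("br0",  True),   # trusted wired + 5GHz WiFi
    13: ("br13", True),   # 2.4GHz IoT / guest WiFi, isolated
    20: ("br20", True),   # untrusted wired (TVs, wall outlets)
    25: ("br25", True),   # untrusted wired, isolated
    30: ("br30", False),  # cameras: must never reach the internet
}

# (source, destination) pairs allowed to OPEN connections. Assumed: trusted
# devices may reach VLAN 20; nothing may initiate in the other direction.
ONE_WAY = {(1, 20)}


def new_connection_allowed(src, dst):
    """Policy decision for a NEW flow; dst is a VLAN id or the string 'wan'."""
    if dst == "wan":
        return SEGMENTS[src][1]
    return (src, dst) in ONE_WAY


def forward_rules():
    """Render the policy as iptables commands (strings only, nothing applied)."""
    rules = [
        "iptables -P FORWARD DROP",  # anything not listed below is dropped
        # Replies to flows that were allowed to start; this is what makes the
        # ONE_WAY entries one-way instead of opening both directions.
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    new = "-m conntrack --ctstate NEW -j ACCEPT"
    for _vid, (ifname, internet) in sorted(SEGMENTS.items()):
        if internet:
            rules.append(f"iptables -A FORWARD -i {ifname} -o {WAN_IF} {new}")
    for src, dst in sorted(ONE_WAY):
        rules.append(
            f"iptables -A FORWARD -i {SEGMENTS[src][0]} -o {SEGMENTS[dst][0]} {new}")
    return rules


if __name__ == "__main__":
    print("\n".join(forward_rules()))
```

The FORWARD chain only governs routed traffic between segments; access to services on the gateway itself (DNS, admin UI) is filtered separately in INPUT.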
 
You're saying buy a specific device for firewall instead of running virtual off the minipc that is running pi-hole/NPM? Looking at the Mervlan and the experimental warnings are a little concerning as both wife and I have our own businesses and need stability.

Also - Does anyone know if I were to buy a BE model as the primary and ran one or both of the AXE11000s as APs or AImesh without a flashed firmware would that work or would I be better off buying two new ones? I could sell these and recoup at least half the cost.
Put your tenants on their own service - make them sign up with an ISP, not YOU. You don't want the liabilities. There are no positives to your planned sharing.
 
