jorgemarmo
Occasional Visitor
Dear all... I finally bought an old house, did some renovation work and put RJ45 outlets with Cat6e cable everywhere I could...
So I'm about to start on the patch panel and put in a network rack and a home-lab server to "run" the house.
So I'm trying to get everything well configured from the beginning (keyword: trying).
So I asked a new friend, ChatGPT.
This is the prompt explaining the situation:
Code:
I'm building my home network from 0.
I have many RJ45 outlets, a Wi-Fi printer, a couple of Wi-Fi IoT devices, but most of the IoT devices are Zigbee...
Hardware-wise I have:
- an ISP modem
- a TP-Link TL-SG1024FR (that can create virtual networks)
- a TP-Link router ER605
- a TP-Link Archer AX55
- a smart TV
- 2 Hikvision cameras that will connect to a small unmanaged switch and will arrive at the main switch.
- a Hikvision NVR that will also be connected to the main switch and that will need to connect to the home lab
- a home lab server running Unraid as a NAS, Home Assistant and Plex
- a Zigbee Ethernet coordinator that needs to communicate with the home lab
Could you make me a scheme/map of the best configuration, including the IP addresses and virtual networks I should use.
You can ask any question you need to better understand my setup and give me the best configuration.
And this was the answer (short version)
Code:
Design A — “Flexible, controlled access” (recommended)
All device groups are on separate VLANs but Home Lab can access devices it needs (cameras, NVR, Zigbee coordinator) through explicit firewall rules.
VLANs & subnets
Use a 10.0.0.0/16 base and give each VLAN a /24 for clarity and room to grow:
VLAN 10 — LAN / Home Lab / Trusted
VLAN ID: 10
Subnet: 10.0.10.0/24
Gateway (ER605): 10.0.10.1
Static reserved: Unraid/home lab server 10.0.10.10 (also use static DHCP reservation)
Purpose: PCs, core servers, devices you fully trust.
VLAN 20 — Management
VLAN ID: 20
Subnet: 10.0.20.0/24
Gateway: 10.0.20.1
Static: ER605 mgmt on this interface if needed, switch mgmt 10.0.20.2, AX55 mgmt 10.0.20.3
Purpose: switch/AP/router management, network printers if you want them manageable separately.
VLAN 30 — Cameras + NVR
VLAN ID: 30
Subnet: 10.0.30.0/24
Gateway: 10.0.30.1
Static: NVR 10.0.30.10, Hikvision cameras via DHCP reservations (or static on each camera) 10.0.30.11/12 etc.
Purpose: CCTV; put cameras + NVR here.
VLAN 40 — IoT (Wi-Fi IoT)
VLAN ID: 40
Subnet: 10.0.40.0/24
Gateway: 10.0.40.1
Purpose: Wi-Fi IoT devices (robot vacuum, roller shutter, Wi-fi printer if you consider it IoT).
VLAN 50 — Zigbee Coordinator / Home Assistant link
VLAN ID: 50
Subnet: 10.0.50.0/24
Gateway: 10.0.50.1
Static: Zigbee coordinator (slzb-06m) 10.0.50.10 or place this device on VLAN 10 (Home Lab) — see note below.
Purpose: the coordinator must be reachable by Home Assistant. Easiest if coordinator is on same VLAN as Unraid (VLAN 10) or reachable via firewall.
VLAN 60 — Guest Wi-Fi
VLAN ID: 60
Subnet: 10.0.60.0/24
Gateway: 10.0.60.1
Purpose: guest internet-only network.
Optional VLAN 99 — AP / Uplink / Native
Use for trunking if needed; depends on switch/AP config.
> Zigbee coordinator placement: because your coordinator (slzb-06m) must be linked to Home Assistant (on Unraid), the simplest approach is to physically connect the coordinator to the home lab server's switch port (or put the wall jack that hosts the coordinator on VLAN 10). That avoids complex firewall rules. If the coordinator must be placed somewhere else, put it on VLAN 50 and create firewall rules allowing only Home Lab IP 10.0.10.10 to talk to 10.0.50.10 (TCP/UDP ports used by the coordinator; check device docs for exact ports).
IP assignments (example static/servers)
ER605 router VLAN interfaces:
10.0.10.1 (LAN), 10.0.20.1 (Mgmt), 10.0.30.1 (Cameras), 10.0.40.1 (IoT), 10.0.50.1 (Zigbee if used), 10.0.60.1 (Guest)
TL-SG1024FR switch management: 10.0.20.2
Archer AX55 (AP mgmt): 10.0.20.3 (tagged trunk for SSIDs)
NVR: 10.0.30.10
Hikvision Cameras: 10.0.30.11, 10.0.30.12
Unraid/Home Lab server: 10.0.10.10
Zigbee coordinator: 10.0.50.10 (or 10.0.10.11 if placed on Home Lab VLAN)
DHCP
DHCP provided by ER605 on each VLAN:
VLAN 10: 10.0.10.100–10.0.10.199
VLAN 20: 10.0.20.100–10.0.20.199
VLAN 30: 10.0.30.100–10.0.30.199 (or static for cameras)
VLAN 40: 10.0.40.100–10.0.40.250
VLAN 50: 10.0.50.100–10.0.50.199
VLAN 60: 10.0.60.100–10.0.60.250
Firewall / Routing rules (high level)
Default: deny inter-VLAN. Create explicit allow rules:
1. Allow Home Lab (10.0.10.10) → Cameras VLAN (10.0.30.0/24) on specific ports/protocols only:
RTSP (TCP 554) or whatever port your Hikvision NVR uses (also HTTP 80/443 if web UI needed). Example: allow TCP 554, TCP 80, TCP 443 from source IP 10.0.10.10 to 10.0.30.10 (NVR) and to camera addresses if needed.
2. Allow Home Lab (10.0.10.10) ↔ Zigbee coordinator (10.0.50.10) or place coordinator on VLAN10 (simpler). Rule: allow required ports and block everything else.
3. Allow IoT VLAN (40) to Internet only (deny IoT→LAN and IoT→Mgmt). If some IoT devices need to reach Home Assistant, add targeted allow from Home Assistant to device IPs, or allow Home Assistant→IoT (recommended) rather than IoT→Home Lab.
4. Guest VLAN (60): allow only to WAN, client isolation. No access to LAN, Management, Cameras.
5. Management VLAN: allow management devices (your admin workstation) to reach switch/AP/NVR/ER605 mgmt addresses. Block from other VLANs to Management.
6. Allow NVR/Hikvision to use outbound connections if needed for Hik-Connect (for remote access). Alternatively, use router NAT rules / port forward for remote access.
Hikvision remote access (recommended secure method)
Best: set up a VPN on the ER605 (OpenVPN / IPsec / WireGuard if supported) and connect from your phone/remote device to the home network, then access NVR UI. This avoids exposing Hikvision ports to the internet.
If you must port-forward: only forward the minimum ports to the NVR (10.0.30.10) and use strong passwords + keep firmware updated. Forwarded ports example: TCP 8000 (SDK), TCP 554 (RTSP) — but this is risky. Use Hik-Connect (cloud service) if you prefer not to configure port forwards — still keep it secured.
Switch port mapping (TL-SG1024FR — example)
Assume the TL-SG1024FR is the central patch panel main switch in the rack.
Port 1 → ER605 WAN/LAN trunk (tag all VLANs; native VLAN 20 if you use one) — configure as trunk (802.1Q)
Port 2 → Archer AX55 (AP) — trunk, tag VLANs 40 (IoT SSID), 60 (Guest SSID), 10 (management/host SSID) and allow native mgmt on VLAN 20 as needed. If the AX55 will be used as mini-switch for 4 ports, ensure AP has VLAN-aware switchports (AX55 supports linking SSIDs to VLANs via VLAN tag on its Ethernet port).
Port 3 → Unraid / Home Lab server — access port on VLAN 10 (or trunk if server hosts VMs with VLAN tagging).
Port 4 → Small unmanaged switch for cameras — set as access VLAN 30 (cameras will be on this VLAN). The small switch will be unmanaged; connecting multiple cameras is fine.
Port 5 → NVR — access VLAN 30 (static IP 10.0.30.10)
Ports 6–n → RJ45 patch panels / room wall jacks; assign as needed: e.g., living room wall ports for smart TV on VLAN 40 or VLAN 10 as you prefer (set them as access ports to the appropriate VLAN).
> Important: the ports feeding to rooms must be configured as access VLANs for devices that are single-VLAN. If you want a room jack to support multiple VLANs (e.g. AP or trunk), configure that switchport as a trunk.
AX55 (access point) setup
Configure multiple SSIDs and map to VLAN tags:
SSID “Home-LAN” → VLAN 10
SSID “IoT-Devices” → VLAN 40
SSID “Guest” → VLAN 60 (enable client isolation)
Management SSID or local mgmt address → use VLAN 20 for AP management
Connect AX55 Ethernet to switch port 2 (trunk) and tag VLANs in switch/AP.
Notes on mDNS / discovery
If you need device discovery (AirPrint, Chromecast, etc.) across VLANs, use:
- an mDNS repeater/reflector on the router (limited; only for required services), or
- the Home Assistant mDNS / Avahi proxy to bridge the needed services from the IoT VLAN to the Home Lab.
Would you like to share your thoughts on this?
The only part I don't feel completely confident about is the very last one... How do I allow devices from the "main network" to find my brother's Wi-Fi printer or the Chromecast on the TV that will be on the IoT network? (It's probably an easy config, but I haven't done it before)... To be honest I've never worked with VLANs and trunks before... But I'm learning.
Thank you all.
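The "default deny inter-VLAN, explicit allow" rule list from the answer above, written down as data and checked against sample flows before anything is typed into the router. This is an added example and is not part of the original post, nor the ER605's own rule syntax. The subnets and host addresses are the ones in the post; ADMIN_WORKSTATION and COORDINATOR_PORT are placeholders the post leaves unspecified, and the sample flows are constructed. It also shows why the mDNS question at the end is not a firewall-rule question: discovery packets go to link-local multicast, which the router never forwards.

```python
"""Inter-VLAN policy check for the home-network plan in the post above.

Added example (not from the post, not the ER605/Omada configuration format).
It models the plan's allow rules and evaluates constructed sample flows
against them, with everything unlisted denied by default.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Union

HOME_NET = ip_network("10.0.0.0/16")   # everything the ER605 routes internally
INTERNET = "internet"                  # sentinel: any address outside HOME_NET

# Subnets and hosts taken from the plan.
LAN = ip_network("10.0.10.0/24")
MGMT = ip_network("10.0.20.0/24")
CAMS = ip_network("10.0.30.0/24")
IOT = ip_network("10.0.40.0/24")
ZIGBEE = ip_network("10.0.50.0/24")
GUEST = ip_network("10.0.60.0/24")
HOME_LAB = ip_network("10.0.10.10/32")     # Unraid / Home Assistant
NVR = ip_network("10.0.30.10/32")
COORDINATOR = ip_network("10.0.50.10/32")

# Placeholders: not given in the post; take them from your own setup and the
# coordinator's documentation.
ADMIN_WORKSTATION = ip_network("10.0.10.20/32")
COORDINATOR_PORT = 6638  # hypothetical value, check the device docs

Target = Union[IPv4Network, str]


@dataclass(frozen=True)
class Rule:
    name: str
    src: Target
    dst: Target
    proto: str = "any"                 # "tcp", "udp" or "any"
    dports: frozenset = frozenset()    # empty = any destination port


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def _in(target: Target, addr: IPv4Address) -> bool:
    """Membership test that understands the INTERNET sentinel."""
    if target == INTERNET:
        return addr not in HOME_NET and not addr.is_multicast
    return addr in target


# Ordered allow list; anything not matched is denied (the plan's default).
# Only the initiating direction is listed: replies are left to the router's
# stateful connection tracking.
RULES = [
    Rule("homelab->nvr (RTSP + web UI)", HOME_LAB, NVR, "tcp", frozenset({554, 80, 443})),
    Rule("homelab->zigbee coordinator", HOME_LAB, COORDINATOR, "tcp", frozenset({COORDINATOR_PORT})),
    Rule("home assistant->iot", HOME_LAB, IOT),
    Rule("iot->internet only", IOT, INTERNET),
    Rule("guest->internet only", GUEST, INTERNET),
    Rule("admin->management", ADMIN_WORKSTATION, MGMT),
    Rule("nvr->internet (Hik-Connect)", NVR, INTERNET),
]


def evaluate(flow: Flow) -> tuple:
    """Return (decision, reason); decision is "allow", "deny" or "not-routed".

    mDNS (UDP 5353 to 224.0.0.251) is link-local multicast: routers do not
    forward 224.0.0.0/24 at all, so no firewall rule can make discovery cross
    VLANs; that needs a reflector/proxy.
    """
    if flow.dst.is_multicast:
        return "not-routed", "link-local multicast is not forwarded between VLANs"
    # Traffic that stays inside one subnet is switched, never routed.
    for net in (LAN, MGMT, CAMS, IOT, ZIGBEE, GUEST):
        if flow.src in net and flow.dst in net:
            return "allow", f"same VLAN {net}, never reaches the router"
    for rule in RULES:
        if not _in(rule.src, flow.src) or not _in(rule.dst, flow.dst):
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        return "allow", rule.name
    return "deny", "no explicit allow rule (default deny inter-VLAN)"


def check_plan() -> dict:
    """Evaluate a constructed set of flows the plan should get right."""
    samples = {
        "homelab rtsp to nvr": Flow(ip_address("10.0.10.10"), ip_address("10.0.30.10"), "tcp", 554),
        "homelab ssh to nvr": Flow(ip_address("10.0.10.10"), ip_address("10.0.30.10"), "tcp", 22),
        "other pc rtsp to nvr": Flow(ip_address("10.0.10.50"), ip_address("10.0.30.10"), "tcp", 554),
        "iot vacuum to homelab": Flow(ip_address("10.0.40.120"), ip_address("10.0.10.10"), "tcp", 8123),
        "home assistant to vacuum": Flow(ip_address("10.0.10.10"), ip_address("10.0.40.120"), "tcp", 80),
        "iot to internet": Flow(ip_address("10.0.40.120"), ip_address("203.0.113.5"), "tcp", 443),
        "guest to switch mgmt": Flow(ip_address("10.0.60.200"), ip_address("10.0.20.2"), "tcp", 443),
        "camera to camera": Flow(ip_address("10.0.30.11"), ip_address("10.0.30.12"), "tcp", 554),
        "pc mdns query": Flow(ip_address("10.0.10.50"), ip_address("224.0.0.251"), "udp", 5353),
    }
    return {name: evaluate(flow)[0] for name, flow in samples.items()}


if __name__ == "__main__":
    for name, decision in check_plan().items():
        print(f"{decision:10s} {name}")
```

Running it prints one line per sample flow; anything you expected to be allowed but see as "deny" is a rule you still have to add, and anything allowed that you did not expect is a rule that is too broad.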

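For the last question (finding the printer and the Chromecast from the main network), here is what the "Avahi proxy" option from the answer looks like in practice. This is an added example, not from the post: an avahi-daemon.conf for a Linux host (a small container or VM on the home lab, for instance) that has a tagged interface in both VLAN 10 and VLAN 40. The interface names eth0.10 and eth0.40 are assumptions, and reflect-filters requires Avahi 0.8 or newer.

```ini
# /etc/avahi/avahi-daemon.conf (added example; interface names are assumptions)
[server]
use-ipv4=yes
use-ipv6=no
# Only listen on the two VLANs that need discovery; keep guest, cameras and
# management out of it entirely.
allow-interfaces=eth0.10,eth0.40

[reflector]
# Re-announce mDNS records heard on one allowed interface onto the other one.
enable-reflector=yes
# Avahi 0.8+: reflect only the service types you actually need, not every
# record on the IoT VLAN (Chromecast and IPP printers here).
reflect-filters=_googlecast._tcp.local,_ipp._tcp.local
```

The reflector only carries the discovery announcements. Once the PC or phone has found the device, the cast or print session itself is ordinary unicast traffic from the trusted VLAN to the IoT device, so the ER605 still needs an allow rule for it (typically TCP 8008/8009/8443 to the Chromecast, TCP 631 and 9100 to the printer); the replies come back through the router's stateful tracking, so nothing has to be opened from IoT towards the main network.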