PC Access Across Multiple VLAN

cdikland

Regular Contributor
Below is a rough image of something I am considering, if my objective is at all possible. To the Netgear GS108T switch I have added two additional VLANs. VLAN 10 would include most of my PCs and printers. VLAN 20 would be all my home automation (HA) devices such as Hue, SmartThings hubs, cameras, etc. I know this setup works; however, I cannot figure out how PCs on VLAN 10 can connect to HA devices or other LAN devices connected to VLAN 20. The way I have the GS108T set up now, devices on one VLAN cannot see, let alone access, anything on the other VLAN. Is this something I can overcome with this or any other smart switch setup?

setup2.jpg
 
If your Eastlink modem is truly bridged I don't see how the above diagram is working correctly. Nonetheless, if you want two VLANs that are on separate subnets to talk you need a router (a real router, not the consumer router/gateways), or a routing switch (layer 3 switch, or possibly even a layer 2+ switch).
You could possibly do it with port-based VLANs if you're only talking a single switch and a single subnet, but that method is not really secure.
 
I always assign separate networks to VLANs. This does require routing at layer 3, which requires a device that will route, be it a router or a switch.
 
1. Why do you have more than one device connected to a bridged modem?
2. To communicate between VLANs, which are virtual L2 broadcast domains, i.e. logical switches which segment your network entirely, you need to route between them. This requires a VLAN-aware router or L3 switch.

I am not aware of any consumer router with direct support for VLANs (*). You would need a SOHO or SMB/enterprise router to do it conveniently or run third party firmware and pray. In many cases, such routers automatically allow inter-VLAN traffic and require you to configure their IP firewall to limit the traffic (good security design suggests configuring the reverse of that, i.e. deny all traffic and only allow exceptions).

An alternative is to run Merlin firmware on the Asus and use its command line tools for VLANs, but it is not a convenient or trivial option.

Another alternative is to run a router operating system on one of your PCs, but that requires strong technical skills and leaving a PC always on.

Even the cheapest L3 switch is far more expensive than a VLAN-aware router. So, if you are serious about VLANs, your cheapest and most convenient option would be something like getting a Ubiquiti Edgerouter X ($50?), connecting it solely to the modem, and re-configuring your existing wireless routers as pure access points (AP mode). They should connect to the ER-X directly or to the switch.

(*) I forgot that Draytek, best known for DSL routers, do support VLANs. Ubiquiti would still be cheaper and much more powerful though since the Draytek VLAN support is limited.
 
Well, through sheer determination, trial and error and a whole lot of luck, I have it working. Here is what I did to the above configuration.
Deleted VLAN10 (didn't need it)
GS108t Port 1-6 are the default VLAN 1.
GS108t Port 7-8 are VLAN 20
VLAN1 Members - ports 1 -7
VLAN20 Members - port 1, 7-8
16 port switch connected to port 1 (switch has router and 2 pcs connected to it)
ports 2-6 are not connected
R6 pc connected to port 7
R7000 connected to port 8
AC68U router - 192.168.1.1 (dhcp server)
R7000 router - 192.168.1.4
R6 static IP with R7000 as gateway. (I want to force it to use the R7000 for WAN access)

The R6 accesses the WAN via the R7000 and has access to everything within VLAN1 including the Ac68U
The other PCs access the WAN via AC68U and can access shares on the R6. They cannot see/access the R7000.
I am mostly mystified on why this is working :)
I should point out this is not the final objective. I am trying to separate all my Home Automation (HA) setup(s) from normal regular wifi activity. When all said and done, all PCs, printers etc will be on one VLAN while all HA will be on the other.

Below is an image of the GS108T configuration. I look forward to any suggestions, criticism or advice to improve on what I've got.

vlan.jpg
 

Could you please re-upload the image? Just seeing a 'x' now.
 
I have a question on your setup, as this is not the way I set up VLANs. I noticed you have ports 1 and 7 as members of both VLAN1 and VLAN20. Also it shows ports 1 and 7 as untagged. So if the traffic is untagged, how is the traffic differentiated since there are no tags? In the Cisco world all untagged traffic belongs to the default VLAN. If you are going to say PVID, isn't there just 1 per port?
 
This works because you have ports that are members of both VLANs. As coxhaus has said, this is not the way to really set up VLANs. Also, you are using a single subnet across multiple VLANs. When you do this, you create a security risk. The best way to do what you want is with a router. If you do not want to purchase a router and you are okay with losing some of the security gains of using multiple VLANs (because of a single subnet), then you can likely do what you want. Reference the article below. It should show you how to do what you are looking to do:
https://www.smallnetbuilder.com/lanwan/lanwan-howto/30071-vlan-how-to-segmenting-a-small-lan
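The two questions above (how an untagged frame on ports 1 and 7 is assigned to a VLAN, and why the posted configuration works at all) come down to two switch rules: an untagged frame entering a port is classified into that port's PVID, and a frame only leaves a port that is a member (tagged or untagged) of that frame's VLAN. The following small model, added here as an illustration and not code from the thread or from Netgear, applies those two rules to the port membership and PVIDs posted earlier (VLAN 1 untagged on ports 1-7, VLAN 20 untagged on ports 1, 7 and 8, PVID 1 on ports 1-6, PVID 20 on ports 7-8). The MAC labels and the `Port`/`Switch` names are constructed for the example.

```python
# Added example (not code from the thread or from Netgear): a minimal model of an
# 802.1Q switch that classifies untagged frames by the ingress port's PVID and
# forwards only to ports that are members of that VLAN. Port numbers, PVIDs and
# membership are taken from the configuration posted in the thread; MAC labels
# are constructed.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    pvid: int                                    # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)   # VLANs sent out of this port without a tag
    tagged: set = field(default_factory=set)     # VLANs sent out of this port with an 802.1Q tag

    def member_of(self, vid):
        return vid in self.untagged or vid in self.tagged


class Switch:
    def __init__(self, ports):
        self.ports = ports
        self.fdb = {}  # (vid, mac) -> port; MAC learning is per VLAN

    def forward(self, in_port, src, dst, vid=None):
        """Return {port: 'tagged'|'untagged'} for every port the frame is sent out of."""
        p = self.ports[in_port]
        if vid is None:
            vid = p.pvid                     # untagged frame: classified by the port's PVID
        elif not p.member_of(vid):
            return {}                        # ingress filtering: tag for a VLAN this port is not in
        self.fdb[(vid, src)] = in_port
        known = self.fdb.get((vid, dst))
        if dst != BROADCAST and known is not None:
            targets = [known]
        else:
            targets = [n for n in self.ports if n != in_port]   # flood within the VLAN
        out = {}
        for n in targets:
            if n == in_port:
                continue
            q = self.ports[n]
            if vid in q.untagged:
                out[n] = "untagged"
            elif vid in q.tagged:
                out[n] = "tagged"            # non-member ports never see the frame
        return out


def thread_switch():
    """GS108T as posted: VLAN 1 untagged on ports 1-7, VLAN 20 untagged on 1, 7, 8,
    PVID 1 on ports 1-6 and PVID 20 on ports 7-8."""
    ports = {n: Port(pvid=1, untagged={1}) for n in range(2, 7)}
    ports[1] = Port(pvid=1, untagged={1, 20})
    ports[7] = Port(pvid=20, untagged={1, 20})
    ports[8] = Port(pvid=20, untagged={20})
    return Switch(ports)


def can_talk(sw, a, b):
    """True only if an untagged broadcast from a reaches b AND one from b reaches a."""
    return (b in sw.forward(a, f"mac-{a}", BROADCAST)
            and a in sw.forward(b, f"mac-{b}", BROADCAST))


def explain():
    sw = thread_switch()
    return {
        "vlan_of_untagged_frame_on_port_7": sw.ports[7].pvid,
        "16port_switch(1) <-> R6(7)": can_talk(sw, 1, 7),     # works: port 1 is untagged in both VLANs
        "16port_switch(1) <-> R7000(8)": can_talk(sw, 1, 8),  # fails: VLAN 1 frames never leave port 8
        "PC on port 5 <-> R6(7)": can_talk(sw, 5, 7),         # one-way only: R6's replies are VLAN 20
        "R6(7) <-> R7000(8)": can_talk(sw, 7, 8),
    }


if __name__ == "__main__":
    for name, result in explain().items():
        print(f"{name}: {result}")
```

Running it reproduces what was observed: devices behind port 1 reach the R6 and the R6 reaches them, because port 1 is an untagged member of both VLANs and carries each direction's reply; a VLAN 1 device never reaches the R7000 because port 8 is not a member of VLAN 1. The model also shows that the "separation" here depends entirely on which port a device is plugged into, not on any enforced boundary: with one subnet and a port that is a member of both VLANs, traffic crosses between them without any router or firewall in the path, which is the security risk mentioned above. Real switches differ in the details (shared versus per-VLAN MAC learning, whether ingress filtering is on), which is part of why such setups behave unpredictably.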
 
First of all, I have/had no idea what I was doing ;) when I set this up. My main objective was to remove some of the load from the AC68U and place it on the R7000. The former was being outperformed by an old Asus N66 connected to another WAN port on the same Eastlink modem. Granted, the N66 only had 2 PCs, a printer and a phone connected, but it was getting close to 400Mbps download vs the AC68U, which maxed out at 260Mbps. That speed jumps up when I start shutting down some of the devices connected to this modem. Hence my plans to "load-balance" my home network devices.
With that in mind, if by "security risks" you mean between the two VLANs, then this should not really be an issue, correct? Of course I could simplify this just by replacing my modem(s) with something more powerful.

BTW: I have tried tagging, untagging, etc. each of the different ports and/or a combination thereof, but once I do I usually lose connection between different VLAN devices. Can you tell from my configuration above which ports you would tag/untag? In the meantime I will do a bit more reading of the article you posted above.
 
In your posted configuration, you will not use any tagged ports. To use tagged ports you would need VLAN-aware devices (like a router or another smart switch). The article I linked to should show you how to do exactly what you want to do. Try to use it as a guide and if you hit problems after trying it, post them and we will see if we can figure out what is wrong.
 
Routers run at layer 3 and VLANs are layer 2 devices so I am not sure you will accomplish splitting the load across routers without assigning networks to VLANs. What you will do is limit broadcast domains.

The purpose of VLANs is to segment traffic to limit broadcast domains. When you have large numbers of clients in a domain the network slows down, so VLANs are a way of controlling this. It is also a security feature nowadays.

I setup VLANs the simplest way I know and that is just like if you have 2 separate networks. Two separate switches totally independent. In VLANs I am doing a logical separation of networks on the same physical switch just the same as 2 separate switches with 2 separate networks. Otherwise when you get into lots of switches passing traffic becomes too complex.

I don't have an answer for you on setup as I always assign a network to each tagged VLAN, which will require a router or layer 3 switch to route at layer 3. I always try to work at layer 3.
 
Well, I read the article (several times) and I think I pretty much have what is described. The only exception(s) I see is that I have two routers connected to the switch and am using only 2 VLANs. Here is the most current working setup, with all 3 PCs connected to ports 5, 6 and 7 and the R7000 router connected to port 8. The remaining devices I am using in this experiment are connected to port 1 (VLAN 1).
All devices within VLAN 20 use the R7000 for internet access. The VLAN 1 devices, by default, use the AC68U. I need to do a lot more thinking about this. :)

vlan2.jpg
 
So is it working like you want it to? I am trying to go back through your posts to see exactly what you wanted it to do, but it is getting overwhelming. If it's not working like you want, let us know what's not working and also restate exactly what you want it to do.
 
I think you are confusing routers and VLANs. Routers are layer 3 devices which divide networks. VLANs are layer 2 logical collections to limit broadcast domains. You say you want to share the load across your routers. This really can't be done with these small routers. You can plug 1 router into another router's WAN port and divide your network. You will need to setup the front router to route all traffic from the internet for the second router's network to the second router's WAN port. You may want to turn off the firewall on the second router. But this is all that comes to mind with these small routers. If you use only the LAN side of a router you are just adding more ports to your network.

I think adding your VLANs is just making a complicated network. They seem to serve no purpose.
 
I agree with coxhaus in that this whole scenario falls apart if your Eastlink ISP modem is not delivering two public IPs on two different interfaces. If it is not, then it could still work if the Eastlink is actually a router/modem not in bridged mode, though you would have a double NAT scenario then.
 
Well, one step forward, two back :( I thought I was getting close to understanding this. I got lost with the mention of the router setup. You do realize that each router has its own public IP? The Eastlink modem has 4 WAN ports. Currently any of my PCs connected to VLAN 20 use the R7000 and my download speed is (usually) anywhere from 350-375Mbps. If I connect a PC to VLAN 1 my router becomes the AC68U and my download speeds drop down to 260Mbps. If I move the routers from one VLAN to the other I still get the best speed, albeit not quite the same, using VLAN 20, which now has the AC68U connected to it. This to me suggests I have a lot of activity/overhead on VLAN 1, hence the reduced speeds regardless of which of the routers I use. Am I wrong in this assumption?
 
If you have two public IP's then carry on as you were. It is weird that one is faster than the other though since I assume the Eastlink has only one physical line coming into it. Are you testing the speeds on a wired connection or wireless?
 
Yes, all tests were wired. Yup, there is only one Eastlink cable coming in, but would the different speeds not be due to the activity on the router?
BTW, I started all this because my wife's old N66 router, which is connected to the same modem but nothing else, consistently blew the AC68 out of the water.
 
If each router has a WAN IP then you can use 2 routers set up manually to share the internet connection. You cannot load balance across these small routers, as there is no gateway of last resort so that if 1 router fails the other one can take over. You need to explain to me how your DHCP setup works with your 2 routers. Are you using the default DHCP gateway IP address for your clients? Do your routers support VLANs?

I don't think your switch is sharing traffic across VLANs since you have all traffic untagged and there is no way to distinguish traffic. If I am wrong please explain.
 