Shared Cable VLAN LAN & WAN

lunkens

New Around Here
Hi there, fellow members of this great forum. I've been helped many times by searching and reading all the posts. But now I came across a problem which I cannot find an answer to. Or at least, I do not know how to search for the solution.

Problem: WAN/LAN cabling

I have a fibre modem WAN port (RJ45) in Location1. A single cat5e is routed to Location2 where my router/gateway is located (pfSense on a VM on a QNAP TVS-671). Port4 is set up as external only for incoming WAN and port3 is in bridge mode. Another switch is connected here to supply ethernet to devices in Location2. No problems.

Now the big problem. Location1, where the modem is located, also has clients who need LAN from Location2, but there's only one physical cat5e between Location1 and Location2.

Is it possible to have VLANs set up for this to work?

WAN Modem location1 -cat5e-> location2 pfSense(VPN Gateway, router and so on) and LAN back to location2 with the same physical cat5e as the incoming WAN?
 
[attachment: image.jpeg]
 
This can be done. Personally I would use two managed switches, one on each side of the link, to do it (like your picture shows, except I can't read the VLAN info in the pic). Don't know your bandwidth requirements, but you will be limited to Gigabit ethernet shared by your internet connection and your clients on that side.
 
The edge router (avoiding certain company names) should be able to create/manage the VLANs for the LAN side...

L3 switches can act as routers, no doubt, but better to have a router there on the ingress, as firewall/gateway concerns apply here for the LAN side...
 
I'm getting a bit confused. Do I need a L3 switch for this to work or an extra router?

Or would a simple L2 managed switch with VLANs and tagging (802.1Q) be enough?

My Qnap with pfSense acts as router and a VPN client for the 250Mbps internet.

I want to split up the one cable combining location1/2 with VLANs so only the QNAP sees the WAN for a public address.

So the idea with the picture is that the managed switch at location1 would have incoming internet on port1 (vlan10), port8 (trunk vlan10/20), rest of the ports (vlan20).

Location2: port1 (trunk vlan10/20), port5 (vlan10), the rest of the ports (vlan20).

All LAN clients on vlan20 and WAN on vlan10, which only my QNAP (pfSense) receives.

Why it's my QNAP is because in the coming weeks I have a 500Mbps link to the internet, and with VPN AES-256-CBC at that speed I need some pretty powerful CPU, I suppose.
 
Yes, it will work with L2 switches. Just remember both VLANs will share the 1GB/s connection bandwidth on the one cable.
 
I got myself a UniFi US-8-150W for the main switch, powering a controller from C4 via PoE+, and at the other end a Netgear GS108T which is "PD" powered by PoE.

The port with the incoming WAN: should that be a VLANx or just untagged?

I'm thinking like this:

Loc1 (US8): port1 (WAN) untagged, port2-7 vlan1, port8 untagged+vlan1 (this goes to port1 in Loc2 (GS108T))

Loc2 (GS108T): port1 untagged+vlan1 (connected from US8 port8), port2 untagged (WAN) to router, port3-8 vlan1

With this config my intention is that only the router WAN port sees the internet. All the rest of the equipment is on vlan1.
 
A lot of your setup depends on your switches. What I like to do is create new VLANs for all traffic and not use the default VLAN. Anyway you do it though, you need to have at least two VLANs. One for WAN traffic and one for LAN traffic. There should be one VLAN already on your switches. Usually VLAN1 and it is the default. Personally I don't like to use the default VLAN, but if you choose to use it I would use it for LAN traffic and put the WAN in a different VLAN.
 
You can do this with vlans, but is there any reason why you aren't putting your router on the front end instead of the back end? A bit clearer of a setup and if the cable between the two locations goes down, only half your network will lose its gateway.
 
With the VLAN setup, do port 1 on switch 1 and port 5 on switch 2 (internet ports) need to be tagged VLAN ports or just access ports? TP-Link.
 
I have got this setup (or similar) working using cheap smart TP-Link switches, thanks to the original poster.

DSL modem at the bottom edge of the house, Asus router now upstairs in the dead center of the house, WAN/LAN on the same cable.

[screenshots: attic vlan.PNG, attic pvid.PNG, lower vlan.PNG, lower pvid.PNG]
 
For the experts, does this look okay? No chance of any WAN stuff hitting the LAN directly?
 
Yes, that looks fine. Personally I would create another VLAN on each switch, put port 1 as untagged in that VLAN and set the PVID to that VLAN. You really don't have to do that, but I do it to make sure no untagged packets get sent over the bridge on the default VLAN. Either way, you really want both sides of the trunk on the same default VLAN (some switches will let you know of the mismatch). Once again, it would probably work without, but if you're not going to create the extra VLAN then change the PVID on switch 2 port 1 from 102 to 101 to match switch 1. Note: I am assuming port 8 on switch 1 and port 5 on switch 2 are your WAN ports and port 1 on each switch is your trunk.
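As an added illustration (not the thread's own configuration or any vendor's tool), here is the VLAN plan from the earlier posts (WAN on VLAN 10, LAN on VLAN 20, trunk on switch1 port 8 / switch2 port 1) as a small 802.1Q forwarding model in Python: it checks whether a broadcast from the modem can reach any LAN port and whether the two trunk ends have matching PVIDs. Port numbers follow the plan above; the port roles are assumed.

```python
# Constructed 802.1Q forwarding model of the two-switch plan in this thread.
# Port roles are assumed: sw1 port1 = modem, sw1 port8 <-> sw2 port1 = trunk,
# sw2 port5 = pfSense WAN port, every other port = LAN client.
WAN, LAN = 10, 20

def port(pvid, members):
    """members maps VLAN id -> 'T' (egress tagged) or 'U' (egress untagged)."""
    return {"pvid": pvid, "members": members}

ACCESS_WAN = port(WAN, {WAN: "U"})
ACCESS_LAN = port(LAN, {LAN: "U"})
TRUNK = port(LAN, {WAN: "T", LAN: "T"})      # same PVID on both trunk ends

SW1 = {1: ACCESS_WAN, 8: TRUNK, **{p: ACCESS_LAN for p in range(2, 8)}}
SW2 = {1: TRUNK, 5: ACCESS_WAN, **{p: ACCESS_LAN for p in (2, 3, 4, 6, 7, 8)}}
SWITCHES = {"sw1": SW1, "sw2": SW2}
TRUNK_LINK = {("sw1", 8): ("sw2", 1), ("sw2", 1): ("sw1", 8)}  # the one cable

def flood(sw, ingress, tag=None):
    """End-device (switch, port) pairs a broadcast reaches after entering
    switch `sw` on `ingress`; tag=None is an untagged frame classified by PVID."""
    vid = tag if tag is not None else SWITCHES[sw][ingress]["pvid"]
    reached = set()
    for p, cfg in SWITCHES[sw].items():
        if p == ingress or vid not in cfg["members"]:
            continue                              # not a member: frame is dropped
        egress_tag = vid if cfg["members"][vid] == "T" else None
        if (sw, p) in TRUNK_LINK:                 # crosses the cable, keeps the tag
            far_sw, far_port = TRUNK_LINK[(sw, p)]
            reached |= flood(far_sw, far_port, egress_tag)
        else:
            reached.add((sw, p))
    return reached

def wan_leaks_to_lan():
    """Ports a frame from the modem reaches other than the router's WAN port.
    An empty set means the WAN VLAN is contained."""
    return flood("sw1", 1) - {("sw2", 5)}

def lan_reaches_wan():
    """Ports on the WAN side that a LAN broadcast (sw1 port2) can reach."""
    return flood("sw1", 2) & {("sw1", 1), ("sw2", 5)}

def trunk_pvid_mismatch(trunk_a, trunk_b):
    """The check behind 'keep both trunk ends on the same PVID': an untagged
    frame on the trunk is classified by the local PVID, so differing PVIDs
    would land it in a different VLAN on each side of the cable."""
    return trunk_a["pvid"] != trunk_b["pvid"]
```

Run `wan_leaks_to_lan()` and `lan_reaches_wan()` after changing a port's membership to see which edit opens a path between the two VLANs.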
 
Yes, that's right. Thanks for the advice, I will amend later!
 
I appear to be having a slight issue with this setup. For the most part it works fine; it is when the equipment is off for an extended period and turned back on again that the internet connection will not re-establish.

The strange thing is, if I go and get my router and plug it directly into the modem, establish a connection, then power the router off, move it back to the VLAN setup and power it on, the internet connection re-establishes fine. In effect, I have to jump-start the connection.

My internet is PPPoE over VDSL. To me this seems like the initial PPP session doesn't work for some reason but stays alive on the ISP side long enough to enable me to move my router. PPPoE discovery failing? https://en.wikipedia.org/wiki/Point-to-point_protocol_over_Ethernet

What could be the cause of this? Does PPPoE not like VLANs? Is there a setting I should change on the router? Should I tag all the WAN ports?

"Timeout waiting for PADO packets" is what appears in the router's log.
 
I mirrored port 5 on the 5-port switch and ran Wireshark, and I could see the PADI broadcast from the Asus router but no response, hence the timeout waiting for PADO.

I don't really understand this as surely that means the broadcast is making it across the vlan to the modem and there should be a response from the ISP.
 
Quite confusing, could it be some sort of MAC address mixup?

I think PPPoE relay/half bridge might be a potential workaround.
 