Simple VLAN setup - help please


simpleuser6

Hi all,

My first post here but I have been lurking around to gain knowledge of networking. My current setup is a very simple home networking solution: Xfinity 1g speed, Arris SB8200, Asus RT-AC3100 with Merlin FW.

My issue is setting up a VLAN using my current setup. I'm currently working at home; however, our company IT wants a LAN separated from the rest of the network (no wifi, no home devices and so on). They suggested a few other pieces of equipment, but they cannot help with the setup; they can only work on their systems, which is understandable.

IT did suggest creating a VLAN from the router itself. Well, that's the thing I don't know about. What they are installing is a small server, a desktop and a phone for conference calls. As long as 1 LAN port is dedicated to that equipment, I'm all set. I'm assuming they also want remote access, hence the need for a VLAN?

The diagram looks something like this; Router LAN port 4 to a switch then server, desktop, phone, printer.

My technical skills are capable of doing things with good instructions. I have not used jffs, telnet, DD-WRT and command lines and so forth.

My other solution was to follow their suggestion to purchase their recommended equipment, but that seems complicated and an additional cost. I would prefer to try with Asus first.

Thanks for all the advice you can give and I look forward to working with you guys!


PS: I apologize if I posted in the wrong thread, feel free to move as necessary.
 
The stock Asus firmware and Merlin's do not support VLANs. There are some user-created scripts that attempt to do so if you're prepared to go down that route. You're probably better off going with whatever solution your IT department is familiar with.

How will you be connecting your home network to the company's network? Through a VPN? That might have a bearing on what equipment you need.
 
I'm not sure how they would connect to company and home. The proposed solution is a "smart switch" and something else. Additional cost was $450. Even if I purchase the equipment, I would still need to do the initial setup, as they would only begin their part of the work when connections are complete; then they'll troubleshoot as needed.
 
I think we would have to see a lot more of the technical detail of their proposed solution before we could recommend any sort of equivalent. Especially what this "something else" device is.
 
Colin, you're right I'll get some details tomorrow and will post asap.

@simpleuser6 Welcome to snbforums
Check out this thread. All the info you need to setup a VLAN on your Asus router.
https://www.snbforums.com/threads/help-setting-up-vlan-on-asus-rt-ac68u.49312/
I would think that any further questions would be best posted in that thread. ;)

Maybe @Martineau can share his script with you?
After getting the hang of using scripts on my router, this VLAN script was easy to use.

58chev, I'll take a look at your suggestion. Like I said, I haven't really tinkered around with scripts but I'm willing to give it a shot. My purpose is also to learn and educate myself with networking, it couldn't hurt to know a little more. My fear is screwing something :)
 
You may find this inexpensive managed switch the easiest solution to creating a VLAN within your home network - but of course it will serve wired connections only. https://www.tp-link.com/us/products/details/cat-5711_TL-SG108E.html#specifications .

It can be purchased from Amazon - in which case you are encouraged to use the SNB Amazon link to support this forum.
https://www.amazon.com/dp/B00K4DS5KU/?tag=snbforums-20

Check with your Company's IT first so they can confirm they will be happy with the switch and its VLAN capabilities.
I have used the TP-SG108se successfully in my home environment for similar office connection and other purposes.
 
The listing describes it as unmanaged rather than managed.
 
No idea why it describes it that way because it is in fact a "managed" switch - although not in the same way as the heavy weight switches from HPE or Cisco.
 
I think this would be fairly easy with a Cisco RV340 router. I paid $151 for my RV340 brand new from a Cisco partner. You would need to use your current router as an AP for wireless as the RV340 is a wired only router.
 
Thanks for all the replies!

IT dudes came to the house but weren't able to finish the setup.

They brought a switch, a Netgear ProSafe GS108Tv2. They were able to configure VLANs on the switch. However, the router doesn't "natively" support VLANs and it doesn't connect to the internet. I'm lost on that one.

Now, since the Asus ac3100 isn't applicable, they recommended a wired router, which would make the RT3100 an expensive access point. Recommendation was a Ubiquiti EdgeRouter; looks cool but I don't have that kind of experience to configure it. (Again, they only come to configure their part.)

I asked if they can write scripts on the router but they're not allowed to.

So, I'd rather keep the router because I like it and it's working perfectly fine.

Options:
1) keep it and write scripts (I only have a week)

2) purchase wired router and keep it as AP

3) return it to get a cheaper AP (still want to keep it)

By the way, IT guys always that quiet? Short answer kinda guys but loaded with knowledge.
 
Did you actually purchase the Netgear GS108Tv2? Can you return it? :)

For the costs involved, I would simply buy an RT-N12D or similar and have it used as a router (yes, double NAT) behind your main router on a different private IP subnet (if your main router is 192.168.x.x, use 10.0.x.x on this one). Connect the company's devices to that.

The costs, complexities, and troubleshooting necessary will be greatly simplified and the time to set this up will be next to nil. When the time comes to replace/upgrade your main router, it won't affect the work devices too. ;)
 
No I didn't buy it. They brought it with them. Life is definitely easier going to work in an office lol! Your solution is a lot cheaper than what they've been suggesting. And yes, it's been a week trying to figure this out. I'm not an IT guy, just an enthusiast willing to learn. One day, wife might want a RING doorbell and gotta figure that out too lol.

Could there be something I incorrectly configured during the initial setup? Whether true or not, he said that they were able to use a managed switch with ISP provided equipment, netgear, linksys routers.

What bothers me is that, he doesn't want to get inside the asus router. He would just stick the ethernet in and go from there, when it doesn't work he'll say try this and that. :eek::mad:
 
Yes, something could have been incorrectly configured, but the 'IT' guy should have caught it (via testing). Still would be more expensive and more complex though, in the long run (would your company reimburse you for all these extra costs). And, you'd have to rely on those non-talkative IT guys, indefinitely! :)
 
There's still too many unanswered questions to my mind.

I get that if they used the GS108Tv2 and an EdgeRouter (is this the "other" device?) they could create the separate VLANs. But I don't understand how they can say they can use "a managed switch with ISP provided equipment". That equipment is just like your Asus in that they don't have VLAN support.:confused: Maybe they mean that they would use the EdgeRouter in addition to the ISP equipment and the switch?

Then there's still the question of how this all links back to the office network. As pure speculation, perhaps the "server" they provide hosts a VPN client and your devices will use that as their gateway. So that begs the next question - where are the DHCP and DNS servers in this setup? Not on the GS108Tv2 because it doesn't do that. Not on the ISP equipment because they're not touching that. Maybe on the server itself?

Too many unknowns.....

If your IT people aren't adamant that you must use VLANs to separate the networks it might be easier to do as @L&LD suggested and just buy a second router and connect it to your current one. That would keep the networks apart but wouldn't achieve the same kind of separation that VLANs would.
 
I'm curious about that last sentence. Wouldn't physically different routers with wildly different private IP subnets be more secure and 'separate' than on a single device and separated only 'logically' by VLANs?
 
Not really, although it depends on the precise topology of the network. If all the routers/switches support VLANs then in theory you can stop packets from one VLAN traversing a particular physical switch or port (as well as logical separation). With a "router behind a router" setup all the packets from one of the networks have to traverse the switch on the other router to get to the internet. So in theory another device plugged into that switch could sniff the traffic of the other network. IP addresses are largely irrelevant here because we're just talking about Ethernet packets, and IP addresses are easy enough to spoof.

Depending on the organisation or application concerned different levels of separation may or may not be acceptable. I've worked in an environment where government regulations stated that the two networks used in a particular office had to be physically separate in every respect. When we asked about using VLANs they said that that was not good enough.
 
If the VPN router is double NATed behind your primary router and access to its administrative functions from the WAN is disabled, it is my opinion that it is every bit as secure as VLANs.

I agree that with some government regulations total separation might be required, which would mean having two modems, each acquiring an independent public IP, separate routers, cabling, etc., but even then security could be compromised by using a PC on both networks.
 
If they are that paranoid, they shouldn't let it into the home (or business) in the first place. ;)

Once inside, one has total access to it. Including, but not limited to, moving it off their 'recommended' equipment list for the more informed users among us. :)
 
I'd agree with that for the most part. VLANs are more applicable to environments with multiple switches and routers. At the moment we don't even know whether or not they're using a VPN, that was just speculation on my part. We also don't know why they are specifying the use of VLANs or whether other options are permissible.
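
An added example, not written by any poster in this thread: a Python check of the router-behind-router addressing plan suggested above (main router on 192.168.x.x, second router on 10.0.x.x), which also emits one iptables rule that stops work-side devices from opening connections into the home LAN. The concrete subnets, the inner router's WAN address, and the assumption that the inner router runs Linux firmware that accepts custom iptables rules are all hypothetical.

```python
import ipaddress


def check_plan(outer_lan, inner_lan, inner_wan_ip):
    """Return a list of problems with a router-behind-router address plan."""
    outer = ipaddress.ip_network(outer_lan)
    inner = ipaddress.ip_network(inner_lan)
    wan = ipaddress.ip_address(inner_wan_ip)
    problems = []
    for name, net in (("outer", outer), ("inner", inner)):
        if not net.is_private:
            problems.append(f"{name} LAN {net} is not private address space")
    # Overlapping ranges leave the inner router unable to decide whether a
    # destination sits on its LAN side or its WAN side.
    if outer.overlaps(inner):
        problems.append(f"inner LAN {inner} overlaps outer LAN {outer}")
    # The inner router's WAN port is just another client of the outer LAN.
    if wan not in outer:
        problems.append(f"inner WAN address {wan} is outside outer LAN {outer}")
    return problems


def isolation_rules(outer_lan, inner_lan):
    """Rule for the inner router (assumed to accept custom iptables rules).

    Double NAT already hides work devices from the home LAN, but by default
    work devices can still open connections to home-LAN addresses, including
    the outer router's admin page. Internet traffic is unaffected because its
    destination address is never inside the outer LAN. Work devices must use
    the inner router, not the outer one, as their DNS server.
    """
    outer = ipaddress.ip_network(outer_lan)
    inner = ipaddress.ip_network(inner_lan)
    return [f"iptables -I FORWARD -s {inner} -d {outer} -j DROP"]


if __name__ == "__main__":
    # Constructed sample plan: home LAN, work LAN, inner router's WAN address.
    plan = ("192.168.1.0/24", "10.0.0.0/24", "192.168.1.50")
    for problem in check_plan(*plan):
        print("PROBLEM:", problem)
    for rule in isolation_rules(plan[0], plan[1]):
        print(rule)
```

The rule does nothing about the point raised earlier in the thread that work traffic still crosses the outer router's switch; it only closes the work-to-home direction that NAT leaves open.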
 
