EdgeRouter X and VLAN Questions

beyonddc (Limp Gawd, joined Sep 25, 2002, 412 messages)
Hey guys,

I just bought myself an EdgeRouter X recently. I want to learn more about VLANs by configuring my home network with 3 VLANs.

As a high-level overview, my current setup consists of a modem/router 2-in-1 combo and a dumb switch, with everything living inside a single subnet: computers used for entertainment, NAS, printers and work computers.

I want to set up 3 VLANs:
VLAN 1 would be my printers and NAS
VLAN 2 would be entertainment computers
VLAN 3 would be work computers

My requirements are:
1) VLAN 1 can have bidirectional communication with VLAN 2 and VLAN 3.
2) VLAN 2 and VLAN 3 cannot talk to each other.

The EdgeRouter X has 5 ports. I know this is achievable by creating 3 subnets, assigning each subnet to one of the physical interfaces, and then using firewall rules to control traffic flow, but I want to configure this via VLANs as a learning experience.

I have never set up VLANs before, so this would be my first time.

My question is: do I need a smart switch to do this? I read about router on a stick, where I can create multiple VLANs on a single physical interface, connect it to a smart switch, and then configure the smart switch to designate which ports are for which VLAN.

Or can I set up the EdgeRouter to designate a VLAN per physical interface?

And please correct me if I am wrong on any of the statements I made.

Thanks!

Vengance_01 (Supreme [H]ardness, joined Dec 23, 2001, 6,309 messages)
To do this you are going to need some kind of managed switch. You would create the VLANs, then create an uplink port carrying all of those VLANs that would connect to your router, and you would create rules. Remember, for VLANs you are going to want different subnets, even if you carve up a class C 192.168.1.0/24 network into smaller subnets for your different VLANs. I am pretty sure you can find a cheap 8 or 16 port 1Gb smart or managed switch.

beyonddc (Limp Gawd, joined Sep 25, 2002, 412 messages)
To do this you are going to need some kind of managed switch. You would create the VLANs, then create an uplink port carrying all of those VLANs that would connect to your router, and you would create rules. Remember, for VLANs you are going to want different subnets, even if you carve up a class C 192.168.1.0/24 network into smaller subnets for your different VLANs. I am pretty sure you can find a cheap 8 or 16 port 1Gb smart or managed switch.

Thanks for your reply! Much appreciated!

Yeah, I actually just picked up a used Netgear GS108T v2 today just for this purpose. I will be setting up my VLANs using the router on a stick paradigm.

I mentioned setting a VLAN on each physical interface of the EdgeRouter X. Is this another way to set up VLANs? That way I wouldn't need a managed switch.

Cmustang87 (Supreme [H]ardness, joined Oct 4, 2007, 4,498 messages)
There is definitely more than one way to achieve this.

In Vengance_01's example, you are creating multiple VLANs on a single switch. This is essentially like breaking a switch into multiple autonomous segments. By default, devices on one VLAN cannot communicate with devices on another VLAN, even though they are connected to the same device.

In your example, you have:
  • VLAN 1 would be my printers and NAS
  • VLAN 2 would be entertainment computers
  • VLAN 3 would be work computers
With your new switch (Netgear GS108T), you can do this easily.

I mentioned setting a VLAN on each physical interface of the EdgeRouter X. Is this another way to set up VLANs? That way I wouldn't need a managed switch.

What you want to do is create your VLANs first on the switch. After they are created, they won't necessarily do anything right now. Then you need to decide which interfaces will belong to which VLAN, depending on which device is connected to each port. So for the sake of simplicity, let's say that ports 6 and 7 are on VLAN 3 and have 2 work computers attached. On ports 3-5, you have your entertainment computers. On ports 1 and 2 you have your printers and NAS.

From there, you need to configure the interface on the link from your Netgear to the EdgeRouter X. This will be on port 8.

The biggest hurdle people have when trying to grasp the concept of VLANs and how they work (thanks to Cisco) is tag, untag, trunking, access, per-VLAN ID ("PVID"), etc. The below definitions may help to refer to, but try not to get in the weeds on it.

"Access" and "trunk" are Cisco nomenclature.
"Tagged" and "untagged" are what basically all other vendors use.
"Default VLAN" - The built-in VLAN on a switch. It cannot be removed. This is VLAN 1.
"Native VLAN" - Cisco terminology, you don't need to worry about it. But if you're curious, it determines which VLAN incoming untagged frames belong to. For more info - https://rednectar.net/2012/03/11/the-access-vlan-is-dead-long-live-the-native-vlan/
"PVID" is to other vendors what Cisco calls access.

Access - An interface configured as an access port will only forward frames to other interfaces with which it shares the same VLAN.
Trunk - An interface type that is used primarily in switch-to-switch or switch-to-router configurations.
Tag - An identifier placed on a frame to identify which VLAN the source device exists in.
PVID - A method to instruct the switch to tag frames as they ingress on a specific interface. This is used for host machines that are not VLAN aware, so that the switch can forward their frames to other interfaces/devices that belong to the same VLAN.

In order to pass multiple VLANs through a single interface, you need to create a trunk. Without a trunk, any devices upstream would be blind to which VLAN a packet belongs to as it ingresses. So for this reason, a trunk on a switch will add a piece of information to the Ethernet frame called a VLAN tag (802.1q) as it egresses so devices upstream know that the original source was not on the native VLAN (VLAN1 on your switch) and tags will need to match as it makes its return trip.

It looks like this:

[image: upload_2017-4-16_22-52-48.png - diagram of the trunk link from the switch to the router; VLAN 1 untagged, VLAN 2 and VLAN 3 tagged]
That's one example of using VLANs to connect to a router.

Another example would be quite a bit different: instead of creating a trunk link, each VLAN on the switch has its own interface connecting to the EdgeRouter. In this example, you don't create logical interfaces; you just create Layer 3 interfaces on the router that correspond to the subnet in each respective VLAN.

[image: upload_2017-4-16_22-29-9.png - diagram with one switch port per VLAN connected to a separate router port]
As you can probably guess, this isn't an optimal setup because of the port cost on the switch. With this setup, you actually lose 2 interfaces on your 8 port switch.

Additionally, the concept of VLANs doesn't exist on your EdgeRouter. They are just their own routed interfaces. The IP address assigned to each interface in either example (whether logical or physical) would be the default gateway for any devices within its respective VLAN.

I hope this clears up any confusion or questions you have.

beyonddc (Limp Gawd, joined Sep 25, 2002, 412 messages)
Cmustang87, thanks for your reply.

I am a bit confused by the first diagram you posted. Why is VLAN 1 untagged while VLAN 2 and VLAN 3 are tagged?
Thanks!

=================

So I just did more reading on VLAN tagging.

Based on my reading, VLAN 1 is the default management VLAN and it usually defaults to untagged.

Perhaps I shouldn't use VLAN 1, and should create another VLAN for my NAS and printers instead.

Cmustang87 (Supreme [H]ardness, joined Oct 4, 2007, 4,498 messages)
Something to keep in mind - VLAN 1 always exists, no matter what. Every port on every switch belongs to VLAN 1 by default. Even on "dumb" (unmanaged) switches this is the case.

On a trunk link, any VLAN that is not the native VLAN will be tagged as it egresses. It doesn't matter what kind of device is on that VLAN. Basically it just boils down to that the trunk link still provides access to some kind of VLAN, but tags all other VLANs so upstream devices can understand.

Typically speaking in a home setup, people will use VLAN 1 for their normal home network and create additional VLANs for other purposes.

Vengance_01 (Supreme [H]ardness, joined Dec 23, 2001, 6,309 messages)
Success!

VLAN 10, 20 and 30 are up and running.

[image: vlan_zps9ie7161k.png - screenshot of the VLAN configuration]

I haven't played with the routing and firewall for access permissions between VLANs yet, but this is a good first step.
Let me know how you like the router. I am thinking of getting one as well.

Cmustang87 (Supreme [H]ardness, joined Oct 4, 2007, 4,498 messages)
Success!

VLAN 10, 20 and 30 are up and running.

/imgsnip

I haven't played with the routing and firewall for access permissions between VLANs yet, but this is a good first step.

Awesome, good work, and congrats!

You won't have to worry about routing since all subnets are directly attached to the router. You will need to do access rules, however, to permit traffic between the networks. Is Ubiquiti a ZBFW?
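The router-on-a-stick layout from Cmustang87's first diagram plus the access rules this reply says are needed, written out as an added EdgeOS configuration example (not from the thread or from Ubiquiti's documentation). It assumes eth1 is the link to the GS108T's port 8 and is not a member of switch0, uses VLAN IDs 10/20/30 in the roles of the original VLAN 1/2/3 so that nothing rides on the default VLAN 1, and assumes 192.168.10/20/30.0/24 as the subnets; the rule-set names are made up.

```edgeos
configure

# Switch side (GS108T, not EdgeOS): ports 1-2 untagged in VLAN 10 (PVID 10),
# ports 3-5 untagged in VLAN 20 (PVID 20), ports 6-7 untagged in VLAN 30
# (PVID 30), port 8 a tagged member of 10, 20 and 30 toward the router.

# Router side: one routed sub-interface (vif) per 802.1Q tag on the trunk.
# Each vif address becomes the default gateway for that VLAN (assumed subnets).
set interfaces ethernet eth1 description 'Trunk to GS108T port 8'
set interfaces ethernet eth1 vif 10 description 'Printers and NAS'
set interfaces ethernet eth1 vif 10 address 192.168.10.1/24
set interfaces ethernet eth1 vif 20 description 'Entertainment'
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
set interfaces ethernet eth1 vif 30 description 'Work'
set interfaces ethernet eth1 vif 30 address 192.168.30.1/24

# Requirement 2: entertainment (20) and work (30) must not reach each other.
# Drop at ingress on each vif; no protocol given, so the rule matches all.
# Everything else (VLAN 10 and the Internet) still passes via default-action.
set firewall name VLAN20_IN default-action accept
set firewall name VLAN20_IN rule 10 action drop
set firewall name VLAN20_IN rule 10 description 'Block entertainment -> work'
set firewall name VLAN20_IN rule 10 destination address 192.168.30.0/24
set interfaces ethernet eth1 vif 20 firewall in name VLAN20_IN

set firewall name VLAN30_IN default-action accept
set firewall name VLAN30_IN rule 10 action drop
set firewall name VLAN30_IN rule 10 description 'Block work -> entertainment'
set firewall name VLAN30_IN rule 10 destination address 192.168.20.0/24
set interfaces ethernet eth1 vif 30 firewall in name VLAN30_IN

# Requirement 1 (VLAN 10 <-> 20 and 10 <-> 30) needs no rule: the subnets are
# directly attached, so the router forwards between them unless a rule drops it.

commit
save
exit
```

Blocking in both ingress directions matters: dropping only 20 -> 30 would still let a work machine open connections into the entertainment VLAN.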
 

beyonddc (Limp Gawd, joined Sep 25, 2002, 412 messages)
Let me know how you like the router. I am thinking of getting one as well.

My previous router was a consumer Arris SBG6700-AC cable modem/router combo. It's not a fair comparison between that and the EdgeRouter X. I can say that there are just so many things you can do with the EdgeRouter X, and I really like it and it fits the bill!

I am using all my existing network devices. The two devices that I added are the EdgeRouter X and the Netgear GS108T smart switch.

I do need to get a new access point. I am probably going to get a cheap wireless router and use it as an access point and a dumb switch.


Awesome, good work, and congrats!
You won't have to worry about routing since all subnets are directly attached to the router. You will need to do access rules, however, to permit traffic between the networks. Is Ubiquiti a ZBFW?

According to this article, you can do ZBFW with the EdgeRouter, but a Ubiquiti employee said their zone-based firewall implementation is not as efficient as the ACL-based one.

beyonddc (Limp Gawd, joined Sep 25, 2002, 412 messages)
I must add that out of all my computers and smartphones, only one of them is acting a bit strangely after switching to this new network setup.

I have a WiFi access point. There's one desktop, one laptop, one iPhone 6 Plus and one LeEco Le S3 Android phone connected to it.

All devices can connect to the access point and gain Internet access.

Only the LeEco Le S3 Android phone has some minor issue loading websites. It can take a while. It almost feels like there's some issue with the DNS. When I run an Internet speed test from that phone, I get about 90Mbps. I consider that a pretty good speed.

What bothers me is that this is the only device that has that symptom. All the other devices that connect to the same access point have no issue. Loading websites is blazing fast on them.

beyonddc (Limp Gawd, joined Sep 25, 2002, 412 messages)
2.4 or 5.0GHz wireless radio for that device?

Both bands seem to have the issue. Again, it's only on that Android phone. My laptop, desktop and iPhone that connect to the same access point have no issue. Very strange...