Vlans

Discussion in 'Networking & Security' started by wizzi01, Nov 6, 2019.

  1. wizzi01

    wizzi01 2[H]4U

    Is there a site that's good to go to to learn about creating VLANs? Any tips? I am just trying to get my PoE cameras separated, but still access them over computers that need internet access. I do have an HP 1820 J9983A.
     
  2. ComputerBox34

    ComputerBox34 Right in the Box

    It's a bit more complicated than that. If you want devices from separate VLANs to communicate with each other, you need routing in between to route traffic between the subnets. This can be accomplished in a variety of different ways depending on several factors.
     
  3. scrappymouse

    scrappymouse n00b

    YouTube is a great resource for these things, but many people misunderstand VLANs from a security standpoint. Some people automatically think if you put devices in their own VLAN then they are magically safer...that's not the case. If you take out the "virtual" part, it's basically having two separate networks. Meaning that in order for the two networks to talk to one another you need to add the routes (and hopefully FW rules) to control the traffic between the two networks. Same thing with VLANs: you should need to add routes between the two...keep in mind some manufacturers will automatically add the routes between all VLANs (looking at you, Ubiquiti), negating at least one security measure for them. Thankfully those same manufacturers allow you to add FW rules between the VLANs to control the traffic.

    My point is this: yes, it's good to put your PoE cameras in their own VLAN, but if you then turn around and add routers between your two networks you'll be defeating the purpose entirely (I see it happen every day).

    You'll need to plan it out a bit more carefully.

    Step 1. Determine what devices in your main network need to talk to them.
    Step 2. Determine what ports they need to communicate on.
    Step 3. Plan your networks/FW rules accordingly.

    Just for reference here is how I have my IOT network separated.

    I put them all on their VLAN 192.168.1.0/24
    The network is a "guest" type (Ubiquiti); basically it means it is client isolated (devices can't talk to each other...no need in my setup, this may not work for your setup).
    That VLAN has an allow out to the internet, and allows sessions created from it to come back (established sessions).
    I've limited the DHCP scope to the exact number of devices that I expect to have connected.
    Any traffic from my IOT network that is destined to anywhere but the internet is explicitly dropped.
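    As an added illustration (not code from the thread or from any vendor), here is a small stateful rule evaluator that models the policy described above: client isolation, allow out to the internet, allow established replies back, drop everything else leaving the IoT VLAN. It also generalises steps 1 to 3 for the camera case by allowing one listed LAN host into the camera VLAN on listed ports only. The main-network subnet, the NVR host, the ports and all packets are assumptions constructed for the example.

```python
import ipaddress
from collections import namedtuple

IOT_VLAN = ipaddress.ip_network("192.168.1.0/24")   # the IoT VLAN from the post
LAN = ipaddress.ip_network("192.168.10.0/24")       # assumed main network
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Steps 1 and 2: which LAN host may enter the camera VLAN, and on which TCP ports
# (assumed: one NVR host, RTSP 554 and HTTP 80).
ALLOW_INTO_IOT = {("192.168.10.5", 554), ("192.168.10.5", 80)}
Pkt = namedtuple("Pkt", "src sport dst dport")      # a simplified TCP packet

class Firewall:
    def __init__(self):
        self.sessions = set()   # (src, sport, dst, dport) of flows already allowed

    def evaluate(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        # A reply to a session this firewall allowed earlier is let back in.
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "ALLOW established"
        if src in IOT_VLAN:
            if dst in IOT_VLAN:
                return "DROP client-isolation"
            if any(dst in net for net in PRIVATE):
                return "DROP iot-to-private"      # anything but the internet is dropped
            return self._allow(p, "ALLOW iot-to-internet")
        if src in LAN:
            if dst in IOT_VLAN and (p.src, p.dport) not in ALLOW_INTO_IOT:
                return "DROP lan-to-iot-not-listed"
            return self._allow(p, "ALLOW lan")
        return "DROP default"                     # e.g. an unsolicited "reply" packet

    def _allow(self, p, verdict):
        self.sessions.add((p.src, p.sport, p.dst, p.dport))
        return verdict

def run_sample():
    # Constructed packets evaluated in order; returns the list of verdicts.
    fw = Firewall()
    return [fw.evaluate(p) for p in (
        Pkt("192.168.1.20", 40000, "203.0.113.10", 443),   # camera -> internet
        Pkt("203.0.113.10", 443, "192.168.1.20", 40000),   # reply to that session
        Pkt("203.0.113.10", 443, "192.168.1.20", 40001),   # unsolicited "reply"
        Pkt("192.168.1.20", 40002, "192.168.10.5", 445),   # camera -> LAN file share
        Pkt("192.168.1.20", 40003, "192.168.1.21", 80),    # camera -> another camera
        Pkt("192.168.10.5", 50000, "192.168.1.20", 554),   # NVR -> camera RTSP
        Pkt("192.168.1.20", 554, "192.168.10.5", 50000),   # camera's RTSP reply
        Pkt("192.168.10.7", 50001, "192.168.1.20", 554),   # other LAN host -> camera
    )]
```

    The third packet shows why the "established" rule matters: a packet that merely looks like a reply, but belongs to no session the firewall opened, is dropped.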
     
  4. wizzi01

    wizzi01 2[H]4U

    I am fine with going in my server room, but my dad's legs don't work so good. So, I just wanted to know if it was possible to get the separate vlan on his laptop while he could still get internet on it too.
    I mean if China wants to see my dogs poop and read my license plates that's fine.
     
  5. scrappymouse

    scrappymouse n00b

    If you're asking if the laptop can be on one VLAN and access the internet, while having the ability to talk to the other VLAN, then the answer is yes. But you may (and should) need to create FW rules between the two VLANs.

    In most home networks, if you want VLANs to talk to each other you'll end up doing router-on-a-stick. Good video series here

     
    Last edited: Nov 10, 2019
  6. tangoseal

    tangoseal [H]ardness Supreme

    What hardware do you have, and what exact topography are you seeking? Let's begin there. Also go and learn what a broadcast domain is and what a router does exactly.
     
  7. wizzi01

    wizzi01 2[H]4U

    I have an HP 1820 and an Asus RT-ACRH13. I am sure the Asus won't do what I want, and I know the switch is capable of VLANs. I also have 10 PoE cameras, if that matters.