Vlans

wizzi01

2[H]4U
Joined
Apr 25, 2008
Messages
2,864
Is there a site that's good to go to to learn about creating VLANs? Any tips? I am just trying to get my PoE cameras separated, but still access them from computers that need internet access. I do have an HP 1820 J9983A.
 

ComputerBox34

[H]F Junkie
Joined
Nov 12, 2003
Messages
12,088
It's a bit more complicated than that. If you want devices from separate VLANs to communicate with each other, you need routing in between to route traffic between the subnets. This can be accomplished in a variety of different ways depending on several factors.
 

scrappymouse

Limp Gawd
Joined
Mar 18, 2016
Messages
149
YouTube is a great resource for these things, but many people misunderstand VLANs from a security standpoint. Some people automatically think if you put devices in their own VLAN then they are magically safer... that's not the case. If you take out the "virtual" part, it's basically having two separate networks. Meaning that in order for the two networks to talk to one another you need to add the routes (and hopefully FW rules) to control the traffic between the two networks. Same thing with VLANs: you should need to add routes between the two... keep in mind some manufacturers will automatically add the routes between all VLANs (looking at you, Ubiquiti), negating at least one security measure for them. Thankfully those same manufacturers allow you to add FW rules between the VLANs to control the traffic.

My point is this: yes, it's good to put your PoE cameras in their own VLAN, but if you then turn around and add routers between your two networks you'll be defeating the purpose entirely (I see it happen every day).

You'll need to plan it out a bit more carefully.

Step 1. Determine what devices in your main network need to talk to them.
Step 2. Determine what ports they need to communicate on.
Step 3. Plan your networks/FW rules accordingly.

Just for reference here is how I have my IOT network separated.

I put them all on their own VLAN, 192.168.1.0/24.
The network is a "guest" type (Ubiquiti); basically it means it is client isolated (devices can't talk to each other... no need in my setup, this may not work for your setup).
That VLAN has an allow out to the internet, and allows sessions created from it to come back (established sessions).
I've limited the DHCP scope to the exact number of devices that I expect to have connected.
Any traffic from my IOT network that is destined to anywhere but the internet is explicitly dropped.
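As an added illustration of the three planning steps and the IoT rule set in this post (this is constructed example code, not the poster's configuration or any vendor's): it models the filter a router-on-a-stick would apply between a hypothetical trusted VLAN (192.168.10.0/24) and a hypothetical camera VLAN (192.168.20.0/24), with the "established sessions" allowance, the camera-to-internet allow, and the explicit drop of camera traffic to anything that is not the internet. The VLAN numbers, subnets, host addresses and the RTSP/HTTP service ports are all assumptions.

```python
"""Toy model of the inter-VLAN policy described in the post above.

Constructed example: nothing here is the forum poster's configuration or a
vendor's. Assumed (hypothetical) layout for a router-on-a-stick:
  VLAN 10  trusted LAN     192.168.10.0/24
  VLAN 20  PoE cameras     192.168.20.0/24
All traffic between the two VLANs, and from either to the internet, passes
through the router, which is where these rules are evaluated.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

TRUSTED_NET = ip_network("192.168.10.0/24")   # assumption: trusted VLAN
CAMERA_NET = ip_network("192.168.20.0/24")    # assumption: camera VLAN
# Step 2 of the post: the only ports trusted hosts may open toward a camera.
# RTSP (video) and HTTP (camera web UI) are an assumed choice.
CAMERA_SERVICE_PORTS = {554, 80}
# "The internet" is modelled as any destination outside these local ranges.
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]


def is_internet(addr) -> bool:
    return not any(addr in net for net in LOCAL_NETS)


@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    sport: int   # source port
    dport: int   # destination port
    proto: str = "tcp"


@dataclass
class InterVlanFirewall:
    # Connection table: (src, dst, dport) of every flow accepted as a new
    # session. A packet matching the reverse of an entry is "established".
    flows: set = field(default_factory=set)

    def _is_reply(self, p: Packet) -> bool:
        return (p.dst, p.src, p.sport) in self.flows

    def _accept_new(self, p: Packet, why: str):
        self.flows.add((p.src, p.dst, p.dport))
        return "ACCEPT", why

    def decide(self, p: Packet):
        """Return (verdict, matched rule) for one packet; first match wins."""
        src, dst = ip_address(p.src), ip_address(p.dst)

        # Rule 1: return traffic for a session that was already allowed.
        if self._is_reply(p):
            return "ACCEPT", "established"

        # Camera VLAN: out to the internet only, everything else dropped.
        if src in CAMERA_NET:
            if is_internet(dst):
                return self._accept_new(p, "camera -> internet")
            return "DROP", "camera -> anything that is not the internet"

        # Trusted VLAN: may reach cameras only on the planned service ports.
        if src in TRUSTED_NET:
            if dst in CAMERA_NET:
                if p.proto == "tcp" and p.dport in CAMERA_SERVICE_PORTS:
                    return self._accept_new(p, "trusted -> camera service port")
                return "DROP", "trusted -> camera, unplanned port"
            return self._accept_new(p, "trusted -> elsewhere")

        # Anything not matched above is dropped (default deny).
        return "DROP", "default"


def demo():
    """Run a few constructed packets through a fresh policy, in order."""
    fw = InterVlanFirewall()
    cam, pc, web = "192.168.20.5", "192.168.10.7", "203.0.113.10"  # constructed
    return [
        ("camera pushes traffic at a trusted PC unasked",
         fw.decide(Packet(cam, pc, 554, 51000))),
        ("trusted PC opens RTSP to the camera",
         fw.decide(Packet(pc, cam, 51000, 554))),
        ("camera replies on that same session",
         fw.decide(Packet(cam, pc, 554, 51000))),
        ("camera calls out to the internet",
         fw.decide(Packet(cam, web, 40000, 443))),
        ("camera probes the trusted PC's SMB port",
         fw.decide(Packet(cam, pc, 40001, 445))),
        ("trusted PC tries SSH to the camera",
         fw.decide(Packet(pc, cam, 51001, 22))),
    ]


if __name__ == "__main__":
    for what, (verdict, rule) in demo():
        print(f"{verdict:6} {what:45} [{rule}]")
```

The first and third packets are byte-for-byte the same camera-to-PC packet; only the connection table entry created by the trusted PC's own RTSP request makes the second copy "established". That is the property the post's "allows sessions created from it to come back" rule relies on, and why the camera VLAN needs no inbound allow of its own.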
 

wizzi01

2[H]4U
Joined
Apr 25, 2008
Messages
2,864
I am fine with going in my server room, but my dad's legs don't work so good. So, I just wanted to know if it was possible to get the separate VLAN on his laptop while he could still get internet on it too.
I mean if China wants to see my dog's poop and read my license plates that's fine.
 

scrappymouse

Limp Gawd
Joined
Mar 18, 2016
Messages
149
I am fine with going in my server room, but my dad's legs don't work so good. So, I just wanted to know if it was possible to get the separate VLAN on his laptop while he could still get internet on it too.
I mean if China wants to see my dog's poop and read my license plates that's fine.

If you're asking if the laptop can be on one VLAN and access the internet, while having the ability to talk to another VLAN, then the answer is yes. But you may (and should) need to create FW rules between the two VLANs.

On most home networks, if you want VLANs to talk to each other you'll end up doing router-on-a-stick. Good video series here.

 
Last edited:

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
9,066
What hardware do you have and what exact topology are you seeking? Let's begin there. Also go and learn what a broadcast domain is and what a router does exactly.
 

wizzi01

2[H]4U
Joined
Apr 25, 2008
Messages
2,864
I have an HP 1820 and an Asus RT-ACRH13. I am sure the Asus won't do what I want and I know the switch is capable of VLANs. I also have 10 PoE cameras if that matters.
 