Unmanaged to managed switch

RLD

Currently Fiber comes from the pole to the basement into the ONT. The ONT Ethernet runs from the ONT to an upstairs wireless router. I recently ran cat6a from the basement out to the garage.

Now my ONT is only provisioned for LAN 1 however I can pull several real world IPs from the ONT. The router that’s upstairs needs to remain there. I had an unmanaged switch laying around so I connected the ONT to the switch, then the router connects to the switch and the Ethernet from the garage connects to the switch. This works fine but the router upstairs and the AP in the garage both get real world WAN IPs so this created 2 separate networks.

I need the AP in the garage to be on the same network. So I replaced the unmanaged switch with a managed switch. I then set the router and the AP to use the new switch as their gateway and statically set them both. I then disabled DHCP on the router and the AP, so any device on each is getting an IP from the switch and anything on either the router or AP can now talk to each other.

So all good. But I’ve been told doing ONT > Switch > Wireless Router/AP is wrong and it should be ONT > Wireless Router > Switch. This doesn’t make much sense to me, especially for my needs. Even if I didn’t need the router to remain upstairs, doing it that way seems like I’d just be accomplishing the same thing, and I’d be losing WiFi upstairs where it’s needed anyways.

Any thoughts as to why my setup is wrong? Or maybe it’s not I dunno but all works and speeds are great but still I’d like to learn some things and ask questions about it.

Thanks all.
 
The ISP is Altafiber (previously Cincinnati Bell)

I don’t know why this wouldn’t work on any ISP. The switch is just pulling the real world wan IP and then everything else is behind the 192.* of the switch. The ONT doesn’t know what’s plugged into it, it’s just giving a 50.* WAN IP to whatever I have plugged into it.

But I still don’t get why this isn’t a correct setup. If I put a router on the ONT then I’d disable WiFi on it, and then connect the wireless router upstairs to it and the AP in the garage to it, and then like now disable DHCP on the upstairs router and garage AP and use the router on the ONT to hand out all IPs. That’s exactly what I have set up now with the switch to the ONT, I’d just be turning the router into a managed switch instead of just using an unmanaged switch.
 
As @Crimliar said most ISPs only provide one public IP address per customer account. The reason is not so much a technical limitation but a provisioning/account limitation. Trying to pull two or more public IP addresses from the ISP's equipment usually doesn't work or results in the first public IP address being disabled. However, there are some ISPs that do provide more than one public IP address on a single customer account - check your ISP's terms of service.

> I don’t know why this wouldn’t work on any ISP. The switch is just pulling the real world wan IP and then everything else is behind the 192.* of the switch. The ONT doesn’t know what’s plugged into it, it’s just giving a 50.* WAN IP to whatever I have plugged into it.

This sounds slightly different. It looks like you're now using a single public IP address (50.x.x.x) and the managed switch is operating as a gateway router and creating a private subnet of 192.168.x.x. That would be a more normal setup, except most people would be using their wireless router as the gateway device rather than a managed switch. Does the managed switch also provide a firewall, DHCP server, DNS server, etc?
 
That’s correct. What I said before was that when I use a hub or unmanaged switch then yes I can pull 2 public WAN IPs from the ONT. I didn’t want to do this because that puts the house and the garage on 2 separate networks that have no route to each other.

So I replaced the unmanaged switch with a managed switch so both the garage router and the house router are now using the switch as the DHCP server, all 192.* IPs are coming from the switch and thus everything is on the same network regardless of whether you're on the garage router or the house router.

My concern is why is this wrong, but removing the managed switch handing out 192.* IP’s to the routers and putting another router there instead to do the same thing is correct? Feels like a waste of a router, I don’t need anything special there just a bridge for the 2 routers to make them all the same network.
 
The confusion came about because you didn't mention that the "switch" was actually configured as a router and providing NAT, firewall, etc. (all the things your other router previously did).

So instead of this:
ONT > Switch > Wireless Router/AP

you actually have this:
ONT > Router > Wireless AP

But yes, it does seem like a waste of the capabilities of your wireless router to use it as just an access point - but if that's what you need it for that's fine.
 
I have ONT > Managed Switch > (1)Wireless Router/(2)Garage AP.

I just assumed when I originally said ONT to managed switch acting as DHCP that it was implied the switch had 1 WAN IP and all ports hand out 192.* IPs, my bad on the assumption.

So is there any reason not to do this and to buy another router just to use it in place of the switch?

Because then I’d have ONT > Router > (1)Wireless Router/(2)Garage AP. - I’d get the same result but like I said I’d be using 3 routers and wasting the router on the ONT just to use it as a bridge between the upstairs WiFi router and the garage router.
 
> So is there any reason not to do this...

That's fine provided that the managed switch provides all the security and features you need. If you state the make and model of the switch someone might be able to comment on that.
 
I had to keep the wireless router on the 2nd floor because there are a lot of WiFi devices up there and this particular router (Asus w/ Merlin) works great for the VPN it remains connected to, and one of the ports is configured to route all traffic through it with a kill switch and is hard wired to a server.

If I was going to replace the switch with a router, and I don’t need wireless there, just the router/firewall for the WiFi router and AP to connect to, do you have a couple recommendations I can check out?
 
> I had to keep the wireless router on the 2nd floor because there are a lot of WiFi devices up there and this particular router (Asus w/ Merlin) works great for the VPN it remains connected to, and one of the ports is configured to route all traffic through it with a kill switch and is hard wired to a server.

The Asus's VPN only works when it's in router mode. It doesn't work in access point mode. So that doesn't achieve your objective of having the AP in the garage being on the same network.

> If I was going to replace the switch with a router, and I don’t need wireless there, just the router/firewall for the WiFi router and AP to connect to, do you have a couple recommendations I can check out?

Sorry, I don't have any recommendations for a wired-only router.
 
The VPN on the Asus router would remain a router. Only 1 device on that router uses the VPN. A device in the garage can’t see the Plex server that’s on the Asus router because with the unmanaged switch I had on the ONT each router got a different WAN IP. But with the managed switch being used to provide DHCP addresses to both routers I can access the plex server from the garage because both the AP and the WiFi Router are now on the same 192.168.1.* network.

Like I said this all works. BUT I want to learn and practice the proper way to do things. And if the switch should be replaced with a router instead I just wanted to understand why that setup is better than what I’ve done. Etc.

Now..I’m not bad at this stuff but I know just enough to “get things working” even if it’s wrong lol. Someone recommended doing something that I don’t truly understand why I’d do it this way but maybe someone can dumb it down for me. I’ll type what they said verbatim:

“Alternatively you could add a second managed switch so you have a switch on the ONT that then a switch upstairs in front of your Asus router. Configure a port on the switch on the ONT as a WAN VLAN, and do the same on the switch upstairs. Then connect that WAN port to the WAN port on my Asus wireless router and the other ports would be LAN VLAN. Then connect the garage AP to one of those lan ports on the ONT switch. Having a WAN (or DMZ) VLAN is pretty common practice.”

I wasn’t sure why I’d do all that for this setup.
I have no ego here so I don’t mind admitting I know nothing of VLANs other than they are used to segment the network into separate broadcast domains. I haven’t set one up because I never had a reason to, I always just did things via the router for any sort of security or separation of routing things.

Regardless of what the other person said, speaking of VLAN is there any reason I’d want to use them in this setup?
 
> The VPN on the Asus router would remain a router. Only 1 device on that router uses the VPN. A device in the garage can’t see the Plex server that’s on the Asus router because with the unmanaged switch I had on the ONT each router got a different WAN IP. But with the managed switch being used to provide DHCP addresses to both routers I can access the plex server from the garage because both the AP and the WiFi Router are now on the same 192.168.1.* network.

So the Plex server is actually running on the Asus router itself and not a separate device plugged into one of the Asus' LAN ports? I can see how that would work.

> Like I said this all works. BUT I want to learn and practice the proper way to do things.

If what you've got works that's fine. It's just that you still have two separate networks, the 192.168.1.x network created by the managed switch and another network (192.168.50.x?) created by the Asus router. Any devices connected to your Asus' LAN/Wi-Fi (ignoring the device using the VPN) are in "double-NAT", which many people try to avoid.

> And if the switch should be replaced with a router instead I just wanted to understand why that setup is better than what I’ve done. Etc.

As your managed switch is operating as a router then there's no point replacing it with another router. Unless the new router offers features the managed switch can't. e.g. VPN, AiProtection, etc.

> Now..I’m not bad at this stuff but I know just enough to “get things working” even if it’s wrong lol. Someone recommended doing something that I don’t truly understand why I’d do it this way but maybe someone can dumb it down for me. I’ll type what they said verbatim:
>
> “Alternatively you could add a second managed switch so you have a switch on the ONT that then a switch upstairs in front of your Asus router. Configure a port on the switch on the ONT as a WAN VLAN, and do the same on the switch upstairs. Then connect that WAN port to the WAN port on my Asus wireless router and the other ports would be LAN VLAN. Then connect the garage AP to one of those lan ports on the ONT switch. Having a WAN (or DMZ) VLAN is pretty common practice.”
>
> I wasn’t sure why I’d do all that for this setup.
> I have no ego here so I don’t mind admitting I know nothing of VLANs other than they are used to segment the network into separate broadcast domains. I haven’t set one up because I never had a reason to, I always just did things via the router for any sort of security or separation of routing things.
>
> Regardless of what the other person said, speaking of VLAN is there any reason I’d want to use them in this setup?

I think all of these suggestions were based around the assumption that your managed switch was acting as a switch (albeit with VLAN capability) and not as a router.
 
No, the Plex is running on a Synology NAS which is plugged into the Asus router.

And no it’s 1 network and no double NAT. DHCP is off on the router in the garage and on the second floor of the house.

The switch is handling all DHCP requests.
Both routers (Asus House) & (Linksys Garage) are set up to use the switch as their gateway. So if you connect to either the Asus or Linksys via wired or wireless, the IP you’re getting is coming from the switch and either router will hand out a 192.168.1.* being provided by the switch. So if I’m on the Linksys in the garage and have 192.168.1.8 I can see the Plex in the house on the Asus that might have 192.168.1.7.
 
Well I don't understand how this could possibly work with the Asus' VPN still being operational. But obviously it does so there's some piece of the puzzle I'm not seeing. In any case, if it works it works.
 
I'm fairly concerned by this setup. I'm not surprised that your managed switch can run a DHCP server --- that's fairly common. I am surprised that you seem to be relying on it for NAT and firewall service, because switches are not normally able to do that at all, let alone do it out-of-the-box. I'm very afraid that you have an insecure network and half your stuff is already pwned by some random hacker.

You were asked before what is the make and model of the switch, and didn't answer.
 
None of the cheap affordable Cisco switches do NAT that you can run at home. I would own one if I could. Too much power demand and too much cost for home use. It would require separate special cooling as well.
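
The three layouts argued over in this thread, checked mechanically (an added example, not code from any poster): it flags several devices each holding a public address, a bridging device sitting directly on a public address, and a router whose uplink address lies inside another router's LAN (double NAT). Device names and all addresses are constructed; 203.0.113.x stands in for the ISP-assigned 50.* addresses, and 192.168.50.x is the subnet one reply guessed for the Asus.

```python
import ipaddress

# RFC 1918 private ranges plus RFC 6598 carrier-grade NAT space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def audit(devices):
    """Each device: name, uplink_ip (address on its upstream port) and lan_net
    (subnet it routes/NATs for, or None when it only bridges as an AP/switch)."""
    findings = []
    public = [d["name"] for d in devices if not is_private(d["uplink_ip"])]
    if len(public) > 1:
        # Several devices each leased a public address: independent networks.
        findings.append(("separate-networks", public))
    for d in devices:
        if d["lan_net"] is None and not is_private(d["uplink_ip"]):
            # Public address on a device that does no routing/NAT of its own.
            findings.append(("public-address-no-nat", [d["name"]]))
    routers = [d for d in devices if d["lan_net"]]
    for inner in routers:
        ip = ipaddress.ip_address(inner["uplink_ip"])
        for outer in routers:
            if outer is not inner and ip in ipaddress.ip_network(outer["lan_net"]):
                findings.append(("double-nat", [outer["name"], inner["name"]]))
    return findings

def dev(name, uplink_ip, lan_net=None):
    return {"name": name, "uplink_ip": uplink_ip, "lan_net": lan_net}

# Constructed inventories; 203.0.113.x stands in for the ISP's public range.
UNMANAGED = [dev("asus", "203.0.113.10", "192.168.50.0/24"),
             dev("garage", "203.0.113.11", "192.168.2.0/24")]
SINGLE_GATEWAY = [dev("gateway", "203.0.113.10", "192.168.1.0/24"),
                  dev("asus", "192.168.1.2"), dev("garage", "192.168.1.3")]
ASUS_STILL_ROUTING = [dev("gateway", "203.0.113.10", "192.168.1.0/24"),
                      dev("asus", "192.168.1.2", "192.168.50.0/24"),
                      dev("garage", "192.168.1.3")]

if __name__ == "__main__":
    for label, inv in (("unmanaged", UNMANAGED), ("single gateway", SINGLE_GATEWAY),
                       ("asus still routing", ASUS_STILL_ROUTING)):
        print(label, audit(inv))
```

An empty result only says the addressing is consistent with a single NATed network; whether the device at the ONT actually filters inbound traffic still has to be confirmed on that device.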
 
