
Confused about subnets and vlans


awediohead

Occasional Visitor
So I have a four port DIY router running pfsense and a Zyxel 24 port managed switch - neither are currently in use on my home network. I'm just connected to them via an old laptop to configure the web UIs. This is because my wife is very reliant on internet and access to our media server so I want to get things reliably set up and tested before swapping out the old for the new hardware, hopefully with minimal downtime.

Currently we have four rooms with two ethernet runs from each room to a centrally located patch panel. These eight runs are currently patched into a 16 port dumb switch and from there to an Asus RT-AC86U to the ISP and also my unraid server.

Eventually this hardware will be replaced with a Fujitsu Futro s920 mini PC running pfsense with a four port Intel NIC to a managed 24 port Zyxel switch (GS1920v2-24)

The idea is to have effectively two networks: One network being a basic home network LAN to the switch to pfsense to WAN, the other network being exclusively for Audio over IP which doesn't need WAN access. It will not be used very often but should be "ready to go" by simply changing which NIC is active on each of the PCs that will be used for audio recording i.e. running the Audio over IP software.

I'd imagined the home network LAN being on 192.168.1.0/24 and the Audio over IP network being on 10.0.0.0/24 so it was quickly visually obvious what was connected to what.

I'd also imagined being able to assign specific ports on the managed switch to one or other network - so for example ports 1,3,5,7 on the switch being assigned to Audio over IP with a further port (23) connecting it to pfsense em1, and ports 2,4,6,8, being assigned to the Home LAN with port 24 connecting that to the pfsense router on em0 - em3 is the pfsense WAN port and em2 is unused. In reality it's a bit more complicated than this example, but the broad principle of odd port numbers for Audio and even port numbers for Home LAN was the basic notion.

I was also advised to avoid VLANs on the audio network because apparently they can induce some latency. This latency is not normally of any concern because most uses of audio over IP are for streaming audio from a central server to multiple rooms or music from a PC in one room to a speaker in another - but it is much more important to minimise latency when trying to record live instruments and vocals in different rooms simultaneously.

However I can't figure out how to assign specific ports on the switch to one or other network without involving VLANs. And if I'm going to use VLANs then I might as well just keep everything on the same network and just assign static IPs on the different NICs in each PC for the different use case. I've tried RTFMing the Zyxel manual but I suspect I'm not searching for the right terminology or what I'm imagining I should do is fundamentally wrong in the first place.

Another option would be to continue to use the dumb switch for the Audio network and get the separation that way since the port/interface setup on the pfsense router could manage the DHCP for the audio network and it probably doesn't need WAN access.

Hoping someone can point me in the right direction.

Thanks in advance
 
Using VLANs the basic idea for a layer 2 switch is you create VLANs you want on pfsense. Plug the managed switch into a trunk port on pfsense. You also need to create the VLANs on the switch. You need to assign a network to each VLAN. When you assign the VLANs on pfsense it will create gateways that point to pfsense and it will run DHCP for those VLANs.

If you have enough ports on pfsense for all the networks then you don't have to use VLANs use separate networks on each port of the pfsense. You can just use dumb switches connected to each pfsense network port.

The latency on VLANs is probably related to having to use a router for local routing. A layer 3 switch will solve that. The problem is it will be too complex to configure for someone not really understanding VLANs.
 
Assuming you don't want to do static assignments and have two switches now. Plug one switch into each port on the mini and then put in the drops you want on their respective switch.

Otherwise you could do mac:ip bindings for DHCP for the subnets and use the new switch only.

It comes down to how much effort you want to put into it vs money.
 
I am not sure what you mean but you control traffic flows with gateways and VLANs. Routing also but not in his case as it is too advanced.

PS
He will need a wireless AP that understands VLANs if he uses them for wireless on both networks. If he uses separate networks then he can use his ASUS for wireless on one of the networks. The other network will not have wireless.
 
If your audio network needs no access to the internet or other LANs, then you can just keep it totally isolated on a dumb switch with static IPs, that's going to be your lowest latency in most cases (unless it is a really old or crappy dumb switch). Or if you don't want to do static IPs, you can plug the dumb switch into a dedicated port on the PFSENSE simply for DHCP functionality (and also to be able to remotely access it from your other LAN for non-latency sensitive stuff, like downloading completed files etc).

Your other option is to check the documentation on your smart switch, some will let you create a private group of ports, they are assigned a VLAN of sorts but not tagged/untagged in the traditional manner and the latency may be as good as the dumb switch.

Of course most switches can tag and untag with minimal latency penalty (and consistent latency, thus low jitter which is critical to audio) so it may work perfectly fine with traditional VLANs. I'd say your first step is to test your new setup with audio using the various options above to see if any have latency/jitter issues; based on your findings, you can then decide the best option.

The most bullet proof one is probably just put the audio stuff on the dumb switch, if you have enough dedicated drops for it. Optionally connect the switch to a dedicated port on your PFSENSE (with no VLAN) for DHCP and some inter-LAN functionality.

However if you test with traditional VLAN tagging, trunking, etc and the audio works fine, it becomes more flexible, so it is worth at least testing it out to see how it performs.
 
Thank you drinkingbird (and everyone else) for your advice and helpful suggestions.

Because I do tech maintenance for my family's tech and there aren't really all that many devices, everything on the home network LAN will have a static IP - I already have tables with all the MAC addresses for the various devices' NICs.

So in other words doing everything via static IP was always the plan. I was also intending to add a couple of VLANs to the "home network" general category because there are a few things I don't want to allow internet access to and a few things I only want to be able to access the internet through a VPN service such as a smart TV.

As such I also have the MAC addresses of the dedicated NICs I'll be using for PCs on the Audio network.

Hearing that on modern gear the latency should be minimal even with VLANs that's clearly the most flexible way forward - with the fall back of always being able to use the dumb switch if things are too laggy . . .

The idea that:

some will let you create a private group of ports, they are assigned a VLAN of sorts but not tagged/untagged in the traditional manner and the latency may be as good as the dumb switch

was exactly what I thought I'd read being possible a few months back, I just filed it away as THE way to do it for the audio network and was a configuration option I assumed would be searchable in my GS1920's manual. Searching for the word "private" turns up results that refer to private VLANs and promiscuous and isolated ports, but pretty sure that's not useful in this context. Having scanned over 300 pages of the manual I can't see anything else that looks promising to achieve the same end, just a HUGE number of features I'll never need.

Maybe someone can say what terminology Netgate or Cisco use for the "private group of ports" so I can see if I can translate their terminology into Zyxel-ese or at least be more certain that it's not an available feature on my hardware?

Otherwise I'll just go ahead with the VLAN based set up - which I was going to do anyway for IOT devices and security cameras and as you say if the latency is too bad I'll just revert to the dumb switch set up.

Many thanks
 
Cisco would use private VLANs with isolated and promiscuous ports. Depending on the implementation usually you can have them all isolated but allowed to talk to each other, or possibly all promiscuous with no egress port. But in reality just putting a bunch of ports into a VLAN like 999 and not sending that VLAN anywhere else (trunks or to the PFSense) will probably be identical latency wise, and possibly even identical as far as how it gets done on the backend.

On my cheap tp link smart switch I think they call it port based VLANs and it is a similar setup, not quite as powerful as the Cisco setup though. I don't use that feature, for my isolated vlan with no Internet I use.... You guessed it.... regular VLAN 999. If you are just trying to replicate a dumb switch on a block of ports in a smart switch that's probably the easiest way to go. It does tag and untag still most likely, but private VLANs may also.
 
After doing more reading on what my Zyxel switch can do I'm wondering on the practicalities of using MAC based VLANs for the audio network.
We only have three desktop PCs that are ever likely to be used for audio recording/monitoring and each has two NICs. What I like about this idea is that for the 90% of the time that these PCs aren't involved with network audio, on each PC I could just select the NIC that connects to the regular LAN with WAN access and switch off the other in software. Then for a recording session I could select the other NIC on each PC (probably only two of the three at any given time) which would automatically mean these two or three PCs were on the same VLAN.
So unless someone tells me this is a dumb idea, my plan is to set it up like this in the Zyxel switch and then compare the latency of the MAC based VLAN approach against a dumb switch?
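The mechanics discussed in the replies above (ports assigned to a VLAN, a tagged trunk to pfSense, a VLAN 999 that is simply never carried on the trunk, and a MAC-based VLAN that follows a NIC whichever port it is plugged into) are easier to reason about with a small forwarding model. The following is an added example, not the thread's own configuration and not Zyxel or pfSense code; the VLAN ids 10 and 999, the port roles and the MAC addresses are constructed assumptions.

```python
"""Toy model of 802.1Q forwarding on a managed switch: port-based VLANs, a
tagged trunk to the router, and a MAC-based VLAN override.
Added example, not the thread's configuration and not Zyxel/pfSense code.
VLAN ids, port roles and MAC addresses are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

HOME_VLAN = 10     # assumed id for the home LAN (192.168.1.0/24 in the thread)
AUDIO_VLAN = 999   # assumed id for the isolated audio network, as in the reply
TRUNK = 24         # port patched to the pfSense interface, as in the thread's plan
BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    pvid: int                                        # VLAN given to untagged ingress
    untagged: Set[int] = field(default_factory=set)  # VLANs sent out without a tag
    tagged: Set[int] = field(default_factory=set)    # VLANs sent out 802.1Q-tagged

    def carries(self, vlan: int) -> bool:
        return vlan in self.untagged or vlan in self.tagged


@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None   # None = arrived untagged on the wire


class Switch:
    def __init__(self, ports: Dict[int, Port], mac_vlan: Optional[Dict[str, int]] = None):
        self.ports = ports
        self.mac_vlan = {m.lower(): v for m, v in (mac_vlan or {}).items()}
        self.fdb: Dict[tuple, int] = {}   # learned (vlan, mac) -> port

    def classify(self, ingress: int, frame: Frame) -> Optional[int]:
        """Ingress VLAN: a tag counts only if the port carries that VLAN,
        otherwise the MAC-based table, otherwise the port's PVID."""
        port = self.ports[ingress]
        if frame.vlan is not None:
            return frame.vlan if port.carries(frame.vlan) else None
        return self.mac_vlan.get(frame.src.lower(), port.pvid)

    def forward(self, ingress: int, frame: Frame) -> Dict[int, bool]:
        """Return {egress port: sent tagged?} for one frame; {} means dropped."""
        vlan = self.classify(ingress, frame)
        if vlan is None:
            return {}
        self.fdb[(vlan, frame.src.lower())] = ingress          # source learning
        known = self.fdb.get((vlan, frame.dst.lower()))
        candidates = [known] if known is not None else list(self.ports)  # else flood
        out: Dict[int, bool] = {}
        for p in candidates:
            if p == ingress:
                continue                       # never back out the ingress port
            if vlan in self.ports[p].untagged:
                out[p] = False
            elif vlan in self.ports[p].tagged:
                out[p] = True                  # VLAN membership is the only way out
        return out


def build_switch() -> Switch:
    """The thread's plan: odd ports audio, even ports home, port 24 = trunk."""
    ports = {p: Port(pvid=AUDIO_VLAN, untagged={AUDIO_VLAN}) for p in (1, 3, 5, 7)}
    ports.update({p: Port(pvid=HOME_VLAN, untagged={HOME_VLAN}) for p in (2, 4, 6, 8)})
    # The trunk carries only the home VLAN, tagged. VLAN 999 is deliberately absent,
    # so nothing on the audio network can reach the router through it.
    ports[TRUNK] = Port(pvid=HOME_VLAN, tagged={HOME_VLAN})
    # MAC-based VLAN: a PC's audio NIC lands in VLAN 999 whichever port it uses.
    return Switch(ports, mac_vlan={"02:00:00:00:aa:01": AUDIO_VLAN})


def egress(sw: Switch, ingress: int, src: str, dst: str = BCAST,
           vlan: Optional[int] = None) -> Dict[int, bool]:
    return sw.forward(ingress, Frame(src, dst, vlan))


def run_scenarios() -> Dict[str, Dict[int, bool]]:
    """Constructed scenarios, run in order because MAC learning is stateful."""
    sw = build_switch()
    home_pc, audio_box = "02:00:00:00:10:02", "02:00:00:00:99:01"
    audio_nic, router = "02:00:00:00:aa:01", "02:00:00:00:00:fe"
    return {
        "home broadcast from port 2": egress(sw, 2, home_pc),
        "audio broadcast from port 1": egress(sw, 1, audio_box),
        "audio NIC plugged into home port 4": egress(sw, 4, audio_nic),
        "tag 999 arriving on the trunk": egress(sw, TRUNK, router, vlan=AUDIO_VLAN),
        "router unicast to learned home PC": egress(sw, TRUNK, router, dst=home_pc, vlan=HOME_VLAN),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:38s} -> {result or 'dropped'}")
```

Running it shows the home broadcast reaching the other home ports untagged and the trunk tagged, while anything classified as VLAN 999 (by port or by MAC) only ever reaches the other audio ports; a frame tagged 999 arriving on the trunk is dropped because the trunk does not carry that VLAN. Whether the real switch's MAC-based VLAN feature applies before or after the PVID is the detail to confirm in the GS1920 manual; the model assumes it takes precedence.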
 
I'd take a deep breath and think about what you're trying to do...

Key thing in home networks is to keep it as simple as possible - don't get distracted by VLANs and Layer 3 switches, etc...

It won't improve overall performance or security, and it will only add management overhead...
 
I am not sure a layer 3 switch adds management overhead, it just adds a complicated structure which must be understood.

VLANs do add security you just need to understand them, you get security isolation which you can control access to and from.

Starting off with VLANs is hard. It is not for the weak of heart.
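The isolation described above is enforced at the router, not the switch: in pfSense, rules are evaluated on the interface where traffic enters the firewall, top to bottom, first match wins, and anything unmatched is blocked. This is an added example that models that evaluation over the thread's two subnets; it is not pfSense code or the thread's configuration, and the IoT subnet, the "rfc1918" alias and the sample addresses are assumptions.

```python
"""First-match, per-interface firewall policy for the thread's VLAN plan,
modelled the way pfSense evaluates rules: on the interface where traffic enters,
top to bottom, implicit block at the end.
Added example, not pfSense code; IoT subnet, alias and addresses are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

LAN = ip_network("192.168.1.0/24")       # home LAN, from the thread
AUDIO = ip_network("10.0.0.0/24")        # audio-over-IP network, from the thread
IOT = ip_network("192.168.20.0/24")      # assumed: a VLAN for IoT / smart-TV devices
ALIASES = {                              # "any" and an assumed rfc1918 alias
    "any": None,
    "rfc1918": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")],
}


@dataclass
class Rule:
    action: str     # "pass" or "block"
    src: object     # alias name (str) or ip_network
    dst: object
    note: str = ""


def _match(spec, addr) -> bool:
    if isinstance(spec, str):
        nets = ALIASES[spec]
        return True if nets is None else any(addr in n for n in nets)
    return addr in spec


RULESETS = {
    # Trusted LAN may reach everything, including the audio boxes for file pulls;
    # replies come back through the state table, so AUDIO needs no rule for that.
    "LAN": [Rule("pass", LAN, "any", "trusted clients")],
    # IoT devices get the internet only. The block must sit above the pass:
    # first match wins, so a 'pass any' above it would make the block dead.
    "IOT": [Rule("block", IOT, "rfc1918", "no access to any internal network"),
            Rule("pass", IOT, "any", "internet only")],
    # The audio network never needs WAN: an empty ruleset is the implicit block.
    "AUDIO": [],
}

# The same two IoT rules in the wrong order: the weak configuration.
MISORDERED_IOT = list(reversed(RULESETS["IOT"]))


def evaluate_rules(rules: List[Rule], src: str, dst: str) -> str:
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if _match(rule.src, s) and _match(rule.dst, d):
            return rule.action
    return "block"   # implicit default deny


def evaluate(iface: str, src: str, dst: str) -> str:
    """Verdict for a packet entering the firewall on interface `iface`."""
    return evaluate_rules(RULESETS[iface], src, dst)


def audit() -> List[str]:
    """Sample packets with the outcome the design intends; returns violations."""
    expectations = [
        ("LAN", "192.168.1.10", "10.0.0.5", "pass"),
        ("LAN", "192.168.1.10", "192.168.20.5", "pass"),
        ("IOT", "192.168.20.5", "203.0.113.9", "pass"),
        ("IOT", "192.168.20.5", "192.168.1.10", "block"),
        ("IOT", "192.168.20.5", "10.0.0.5", "block"),
        ("AUDIO", "10.0.0.5", "203.0.113.9", "block"),
        ("AUDIO", "10.0.0.5", "192.168.1.10", "block"),
        # A packet on IOT with a LAN source address matches nothing: rules are
        # pinned to the interface's own subnet, so the default block catches it.
        ("IOT", "192.168.1.10", "203.0.113.9", "block"),
    ]
    return [f"{i} {s}->{d}: got {evaluate(i, s, d)}, want {want}"
            for i, s, d, want in expectations if evaluate(i, s, d) != want]


if __name__ == "__main__":
    print("policy violations:", audit() or "none")
    print("misordered IoT rules, IoT -> LAN:",
          evaluate_rules(MISORDERED_IOT, "192.168.20.5", "192.168.1.10"))
```

The `audit()` table is the kind of check worth keeping next to any rule change: it encodes what each VLAN is meant to reach, and the misordered ruleset shows the classic mistake that passes IoT traffic into the LAN even though a block rule exists further down.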
 
There's quite enough complexity inherent in any recording session to make me want to keep everything else as simple as possible believe me.

However the 'KISS' principle can be applied in several ways: There's the simplicity of the network infrastructure and the practical simplicity of how it gets used and how quick and easy it is to switch a PC from doing one job to another. As I said, 90% of the time the PCs in question are not being used for audio recording but as general usage PCs that happen to have decent quality audio interfaces, which in turn can have a variety of mics, MIDI gear, DI instruments etc. plugged into them.

Then, when my severely disabled, but exceptionally musical wife, has a better day and wants to make some music, she typically has a very limited window to get something recorded before the pain builds up and makes it all impossible for her again.

The broad principle here is that she could be in one of two rooms, while I need to be in a third room (my 'office'): It's very parallel to a studio having a control room and a live room and how the gear in one room talks to the gear in the other room. Previously that's always involved trailing audio and MIDI cable trip hazards between rooms which is also extremely time consuming to set up and complicated to troubleshoot when it (inevitably) goes wrong and pretty impossible to do spontaneously: hence the idea of doing it over the network.

Disconnecting one NIC and connecting another in software with a few clicks of a mouse seems pretty simple to me: No ethernet cables to swap scrabbling around at the back of the machine, nothing to reconfigure on the switch. It's already configured to recognise the MAC addresses of the NICs in question and assign them to the VLAN that allows them to communicate and that network is already preconfigured with the DAW software I/O's. That's the working theory anyway!

The question is whether or not going this route adds appreciable latency in a musical sense as the audio makes the round trip. My hunch, given that we'll be monitoring with the zero latency monitoring built in to the interfaces we'll be using, is that the latency will be negligible, but only testing will answer that question.
 
It's not overhead from the network view - it's the meatspace problem...

For networking pros - VLANs are the air they breathe - everyone else, it's not quite that simple... someone follows a cookbook recipe, and it works, until it doesn't because something changed...

@coxhaus - we're on the same page with the benefits of VLANs - it's just a real challenge to explain them to non-pros...

Try to explain VLANs using this...

[attached image: Screenshot 2023-10-26 at 5.37.53 PM.png]

and then - how to actually configure them based on the vendor and implementation...

Pretty hard, eh?
 