Need help spec'ing SOHO type VLAN setup

skates

Great website! Have enjoyed reading here for the past week or so.

I was drawn here because I'm outgrowing the cable modem to wireless router (WRT-310N) setup I currently have and would like some help deciding on some hardware to fit a new topology.

I have a couple of tweens at home who I'd like to isolate on their own network...while I'm at it, I'd like to put my wife off my network also, but not onto the kids' network. The reason for segregating everyone is security...the only person I trust on the network is yours truly. My wife is pretty good at safe networking but the kids are still learning how to think before clicking. I use OpenDNS on the router which is great, but I still don't want them bringing something malicious onto the network where I do my online banking, etc.

I'm thinking the solution is VLANs but I'm open to suggestions.

VLAN 1 - reserved for network management
VLAN 2 - me, wireless and wired laptops
VLAN 3 - spouse, desktop, wireless laptop
VLAN 4 - kids, wireless laptop, HTPC, Wii

NAS - files and print server, on VLAN 2,3
NAS - music server, on VLAN 3,4
HP thin client w/magicjack on router

Not sure what else would connect, but want to have some room to grow....maybe security cameras at some point.

I've been reading as fast as I can...hope I'm on the right track. My first thought was that the Cisco 4400n would fit the bill, but the reviews on the net are pretty awful. Instead, I was thinking of something like a FVS336G and a GS108T. I also would need an access point(s)?

Thanks for the help.
 

Attachments

  • network topology3.jpg
VLANs are well suited to what you're trying to do. But beware of leaks between VLANs. Your proposed layout could leak malware from the kids' VLAN to yours via your wife's VLAN, because it shares a connection with the VLAN 3, 4 NAS.

A smart switch like the GS108T would work fine, although you might run out of ports. Consider a 16 port switch, like the GS716T.

I don't think you need the FVS336G. A regular consumer router should work fine.

If you want wireless confined to a VLAN, then you'd need to use APs.

Consider NASes that can run Antivirus software. I believe Windows Home Server NASes can. You can also mount NAS shares from your machine (or a trusted machine) on each VLAN and run scans. Slower, but it will get the job done.
Again, however, watch out for VLAN to VLAN "leaks".
 
Thanks! Appreciate the feedback...I see what you mean regarding the leaks. I can fix that easy enough.
I was wondering about the access points...If I wanted all the VLANs to have wireless access, would I need 3 access points? How do access points with multiple SSIDs work?
Thanks again,
Scott
 
Good thought on using APs with "guest" SSIDs. But you would have to use VLANs with tags vs. physical port based. A single AP will connect to one physical switch port, which will be assigned to VLANs.

Although it can separate wireless traffic, unless those packets are 802.1q tagged and the switch set up to properly direct those packets to the proper VLANs, all traffic will end up in the same VLAN once it hits the AP Ethernet port.

Consumer Routers with guest WLAN features don't tag the packets.
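The tagging behaviour described in the reply above, as an added example that is not part of the original post: it builds untagged and 802.1Q-tagged Ethernet frames and applies the ingress rule a tag-aware switch port uses, showing that without tags both SSIDs land in the port's default VLAN. The MAC addresses, SSID names, VLAN numbers and the `UPLINK` port settings are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet II frame; a 4-byte 802.1Q tag is inserted when vlan_id is set."""
    header = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)  # PCP(3 bits) | DEI=0 | VID(12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def ingress_vlan(frame, pvid, allowed):
    """VLAN a tag-aware switch port assigns on ingress, or None if dropped."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    vid = pvid  # untagged frames fall into the port's default VLAN (PVID)
    if tpid == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", frame, 14)
        vid = (tci & 0x0FFF) or pvid  # VID 0 is priority-only: use the PVID
    return vid if vid in allowed else None

# Constructed sample values: locally administered MACs, IPv4 EtherType, padding.
AP, GW = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PAYLOAD = bytes(46)
UPLINK = {"pvid": 1, "allowed": {1, 2, 4}}  # hypothetical switch port facing the AP

def uplink_result(ssid_to_tag):
    """Map each SSID to the VLAN its frame lands in on the uplink port."""
    return {ssid: ingress_vlan(build_frame(GW, AP, 0x0800, PAYLOAD, vlan_id=tag),
                               **UPLINK)
            for ssid, tag in ssid_to_tag.items()}

if __name__ == "__main__":
    print("no tagging:", uplink_result({"trusted": None, "kids": None}))
    print("tagged    :", uplink_result({"trusted": 2, "kids": 4}))
    print("stray tag :", uplink_result({"guest": 3}))
```

A tag for a VLAN the port is not a member of is dropped, which is why the switch port facing the AP has to be configured as a tagged member of every SSID's VLAN.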
 
WHS and Antivirus

I can confirm that WHS supports AV software. Avast seems to be pretty popular and is reasonable. I run McAfee on my HP MSS EX475 and it works.
 
Calling Uncle

Although it can separate wireless traffic, unless those packets are 802.1q tagged and the switch set up to properly direct those packets to the proper VLANs, all traffic will end up in the same VLAN once it hits the AP Ethernet port.

Consumer Routers with guest WLAN features don't tag the packets.

Been a few months since I left this post...w/o much progress...I took my Linksys 300N and flashed it with DD-WRT. I was able to get that router working with 2 BSSIDs that couldn't see one another, but the router would overheat frequently.

So I've now purchased a new router, a Cisco WRVS4400N v2. It seems to fit all the requirements that I could want in a router for now.

I think the best way to make the VLANs work w/o leaks would be to set it up like:

VLAN 1 - left as default/management
VLAN 2 - Trusted (wireless parent computers, NAS in port 2, BSSID1)
VLAN 3 - VOIP (computer w/Magic Jack in port 3)
VLAN 4 - Untrusted (kids computers, guests, BSSID2 and port 4)

I'm not sure why this is proving to be so cosmic to me, but when I get on the router, the "router speak" is difficult to grasp. I read and re-read your VLAN guide and spent a few hours looking at CCNA VLAN tutorials on YouTube, but I'm not progressing.

In the router, I can easily define the VLAN IP address ranges, and assigned the BSSIDs to different VLANs, but the actual VLAN setting page is confusing me.

Could someone please help me out? Thanks!
Attached a picture of what the router setting page looks like.
 

Attachments

  • ciscoVLANpage.jpg
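
The VLAN-to-VLAN "leak" raised in the first reply, and the revised layout in the last post, checked as an added example that is not part of the thread: each device is mapped to the VLANs it belongs to, and a breadth-first search looks for a chain of multi-homed devices linking the kids' VLAN to the trusted one. Device names are constructed from the posts, and the check covers shared VLAN membership only, not any routing the router does between VLANs.

```python
from collections import deque

# Constructed from the thread: device -> VLAN IDs it is a member of.
ORIGINAL = {
    "me-laptops": {2},
    "spouse-pcs": {3},
    "kids-devices": {4},
    "nas-files-print": {2, 3},
    "nas-music": {3, 4},
}
REVISED = {
    "parent-pcs": {2},
    "nas": {2},
    "voip-pc": {3},
    "kids-guests": {4},
}

def bridging_devices(layout):
    """Devices that sit in more than one VLAN and can carry files across."""
    return sorted(d for d, vlans in layout.items() if len(vlans) > 1)

def leak_path(layout, src_vlan, dst_vlan):
    """Shortest chain [vlan, device, vlan, ...] joining two VLANs through
    multi-homed devices, or None if no shared device links them."""
    queue = deque([[src_vlan]])
    seen = {src_vlan}
    while queue:
        path = queue.popleft()
        here = path[-1]
        if here == dst_vlan:
            return path
        for device, vlans in sorted(layout.items()):
            if here not in vlans:
                continue
            for nxt in sorted(vlans - seen):
                seen.add(nxt)
                queue.append(path + [device, nxt])
    return None

if __name__ == "__main__":
    for name, layout in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, "bridges:", bridging_devices(layout))
        print(name, "kids(4) -> trusted(2):", leak_path(layout, 4, 2))
```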