Network upgrade to the new wifi 7 and VLAN

[sman]

Hi there,
I plan to upgrade to WIFI 7 and use the VLAN too. I am not an advanced user and need recommendations.
I have to mention from the start, that I'm not expressly interested in wireless speed as much as wired fluidity matters.

In the attached sketch you can see the existing topology:

Devices in Main router + 10 GB Switch: Ubuntu server with LAMP and more (this is most important device of network and req. max priority for low latency), Win11 Media server, 2 PC, Node 2i, 8 wireless devices.

Devices in Node2. A lot of IoT devices on wired ports: 3 TVs with Netflix, 3 IP cam, 2 PC's. Looks like I need a switch here.
Wireless there are 8 phones, laptops etc.

I have some questions:

1. Are the ports in the ROG-GT-BE98 or RT-BE-88U base router Layer 3? If so, what type? CPU based or Hardware acceleration? Apropos, which is more suitable for wired connections ROG-GT-BE98 or RT-BE-88U ?

2. Do AIMESH NODES necessarily need to be made up of routers that have the VLAN feature? e.g. RT-BE86U, RT-BE96U ? This is very important because I don't know if the MAIN Router is using resources from the VLAN function of the NODE(S) Router. If the VLAN feature of the NODE are not used by the MAIN Router I am thinking to buy a RT-BE92U - better wireless, no VLAN feature available and it's cheaper.

3. For traffic flow is it recommended to connect Node 1 and Node 2 with a wired connection? Of course I will enable Spanning-Tree Protocol - STP. Fortunately there is a CAT5 cable between these two nodes. I mention that in node 1 there is little traffic and I was thinking that maybe load balancing between the nodes and the main router.

4. Can the Main Router create VLANs for IoT devices placed in physical (not wireless) ports in Node2? I mean without direct connection in the main router ports.

Thanks for any hints and help

 

[sman]

Could someone please confirm/deny the questions marked with yellow in points 2. and 4.?
This information is not available anywhere and only an owner or advanced user would know. Thanks guys

 

[Tech9]

Not documented - not guaranteed to work. If you want full VLAN configuration freedom for LAN/WLAN you have to look elsewhere, skip Republic Of Gamers. If you want true 10Gbps processing capabilities gateway you have to look at x86 hardware devices. Nothing on the consumer market can do 10GbE without NAT acceleration hacks. The home routers you are looking at can do Gigabit with true traffic processing. RPi-like hardware inside with aggressive marketing and false advertising involved. Good luck!

 

[sman]

thanks for the reply mate. I understand, but it doesn't necessarily have to be true 10Gb, it can be 5Gb.
in my current network I have main router AX88U and the mesh node is a AC68U which is on the limit, so the new models should do the job (probably 2 x BE88U)

But the network set-up makes me nervous as I know nothing about VLAN on asus routers/NODES.

I saw an older discussion on reddit, from a user called TiggerLAS., him answering a question similar to mine:

Your primary router is where you'll need to create your VLANs, gateway IP addresses, DHCP servers, NAT, and firewall rules. This is where your VLANs will start.

Managed switches don't typically source VLANs, they simply distribute the various VLANs across their ports as instructed. No need for ACLs in most cases. Use port-based VLANs.

Not sure why you linked several articles about using non-vlan-aware routers if all of your devices are already flashed with Merlin, which supports VLANs.

Define your VLANs on your primary router, making sure that each one has a gateway IP address, DCHP server, and NAT / Firewall rules as needed.

Assign trunk ports on your primary router, and assign them to the appropriate VLANS.

Configure your other Asus devices as access points, and create VLAN entries on each one, and tie them to your SSIDs as needed.

Plug each one into the trunk ports you defined on your primary router.

If you have switches in between your primary router, and your Asus access points, then you'll have to set up the VLANs on them as well.

Don't over-complicate it.

He said to "Configure your other Asus devices as access points, and create VLAN entries on each one, and tie them to your SSIDs as needed."
question the AP mode is the same thing with AIMESH node?

 

[degrub]

No, it is not. Think of AiMesh as a wifi extender box.

 

[Tech9]

But the network set-up makes me nervous as I know nothing about VLAN on asus routers/NODES.

Let's put it this way - what we know so far is based on experiments. As per Asus marketing everything is AiMesh Compatible, but in reality only partially depending on hardware and firmware. Advantage - cheap, somewhat user friendly. Disadvantage - may not work the way you want. With your requirements look at SMB equipment. Lower cost options are from MikroTik, TP-Link (Omada), Ubiquiti (Unifi). Cisco also has some low cost options APs with built-in controller (CWB series) as well as HPE Aruba (Instant On). Disadvantage - you have to pay more (especially for real 10GbE capable hardware) and you may need to have above average networking knowledge. If you don't feel comfortable going this way - consumer market and it is what it is. Find a way to use whatever is available.

 

[Tech9]

For 10Gbps appliance with user friendly software you may look at Firewalla:

Firewalla Gold Pro: 10G Cyber Security Firewall & Router Protecting Your Family and Business

Powered by The Firewalla Security Stack Deep Insight helps you see the network at up to 10+ Gigabits per second with 2x 10Gbit Interfaces and 2x 2.5Gbit interfaces. Control your network with intrusion prevention (IPS) and network segmentation, adding virtual walls around your connected devices...

firewalla.com

...or similar Netgate, but this one runs pfSense and is more complex to setup:

Netgate 6100 BASE pfSense+ Security Gateway

The Netgate® 6100 is one of the most versatile security gateways in its class. It is ideal for home, remote workers, and small businesses who require flexible port configurations for high-speed WAN and LAN connectivity. The 6100 combines the power of an Intel C3558 Quad Core CPU with integrated...

shop.netgate.com

...or you can build your own with proper Mini PC hardware and use free pfSense/OPNsense.

pfSense® - World's Most Trusted Open Source Firewall

pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more

www.pfsense.org

OPNsense® is an open source, feature rich firewall and routing platform, offering cutting-edge network protection. - OPNsense

We’ve made digital security accessible to everyone. With our free OPNsense® platform, you get all the features of expensive commercial firewalls and more. Enjoy open and verifiable sources in a product developed with and for a large user community.

opnsense.org

DIY option may come significantly cheaper, you may have some suitable x86 hardware already.