vlan hardware

paque1960

Occasional Visitor
I'm a total beginner in terms of VLAN setup. The objective for me is to learn how to build one in my home network setting first, then once I'm comfortable do the same at a restaurant. I have attached a drawing of the desired network I am aiming for at home.
I understand the basic concepts and have tried to set up once already with the hardware that I have, with limited success.

The hardware I have is
TP-Link Archer AX55 / AX3000 4-Stream Wi-Fi 6 Router
TP-Link-SG108PE Smart Switch
TP-Link AP WA 901ND Access Point

The switch & access points you can configure VLANs on, but I can find none on the router.

So having spent a lot of time on Google with regard to whether a router needs to be VLAN capable, I'm confused.

So the question is: do I need to buy a different router to build the VLAN network example attached?
 

Attachment: Vlan.jpg (drawing of the desired network)
One of the problems in using typical consumer-grade hardware is that it often lacks important features (usually to keep things simple and affordable for the masses) that become important for more sophisticated configurations. And your typical consumer-grade router is a good example. Rarely do these support VLANs. Not unless you're able to find third-party firmware support (dd-wrt, tomato, etc.). And as you combine additional consumer-grade hardware (switches, APs, whatever), it just gets harder. In most cases, you're better off to consider prosumer-grade equipment like Ubiquiti, from top to bottom, so you have ALL the capabilities you need, assured compatibility, extensibility, only need to deal w/ *one* vendor for support, etc.

All that said, the biggest problem here is that the router is NOT VLAN aware, which means there's no way for that router to manage each VLAN's subnet wrt DHCP, DNS, routing (local or internet), etc. If the router *was* VLAN aware, then you could define and configure each VLAN on the router and establish a trunk port from the switch to the router. Now when the router sees those VLAN IDs, it knows how to respond to each w/ DHCP, assign an appropriate default gateway, establish firewall rules to determine which VLANs can or can't talk to each other, etc.

So that's the biggest issue here. Trying to mix a VLAN aware switch w/ a NON VLAN aware router is problematic. (BTW, I'm assuming, the TP-Link switch is strictly a layer 2 device and has no routing capabilities of its own (sometimes switches add that capability, but not usually)). The separation you desire at the point of the switch can't be maintained up to the router unless the router itself knows of that separation (via VLANs). From the perspective of the router, there is NO DIFFERENCE between the various clients, and it will assume they all share the same local IP network. And therein lies the rub.
 
Look at the ER605 + OC200 controller. The ER605 is VLAN aware and will allow you to VPN into the network securely. The OC200 controller will allow you to manage the devices on the network and it will handle coordination of APs etc.
Best would be to use all Omada hardware, but check with TP-Link to make sure the AP and switch you have are supported. They may not be supported by the controller.
 
Why don't you try pfSense for a router? It is free to use.

I use Cisco small business as I know it will work. If there is a problem, I know it is me not the software. I find it much faster to debug that way.
 
The equipment you have proposed using should enable you to accomplish what you want. The smart switch you have will let you create port-based VLANs. Multiple ports should be able to be assigned to the same VLAN. You have correctly disabled Wi-Fi on the primary network-facing router. All the Wi-Fi devices connecting to your AP's Wi-Fi will be in that device's VLAN and effectively isolated from devices in other VLANs unless they connect by Wi-Fi to the AP.

None of the devices in any of the VLANs will be able to connect with devices in the other VLANs. Only a device connected by Ethernet cable (assuming that its Wi-Fi remains off) to your primary router will be able to connect to or monitor any device on any VLAN.

While as far as I know SOHO smart switches don't create separate subnets for each VLAN but instead tag the data packets and use this technique to isolate VLANs. Some of the network gurus on this forum can probably give you a more elegant technical explanation.
 
Yes, that's correct. And if the only issue was layer 2 (ethernet) isolation, that would be the end of it. The problem is routing, whether local or the internet.

Let's assume (since I don't see how it could be otherwise given the current situation) all the VLANs are configured by the primary router's DHCP server over the trunk port. IOW, they all share the same IP network, default gateway, etc. Granted this isn't typical, but I suppose technically it's possible. But in order to support routing between the switch and the router, the router also has to support VLAN tagging. Otherwise, that information gets lost upstream of the switch, but is necessary in order for the return packets to be routed back to the appropriate VLAN. Without tagging, all such traffic will be directed to the default VLAN. Of course, remote access would have a similar problem.

In short, VLAN tagging only makes sense if two or more switches are engaged in the process. As soon as any switch is not capable of tagging, routing becomes problematic.
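
Added example (not part of any post in this thread): a small Python model of the 802.1Q tagging discussed above, showing what happens to a VLAN 20 client's traffic when the uplink device does or does not tag its replies. The MAC addresses, the port settings (PVID 1 on the uplink, VLAN 20 on the access port) and all function names are constructed for illustration, and the VLAN-unaware device is modelled simply as one that reads bytes 12-13 as the EtherType and replies untagged.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
ETH_IPV4 = 0x0800

def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the source MAC (what a trunk port sends)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid   # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_vlan(frame):
    """Return (vid, ethertype, untagged_frame); vid is None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != TPID_8021Q:
        return None, etype, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner, frame[:12] + frame[16:]

def ingress_vlan(frame, pvid, allowed):
    """VLAN a switch port assigns to a received frame, or None if dropped.
    Untagged frames get the port's PVID; tagged ones must be a member VLAN."""
    vid, _, _ = parse_vlan(frame)
    if vid is None:
        return pvid
    return vid if vid in allowed else None

def unaware_ethertype(frame):
    """What a VLAN-unaware device reads as EtherType: bytes 12-13, tag or not."""
    return struct.unpack_from("!H", frame, 12)[0]

# Constructed sample frames: IPv4 between a VLAN 20 client and the router.
CLIENT = bytes.fromhex("020000000020")
ROUTER = bytes.fromhex("020000000001")
REQUEST = ROUTER + CLIENT + struct.pack("!H", ETH_IPV4) + b"payload"
REPLY = CLIENT + ROUTER + struct.pack("!H", ETH_IPV4) + b"payload"

def demo():
    vlan = ingress_vlan(REQUEST, pvid=20, allowed={20})   # access port in VLAN 20
    on_trunk = tag_frame(REQUEST, vlan)                   # uplink set up as a trunk
    uplink = {"pvid": 1, "allowed": {1, 20}}              # assumed uplink port config
    return {
        "client_vlan": vlan,
        "trunk_vid": parse_vlan(on_trunk)[0],
        # The unaware router reads 0x8100 instead of IPv4 in the tagged frame.
        "unaware_sees": hex(unaware_ethertype(on_trunk)),
        # Its untagged reply is classified by the uplink PVID (default VLAN 1).
        "reply_vlan": ingress_vlan(REPLY, **uplink),
        # A VLAN-aware router tags the reply, so it returns to VLAN 20.
        "aware_reply_vlan": ingress_vlan(tag_frame(REPLY, 20), **uplink),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```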
 
You are correct. You need a layer 3 device when networks are assigned to VLANs, which I always do. I prefer a layer 3 switch instead of a router as they are faster and don't bottleneck on the uplink port. But it can be done using a router which supports VLANs.
 
TP-Link Archer AX55 / AX3000 4-Stream Wi-Fi 6 Router
TP-Link-SG108PE Smart Switch
TP-Link AP WA 901ND Access Point

Only the smart switch supports VLANs. Get one ER605 and the needed number/type of Omada APs; for 2-3 you may go without the OC200 controller. From stand-alone WebUI to Omada SDN the system needs to be reconfigured, so you may want to start with the Omada SDN Controller for easier further expansion.
 
First of all, thank you for taking the time to write such a comprehensive reply (and to all the others, although some of the answers are getting a bit deep for me).

So, as I said at the outset, the aim is to practice on my home network before moving on to do my restaurant, which has many more security concerns.

So I believe the best thing is to buy a new router. I'm thinking of one with pfSense (from Google, I believe Netgate is the best brand for this, however they are prohibitively expensive here in Indonesia) or Omada hardware, then it's all TP-Link.
 
Hi, I started to look at the hardware you suggest and I can buy it here in Indonesia at a reasonable price. One thing I am a bit lost with: if the ER605 is VLAN aware, why do I need the OC controller as well?
Also, to clarify, my TP-Link-SG108PE Smart Switch can create VLANs.
My TP-Link AP WA 901ND Access Point can also do VLANs plus multiple SSIDs.
 
Just seen a YouTube video on exactly what you are recommending. Seeing how my existing hardware is also TP-Link, it seems like the way to go.
 
I would suggest confirming that the hardware you currently have is supported by the OC200 or the controller software. I do not know for certain. There are differences between hardware that is marketed as consumer and that marketed as for business (Omada).

If you only have one AP, then you may not need/want the controller. The controller helps with setup/management of the network hardware. It also coordinates the function of APs, from what I read.

You can also run the controller software on a PC (free) and do the same thing. The penalty is in power consumption of a PC versus a dedicated device. I have been told that if you set up the network without the controller and later add the controller, you will have to redo the setup of devices. I have not tried that.

In the Cisco SMB world, the APs have a controller built into the software. So I configure 1 AP, and then add the others to the network and the master AP configures the rest of the APs.
 
Hi, I did as suggested. Only my switch is supported. From what I have also read, I could probably get away without the controller.

The point of this exercise, as I said at the beginning, is to learn how to set up a network with VLANs and various access points and others, so later I can deploy to my restaurant/bar, which is more complex.

I have gone ahead and bought the following to practice with at home (here in Indonesia quite cheap, all for less than 200 USD):
TP-Link ER605 V2 Omada Gigabit VPN Router
TP-Link OC200 Omada Cloud Controller
TP-Link Omada EAP110 AP
 
I would suggest confirming that the hardware you currently have is supported by the OC200 or the controller software.

None is supported.

deploy to my restaurant/bar which is more complex

For your business place estimate how many users the network needs to handle, deploy the number of needed Omada compatible High Density APs, use many on very low power. You need more radios working together for many guests.

Or better use this sign:

[Image attachment: 1719103882108.png]

Restaurant/bar... what are they going to do with Wi-Fi anyway? 🥳 🥳
 
Brilliant, love the sign. Will share with my partners who are in my ear about IT!!!!
On a more serious note, I have 3 ISPs, guest Wi-Fi, owner Wi-Fi, streaming sports, ios, CCTV and importantly POS, which I need to secure....

So once I'm ready to set up VLANs in my home, which forum do I post in for the setup?
 
On a more serious note, I have 3 ISPs, guest Wi-Fi, owner Wi-Fi, streaming sports, ios, CCTV and importantly POS, which I need to secure....

You need something better than the cheapest Omada compatible hardware then.

So once I'm ready to set up VLANs in my home, which forum do I post in for the setup?

You read, practice and learn how to do it yourself on your home network. This was the original idea, no? We don't have an Omada support forum here. Once you are comfortable enough you may start planning your business network. Based on the description, my advice is to hire a professional to do it for you.
 
Correct, I want to learn at home first. So forgetting the OC, since I will soon have a router that is VLAN aware, then I should be able to build the network I described at the beginning, yes?
 
then I should be able to build the network I described at the beginning, yes?

Not really. Your business place requirements seem complex enough and the network there needs professional planning. Not only VLAN segmentation planning, but also wired infrastructure, switches for wired devices, Wi-Fi coverage for wireless devices indoors and perhaps outdoors; your PoS system has to be totally secure, your camera system has to be isolated with planning of how much bandwidth it needs, etc. You can play with the ER605 stand-alone WebUI at home and learn VLANs, but this is just to make yourself somewhat familiar with how to eventually manage the future business system. If you go for Omada, the SDN Controller has a totally different interface and different features with the ER605 (or other Omada integrated router) connected.
 
I now have an ER605 router. Attached is what I would like to try to set up. I believe the hardware I have can achieve this?
A couple of questions before I start:
From my reading I should set up all the VLANs in the switch. Do I need to set up anything specifically in the router for these VLANs?
The NAS I have is in VLAN 20. I think this is a mistake: I need the desktop PC to be able to access the NAS, but I don't want the smart TV or the Android box on the same network. I'm thinking the NAS should be on its own VLAN?
 