Creating a VLAN in a complex networking situation

In my office, I have a work machine and a home machine.

I would like to place the work machine into its own VLAN.

This is my network plan:

The QNAP allows for the creation of VLANs, though it is very basic as it is a basic switch.

The problem I have is that when I create a VLAN for it, the work machine cannot identify the network and cannot obtain an IP address.

I strongly suspect that my knowledge in this area is very lacking - and the “tutorials” that I have found relate to turning 1-port on a machine to a VLAN - where that one machine is the network.

In this case, the ASUS RT AX89X is the DHCP machine and acts as my router. The TP-Link TL-SX3008F is a distribution switch that sends fibre cable all over my house. There are several switches like the QNAP connected to the TP-Link.

I can’t change the TP-Link connector to a VLAN as it connects both my home and work machine.

Anyone got any advice, maybe been here and done this before and knows the solution?

I’m not sure VLANs are what you want.

A single ethernet connection can carry multiple VLANs - these kinds of switch ports are called “trunk” or “hybrid” - and ports that are connected to a single device or are connected to a single VLAN are called access VLANs.

Each VLAN is a separate virtual LAN from the perspective of a device connected to just a regular plain old access port. Each VLAN network needs a DHCP server and a gateway to access the internet.

So, basically, the connections [Asus RT AX89X] - [TP-Link TL-SX3008F] … should be a “trunk” or “hybrid” connection, and also [TP-Link TL-SX3008F] - [QNAP QSW-M408-2C] should be a “trunk” or a “hybrid” connection.

… now, the bad news. I don’t think your Asus supports multiple VLANs, and I don’t think your TP-Link or QNAP switches support L3 routing.

You’ll need a more capable router, or a more capable L3 switch.

I’d probably relegate ax89x to “access point” duties, and would consider buying / setting up a cheap N100 based machine with pfSense for routing.

It looks like folks are working on adding support for that asus to openwrt, but it’s very nascent - it might be a while, and it’s definitely too early to tell how well it’ll work.

@Joe_Bloggs1 - are you by any chance that youtuber from uk who’s been reporting on russian finances a lot? I’m asking because if you are, … thanks! … but also, where you are in the world affects recommendations for solutions due to their cost effectiveness.

1 Like
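To make the trunk/access distinction above concrete, here is an added example (not code from this thread or from any of the vendors mentioned): a parser and builder for 802.1Q-tagged Ethernet frames, plus a tiny model of one switch with an access port (VLAN 20 untagged, PVID 20) and a trunk port (VLAN 20 tagged). The MAC addresses, payload bytes and port numbers are constructed for the example.

```python
"""802.1Q tagging as a switch port sees it: added example, not code from the thread.

Constructed sample frames pass through a tiny model of one switch with an access
port (VLAN 20 untagged, PVID 20) and a trunk port (VLAN 20 tagged). MAC addresses
and payload bytes are made up for the example.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]   # None = untagged (or priority-tagged with VID 0)
    pcp: int                 # 802.1p priority bits
    ethertype: int
    payload: bytes


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, if present, the 4-byte 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13
        vid = tci & 0x0FFF
        vlan_id = vid if vid != 0 else None   # VID 0 carries priority only, no VLAN
        offset = 18
    return Frame(_mac_str(dst), _mac_str(src), vlan_id, pcp, ethertype, raw[offset:])


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble a frame, inserting an 802.1Q tag when vlan_id is given."""
    header = _mac_bytes(dst) + _mac_bytes(src)
    if vlan_id is None:
        return header + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                 # VLAN assigned to frames that arrive untagged
    tagged: frozenset         # VLANs sent out with a tag (trunk behaviour)
    untagged: frozenset       # VLANs sent out without a tag (access behaviour)


def forward(raw: bytes, in_port: Port, out_port: Port) -> Optional[bytes]:
    """Switch one frame from in_port to out_port; None means out_port is not a member of that VLAN."""
    f = parse_frame(raw)
    vlan = f.vlan_id if f.vlan_id is not None else in_port.pvid
    if vlan in out_port.tagged:
        return build_frame(f.dst, f.src, f.ethertype, f.payload, vlan_id=vlan, pcp=f.pcp)
    if vlan in out_port.untagged:
        return build_frame(f.dst, f.src, f.ethertype, f.payload)
    return None


# Constructed topology: port 1 = work PC (access, VLAN 20 untagged),
# port 10 = uplink to the distribution switch (trunk carrying VLAN 20 tagged).
PORT1 = Port("port1", pvid=20, tagged=frozenset(), untagged=frozenset({20}))
PORT10 = Port("port10", pvid=1, tagged=frozenset({20}), untagged=frozenset({1}))
WORK_PC_MAC = "02:00:00:00:00:10"     # constructed
GATEWAY_MAC = "02:00:00:00:00:01"     # constructed
SAMPLE_PAYLOAD = b"constructed payload"

if __name__ == "__main__":
    untagged = build_frame(GATEWAY_MAC, WORK_PC_MAC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
    print(parse_frame(forward(untagged, PORT1, PORT10)))   # leaves the trunk tagged with VLAN 20
```

The access port never sees a tag: the switch assigns its PVID on ingress and strips the tag on egress, which is why a PC on such a port needs no VLAN configuration of its own. A frame arriving on the trunk for a VLAN the access port is not a member of is simply dropped, which is the "fence" the later replies talk about.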

Basically think of a VLAN as a virtualized network. So when you put your NAS on a VLAN you took it off your physical network and it didn’t have a virtualized router to connect to. To use a VLAN you must set it up on the router, and the router will host the VLAN as a separate virtual network. Only then can you connect devices configured to use the same VLAN to it. As I understand your post, all you’ve done is put the QNAP in a virtualized network of itself. :wink:

As long as your router has configuration options for this you can run multiple VLANs off the same router, far as I know you can run the default network concurrently alongside multiple VLANs as well. In server space there can be hundreds of VLANs operating off the same router.

I was wondering about this and taking the post above, the TP-Link does have L3 Routing options.

I was wondering whether I had to create a MAC address VLAN on the TP-Link for it to accept the Laptop after I put the laptop on a Port based VLAN.

I just wasn’t sure how to do it to be honest and I wasn’t sure whether the ASUS could continue to act as a DHCP.

I was wondering whether I might be better off switching DHCP duties to the TP Link which could then handle IP distribution at the point that it handles all the input traffic as it is the main hub.

A networking expert should probably chime in here. I’ve only done VLANs a few times via managed switches.

The problem I see is if your TP-Link port is configured to be a VLAN, then everything below it in your diagram is effectively one single unified VLAN. This won’t “fence” the work & home clients apart and the only thing it does is block DHCP broadcasting from the ASUS router & vice-versa from the clients.

If you want to fence the work & home machines apart then each needs to be on its own VLAN. Instead of assigning a VLAN to the TP-Link port you would assign each VLAN by the QNAP ports. If the QNAP switch doesn’t support VLAN assignments then you need to plug either the work or your home client into the TP-Link directly, and the other you can leave connected to the QNAP switch because the QNAP would be connected to a separate ethernet port on the TP-Link. This allows you to assign each port on the TP-Link to a separate VLAN and that would fence your home & work clients off from each other, and I believe without compromising DHCP access since it’s an L3 routing device. If I’m wrong you can simply enable DHCP Relay on the TP-Link switch to the VLANs and then it’ll pass on the ASUS DHCP anyway.

/s Maybe you can try out VXLAN, which is VLAN on L3.

Well, not satirically speaking, most of us Kubernetes cluster masters do have to come across this network segmentation problem because we needed an overlay network for the pods to allocate a unique IP address from, and the popular choices are Flannel and Calico. Both support VXLAN as the network option that emulates VLAN over an L3 transport, and you can still directly attach your VXLAN network device to a bridge.

The only problem for VXLAN is MAC learning, which would go O(n^2) for manual assignments, or C(n, 2) in math terms, and both Calico and Flannel need to collect the MAC address for all their nodes and congregate them into a DHT where every node would ‘learn’ each other (that is, manually create a permanent remote VTEP IP address and remote MAC address assignment, using the bridge fdb append command to the VXLAN device for each node, except itself, kind of like OSPF except on L2), so they both basically did a bootleg P2P overlay network, usually using etcd, whether directly or not.

Similar ideas would be NVGRE, GENEVE and the good ol’ L2TPv3.

@stevefan1999 … what you’re suggesting is too fancy. it’s two vlans and internet.


Hi,

aha, you’re right, it’s marketed as L2+, but it does seem to have some L3. Would you look at that, nice!

oh, and it has DHCP server built-in, not just relaying.

specs: TL-SX3008F | JetStream 8-Port 10GE SFP+ L2+ Managed Switch | TP-Link United Kingdom
emulator: Download for TL-SX3008F | TP-Link United Kingdom
manual: … where? (am I missing it on the download page)

stick to 802.1q - this is the standard way of doing vlans, the other stuff is either a hack around 802.1q or marketing people being dumb thinking yet another way of doing things is less confusing.

yup, … we have some basic L3 there. now we’re cooking.



OK, you’ve two VLANs, let’s do work first

VLAN config, assuming port 7 is currently empty, and port 8 is the trunk where qnap goes

screenshot from emulator,

VLAN ID 20 - WORK …

You may need to remove system vlan from your debug port, to assign vlan 20 untagged to it… not sure.


Then you give the TP-Link an IP address on that VLAN 20 interface:

like so

… normally, you’d have a DHCP server somewhere … but this emulator is crap, and I can’t figure out how to set one up, … and technically, you kind of don’t need it, even though it makes life easier.


Let’s see QNAP:

specs: QSW-M408-2C | Hardware Specs | QNAP (Middle East)
user guide: 2023-04-28: QSW-M408-2C - Download Center | QNAP (Middle East)

This instructions page looks interesting

You need to add VLAN 20, and if port 10 is the one connected to TP-Link, make VLAN 20 tagged on port 10, and let’s say your work computer is on port 1, make port VLAN 20 untagged on port 1.

if UI doesn’t let you do this, remove port 1 from default.


Now your work computer,

Configure it statically, go to interface settings and type in 172.30.0.10 / 255.255.255.0 gateway 172.30.0.1 in windows or linux or mac interface settings.

Now, you should be able to ping, from your work computer 172.30.0.1 (which is the tp-link) and you should see replies coming back, indicating your qnap and tp-link are reasonably set-up.


Routing:

I’m betting your TP-Link is already getting an IP address from ASUS and can exit the internet, but I think you should probably reconfigure it to use a static ip on ASUS’s LAN network, with Asus as a gateway.

For example if Asus is doing 192.168.1.1/24 for itself, … just configure TP link statically to 192.168.1.251 for example if that’s available.

and then add a static route for your 172.30.0.0/24 network to go over the tp-link

see this page of Asus manual

What you should see as a result is basically, your work computer should be able to ping 192.168.1.1 … indicating packets going both ways.

Then configure DNS, on your work computer and try pinging internet.


Once you have basic pings to internet and back working, … things might still not work smoothly, … I’d suggest you enable Jumbo frames on your QNAP and TP-link. I wonder if Asus is blocking any ICMP.


Just one step at a time!

2 Likes
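The routing step in the post above (give the TP-Link an address on the ASUS LAN, then add a static route for 172.30.0.0/24 on the ASUS pointing at it) is the one people most often skip, and the symptom is a ping that leaves but never comes back. Here is an added example, not code from the thread or from either vendor, that models the three boxes with the addresses used in the post and traces a packet both ways with longest-prefix-match routing. The ASUS WAN addresses (203.0.113.0/30, a documentation range) and the node names are constructed for the example.

```python
"""Trace a packet through the addressing plan from the thread: added example, not
the switch's or router's code.

A small longest-prefix-match route simulation built from the addresses in the
post: work VLAN 172.30.0.0/24 with the TP-Link at 172.30.0.1, the ASUS LAN
192.168.1.0/24 with the TP-Link at 192.168.1.251 and the ASUS at 192.168.1.1.
The ASUS WAN side (203.0.113.0/30) is a constructed placeholder.
"""
from ipaddress import ip_address, ip_interface, ip_network


class Node:
    """A host or router: a set of addressed interfaces plus a route table."""

    def __init__(self, name, interfaces, routes=()):
        self.name = name
        self.interfaces = [ip_interface(i) for i in interfaces]
        # Static routes as (prefix, next_hop). Connected subnets are added with
        # next_hop None, meaning "deliver directly on the link".
        self.routes = [(ip_network(p), ip_address(nh)) for p, nh in routes]
        self.routes += [(i.network, None) for i in self.interfaces]

    def owns(self, addr):
        return any(i.ip == addr for i in self.interfaces)

    def next_hop(self, dst):
        """Longest-prefix match; returns the address the packet is handed to, or None if unroutable."""
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        net, nh = max(matches, key=lambda m: m[0].prefixlen)
        return dst if nh is None else nh


def trace(nodes, src, dst, max_hops=8):
    """Names of the nodes a packet from `src` to `dst` passes through, or None if it never arrives."""
    dst = ip_address(dst)
    by_addr = {i.ip: n for n in nodes for i in n.interfaces}
    node = next(n for n in nodes if n.name == src)
    path = [node.name]
    for _ in range(max_hops):
        if node.owns(dst):
            return path
        nh = node.next_hop(dst)
        node = by_addr.get(nh) if nh is not None else None
        if node is None:            # unroutable, or next hop lies outside the modelled network
            return None
        path.append(node.name)
    return None                     # loop or too many hops


def round_trip(nodes, src, dst_addr):
    """True when both the outbound path and the reply path exist, which is what a ping needs."""
    out = trace(nodes, src, dst_addr)
    if out is None:
        return False
    src_node = next(n for n in nodes if n.name == src)
    return trace(nodes, out[-1], src_node.interfaces[0].ip) is not None


def build_network(asus_has_static_route):
    """The three boxes from the thread; the flag toggles the static route step on the ASUS."""
    work_pc = Node("work_pc", ["172.30.0.10/24"], [("0.0.0.0/0", "172.30.0.1")])
    tplink = Node("tplink", ["172.30.0.1/24", "192.168.1.251/24"], [("0.0.0.0/0", "192.168.1.1")])
    asus_routes = [("0.0.0.0/0", "203.0.113.1")]          # constructed WAN upstream
    if asus_has_static_route:
        asus_routes.append(("172.30.0.0/24", "192.168.1.251"))
    asus = Node("asus", ["192.168.1.1/24", "203.0.113.2/30"], asus_routes)
    return [work_pc, tplink, asus]


if __name__ == "__main__":
    for flag in (True, False):
        net = build_network(flag)
        print("static route on ASUS:", flag,
              "| out:", trace(net, "work_pc", "192.168.1.1"),
              "| ping works:", round_trip(net, "work_pc", "192.168.1.1"))
```

Without the static route the request still reaches the ASUS, because the TP-Link's default route covers it, but the ASUS has no entry for 172.30.0.0/24 and hands the reply to its WAN upstream, so the ping times out. That asymmetry is why the post checks the work computer can ping 192.168.1.1 before moving on to DNS and the internet.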

I am at work, but wanted to just say immediately - thank you for taking the time here - really appreciate the effort you put into helping me - I will work through all of this and let you know how it panned out.

Might not be until the weekend though as some of these are shared services and I can’t afford to break the work connection lol - which I almost guarantee I will do as I misread some of your clear instructions.

Thanks!

One of the things stopping me implementing this immediately was my work machine is pretty locked down and I can’t just change the IP Address on the Adapter.

I had to get assistance and after talking to them, they have said that they would prefer if I did not assign a static IP address to the machine - but rather had an internal range as it has now.

This came from our InfoSec department and if you ever worked with InfoSec - what they say is really what you do - if you don’t, they will literally sack you for putting the whole company at risk.

So I need a solution with a DHCP range - I am suspecting that you gave a static IP as the “simplest” way of doing this, and I think if I just create a range for the VLAN on the TP-Link rather than a single IP - by setting a DHCP range of 172.30.0.1 - 172.30.0.250 - that this would still work as you set out?

Yeah, I just have no idea how that tp-link dhcp server UI is meant to be used.

I see some interesting options like “Pool Setting” and “DHCP VLAN Relay”.
I don’t see e.g. how to tie a “Pool” to an interface or a VLAN.

Maybe it’s obvious on a real device?

If it’s anything like Cisco, tying a DHCP pool to an interface is based on the subnet of the IP used on said interface.

e.g., you have a DHCP pool for the network 10.1.1.0/24, it will be applied to the interface on VLAN X that has an IP in the above subnet.
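As an added example (not the TP-Link's or Cisco's code), here is the pool-to-interface binding described in the last two posts, modelled in a few lines: a pool applies to the VLAN interface whose address lies inside the pool's network. It also handles the detail raised earlier in the thread, where the proposed range 172.30.0.1 - 172.30.0.250 starts at the gateway address 172.30.0.1: the lease function skips the interface's own address and the network and broadcast addresses. The interface and pool values come from the thread; the "home" pool name is a constructed label for the ASUS LAN.

```python
"""DHCP pool selection by interface subnet: added example, not the TP-Link's code.

Models the binding described in the thread (a pool applies to the VLAN interface
whose address is inside the pool's network) and a lease picker that skips the
interface's own address. Nothing here talks to a real DHCP server.
"""
from ipaddress import IPv4Address, ip_address, ip_interface, ip_network
from typing import Dict, Iterable, Optional

# VLAN interfaces on the switch, as set up earlier in the thread
INTERFACES = {"vlan20": "172.30.0.1/24", "vlan1": "192.168.1.251/24"}
# Candidate pools; "home" is a constructed label for the ASUS LAN
POOLS = {"work": "172.30.0.0/24", "home": "192.168.1.0/24"}


def pool_for_interface(iface_cidr: str, pools: Dict[str, str]) -> Optional[str]:
    """Return the name of the pool whose network contains the interface address, or None."""
    iface = ip_interface(iface_cidr)
    matches = [name for name, net in pools.items() if iface.ip in ip_network(net)]
    if len(matches) > 1:
        raise ValueError(f"{iface_cidr} matches several pools: {matches}")
    return matches[0] if matches else None


def bind_pools(interfaces: Dict[str, str], pools: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map every interface to the pool it would serve."""
    return {ifname: pool_for_interface(cidr, pools) for ifname, cidr in interfaces.items()}


def next_lease(iface_cidr: str, start: str, end: str, leased: Iterable[str]) -> Optional[IPv4Address]:
    """First free address in start..end, skipping the interface's own IP, network and broadcast."""
    iface = ip_interface(iface_cidr)
    first, last = ip_address(start), ip_address(end)
    if first not in iface.network or last not in iface.network:
        raise ValueError("pool range must lie inside the interface subnet")
    taken = {ip_address(a) for a in leased}
    taken |= {iface.ip, iface.network.network_address, iface.network.broadcast_address}
    addr = first
    while addr <= last:
        if addr not in taken:
            return addr
        addr += 1
    return None


if __name__ == "__main__":
    print(bind_pools(INTERFACES, POOLS))
    # Range from the thread; the gateway address at the start of it is skipped
    print(next_lease("172.30.0.1/24", "172.30.0.1", "172.30.0.250", []))
```

On a real switch the safer configuration is to start the range above the gateway address rather than rely on the server to skip it; the function here makes the overlap visible rather than silently leasing 172.30.0.1 to a client.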