Help with VLAN Setup Please

Hello all,

I’ve been lurking in the forum for quite some time and learned how to put together a small home lab. Now I am thinking of playing with VLANs.

This is what my network topology looks like right now. It’s a pre-wired house so my router and switch placement choice is very limited, or I have to re-wire the whole thing.

The main network hub sits in the closet of the master bedroom. The coax cable comes in in the living room, so I think the QNAP switch and the router can’t be moved.

The goal here is to segregate network traffic according to its role: servers and NAS in one VLAN, cameras in another, IoT devices in another, workstations, etc, etc.

So how do I tag VLANs according to the diagram above? I am afraid of doing something wrong and causing my whole network to become inaccessible…

Besides, should I re-wire to have everything just go to the garage as a single point, utilizing the L3 capabilities of the Brocade switch?

Thanks a lot, any suggestions would be helpful.

As long as both switches support 802.1Q trunking, you should be fine. VLANs are a Layer 2 technology, so there is no real need for the L3 switch unless you need to do inter-VLAN routing (but try not to if you can help it, especially if you’re new to this).

Just watch out for what each manufacturer calls a ‘trunk’, because I know from experience this is different between HPE and Cisco at least. You just need to set your clients up as ‘access’ ports on VLAN 1/2/3, whatever, and then set the link between your switches up as a ‘trunk’ port and allow the relevant VLANs to be carried across it.

Another point to be careful about: does the Netgear router support VLANs? If so, same thing there. If not, you’ll have to have that link as non-VLAN, otherwise the router won’t know what to do with the extra info in the packets coming from the L2 switch…

Happy to help if you have any more questions/screenshots/cli outputs/etc :slight_smile:

Update: Looks like the QNAP calls ‘access’ ports ‘untagged’ and ‘trunk’ ports ‘tagged’ (same as HPE does). Seems like the firmware is potentially weird, so make sure you’re physically there to factory reset it if things go awry!
https://forum.qnap.com/viewtopic.php?t=154706

Thank you so much sir, I will give this a go and see what comes out of it. Will report back.

1 Like

Yeah, the router must support vlans or have discrete LAN ports (not bridged). Since it’s a consumer router, the LAN ports are likely a hardware switch, so it’ll need to support vlans.

Idk about qnap switches in general, but this confuses a lot of people when they start with vlans. When a port is tagged with a vlan, that means it will allow traffic on that vlan to pass through it. You can tag as many vlans as you want on a port. Typically a trunk is tagged with all the vlans you’ve configured on your network.

When you assign a port an untagged vlan, you’re essentially setting the default vlan for that port. You can only untag one vlan per port. Data that comes in without a vlan header (untagged) is assigned the untagged vlan.

Also, vlan1 is reserved for untagged traffic. Some switches will show all ports untagged vlan1 by default. That essentially means you’re not using vlans.
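As an added illustration of the tagged/untagged rules described above, and of the earlier point about a router that does not understand VLAN tags, here is a small Python model of 802.1Q frames and switch port behaviour. This is example code written for this thread, not code from QNAP, Brocade or any poster; the port names, VLAN numbers and MAC addresses are made up.

```python
import struct

TPID_8021Q = 0x8100  # the EtherType value that announces an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Assemble an Ethernet frame; vlan_id inserts an 802.1Q tag (PCP=0, DEI=0)."""
    tag = struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF) if vlan_id is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def wire_ethertype(frame):
    """The 2 bytes after the MACs, which is all a VLAN-unaware device looks at."""
    return struct.unpack("!H", frame[12:14])[0]

def read_vlan(frame):
    """Return (vlan_id, ethertype); vlan_id is None when no tag is present."""
    if wire_ethertype(frame) != TPID_8021Q:
        return None, wire_ethertype(frame)
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, ethertype

def strip_tag(frame):
    return frame[:12] + frame[16:] if read_vlan(frame)[0] is not None else frame

class Port:
    """untagged = the single PVID/native VLAN; tagged = VLANs allowed across with a tag."""
    def __init__(self, name, untagged=1, tagged=()):
        self.name, self.untagged, self.tagged = name, untagged, set(tagged)

def ingress(port, frame):
    """Classify a received frame into a VLAN; None means the switch drops it."""
    vid, _ = read_vlan(frame)
    if vid is None:
        return port.untagged                     # untagged data takes the port's untagged VLAN
    return vid if vid in port.tagged else None   # a tag must be on the port's allowed list

def egress(port, vid, frame):
    """Prepare a frame for the outgoing port; None means the port is not in that VLAN."""
    bare = strip_tag(frame)
    if vid == port.untagged:
        return bare                              # leaves untagged, e.g. toward an access device
    if vid in port.tagged:
        return bare[:12] + struct.pack("!HH", TPID_8021Q, vid) + bare[12:]
    return None

# Constructed topology: camera access port, trunk to the other switch, VLAN-unaware router port.
CAMERA_PORT = Port("qnap-port-5", untagged=20)
TRUNK = Port("qnap-to-brocade", untagged=1, tagged=(10, 20, 30))
ROUTER_PORT = Port("netgear-lan", untagged=1)
CAM_FRAME = build_frame(b"\x02" * 6, b"\x02\x00\x00\x00\x00\x20", 0x0800, b"rtsp")
```

Running `egress(TRUNK, 20, CAM_FRAME)` shows the camera frame leaving the trunk with a VLAN 20 tag, while `egress(ROUTER_PORT, 20, CAM_FRAME)` returns None: a port that is only untagged on VLAN 1 never carries the camera VLAN, and a device reading the tagged frame sees EtherType 0x8100 instead of 0x0800.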

Depends: if the switch CLI lets you set the native vlan, then it’s not necessarily vlan1 :man_shrugging:

1 Like

Also from my Googling, that Netgear won’t do VLANs properly unless you flash ddwrt onto it… RIP

1 Like

I’d have to see exactly what you mean, but it sounds like that’s essentially assigning an untagged vlan to the whole switch (which is a fine thing to do if you want to).

Why not use ddwrt then?

I probably would if I was in that scenario, up to OP I suppose…

1 Like

Usually both LAN and WAN ports are a hardware switch, and you get one or two RGMII links going from the CPU to the switch. Routing between WAN and LAN usually actually uses the CPU to route across a pair of VLAN interfaces (the CPU RGMII being configured as a trunk)… The switch section on the SoC can usually do basic L3 forwarding, but the documentation on how the switch registers need to be programmed is usually limited under NDA, not something any open-source driver implements.

You can probably do VLANs using DD-WRT in hardware just fine, even if you do L3 stuff in software (there isn’t that much you need to do).

Also, WiFi <-> Ethernet bridging has to go through the kernel/CPU, always (on every wifi router/AP) and I think you can get 4 or 8 SSIDs decrypted with WPA2/WPA3 in hardware on an R7000, iirc.

2 Likes

Would it be just a helluva lot easier, and make more sense, to buy a proper router like an EdgeRouter X and use this R7000 as an AP?

2 Likes

DD-WRT, anything pfSense, or EdgeRouter are all good options. Only reservation with EdgeRouter is that Ubiquiti seems to be phasing out EdgeMAX.

DD-WRT would be the lowest barrier to entry, assuming the R7000 supports it.

The other way around, but yes. The R7000 is supported by the DD-WRT devs; it was one of the more popular models in that community. You can just grab the latest official builds from the DD-WRT » Router Database.

1 Like