New to VLANs: How to Put a Switch's Web Management GUI on a VLAN that isn't VLAN 1 without Breaking Anything?

tl;dr: I have an OPNSense firewall with a QNAP core switch, and one “management” VLAN defined as VLAN 10 to be the place where all my web management pages live for various hardware (switches, serial console server, etc.).

(Yes, I know I don’t really need that for my home/home office network, but it’s my first ever VLAN and seemed a safe enough thing to practice on.)

I’ve run into a minor issue with a few switches I have that don’t have out of band management ports, so the web GUI is accessed via the trunk port that goes upstream to the core switch.

As this is my first experiment with VLANs, I’m a bit confused about what’s considered the best way to put a device’s web GUI on a specific VLAN (e.g., VLAN 10), without overcomplicating tagging/untagging VLAN ports on the rest of the switch.

I thought about passing the management VLAN as the untagged VLAN, and passing VLAN 1 as tagged, but (1) that is backwards to how I’ve been doing trunk ports on other hardware; and (2) I’m concerned it might break something. In any case, it would seem to make my network topology unduly complicated.

tl;dr I’m not buying any more switches that don’t have easy to use out of band management ports. :stuck_out_tongue:

What devices?

This is my core switch: QNAP QSW-M1208-8C

This is the edge switch I’m trying to set the IP of the web GUI on. Unfortunately, it doesn’t let me specify a VLAN to put the web GUI on. :stuck_out_tongue:

Both support setting per-port VLAN tags, as well as untagged ports.

Then use VLAN 1 as management, otherwise you’ll get into a lot of trouble for no apparent gain …

I’m moving from a flat network with no VLANs to a segmented network, so right now almost everything is configured for VLAN 1, and some of my devices don’t understand VLANs at all, so they’ll always be on VLAN 1 until I can replace my ancient WiFi router (which also doesn’t understand VLANs).

If I could just rebuild the entire network from scratch, I would.

That’s not really workable for me right now, which is why I asked this question specifically.

Hmm, that’s not how it works…
Any device that has no vlan capability/you do not wish to make aware you have VLANs gets an access port, fixed on one vlan, it can be whatever you choose, and it’s where you implement your segmentation.
The fact that now you are using 1 is irrelevant, you could change all ports of all your switches to access mode on a different VLAN and they still would work…
When you are dealing with VLAN aware devices, you choose whether to allow them on specific VLANs and how you trunk them together, be they switches, servers or APs.


Don’t do that. VLAN1 always has access to all other VLANs. You can just stick a VLAN header on some packets, and they’ll jump right across to that other VLAN.

Changing the management VLAN away from 1 will not make things secure. Using VLAN1 for all traffic will make your network insecure. Instead, you should look into changing the “native vlan” and/or “default vlan” on your switch(es).

As MadMatt said, you can just set each port appropriately. “access port” is the Cisco term, while others often call it an “untagged interface” or port, but in either case, you can use any VLAN number.

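An added example (not from this thread or from any vendor's documentation) of what MadMatt's post and the reply above describe, written in generic Cisco IOS-style syntax: the switch's management SVI lives on tagged VLAN 10, the trunk's native VLAN is moved off VLAN 1 onto an otherwise unused VLAN, and non-VLAN-aware devices sit on access ports pinned to whatever VLAN you choose. The VLAN numbers, interface names and addresses are assumed; exact commands differ per vendor, and on GUI-only switches the equivalent is the per-port tagged/untagged setting.

```cisco
! VLANs (assumed): 10 = management, 20 = trusted LAN, 30 = IoT, 999 = unused parking VLAN
vlan 10
 name MGMT
vlan 20
 name LAN
vlan 30
 name IOT
vlan 999
 name NATIVE-UNUSED
!
! Web/SSH management reachable on VLAN 10 only; the VLAN 1 SVI is shut down
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
interface Vlan1
 shutdown
ip default-gateway 10.0.10.1
!
! Uplink to the core switch: tagged VLANs only, native (untagged) VLAN parked on 999
! so nothing untagged on the trunk lands in VLAN 1
interface GigabitEthernet1/0/1
 description UPLINK-TO-CORE
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Non-VLAN-aware devices get access ports fixed on one VLAN; the number is arbitrary
interface GigabitEthernet1/0/2
 description DESKTOP
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 description SMART-TV
 switchport mode access
 switchport access vlan 30
!
! VLAN 1 is now carried on no trunk and used by no access port
```

Because the trunk carries VLAN 10 tagged, the management SVI is reachable from the core through the same uplink, so no out-of-band port is needed; a device on the IoT access port reaches the switch's management address only if the firewall permits 30 to 10.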

Thanks for the replies. :slight_smile:

I definitely didn’t do that on purpose. Unfortunately, since I wasn’t using VLANs before, everything defaulted to VLAN 1 (as the only (V)LAN that existed).

I’ve got plans to gradually create more VLANs and get as much traffic off VLAN 1 as possible (e.g., an IoT VLAN for the dubious smart TVs that I somehow am surrounded by…), but I’m going to have to go slow with that, and get some more experience building VLANs that won’t annoy anyone else if I screw them up. :stuck_out_tongue:

Since I’ve got maybe 5 hours a week (on Saturdays) to tinker with this stuff, and doing everything right (the easy way) would require starting from scratch, I’m afraid I can’t really start over at this point. I don’t think work will give me a week off to “figure out how to redo my home network and then how to make that happen across the three different brands of hardware I somehow ended up with.”

Alas.

I’m not trying to get things onto a management VLAN for security purposes so much as I figured this was a relatively safe thing to experiment with for a first VLAN; I’ve got actual serial console access to all the network equipment and a hardware terminal server so I can quickly reverse things I break, but when I do break something, no one notices but me, and it doesn’t impact anyone else in the house as far as actually using their devices. Or me using my production machines for work, come to that.

Instead, you should look into changing the “native vlan” and/or “default vlan” on your switch(es).

This is definitely the way to go. I somehow assumed this would be easy given that I’ve been accumulating small business gear.

Oops.

My core switch has an out of band management port. It was easy enough to put that on an untagged port on the management VLAN.

My FS S3900 is a Cisco-like switch with a dedicated out of band management port that takes a static IP assignment, so I think I can probably make that do what I want, but I haven’t had a chance to test it yet.

But. My consumer/small office non-PoE and small office PoE switches from QNAP don’t have management ports (which is REALLY inexcusable on the PoE switch, IMHO, given its target audience and price point). And QNAP hasn’t yet released firmware for either of those that supports redefining the native/default VLAN (in fact, it’s locked to VLAN 1, I tried).

They also don’t allow the management web GUI to be assigned to a specific VLAN, which would solve my problems neatly.

Rumor is this feature is on the super secret roadmap for the QNAP switch firmware, but rumor is also that these features were supposed to be in version 2.0 and released at the beginning of 2023. It’s almost 2024 and we’re still on the 1.3.x branch, sooooo…

tl;dr I’ve outgrown a pair of very expensive switches because I wasn’t informed enough when I bought them and didn’t realize not all VLAN support was created equal.