Simple VLAN question


AdditionalPylons

New Member
Apr 12, 2016
Oslo, Norway
Dear STHers,
I have started to learn about VLANs and have a probably very simple question.
I have a device that needs connection to the internet but not to other devices on the network.
I am considering setting up a network that looks like this:

Code:
a) Internet
    |
b) Consumer router (that as far as I know does not support VLAN tagging) with wireless access point
    |
c) Managed switch
    |            \
d) VLAN 1     e) VLAN 2
Will devices on VLAN 1 be able to talk to devices on VLAN 2?
My thinking is that because the router does not support VLAN tagging, in principle a package from a computer on VLAN 1 could be allowed to travel d-c-b-c-e.
Or is this somehow avoided because the managed switch will read the "source MAC" part of the header (IEEE 802.1Q - Wikipedia) and know that the package should not come back to the managed switch at all?
Maybe that is a basic feature in any switch to avoid loops?

Forgive me if I am not understanding this correctly.
Thanks!

Edit: Updated sketch with the fact that the router is actually a consumer router which acts both as router and wireless access point.
 

gea

Well-Known Member
Dec 31, 2010
DE
On your Switch c. you can assign some ports to vlan1 and some to vlan2. They cannot see each other as this would require a l3 routing. The vlan that is connected to router b has internet the other one not.
 

AdditionalPylons

New Member
Apr 12, 2016
Oslo, Norway
On your Switch c. you can assign some ports to vlan1 and some to vlan2. They cannot see each other as this would require a l3 routing. The vlan that is connected to router b has internet the other one not.
I want both VLANs to access the router (and thus the internet), but not to each other. If both VLAN 1 and VLAN 2 have access to the router, can't a package go from the VLAN 1 to the switch, to the router, then back to the switch and to VLAN 2?
 

kapone

Well-Known Member
May 23, 2015
That's not how it works on "L2". You need a "router" to route those packets, and that would be "b" in your case.

You can easily allow/disallow communication between the VLANs at the router level, depending on which router it is. You can disable it at the entire VLAN level, individual device level, address range level etc etc.
 
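To make gea's and kapone's answers concrete, here is a small added model of the thread's topology. It is illustration code written for this thread, not code from the posts and not any vendor's implementation; the MACs, IPs, port names and the two firewall policies are constructed. It shows the layer-2 rule (a switch forwards a frame only to ports that are members of the frame's VLAN, so nothing travels d-c-b-c-e) and the layer-3 consequence: with a router that ignores tags, its port sits in one VLAN and the other VLAN has no internet; with a VLAN-aware router on a tagged port, both VLANs reach the WAN and the only place inter-VLAN traffic can be allowed or blocked is a firewall rule on that router.

```python
"""Toy VLAN-aware learning switch plus router; added illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
WAN_IP = "203.0.113.1"            # constructed "internet" destination


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: Optional[int]           # 802.1Q tag on the wire; None = untagged
    src_ip: str
    dst_ip: str


class Switch:
    """Learning switch whose forwarding table is keyed by (VLAN, MAC)."""

    def __init__(self):
        self.pvid, self.tagged, self.links, self.fdb = {}, {}, {}, {}

    def add_port(self, port, pvid, handler, tagged=()):
        # pvid: VLAN for untagged frames; tagged: VLANs carried with a tag.
        # handler(frame) is the attached device; it may return a frame to send back.
        self.pvid[port], self.tagged[port], self.links[port] = pvid, set(tagged), handler

    def member(self, port, vlan):
        return self.pvid[port] == vlan or vlan in self.tagged[port]

    def ingress(self, port, frame):
        if frame.vlan is not None and frame.vlan not in self.tagged[port]:
            return                                  # tagged frame on an access port: dropped
        vlan = frame.vlan if frame.vlan is not None else self.pvid[port]
        self.fdb[(vlan, frame.src_mac)] = port       # learn the source, per VLAN
        known = self.fdb.get((vlan, frame.dst_mac))
        outs = [known] if known else [p for p in self.links if self.member(p, vlan)]
        for out in outs:                             # never a port outside this VLAN
            if out == port:
                continue
            tag = vlan if vlan in self.tagged[out] else None
            reply = self.links[out](Frame(frame.src_mac, frame.dst_mac, tag, frame.src_ip, frame.dst_ip))
            if reply is not None:
                self.ingress(out, reply)


class Router:
    """Layer-3 device. subifs maps a VLAN id (None = untagged) to its subnet;
    policy(src_vlan, dst) is the firewall, dst being a VLAN id or 'wan'."""

    def __init__(self, mac, subifs, policy):
        self.mac, self.subifs, self.policy = mac, subifs, policy
        self.log, self.arp = [], {}                  # log entries: (src_ip, dst_ip, decision)

    def next_hop(self, ip):
        for vlan, net in self.subifs.items():
            if ip_address(ip) in net:
                return vlan
        return "wan"                                 # default route

    def receive(self, frame):
        if frame.vlan not in self.subifs:            # a tag on a router that has no such interface
            self.log.append((frame.src_ip, frame.dst_ip, "dropped: unknown VLAN"))
            return None
        self.arp[(frame.vlan, frame.src_ip)] = frame.src_mac
        if frame.dst_mac != self.mac:                # not for us (e.g. a flooded broadcast)
            return None
        dst = self.next_hop(frame.dst_ip)
        if not self.policy(frame.vlan, dst):
            self.log.append((frame.src_ip, frame.dst_ip, "blocked by firewall"))
            return None
        self.log.append((frame.src_ip, frame.dst_ip, f"routed to {dst}"))
        if dst == "wan":
            return None                              # leaves the model via the WAN
        dst_mac = self.arp.get((dst, frame.dst_ip), BROADCAST)
        return Frame(self.mac, dst_mac, dst, frame.src_ip, frame.dst_ip)


def allow_wan_only(src_vlan, dst):
    return dst == "wan"


def allow_all(src_vlan, dst):
    return True


def run(router_is_vlan_aware, policy):
    """Router on p1, VLAN 10 on p2, VLAN 20 on p3 (constructed). Sends traffic and
    returns (router log, number of frames delivered to the host in each VLAN)."""
    delivered = {10: [], 20: []}
    sw = Switch()
    if router_is_vlan_aware:
        rt = Router("rt", {10: ip_network("192.168.10.0/24"), 20: ip_network("192.168.20.0/24")}, policy)
        sw.add_port("p1", pvid=1, handler=rt.receive, tagged=(10, 20))   # trunk port
    else:   # consumer router ignores tags, so its port can be untagged in one VLAN only
        rt = Router("rt", {None: ip_network("192.168.10.0/24")}, policy)
        sw.add_port("p1", pvid=10, handler=rt.receive)
    sw.add_port("p2", pvid=10, handler=delivered[10].append)
    sw.add_port("p3", pvid=20, handler=delivered[20].append)
    # h1 (VLAN 10) and h2 (VLAN 20) each reach for the internet; then h1 tries to reach h2.
    sw.ingress("p2", Frame("h1", "rt", None, "192.168.10.5", WAN_IP))
    sw.ingress("p3", Frame("h2", "rt", None, "192.168.20.5", WAN_IP))
    sw.ingress("p2", Frame("h1", "rt", None, "192.168.10.5", "192.168.20.5"))
    sw.ingress("p2", Frame("h1", BROADCAST, None, "192.168.10.5", "192.168.20.5"))
    return rt.log, {v: len(frames) for v, frames in delivered.items()}


if __name__ == "__main__":
    for label, aware, pol in [("consumer router", False, allow_all),
                              ("VLAN-aware router, WAN-only rule", True, allow_wan_only),
                              ("VLAN-aware router, no rule", True, allow_all)]:
        print(label, *run(aware, pol))
```

In the consumer case the router only ever hears from VLAN 10 (h2's frames never reach the router port), and h1's attempt at 192.168.20.5 is simply sent down the default route because the router has no interface in that subnet. In the VLAN-aware case both hosts reach the WAN, and whether h1's frame ever arrives at h2 is decided entirely by the router's policy, not by the switch.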

AdditionalPylons

New Member
Apr 12, 2016
Oslo, Norway
That's not how it work on "L2". You need a "router" to route those packets, and that would be "b" in your case.

You can easily allow/disallow communication between the VLANs at the router level, depending on which router it is. You can disable it at the entire VLAN level, individual device level, address range level etc etc.
Thanks! I doubt any of this can be set on consumer routers though. This is why I was thinking of adding a managed switch in between.
But if I understand it correctly the link between b and c (the router and the managed switch) will not use VLAN tagging (or at least the router won't care about it), hence my original question.

The full picture is a bit complex:
I'm looking into this for my parents, who are getting a device (a solar panel inverter) which needs internet connection. I would like to separate this (e.g. VLAN 2 in my sketch) from the rest of the network (which would then be VLAN 1). They have pretty old consumer-level hardware (a TP-Link TL1043 v1 as router+AP and another TP-Link Archer C7 v2 as AP only, with wired backhaul between).
I could get them another router with proper VLAN support instead, like the Ubiquiti Edgerouter X (please let me know if you have other suggestions). However I have also considered upgrading their wireless setup to something more modern, but as far as I know the VLAN support on consumer wireless routers is limited (on some routers there are settings for IPTV that allow setting up VLANs but it does not seem very flexible).
The inverter has both wired and wireless connection, so another way to deal with the separation would be to set up another wireless network on the router, but that would add to the wireless congestion, in addition to wire obviously being more stable in general.

Update: Also, because the router is actually a wireless access point as well, I guess both VLANs would be able to access the wireless devices as well. Hmm. This is not what I want. I guess this is not a good solution.
 

kapone

Well-Known Member
May 23, 2015
Yup, the more you think about it, the quicker you'll come to the realization that "consumer" networking equipment is just...crap.

As an aside, I know you are using the term "router", but I think you realize it's really a "router and firewall and DHCP and DNS and... combo" :) That just makes things even more complicated. I like clean separation. A Router is a router. A firewall is a firewall. A DHCP/DNS server is just that and nothing more.
 

gea

Well-Known Member
Dec 31, 2010
DE
Your router is actually a NAT router with the single public IP on one side and the local network on the other side, with LAN and WLAN in switch/bridge mode (can see each other). To restrict fully, you need at best a firewall appliance or server instead of your switch that can control and route between networks, ex. like lan1, lan2, wan, dmz, wlan etc., with disabling the WLAN functionality of your internet router and an independent access point on the WLAN port of the firewall.

If you only want WLAN with full access and a LAN segment that you cannot access from WLAN, add another cheap or used internet router with WLAN disabled.
 

gregsachs

Active Member
Aug 14, 2018
One possible, simple solution; using consumer equipment.
Use dual firewalls, in series.
Hang the solar equipment off of firewall A, and configure firewall A to have a fixed IP for firewall B. Set firewall B as DMZ if possible in firewall A, and then hang their equipment off of firewall B. You can flip flop parents stuff on firewall A and solar on B if you want. The solar probably just needs a single port forward or similar, plus outbound access.

I think a Unifi Dream machine would also be a perfectly acceptable single box, define two VLANS on it, define firewall between the two vlans and go.
 

RTM

Well-Known Member
Jan 26, 2014
First of all, I think if the router is a TL-WR1043ND, it is probably about time to upgrade it.

But if you absolutely need to make it work (or are unwilling to replace it for some reason), it is probably possible to put a 3rd party firmware like OpenWRT on it. With a 3rd party firmware you should be able to configure VLANs on it.
Of course there is a (probably limited, if you plan correctly) risk here, but you could always buy something better if it breaks.
 

sh1

New Member
Sep 20, 2020
Actually, you can do quite a bit with "consumer" level devices these days. As @RTM mentioned, OpenWRT on TL-WR1043ND will let you do what you want if you're just segregating traffic between the two VLANs. Depending on how many ports you need on VLAN1 and VLAN2, you might need a switch (managed or unmanaged). You can VLAN tag on the internal switch and have untagged traffic come out the ports on the TL-WR1043ND. The performance should be fine from VLAN1 and VLAN2 to WAN. Just don't try to route between VLAN1 and VLAN2. That performance is awful. Disclaimer: upgrade TL-WR1043ND firmware at your own risk.