They really need to start making "<insert subject here> for Dummies" books again


ramicio

I am going to be serving internet to people where I live and I want to segregate them from each other and from me. They will all have a fiber link to my Brocade switch's SFP+ ports, and on their end is a media converter and Unifi AP. I want them to be able to access my server on my network, but only for one specific application. I also want to be able to take my phone to their [physical] site and not be segregated from my own network. What I have for a router is some older Asus thing with DD-WRT on it. Do I need something like a Dream Machine Pro (I already have a CloudKey Gen2, could be replaced)? Whatever does the routing, does it literally do the routing (as in, does all traffic have to flow from my switch, through it, and back out to the switch just to cross VLANs)? I don't understand how any of this works, and I'm honestly looking to pay someone to set it up for me and to explain what they're doing. There seems to be zero info out there. It's just "tag this, tag that" and it's all with out-of-the-box stuff like Ubiquiti. There certainly isn't any info on doing on my switch what needs to be done. It seems to be trade secret stuff, which is always discouraging and why I am soon going to give up on this hobby and sell it all off.
 

DavidWJohnston

Most people need to learn by doing. It's not really an issue of trade secrets, but networking is so flexible and complex there is no one-size-fits-all tutorial. I have been doing it for 25+ years and every day I learn something new I didn't know before; usually from others around me, not from books.

Are you the landlord of a set of buildings looking to provide internet to your tenants? If so, sub-contracting is almost certainly going to be less expensive when you factor in your time. I don't know how large a scale you're talking about, but it could be nearly impossible to do it yourself.

What kind of workload and bandwidth would you estimate you'll need? An old Asus router may not be up to the task. How much upstream bandwidth do you have available? (The internet connection you're sharing out)

If you want to cross VLANs, you need a router. That can either be a Layer 3 Switch (Does your Brocade do L3?), or a separate router device, or a software router like pfSense running in a VM. It/they will need to be sized to your bandwidth and workload.

For your question about your phone - How about an always-on VPN connection between your phone and your premises? Ex: with pfSense: pfSense® software Configuration Recipes — Connecting to L2TP/IPsec from Android | pfSense Documentation
 

ramicio

I don't learn that way. I learn by copying others with them explaining what's happening. I can't just do stuff on my own from written material.

I am a tenant of a campground and their own "free WiFi" is awful, so people ask me to tap into mine. I have my own internet access. I already have the fiber run and all the material waiting for camping season to start.

I'm not concerned about my internet connection's upload bandwidth. People want it for watching streaming stuff. I'm concerned about if all traffic needs to go through the switch, through the router, and back out to the switch to cross VLANs.

Yes, my switch is a Brocade ICX6610. My server is connected to the switch at 40 gigabit. The clients will have a 1 gig link, but everyone wants wireless, so it will be whatever is best-case for a wireless connection. This is IF they decide to access my server (for Plex).

Not interested in something like a VPN just to be able to stay local when I'm near home and on my own hardware, but on a different VLAN. I thought they could filter stuff by MAC address. I have no idea what to do, but I do know I don't want to build yet another piece of hardware to run another piece of software. I really don't understand the thing of making a switch into a router (L3) one bit. Does that negate the router I have now? It's all command line, which is daunting to me. What I was seeing on some video about Ubiquiti is that it's all a GUI and easier to set up these rules. But, I don't want any of their switches. I need to find someone to do this for money.
 

DavidWJohnston

Both the upload/download capacity of your internet connection matter (The one you're sharing). Streaming requires a lot of bandwidth. How many users do you want to serve, and how fast is the connection you're sharing?

Depending on the user agreement, you may need a business-class service package.

Also depending on the source of your Plex content, you could be placing yourself in a difficult legal situation - If a disgruntled camper (or just a mean-spirited person) chose to report you, things could get complicated, especially if you're charging money.

Maybe a place to start would be to ask around for a local tech contact who can work with you in-person. Maybe ask the campground operator if they know of anyone in the community.

I'd like to help more, maybe I can at least help you with capacity planning and equipment selection. (# of users; total and simultaneous, speed of the internet connection you're sharing, both UL and DL, Estimated Plex connections, if transcoding is needed, etc) How do you connect to the internet connection? PPPoE, etc? Static IP?
 

ramicio

I thought my question was pretty simple, and aspects such as my internet speed, Plex things, and number of users aren't relevant to any of this. I just need to know how to segregate these networks but pass through a specific range of ports to make my server appear local with Plex. I don't really care about the phone thing, it would just be a nice convenience. I've already had 3 people connected to this for a few years now (with no internet bandwidth issues). I'd just like to get things more secure and separated, as I'm adding 2 more clients this year.

My equipment is as follows:
- Comcast's Business provided modem (irrelevant)
- ASUS RT-AC68R router
- Brocade ICX6610-24P switch
- Ubiquiti Cloud Key Gen2 (for my camera, my AP, and their APs)
- 2 servers connected to 40g ports in the back (1 isn't used, it just sits there doing nothing for now, will be a backup machine later)
- Clients would be connected to the SFP+ ports on the front of the Brocade. If I need more, there are the two QSFP+ breakout ports in the back I can use.
- On the client end is simply a media converter that also provides PoE to their Ubiquiti AP.
 

DavidWJohnston

Thanks for the feedback on the relevance of my questions, I'm always looking to improve the way I interact with people. It's my fault, I should have explained it better. Many times on this forum, it's necessary to probe a bit to find what the underlying problem really is, especially for people who are new to the subject matter they're asking about.

Your original post indicated you will be acting like an ISP in the future, not that you're simply adding 2 additional clients to a service you're already providing to 3, and want to simply add security. This is why I was asking about capacity, and more general questions related to acting as an ISP, since you are just starting out.

The reason I asked about your type of internet connection is it might be possible to eliminate your old Asus router altogether, and do all routing on your Brocade L3 switch. This could remove a potential bottleneck from your network.

Here is a possible network design you could consider, which requires more command-line work, but will keep inter-VLAN traffic load off your internet router, and in your Brocade instead:

Option 1
  • Use a separate VLAN for each client, so they would all have their own /24 subnet (ex. 10.1.0.1/24, 10.1.2.1/24, etc.) exposed as an ACCESS port on your Brocade, then each client's AP would plug into such a port.
  • Use your Brocade's L3 routing capability for inter-VLAN routing only, and use your Asus for internet routing and DHCP only
  • Create a Transit VLAN where internet traffic will flow between your router and Brocade switch's VLANs.
  • To limit inter-VLAN traffic to only what you want (ex. Plex, AP management), use ACLs on the switch. (cmd line, somewhat tricky)
This will keep your Plex traffic off of your internet router. Instead, it will be handled by the extremely fast silicon in the switch itself. This is how I run my network in my personal homelab. It can be more complex to configure than other options, but is very performant.

Another option would be to do all routing inside a device with a management GUI, whether that's your Asus router, a pfSense box, a new Ubiquiti router, or something else. Your Brocade will not do any routing in this case.

Option 2
  • Create VLANs on your Brocade as before, but use it as a purely L2 device (no routing on your Brocade)
  • Plug your VLAN-aware router w/ admin GUI into a TRUNK port on your Brocade, where all VLANs are tagged
  • Use the router's GUI to configure firewall rules to limit inter-VLAN traffic (easier than cmdline ACLs)
  • Using a pfSense box in place of your Asus may be a good option here, or a Ubiquiti and use their ecosystem (more expensive)
This would require your router to handle ALL traffic, not just the internet but Plex too - But it would let you configure and manage the system using an admin GUI, with less command-line config.

There might also be an additional choice:

Option 3:
  • Buy a new Ubiquiti switch/router combo to handle your clients' L2 and L3 requirements
  • Your network (Plex, etc) would connect to the Ubiquiti as simply another "client" (VLAN)
  • Use your Brocade as a "dumb" switch to handle your own equipment only
  • Use the Ubiquiti GUI to config VLANs, DHCP, inter-VLAN firewall rules, and everything else
So as you can see, depending on which direction you go, inter-VLAN routing can be handled on an internet router, or inside a L3 switch.

That is not an exhaustive list of options, the possibilities are limitless when it comes to networking. There are many ways to accomplish the same thing, and it may not be as simple as it seems. The question of precisely how to run DHCP and DNS, and which specific firmware your Brocade is running for L3 support, for example, all still need to be answered depending on the option you are looking at.

Consider looking at some YouTube videos on this subject matter. Having someone else show it to you (instead of looking in manuals) may be beneficial to your learning style. None of this is a trade secret, there are people who volunteer hours of their time every day simply to help others, like a lot of people on this forum.

Hope this helps,

Dave
 
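A worked sketch of Option 1 as a Brocade FastIron configuration fragment, added here as an illustration and not taken from Dave's post or from any vendor documentation. It assumes the ICX6610 runs the Layer 3 (router) image, one client VLAN (10) on SFP+ port 1/3/1, the home network in VLAN 1 with the Plex server at 10.1.0.10, a transit VLAN 100 to the Asus (10.1.100.1) on port 1/1/1, and Plex's standard TCP port 32400; all addresses and port numbers are constructed.

```text
! Added example (not from the thread): Brocade FastIron, ICX6610 router image.
! Assumed: client A = VLAN 10 on port 1/3/1, home LAN = VLAN 1 with Plex at 10.1.0.10,
! transit VLAN 100 toward the Asus (10.1.100.1) on port 1/1/1. Constructed addresses;
! check the exact syntax against your FastIron release before applying.
!
vlan 10 name client-a by port
 untagged ethe 1/3/1
 router-interface ve 10
!
vlan 100 name transit by port
 untagged ethe 1/1/1
 router-interface ve 100
!
! Extended ACL, evaluated top-down with an implicit deny at the end, applied inbound on
! the client VE: Plex to the one server is allowed, DHCP may reach the relay, all other
! traffic toward internal 10.1.x.x subnets is dropped, everything else (internet) passes.
access-list 110 permit tcp 10.1.10.0 0.0.0.255 host 10.1.0.10 eq 32400
access-list 110 permit udp any any eq 67
access-list 110 deny ip 10.1.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.1.10.0 0.0.0.255 any
!
interface ve 10
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 1 10.1.100.1
 ip access-group 110 in
!
interface ve 1
 ip address 10.1.0.1 255.255.255.0
!
interface ve 100
 ip address 10.1.100.2 255.255.255.0
!
! Default route toward the Asus. The Asus in turn needs a static route for
! 10.1.0.0/16 via 10.1.100.2 so return traffic comes back through the switch,
! and a DHCP scope for each client subnet if it stays the DHCP server.
ip route 0.0.0.0 0.0.0.0 10.1.100.1
```

Each additional client gets its own VLAN, VE, helper line and a copy of the ACL with its own subnet, so a camper in VLAN 10 can reach nothing on the home network except TCP 32400 on the Plex server.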

ramicio

If Ubiquiti made switches that had cage ports on them instead of RJ45 (as the main ports, I know they make them with SFP/+/25 for the trunks), this would be easy. But they don't. I don't even see how I'd accomplish even reaching anything with this router of mine. I don't see a way to create multiple networks.

What I need is...to do this on the hardware I have, with the exception that I'm not opposed to buying one of those Dream Machine routers to replace the old ASUS one I have. It wouldn't be a waste. I have one of their cameras already, I have and will have plenty of APs. Obviously the switch I have could handle this better, and it's better than doing it all with the router itself, even if it may be going through a 10g trunk.
 

DavidWJohnston

You could put media converters at your end as well, then use an RJ45-only Ubiquiti switch/router. Not the best, but it would let you use a router/switch with RJ45. I don't like this option, but it's there.

The existing hardware you have can be used to accomplish your goals. It's just a matter of configuration, see option 1. If you start down that path, at least it would give you a place to start.
 

ramicio

I can't get this to work. It's all complete nonsense to me. I really don't think what I'm trying to do is even possible. I can follow whatever guides I want, it's still nonsense and it doesn't work.
 

sic0048

"I thought my question was pretty simple, and aspects such as my internet speed, Plex things, and number of users aren't relevant to any of this."

That's simply not true.

Your internet speed matters because the router/firewall specs needed for a 100 Mbps internet connection are going to be different than for a 1 Gbps connection, and the number of people/devices you are trying to serve matters for the same reason. People need to know if your "older Asus thing with DD-WRT" is going to be up to the task or not - one of the main questions you were asking about - and we can't answer that without more information.

Usually when you want people to help you, it's better if you don't act like you know everything and actually answer people's follow up questions instead of being a jerk about it.

Good luck!
 

ramicio

I wound up getting a UDM-Pro. Each person is going to have their own AP with their own SSID. So far, I've provisioned a few APs at home with a short fiber jumper plugged into the port they will use. All works. The issue was the 10g SFP+ LAN port on the UDM-Pro needed to be set from LAN (vlan1) to ALL. I saw this mentioned in a reddit post. A light bulb clicked in my head, because I know exactly where those settings are in the mobile app. They stand out. The port settings are hard to find on the web UI and it's not something I kept stumbling upon during this journey. I had to dig to find them. At some point I am probably going to get a Brocade with 24 SFP ports and stack it with this one. The VLAN routing is being done on the UDM-Pro. I don't foresee that ever saturating the 10g link. That's assuming all people would be using Plex at the same time. How much content is even 100mbps, much less 1gbps? My internet connection is 600mbps. More than enough for the 4 clients I currently have. I usually abstain from using a lot of bandwidth while people are camping for the weekend.
 