VLANs with non-VLAN Router


Ettore

I have an ISP provided cable modem/router combo (Hitron from ~2012) that I cannot get to bypass the router part. Because of this, I'm having issues separating my work network from my not-work networks. In a perfect world, I have 2x wifi networks ([2] guest/smart devices/random {phones, etc.}, [3] work), and 2x wired networks ([3] guest/smart devices, [2] work).

I know my APs can do VLAN tagging, but the ISP router can't interpret that. I also want the NAS to be accessible from both networks (its 2x NICs can be run as separate networks); if things work how I think, there are no two routes to the NAS from any device. I tried making a guest network on my AP, but then devices can't connect to each other within that network, and that stops many of my smart devices from working together.

I'm not really looking for a how-to, but more so what hardware I'm looking at needing to accomplish this to get me started. It feels like I can maybe do this with my Mikrotik, but I would need everything on port 1 to "become" VLAN 1 (switch connected with relevant devices), port 2 to "become" VLAN 2 (switch connected with relevant devices), then port 3 to be routed to whatever VLAN it is tagged by the AP. Everyone can access port 4 (Internet). My Internet is 40/10.

I have in my possession:
1x Hitron modem/router combo (this cannot be changed)
1x Mikrotik Hex Lite (this used to be my router)
3x Unifi WiFi 6 APs
1x "managed" 8 port switch (NetGear GS108PE)
1x unmanaged 16 port switch
1x unmanaged 6 port 10gbe/2.5gbe switch
1x Hubitat home hub (wired)
1x Hue hub (wired)
1x Misc. smart home stuff (wireless)
1x VoIP device (wired)
1x NAS (wired x2 ... file server, camera server)
1x work PC (wired)
1x work laptop (wireless)
1x server (wired ... FTP, WWW, VPN, Plex, etc.)

Currently, everything is on the same network, which I am not in love with. Hopefully my pic makes sense for what I want to do. I'm OK with having to access the NAS by IP.
 


ttabbal

This is how I do it, which might help.

The inter-VLAN routing is on an OpnSense box.
The main switch handles the VLAN isolation.

Managed switches usually have 2 modes for the VLAN side. One, everything on a port is on whatever VLAN you tell it. Other VLAN traffic is blocked. The second is a "trunk" port that tags all traffic based on which VLAN it came from. This mode is for devices that can handle tagged traffic, mostly routers, but anything that can "speak VLAN" can use this mode if you like. My main server uses this to attach VMs to specific VLANs.

Unifi APs can assign VLAN tags to SSIDs. So you can isolate guest networks etc there. They connect to a switch trunk port. You probably want to disable client isolation so that clients on the same SSID can talk to each other.

OpnSense also connects to a trunk port. You create VLAN interfaces on the trunk port and assign IPs and various routing rules there. I also run DHCP, DNS, etc. here. So VLAN 1 = 10.1.0.0/24, etc. Then you can create firewall rules to allow/block traffic based on the VLAN interface, addresses, etc.

Some switches can handle inter-VLAN routing and DHCP. I prefer to put it in OpnSense as I find the interface easier to use and my switch is old enough that IPv6 is not supported.

Internet traffic gets routed via OpnSense to the ISP device.

One issue here: internet traffic will now be "double-NAT" for IPv4. You can have OpnSense forward ports etc. if your ISP device allows it. In practice, this is annoying, but doesn't really hurt much of anything. Most programs are smart enough to work with NAT, even multi-layer, thanks to CGNAT etc. Ideally, we'd all move to IPv6, but since ISPs suck and most of us don't have options, we're stuck.
 

mattventura

The easy way out is to just stick a router that is VLAN-capable in front of the ISP router. You get a double NAT, but other than that you get to take the ISP router out of the picture. Your real router would be that "magic device" in your diagram.
 

BoredSysadmin

Hex Lite is too low for internal VLAN routing. As suggested above, an OpnSense box is probably a better choice.
 

Ettore

Ok, so I think I accomplished what I needed with my GS108PE. I originally didn't think it did it, because I never thought to click the 802.1Q button.

With that, I was able to make all ports "untagged" except 4 (AP), but isolate them from each other (1-8 in VLAN 1, 1-4-6-7 in VLAN 2, 1-4-8 in VLAN 3) ... then I force 6-7 to VLAN 2 (seems to make these ports into VLAN 2 no matter what), and force 8 into VLAN 3.

It seems to let the switch do all the figgerin', and the AP on port 4 can use its legitimate tagging to tell the switch where it wants to go.

It SEEMS to isolate as I want, but maybe it's not as secure as it can be.


Edit: spoke too soon. I forgot to isolate the networks at the AP. With both networks as VLAN 1, it works (1-8 are in VLAN 1). As soon as I isolate them into VLAN 2 and VLAN 3, devices can't access the DHCP to get an IP. It LOOKS like the Unifi AP wants to be the DHCP, but it doesn't work. Curiously, the default DHCP for "LAN" on the AP is 192.168.1.0/24, but my actual network is a different range. So, for some reason, the AP is happy to be wrong for the default LAN network, but not the new VLAN 2 and VLAN 3 networks.

Is it possible to use a single DHCP range (192.168.1.0) for all 3 VLANs, or do they need to be on different subnets?
If not, can I use a single DHCP server and do a 192.168.1.0/22? I can't test, because my garbage router can't do it.
 
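An added example, not code from the thread, that models a generic 802.1Q switch and runs the two layouts discussed above through it: the GS108PE configuration described in the post (every port untagged in VLAN 1, VLAN 2 = ports 1,4,6,7, VLAN 3 = ports 1,4,8, PVID forced on 6,7 and 8, port 4 tagged), and the trunk layout the earlier replies describe (a VLAN-aware router on port 1 and the AP on port 4 both on tagged trunks, access ports in exactly one VLAN). The port-to-device mapping (port 1 = ISP router, port 4 = AP, port 8 = work PC) follows the post; that port 4 is an untagged member of VLAN 1 for AP management, and that the ISP router answers DHCP untagged, are assumptions. The model shows why wired clients still got addresses while a VLAN 3 SSID did not: the ISP router's OFFER enters on port 1 untagged, is classified into VLAN 1, and therefore reaches the AP untagged rather than with tag 3, so the VLAN 3 SSID never sees it. It also shows that VLAN 1 broadcasts from any ordinary port still egress to ports 6, 7 and 8 in the posted layout, because egress is decided by membership, not by PVID.

```python
"""Added example (not from the thread): an 802.1Q switch model used to check
the two layouts discussed above. Port numbers and VLAN IDs follow the post;
port 4 being an untagged member of VLAN 1 is an assumption."""
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    tagged: set = field(default_factory=set)    # VLANs sent out of this port with a tag
    untagged: set = field(default_factory=set)  # VLANs sent out of this port untagged

    def member(self, vid):
        return vid in self.tagged or vid in self.untagged


def ingress_vlan(port, tag):
    """VLAN a frame is classified into on arrival; None means the switch drops it."""
    if tag is None:
        return port.pvid
    return tag if port.member(tag) else None


def flood(switch, in_port, tag=None):
    """Egress set for a broadcast (or unknown-unicast) frame entering in_port.
    Returns {port: 'tagged' | 'untagged'}; membership, not PVID, decides egress."""
    vid = ingress_vlan(switch[in_port], tag)
    out = {}
    for name, port in switch.items():
        if name == in_port or vid is None:
            continue
        if vid in port.tagged:
            out[name] = "tagged"
        elif vid in port.untagged:
            out[name] = "untagged"
    return out


def dhcp_round_trip(switch, client_port, client_tag, server_port):
    """Client broadcasts DISCOVER; server answers with a broadcast OFFER.
    A VLAN-aware router replies on the sub-interface the request came in on;
    a plain device (the ISP router, assumed) replies untagged.
    Returns (server_saw_request, how_reply_reaches_client)."""
    seen = flood(switch, client_port, client_tag).get(server_port)
    if seen is None:
        return False, None
    reply_tag = ingress_vlan(switch[client_port], client_tag) if seen == "tagged" else None
    return True, flood(switch, server_port, reply_tag).get(client_port)


def posted_layout():
    """The GS108PE configuration as described in the post."""
    sw = {p: Port(pvid=1, untagged={1}) for p in range(1, 9)}
    for p in (1, 6, 7):
        sw[p].untagged.add(2)
    for p in (1, 8):
        sw[p].untagged.add(3)
    sw[4].tagged |= {2, 3}          # AP: tagged for VLAN 2 and 3
    sw[6].pvid = sw[7].pvid = 2     # "force 6-7 to VLAN 2"
    sw[8].pvid = 3                  # "force 8 into VLAN 3"
    return sw


def trunk_layout():
    """What the replies describe: trunks to a VLAN-aware router (port 1) and the
    AP (port 4); every other port is an access port in a single VLAN."""
    sw = {p: Port(pvid=1, untagged={1}) for p in range(1, 9)}
    for p in (1, 4):
        sw[p].tagged |= {2, 3}
    for p in (6, 7):
        sw[p] = Port(pvid=2, untagged={2})
    sw[8] = Port(pvid=3, untagged={3})
    return sw


if __name__ == "__main__":
    for name, sw in (("posted", posted_layout()), ("trunk", trunk_layout())):
        print(name, "VLAN 1 broadcast from port 2 reaches ports:", sorted(flood(sw, 2)))
        print(name, "wired work PC (port 8) DHCP:", dhcp_round_trip(sw, 8, None, 1))
        print(name, "VLAN 3 SSID client via AP (port 4) DHCP:", dhcp_round_trip(sw, 4, 3, 1))
```

In the posted layout the wired work PC only "works" because the ISP router's reply is flooded across VLAN 1 to every port, which is the opposite of isolation; in the trunk layout the reply comes back tagged on port 4 and untagged on the access port, and VLAN 1 broadcasts no longer reach ports 6, 7 or 8. The device on port 1 must actually speak 802.1Q for the trunk layout to work, which is exactly why the replies point at a VLAN-capable router in front of the ISP box.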

Parallax

They would all need to be on different subnets, otherwise the device will think whatever it is trying to reach is directly connected.
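An added example, not code from the thread, illustrating the reply above and the subnet question before it. A host decides for itself whether a destination is "directly connected" by comparing it against its own interface prefix; if it is, the host ARPs for it on its local segment, and ARP is a broadcast that never leaves the sender's VLAN. The host names, addresses and VLAN numbers are constructed; the model also assumes a router with an interface in every VLAN and no firewall rules, so "reachable" below means "reachable unless you block it". The last function checks the /22 idea from the question: a prefix is only a valid network if its host bits are zero, so a /22 has to start on a multiple of four in the third octet.

```python
"""Added example (not from the thread): why each VLAN needs its own subnet.
Hosts, addresses and VLAN numbers are constructed for illustration."""
import ipaddress


def forwarding_decision(src_cidr, dst_ip):
    """The sending host's own choice: 'direct' means it ARPs for dst on its
    local segment, 'gateway' means it hands the packet to the default router."""
    iface = ipaddress.ip_interface(src_cidr)
    return "direct" if ipaddress.ip_address(dst_ip) in iface.network else "gateway"


def can_reach(hosts, src, dst):
    """hosts: {name: (vlan, 'ip/prefix')}. ARP stays inside the sender's VLAN;
    packets handed to the gateway are routed between VLANs (assumed: the router
    has an interface in every VLAN and no firewall rules are in the way)."""
    src_vlan, src_cidr = hosts[src]
    dst_vlan, dst_cidr = hosts[dst]
    dst_ip = dst_cidr.split("/")[0]
    if forwarding_decision(src_cidr, dst_ip) == "direct":
        return src_vlan == dst_vlan      # ARP never crosses a VLAN boundary
    return True                          # router forwards between its VLAN interfaces


def is_aligned_network(cidr):
    """True if cidr is a valid network address (no host bits set)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


# Constructed: the same /24 reused on two VLANs vs. one /24 per VLAN.
SHARED = {"hue": (2, "192.168.1.10/24"),
          "workpc": (3, "192.168.1.20/24"),
          "nas": (2, "192.168.1.30/24")}
SPLIT = {"hue": (2, "10.1.2.10/24"),
         "workpc": (3, "10.1.3.20/24"),
         "nas": (2, "10.1.2.30/24")}

if __name__ == "__main__":
    print("shared subnet, hue -> workpc:", can_reach(SHARED, "hue", "workpc"))
    print("shared subnet, hue -> nas (same VLAN):", can_reach(SHARED, "hue", "nas"))
    print("split subnets, hue -> workpc:", can_reach(SPLIT, "hue", "workpc"))
    print("192.168.1.0/22 valid network:", is_aligned_network("192.168.1.0/22"))
    print("192.168.0.0/22 valid network:", is_aligned_network("192.168.0.0/22"))
```

With one subnet on two VLANs, a host on VLAN 2 sends an ARP request for a VLAN 3 address that only VLAN 2 hears, so the traffic silently goes nowhere; with one subnet per VLAN the packet goes to the router, where firewall rules decide whether work and not-work may talk. A single /22 spanning all three VLANs would put every host back in one "directly connected" range and recreate the same ARP problem.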
 

Ettore

They would all need to be on different subnets, otherwise the device will think whatever it is trying to reach is directly connected.
I am learning how this stuff works now. Thank you for this. I did some Googling and I think I'm just going to build a router. I contacted my ISP and they are going to send me a modem without a router.