@@APSuk2 Not sure that the router will support VLANs, so you may need to address that as well. By the way, the Eufy does (or can) phone home to the Eufy account, as I have one of those as well. At its core, the router is the key to creating VLANs, and you need at least one managed switch. Hope that helps.
Hi Mike, so I'm going through your video slowly, especially the part for the Ubiquiti UniFi. I'm setting up an AC AP Lite. As I was going through it, I set the guest network gateway in UniFi to the pfSense router DHCP for the guest network as well. But then I noticed that the DHCP range I got on WiFi was in a different IP range. I found out my issue to be that I used the wrong VLAN tag. I have 2 VLANs created, one for guest WiFi and another for guest LAN. To simplify, I am at the moment just using 1 single guest VLAN, which happens to include WiFi and guest LAN together. As long as that stuff doesn't touch my private LAN I don't care as much. So while I was backtracking, I noticed I had forgotten to change the VLAN from guest WiFi to guest network. So on my client device (Android smartphone), I forgot the WiFi connection, made the change, then reconnected, and it worked. But at this stage I hadn't yet set up any VLAN on my managed switches. The only sections that had VLAN setup were on my pfSense router, where I created the VLAN interfaces, the VLAN DHCP server and the firewall rules for the VLANs; and on the Ubiquiti UniFi AC AP Lite, the VLAN guest network (this is where the VLAN tag is set) and the WiFi that is set to the guest network VLAN. When I connect to guest WiFi, it gets the correct guest VLAN DHCP range assigned to client devices that log in to it. At this point, I wonder whether I still need to set up the VLAN settings on the 2 managed switches or not?
Mike, if I was not already subscribed, this video would have earned my sub without a doubt. Excellent presentation and information! Thank you very much!!
How can I connect a non-poe managed switch to an unmanaged poe switch? so that one can take advantage of the advantages of having vlans and other security functions?
Sort of. If you create a VLAN on a managed switch, and plug a non managed switch into it, all the devices on the non managed switch will be on the VLAN. Hope that helps.
@@MikeFaucher On the other hand, what's the best way to increase your network security with only a non-managed switch and your router? At least my switch has isolation mode.
Hm... I tinkered around a bit and got the VLAN working (kinda). By chance do you have Discord so I can show you what I did? I think I got something wrong. It may be working right now, but I am suspecting it may be leaking VLAN traffic where it shouldn't be. Could use a 2nd opinion.
@11:36 I understand the part about why you didn't use the Ubiquiti to do DHCP, and instead DHCP relay from the router, yeah? That's what I'm doing as well. But the gateway is pointing to your router, ya? Just wondered because you changed the gateway IP, so I wasn't sure what went on there o-o; let me try and explain. So, for example, VLAN 1 (the normal default LAN basically) has the router at 192.168.0.1 (this is the gateway). The DHCP range for the VLAN 1 private LAN network is e.g. 192.168.0.50 - 192.168.0.120. The Ubiquiti UniFi AP device can be a static IP, e.g. 192.168.0.10 (it's on the same subnet as the private LAN, but not within the DHCP range, to avoid any IP clashing/conflict). This static IP is set up on the Ubiquiti UniFi rather than on the router. So when creating a guest VLAN, e.g. VLAN 50, we create the VLAN DHCP for it on the router (I use pfSense), so the range I put is e.g. 192.168.5.xxx. Then in Ubiquiti, for that guest VLAN network you created, DHCP is disabled, aka relay. And the gateway is 192.168.0.1, is it?
Yes, if you are creating a VLAN with Ubiquiti. The way I set mine up, I am using the router to parse the VLAN for both wired and wireless. Both approaches work, but in your example everything is on the same subnet (.0.xxx) except for the guest network. As for the gateway question, I am using the gateway from the VLAN interface, which really points to the main gateway.
@@MikeFaucher I see in pfSense my guest VLAN gateway is 192.168.10.5 but my private VLAN gateway is on 192.168.0.1, and my QNAP NAS hosting the UniFi controller is on 192.168.0.210. So I assume that your LAN network on the Ubiquiti uses 192.168.0.1 for the gateway, yes? But when creating the guest VLAN, for the gateway you should use 192.168.10.5? So then this means: the UniFi controller on the QNAP can talk to the Ubiquiti AP (to control/manage/update); guest WiFi will have internet access; guest WiFi cannot contact the QNAP NAS. Is my assumption correct? Just making sure I understood this correctly :} My original assumption was that I had to use 192.168.0.1 for the gateway even for the guest VLAN (on the UniFi guest VLAN network setup), otherwise no internet. I didn't know I was supposed to use the guest VLAN gateway from pfSense on the Ubiquiti guest VLAN network setup (I thought internet would not work if I did that).
I run my UniFi controller as a qpkg on the QNAP NAS, which is on VLAN 1. So if the UniFi AP Lite is untagged on the managed switch (but the VLAN is tagged within the UniFi AP UI), will the UniFi controller be able to communicate with the wireless AP, while at the same time separating the QNAP NAS from the guest WiFi set up on the UniFi AP guest VLAN? This is one part that confuses me X_X: or is it just not possible to keep the QNAP NAS and the guest WiFi VLAN separate? Because the UniFi controller hosted on the QNAP adds complexity to the situation. I unfortunately don't have separate Ubiquiti controller hardware, which may have simplified this.
@@MikeFaucher I think I saw in your video you mentioned that the wireless AP unit that connects to the switch is untagged, because the VLANs are tagged within the Ubiquiti guest VLAN UI settings. So I assume that translates as the controller on the QNAP, which is also on the same switch, being able to connect to the UniFi AP (so I can manage the UniFi device, update it etc. via the controller), but still have the guest VLAN WiFi separated out/away from the QNAP. Thx Mike.
Mike, the other reason for not untagging VLAN 1 on the ports tagged for the guest VLAN is to prevent VLAN hopping, it seems. I asked someone whether blocking on the pfSense router would be sufficient; this was what I got in reply to that. "The pfSense firewall will only prevent Layer 3 traffic between VLANs. But to prevent a "VLAN hopping" attack (Layer 2), it is recommended not to expose the native VLAN for normal user traffic. Again, this level of security may not be necessary in every environment, but it is considered best practice." This video kinda explains VLAN hopping and the countermeasures against it. His English doesn't sound good, but I believe he answered the part @8:50 ruclips.net/video/KYsd_5kzsJg/видео.html
I looked at this and, though certainly true, it may not be practical or necessary in most home-based applications where you are just trying to establish isolation. It certainly does not hurt. Thanks for sharing the video.
@@MikeFaucher I tried making the changes as the video showed, specifically this one: ruclips.net/video/fU3D0_JUoss/видео.html My working config is as follows. VLAN 30 for ports 1 and 3 is tagged. PVID is VLAN 1. Port 1 is trunked to another switch, and port 3 is trunked to a UniFi wireless AP. PVID is also 1. To change to the same as the video, I changed VLAN 1 for port 3 to EXCLUDE, and changed the PVID for it to VLAN 30. But making this change broke connectivity for my guest LAN, specifically the UniFi wireless AP, as I could no longer get DHCP to issue an IP at all. X_X: so confused xd... I did exactly like the video *sigh*
I know this is a couple years old, but your explanation of tagged and untagged was very easy, most other videos go on with a heap of stuff.
I did not have my uplink as a tagged port.
Awesome. Glad you got it working. Thanks for the update.
ty mike
@19:10 you mentioned something important. The wireless AP is untagged in the managed switch because the WiFi VLANs already have the traffic identified within them. This was a crucial part I wasn't sure about, so thx for that.
Thanks, Mike.
Awesome, the APs carry multiple VLANs and are tagged in the AP. Thanks for the feedback and glad it helped.
Thank you again Mike......am definitely looking for a Dream Router....very cool piece of gear......but they seem to be in scarce supply! Appreciate all your help....will try and leave you alone now......thanks again :)
No problem, anytime. Keep an eye on the website, as they sell fast when they come in. If you do not want to wait, they are available for a bit more on Amazon (amzn.to/46ztCJG). Good luck and let me know what you end up with.
Ok, so I asked in the comments for another VLAN video, in regards to why the YouTuber did not opt to untag VLAN 1 for the ports tagged by the guest VLAN (which was what the Netgear documentation said you should do when configuring the VLAN).
This was the reply I got:
"It's a security measure. But it's up to you if you want to implement it or not since it depends on your own environment. In this case, he decided not to allow the computers and VoIP phone and WiFi endpoints to be able to access the management VLAN."
Thanks for the tip and for the link......Thought they were $199? Is the Ubiquiti different from the UniFi? Is there a downside to a used Dream Machine Pro if I found one for near the same price? I am guessing the Dream Machine Pro does not have a built-in UAP? Thanks Mike
The Dream Router is 199 and the Dream Machine is 299 and is an older model. Both have WiFi, but the router is WiFi 6. B&H Photo has the Dream Machine with no markup for 299. Counterintuitive, but you can't go wrong with either.
Hi Mike, awesome information. Like you, I'm running Amcrest w/ Blue Iris and a few other cams. I'm running OPNsense with VLANs for just cams and secure LAN separation. I can't seem to wrap my head around the firewall rules though. I should be able to access/ping my cam_vlan devices from my secure_lan if I have the right rules in place, right? It's the "In", "out" that's so confusing, thanks
Yes, you should be able to. I have not used OPNsense, but I am sure you can find the information. I switched to UniFi and they make it very simple, and I was able to do the same with Sophos when I was using it. Good luck and let us know if you get it working.
Mike, I figured it out.
When I was doing the VLAN, I forgot to tag the port connecting from the switch to the router.... doh (my only excuse, not enough sleep xd). I got too many switches and things on my mind that it just slipped.
Anyway, this is what I did to get it to work.
Keep in mind, for my setup, I'm using a pfSense router > managed PoE switch > another managed PoE switch in a different room > Ubiquiti UniFi AP connected to this 2nd switch.
With that in mind, after first configuring the VLAN settings on the pfSense router and on the UniFi AP, I then proceeded to configure the 1st managed switch (the one directly connected to the router) first.
Port 1, which is trunking to the other switch, I set to VLAN tag 30 (which is for the guest VLAN). I also tagged port 15, which is connected to the router (it was explained that if the hardware can do VLAN tagging in its settings, to tag it, otherwise to use untagged. In this case I use tagged).
VLAN 1 for all ports is untagged.
Because this is a Netgear, I also have to do the PVID port membership. For that I left them all set to VLAN 1 (it has to match the untagged VLAN).
Next is the 2nd switch. For VLAN 30, I tagged port 1 (which trunks to the 1st switch) and port 3 (which is connected to the UniFi AP).
VLAN 1 I untag for ports 1 and 3. For ports 2, 4 and 5, I leave them excluded (blank), because those 3 ports will be tagged for VLAN 30 for the guest network. Then why wasn't port 3 tagged as well? Because, as explained earlier, if the device can do VLAN tagging within its settings, I should then leave the port for that tagged. And just a reminder, those tagged ports for the guest VLAN should have VLAN 1 UNTAGGED for the same port (although one YouTuber I watched did not do so for some reason without explaining why, yet the Netgear documentation for VLAN setup said I should do it this way).
These were the sources I used to set this up and figure this out:
ruclips.net/video/fWpffyL4X1Y/видео.html
ruclips.net/video/fU3D0_JUoss/видео.html
ruclips.net/video/xhmJxYllnWg/видео.html
kb.netgear.com/000048453/What-do-I-need-to-know-about-setting-up-VLANs
kb.netgear.com/31026/How-to-configure-a-VLAN-on-a-NETGEAR-managed-switch
So I tested using an Android smartphone to confirm I cannot access VLAN 1. But I still have internet access. I also verified that the DHCP assignments were correctly using their separate DHCPs. I also switched back from guest WiFi to NON-guest WiFi to confirm one had access to the QNAP NAS, and the other didn't.
The smart TV on the wired guest network also worked as intended (still has internet connectivity).
So thanks again for your video Mike :} It helped me figure things out somewhat.
Glad it helped. Sounds like you went through all the right steps and fixed every issue. Good luck and thanks for the updates.
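To make the tagged / untagged / excluded plus PVID reasoning in the post above concrete (and the native-VLAN point raised in the reply earlier in the thread that quotes the "VLAN hopping" advice), here is a small model of how a managed switch classifies an arriving frame and re-emits it on another port. It is an added example, not code from the video or from anyone in the thread; VLAN 1, VLAN 30, port 1 (uplink) and port 3 (AP) follow the post, while the wired-guest port 2 configurations are constructed for illustration.

```python
"""Port-VLAN membership model for a managed switch (802.1Q, port-based).

Added example, not code from the video or anyone in the thread. It models the
membership states the Netgear UI exposes (tagged / untagged / excluded) plus
the PVID, so the configurations described above can be reasoned about.
VLAN 1, VLAN 30, port 1 (uplink) and port 3 (AP) follow the thread; the
wired-guest port 2 configurations are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Membership(Enum):
    TAGGED = "T"     # frames of this VLAN cross the port carrying an 802.1Q tag
    UNTAGGED = "U"   # frames of this VLAN leave the port with the tag removed
    EXCLUDED = "-"   # port is not a member; frames of this VLAN are dropped


@dataclass(frozen=True)
class Frame:
    vlan_tag: Optional[int]  # None = no 802.1Q tag on the wire


@dataclass
class Port:
    number: int
    pvid: int  # VLAN assigned to frames that arrive without a tag
    membership: Dict[int, Membership] = field(default_factory=dict)

    def member_of(self, vlan: int) -> Membership:
        return self.membership.get(vlan, Membership.EXCLUDED)


def classify_ingress(port: Port, frame: Frame) -> Optional[int]:
    """VLAN the switch assigns to `frame` arriving on `port`, or None when
    ingress filtering drops it because the port is not a member of that VLAN."""
    vlan = port.pvid if frame.vlan_tag is None else frame.vlan_tag
    if port.member_of(vlan) is Membership.EXCLUDED:
        return None
    return vlan


def egress(port: Port, vlan: int) -> Optional[Frame]:
    """How a frame of `vlan` leaves `port`: tagged, untagged, or not at all."""
    m = port.member_of(vlan)
    if m is Membership.TAGGED:
        return Frame(vlan_tag=vlan)
    if m is Membership.UNTAGGED:
        return Frame(vlan_tag=None)
    return None


def forward(in_port: Port, frame: Frame, out_port: Port) -> Optional[Frame]:
    """The frame as it appears on `out_port` after entering on `in_port`."""
    vlan = classify_ingress(in_port, frame)
    return None if vlan is None else egress(out_port, vlan)


T, U = Membership.TAGGED, Membership.UNTAGGED


# Second switch as described in the thread: port 1 trunks to the first switch,
# port 3 feeds the UniFi AP. VLAN 1 untagged with PVID 1, VLAN 30 tagged.
def uplink_port() -> Port:
    return Port(1, pvid=1, membership={1: U, 30: T})

def ap_port_working() -> Port:
    return Port(3, pvid=1, membership={1: U, 30: T})

# The later change from the thread: VLAN 1 excluded on port 3, PVID set to 30.
def ap_port_changed() -> Port:
    return Port(3, pvid=30, membership={30: T})


# Constructed wired-guest port 2: native VLAN 1 left untagged on a guest port
# (what the quoted "VLAN hopping" advice warns about) versus the hardened form,
# where the port is a member of VLAN 30 only, so untagged frames land there.
def guest_port_native_exposed() -> Port:
    return Port(2, pvid=1, membership={1: U, 30: T})

def guest_port_hardened() -> Port:
    return Port(2, pvid=30, membership={30: U})


def ap_frames_land_in(port: Port) -> Dict[str, Optional[int]]:
    """Where the AP's two kinds of traffic end up for a port-3 configuration:
    the AP's own management traffic is untagged, guest-SSID traffic is tagged 30."""
    return {
        "ap_management": classify_ingress(port, Frame(None)),
        "guest_ssid": classify_ingress(port, Frame(30)),
    }


if __name__ == "__main__":
    print("AP port as configured:", ap_frames_land_in(ap_port_working()))
    print("AP port after the change:", ap_frames_land_in(ap_port_changed()))
    print("untagged guest frame, VLAN 1 untagged on port 2 ->",
          classify_ingress(guest_port_native_exposed(), Frame(None)))
    print("untagged guest frame, hardened port 2 ->",
          classify_ingress(guest_port_hardened(), Frame(None)))
```

Run it and the two port-3 configurations show the difference the post and the later reply describe: with PVID 1 the AP's untagged management frames stay in VLAN 1 while its guest SSID frames ride VLAN 30 tagged up the uplink, whereas with VLAN 1 excluded and PVID 30 the AP's management frames are placed in VLAN 30 too.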
Mike, one thing I am confused about: if you set up the fam private network, how do you access pfSense to manage it? To my understanding, the private network, in your case the fam network, will be on a different subnet than the pfSense router, is that correct?
I initially thought you can use VLAN 1 default, and create a separate VLAN for guest, and that would be fine. But apparently that is not recommended due to VLAN hopping. So I have to create a VLAN for the private office network different from the default VLAN 1. So because my machine would be on that office VLAN network, how do I then connect to the pfSense router to manage it? So I'm wondering, like, how do you do that?
Is it possible to set up the router gateway and the office VLAN to be in the same subnet, while LAN 1 will use a different subnet than the router gateway? Which is the correct setting? And also with the end result of being able to use a PC on the office network VLAN and still be able to access pfSense to manage it.
These are good questions. My family network is not my main but rather on a different subnet, so that it can't access what is on my main network. If I need to access something on the family network, I have a firewall rule that allows for one-way communication. I can access it, but it is blocked from accessing any device on the main. You are correct in that you should not use VLAN 1, and though you are 100% right, I would say this is a bigger issue in a business, although some would disagree. For me, I am more interested in keeping unwanted traffic, viruses, and ransomware away from my main network. In an enterprise or business the answer might be different. Either way, you need a firewall rule to access across different subnets.
@@MikeFaucher Thx. I was going through Lawrence's guide as well as yours to see what I may have missed. If it really is the case that in order to access my pfSense management UI I would have to use a different machine that is on VLAN 1 to do so, then that would be a deal breaker for me, because I access pfSense frequently, so I don't want to be doing that just to access pfSense.
Then again... maybe I can set up a WiFi AP that uses LAN 1. But then I'd have to manually disable or disconnect my Ethernet LAN, then connect to the WiFi after. Also a hassle.
Then I saw Lawrence mention Avahi, which allows you to access a device on another subnet. But I think that's only for subnets, not separate VLANs.
@@MikeFaucher Anyway, for now I'll just keep using VLAN 1 for my private network, and use VLAN 30 for my guest WiFi.
Essentially in real usage, I tested that VLAN 1 and VLAN 30 are using different subnets and IP ranges allotted to them, so I think it works (even if it's not as strictly configured as it should be).
I'm not an expert, but I am guessing that VLAN hopping requires a deliberate attack to exploit, rather than malware/ransomware, in order to infect devices on a different VLAN, but that's just my guess.
Mike....TERRIFIC video...thank you SO MUCH! I discovered VLANs today and so far your presentation is the clearest of all I have watched. I have a couple questions.....Can I use my existing ASUS Router (RT-AX58u) to a Netgear unmanaged switch? I was hoping to go from my Spectrum cable modem to my Asus RT-AX58u to a NEW UniFi Flex Mini and back to my unmanaged switch, and also use an old second router configured as a WAP plugged into the NEW UniFi Flex Mini for the WiFi VLAN......to be able to create both wired VLANs and WiFi VLANs in the home. Or do I have to invest in a router that has VLAN capabilities? I am trying to experiment 'on a dime' without investing in a new router if I can. Thanks again........your channel has great content and I appreciate it very much! :) Gregg Stone Dallas TX
Thanks for the feedback, it is appreciated. Unfortunately, most consumer routers do not support VLANs which is a shame. You will have to upgrade your router to take advantage of it.
Thanks for such a prompt reply! So it appears I need BOTH a VLAN-capable router and a VLAN-capable managed switch? I only need 3-4 VLANs total. 1. Can you recommend an affordable VLAN-capable router and switch for a DIY home enthusiast? 2. Can I insert these ahead of my existing ASUS Mesh network (in Node mode)? Thanks again Mike.
@@cookingblue22 My suggestion is that you pick up the UniFi Gateway Lite ($130 but hard to find as it is new), a low-cost UniFi PoE Lite ($109), and run their controller software on your PC. Your Asus router does not support VLANs, so it will not be useful as an access point either. This will give you an enterprise-grade firewall, VLANs, and IDS/IPS protection. Alternatively, you can get their Dream Router (also hard to find). If you do not like UniFi or are looking for more of a DIY approach, look at OPNsense. Unfortunately, I would not use the Asus if you are looking to upgrade your networking. Hope that helps.
It helps VERY much....thanks so much Mike @@MikeFaucher
I 'stumbled' across the Dream Router yesterday....which will do what I want with a managed switch or two and maybe an additional UAP......sexy stuff and I love the UniFi browser interface.....but alas, hard to find one! Without being a pest, I am just curious....could you elaborate on why the Asus router, set up in AP mode, would not work downstream from one of the UniFi managed switches.....would it not just be a dumb device on whatever VLAN it was plugged into on the upstream switch? Thank you again Mike...really appreciate your time and expertise. :)
If you wanted Fam_NET to talk to IOT_Test but not vice versa, is that done at the router? If so, how does that work since the router only has a single port back to the switch (the trunk line). In this example does the router re-tag VLAN 40 to VLAN 80 and send it back out the trunk line to the managed switch?
Yes, this is done through a firewall rule that allows one or more devices to communicate one way. As for how, VLANs are treated as separate networks, so the IPs are part of that subnet. They are isolated by default; however, if I create a rule that allows one IP address to pass through, it will honor it. Hope that helps.
Hi Mike,
Just been made aware of VLANs and how insecure IoT devices are. My network is currently a flat network with no VLANs and I want to get them set up, but I have a question.
I have a CCTV & doorbell camera; if I move them onto their own VLAN, will I get notifications on my personal mobile devices to say that the doorbell is ringing, for example?
From my understanding (which is very limited😄) because effectively they are on different networks they cannot communicate with each other?
Thanks
Adam
Hi Adam, there are multiple ways this can go. Devices on VLANs can communicate and send you notifications if they connect with a relay cloud service first, like what Ring does: the camera communicates with the Ring server in the cloud from the VLAN, and then Ring communicates back to the phone on any network. If you are talking local devices with no cloud relay, the main concept is you can create a single (or multiple) device firewall rule which allows the needed devices from your main network to talk to the VLAN but not the other way around. How this is done depends largely on your hardware. A UniFi Dream Machine is the simplest gear to do this with, but it can be done with any gear that supports VLANs. I hope this begins to make sense.
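An added example, not from Mike's video or anyone in this thread: a small Python model of the one-way, stateful firewall rule described in the two replies above (main network may open connections into the IoT VLAN, replies flow back through connection state, the IoT VLAN cannot initiate toward the main network). It also shows the "single device" variant, where only one listed host on the main network may initiate. The subnets, hosts and ports are constructed for the demo (the 192.168.0.x and 192.168.10.x ranges loosely follow the examples used later in the thread); real gear such as pfSense or a UniFi gateway applies the same idea with its own rule syntax.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets for the demo: "main" side and the IoT/guest VLAN side.
MAIN_LAN = ipaddress.ip_network("192.168.0.0/24")
IOT_VLAN = ipaddress.ip_network("192.168.10.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True only for the first packet of a new TCP connection


class OneWayFirewall:
    """New connections are allowed only from from_net (or a listed subset of its
    hosts) into to_net. Any other packet passes only if it belongs to a flow
    that was already allowed, which is what makes the rule one-way."""

    def __init__(self, from_net, to_net, allowed_hosts=None):
        self.from_net = from_net
        self.to_net = to_net
        # None means "any host on from_net may initiate".
        self.allowed_hosts = set(allowed_hosts) if allowed_hosts else None
        self.state = set()  # flows that were allowed: (src, dst, sport, dport)

    def decide(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        # 1. Part of an existing allowed flow (either direction): pass.
        if fwd in self.state or rev in self.state:
            return "pass-established"
        # 2. Not a connection attempt and no state: drop.
        if not pkt.syn:
            return "drop-no-state"
        # 3. A new connection: allowed only main -> IoT (and only listed hosts).
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        initiator_ok = self.allowed_hosts is None or pkt.src in self.allowed_hosts
        if src in self.from_net and dst in self.to_net and initiator_ok:
            self.state.add(fwd)
            return "pass-new"
        return "drop-policy"


def demo(allowed_hosts=None):
    """Run a constructed packet sequence through the firewall and return the
    (description, decision) pairs."""
    fw = OneWayFirewall(MAIN_LAN, IOT_VLAN, allowed_hosts)
    steps = [
        ("laptop on main opens RTSP to camera",
         Packet("192.168.0.50", "192.168.10.20", 40000, 554, syn=True)),
        ("camera replies to that laptop",
         Packet("192.168.10.20", "192.168.0.50", 554, 40000)),
        ("camera tries to open SMB to the NAS on main",
         Packet("192.168.10.20", "192.168.0.210", 50000, 445, syn=True)),
        ("camera sends a non-SYN packet to the NAS",
         Packet("192.168.10.20", "192.168.0.210", 50001, 445)),
        ("a second main host opens HTTP to camera",
         Packet("192.168.0.60", "192.168.10.20", 40001, 80, syn=True)),
    ]
    return [(label, fw.decide(pkt)) for label, pkt in steps]


if __name__ == "__main__":
    print("any main host may initiate:")
    for label, verdict in demo():
        print(f"  {label}: {verdict}")
    print("only 192.168.0.50 may initiate:")
    for label, verdict in demo(allowed_hosts={"192.168.0.50"}):
        print(f"  {label}: {verdict}")
```

The camera's reply is accepted only because the laptop's outbound connection was recorded first; the camera's own attempt toward the NAS is refused, and a stray non-SYN packet with no matching state is dropped as well. With the single-device variant, the second main host is refused too.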
@MikeFaucher Hi Mike,
Many thanks for your reply, yes that does help in understanding how notifications from these IoT devices will be sent.
I am using a Eufy doorbell with local storage so I don't think it sends anything to the cloud (well not that I am aware of) so I guess I will need to create firewall rules in the router.
Like you say everyone's hardware is different which makes the process a little harder to find all the information you need especially when you have never done this before.
My network consists of a Netgear R7800 running DD-WRT firmware which has an unmanaged switch connected to it.
This unmanaged switch is located on the other side of the house quite some distance away with a mix of IoT & personal devices connected along with a router (Netgear R7000) I turned into an access point to extend my Wi-Fi coverage.
At first I was thinking of swapping out that unmanaged switch for a managed one, but I do have devices also plugged directly into my primary router (R7800), so I am unsure if these could be filtered into VLANs also via the router's settings, but this sounds like I am making the setup even more complex for myself. 😄
With all this, I have not even thought about all the wireless devices.
@APSuk2 Not sure that the router will support VLANs, so you may need to address that as well. By the way, the Eufy does (or can) phone home to the Eufy account, as I have one of those as well. At its core, the router is the key to creating VLANs, and you need at least one managed switch. Hope that helps.
@MikeFaucher Appreciate your help, I will look into whether the router supports VLANs.
Hi Mike,
So I'm going through your video slowly, especially the part for the Ubiquiti UniFi. I'm setting up an AC AP Lite.
As I was going through it, I set the guest network gateway in UniFi to the pfSense router DHCP for the guest network as well. But then I noticed that the DHCP range I got on Wi-Fi was in a different IP range. I found out my issue to be that I used the wrong VLAN tag. I have 2 VLANs created, one for guest Wi-Fi and another for guest LAN. To simplify, I am at the moment just using 1 single guest VLAN which happens to include Wi-Fi and guest LAN together. As long as that stuff doesn't touch my private LAN I don't care as much. So while I was backtracking, I noticed I had forgotten to change the VLAN from guestwifi to guest network. So on my client device (Android smartphone), I forgot the Wi-Fi connection, made the change, then reconnected, and it worked.
But at this stage I hadn't yet set up any VLAN on my managed switches. The only places that had VLAN setup were my pfSense router, where I created the VLAN interfaces, the VLAN DHCP server, and the firewall rules for the VLANs; and the Ubiquiti UniFi AC AP Lite, with the VLAN guest network (this is where the VLAN tag is set) and the Wi-Fi that is set to the guest network VLAN.
When I connect to the guest Wi-Fi, it gets the correct guest VLAN DHCP range assigned to client devices that log in to it.
At this point, I wonder whether I still need to set up the VLAN settings on the 2 managed switches or not?
Mike, if I was not already subscribed, this video would have earned my sub without a doubt. Excellent presentation and information! Thank you very much!!
Awesome. Thanks for comment and for the sub!
How can I connect a non-PoE managed switch to an unmanaged PoE switch, so that one can take advantage of VLANs and other security functions?
Sort of. If you create a VLAN on a managed switch, and plug an unmanaged switch into it, all the devices on the unmanaged switch will be on the VLAN. Hope that helps.
@MikeFaucher On the other hand, what's the best way to increase your network security with only an unmanaged switch and your router? At least my switch has isolation mode.
Hm... I tinkered around a bit and got the VLAN working (kinda). By chance do you have Discord so I can show you what I did? I think I got something wrong. It may be working right now, but I am suspecting it may be leaking VLAN traffic where it shouldn't be. Could use a 2nd opinion.
@11:36
I understand the part about why you didn't use the Ubiquiti to do DHCP, and instead DHCP relay from the router, yeah? That's what I'm doing as well.
But the gateway is pointing to your router, yeah? Just wondered because you changed the gateway IP, so I wasn't sure what went on there o-o;
Let me try and explain. So, example:
VLAN 1 (the normal default LAN basically) has the router at 192.168.0.1 (this is the gateway). The DHCP range for the VLAN 1 private LAN network is e.g. 192.168.0.50 - 192.168.0.120.
The Ubiquiti UniFi AP device can be a static IP, e.g. 192.168.0.10 (it's on the same subnet as the private LAN, but not within the DHCP range, to avoid any IP clashing/conflict). This static IP is set up on the Ubiquiti UniFi rather than on the router.
So when creating the guest VLAN, e.g. VLAN 50, we create the VLAN DHCP for it on the router (I use pfSense), so the range I put is e.g. 192.168.5.xxx.
Then in Ubiquiti, for that guest VLAN network you created, DHCP is disabled, aka relay. And the gateway is 192.168.0.1, is it?
Yes, if you are creating a VLAN with Ubiquiti. The way I set mine up, I am using the router to parse the VLAN for both wired and wireless. Both approaches work, but in your example everything is on the same subnet (.0.xxx) except for the guest network. As for the gateway question: I am using the gateway from the VLAN interface, which really points to the main gateway.
@MikeFaucher I see in pfSense my guest VLAN gateway is 192.168.10.5
but my private VLAN gateway is on
192.168.0.1
and my QNAP NAS hosting the UniFi controller is on
192.168.0.210
So I assume that your LAN network on the Ubiquiti uses 192.168.0.1 for the gateway, yes?
But when creating the guest VLAN, for the gateway you should use 192.168.10.5
?
So then this means
- UniFi controller on QNAP can talk to the Ubiquiti AP (to control/manage/update)
- guest Wi-Fi will have internet access
- guest Wi-Fi cannot contact the QNAP NAS
Is my assumption correct? Just making sure I understood this correctly :}
My original assumption was that I had to use 192.168.0.1 for the gateway even for the guest VLAN (on the UniFi guest VLAN network setup), otherwise no internet. I didn't know I was supposed to use the guest VLAN gateway in pfSense on the Ubiquiti guest VLAN network setup (I thought internet would not work if I did that).
I run my unifi controller as a qpkg on the qnap NAS which is on vlan1.
So if the UniFi AP Lite is untagged on the managed switch (but the VLAN is tagged within the UniFi AP UI), will the UniFi controller be able to communicate with the wireless AP, while at the same time separating the QNAP NAS from the guest Wi-Fi set up on the UniFi AP guest VLAN?
This is one part that confuses me X_X: or is it just not possible to keep the QNAP NAS and the guest Wi-Fi VLAN separate? Because the UniFi controller hosted on the QNAP added complexity to the situation. I unfortunately don't have separate Ubiquiti controller hardware, which may have simplified this.
If I understand, the controller on your QNAP should be on the main network and will communicate to the APs. It is the APs that will create the VLANs.
@MikeFaucher I think I saw in your video you mentioned that the wireless AP unit that connects to the switch is untagged, because the VLANs are tagged within the Ubiquiti guest VLAN UI settings.
So I assume that translates to the controller on the QNAP, which is also on the same switch, being able to connect to the UniFi AP (so I can manage the UniFi device, update it etc. via the controller), but still have the guest VLAN Wi-Fi separated out/away from the QNAP.
Thx Mike.
Mike, the other reason for not untagging VLAN 1 on the ports tagged for the guest VLAN is to prevent VLAN hopping, it seems.
I asked someone whether blocking on the pfSense router wouldn't be sufficient? This was what I got in reply to that.
"The pfSense firewall will only prevent Layer 3 traffic between VLANs. But to prevent a "VLAN hopping" attack (Layer 2), it is recommended not to expose the native VLAN for normal user traffic. Again, this level of security may not be necessary in every environment, but it is considered best practice."
This video kinda explains VLAN hopping and the countermeasures against it. His English doesn't sound good, but I believe he answered the part @8:50
ruclips.net/video/KYsd_5kzsJg/видео.html
I looked at this and, though certainly true, it may not be practical or necessary in most home-based applications where you are just trying to establish isolation. It certainly does not hurt. Thanks for sharing the video.
@MikeFaucher I tried making the changes as the video showed. Specifically this one:
ruclips.net/video/fU3D0_JUoss/видео.html
My working config is as follows. VLAN 30 for ports 1 and 3 is tagged. PVID is VLAN 1.
Port 1 is trunked to another switch, and port 3 is trunked to a UniFi wireless AP. PVID is also 1.
To change to the same as the video, I changed VLAN 1 for port 3 to EXCLUDE, and changed the PVID for it to VLAN 30.
But making this change broke connectivity for my guest LAN, specifically the UniFi wireless AP, as I could no longer get DHCP to issue an IP at all.
X_X: so confused xd... I did exactly like the video *sigh*
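An added example, not from the video or anyone in this thread: a small Python model of how an 802.1Q switch port treats frames, using the two port configurations described in the comment above (port 1 trunk and port 3 to the AP, both with VLAN 30 tagged and PVID 1; then port 3 changed to PVID 30 with VLAN 1 excluded). The rules modelled are the standard ones: an untagged frame arriving on a port is placed in that port's PVID VLAN, a tagged frame is placed in the VLAN of its tag, a frame is only accepted or sent on a port that is a member of that VLAN, and on egress the tag is kept or stripped according to whether the port carries that VLAN tagged or untagged. Two details are assumptions, not stated in the thread: that VLAN 1 was untagged on port 3 in the working config (the PVID is 1 and management worked), and that the AP's own management traffic leaves the AP untagged, as it does by default, while guest SSID traffic leaves tagged 30. Port 2, an access port on VLAN 1 for the host running the controller, is constructed for the demo. The model is also the "native VLAN" point from the quoted advice above: any untagged frame entering the trunk port lands in its PVID, which here is the management VLAN.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int                                    # VLAN for untagged ingress frames
    tagged: set = field(default_factory=set)     # VLANs carried with an 802.1Q tag
    untagged: set = field(default_factory=set)   # VLANs carried without a tag

    def member(self, vid):
        return vid in self.tagged or vid in self.untagged

    def ingress(self, tag):
        """VLAN a received frame is placed in, or None if the port drops it."""
        vid = self.pvid if tag is None else tag
        return vid if self.member(vid) else None

    def egress(self, vid):
        """How the frame leaves this port: 'tagged', 'untagged', or None."""
        if vid in self.tagged:
            return "tagged"
        if vid in self.untagged:
            return "untagged"
        return None


def forward(src, dst, tag):
    """Forward one frame that arrived on src (tag=None for untagged) out of dst.
    Returns (vlan, egress_mode) or None if it is dropped on either side."""
    vid = src.ingress(tag)
    if vid is None:
        return None
    mode = dst.egress(vid)
    return None if mode is None else (vid, mode)


def thread_config(change_port3=False):
    # Port 1: trunk to the other switch. Port 3: the UniFi AP.
    # Port 2: assumed access port on VLAN 1 for the controller host.
    p1 = Port("port1-trunk", pvid=1, tagged={30}, untagged={1})
    p2 = Port("port2-controller", pvid=1, untagged={1})
    if change_port3:
        # After the change: VLAN 1 excluded, PVID set to 30.
        p3 = Port("port3-ap", pvid=30, tagged={30})
    else:
        # Working config: VLAN 30 tagged, PVID 1 (VLAN 1 untagged is assumed).
        p3 = Port("port3-ap", pvid=1, tagged={30}, untagged={1})
    return p1, p2, p3


def check(change_port3=False):
    """Where a few representative frames end up under each configuration."""
    p1, p2, p3 = thread_config(change_port3)
    return {
        # AP management frames (assumed untagged) toward the controller host
        "ap_mgmt_to_controller": forward(p3, p2, None),
        # Guest SSID frames (tagged 30) toward the trunk
        "ap_guest_to_trunk": forward(p3, p1, 30),
        # AP management frames toward the trunk
        "ap_mgmt_to_trunk": forward(p3, p1, None),
        # An untagged frame arriving on the trunk: lands in the trunk's PVID
        "untagged_on_trunk_to_controller": forward(p1, p2, None),
    }


if __name__ == "__main__":
    for label, cfg in (("working config", False), ("after the change", True)):
        print(label)
        for k, v in check(cfg).items():
            print(f"  {k}: {v}")
```

In the working config the AP's untagged management frames land in VLAN 1 and reach the controller's port, while guest frames tagged 30 go out the trunk still tagged. After the change, the same untagged management frames are placed in VLAN 30 and no longer reach the controller on VLAN 1 at all, so the AP is managed from the wrong VLAN; guest frames are unaffected. The last entry shows why the quoted advice keeps user traffic off the native VLAN: whatever arrives untagged on the trunk is dropped straight into VLAN 1, which here is where the controller lives.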