VLAN Guidance

Hi All

I'm in the process of planning a network overhaul. Currently, I have the following:

Virgin Media hub doing WiFi and routing. Ethernet to the rack, where it goes into a 16-port 1Gb MikroTik switch.

Wired devices to switch:
  1. Gaming PC 1
  2. Gaming PC 2
  3. NUC for family use
  4. NUC running Linux - always on. I remotely connect to this to download torrents, browse the web etc., and to move downloaded stuff to the NAS. I use PIA VPN on this, but I don't use the VPN on anything else (except the occasional use on my gaming PC to get around certain recent restrictions).
  5. NAS
  6. NAS - Backup
  7. Printer
  8. Apple TV - online streaming and video from NAS
  9. TV (currently unplugged)
  10. Bedroom TV (also currently unplugged)
Wifi devices:

My phone
My tablet
Steam Deck
Wife's phone
2x Kids' phones
2x Kids' tablets
3 Ring cameras
Dishwasher (why, I don't know)
Soon to be EV charger
Harmony Hub.
Alexa
etc

So I'm a bit of a networking noob, but I manage just about. I'm planning on getting a UniFi UCG-Fiber, plus AP(s), plus a switch of some description. I need to work out what switch I want. I like the 8-port 2.5GbE switch with 10Gb uplink (USW-Flex-2.5G-8) but it's £150. Two of the 5-port 2.5GbE switches would also work potentially.

Currently, I'm a bit restricted by ports in the office. Long term, we will be building an extension, and the PC stuff will be on the other side of the house from the rack, so the 8-port with the 10GbE link would be ideal, and most of the PC stuff would go in that room anyway. This would likely mean not a lot plugged into the 16-port switch, though that would increase over time I expect as the kids get older.

Eventually the MikroTik would likely be replaced with another UniFi switch, but in the short term I'd connect it to the SFP+ port on the gateway with a DAC cable.

So... VLANs. I was thinking of something like:

  1. Me - Gaming PC 1, Gaming PC 2, my phone, Steam Deck.
  2. Main - MikroTik switch (and therefore everything plugged into it), family NUC, my tablet, wife's phone, printer, NAS and backup NAS.
  3. Kids - kids' phones, kids' tablets.
  4. Guest - guests.
  5. IOT - Ring cameras x3, dishwasher, Alexa, EV charger etc.

Does that sound reasonable?

The things I'm not sure about:
  1. Can I assign the SFP+ port on the gateway to a VLAN, making everything on the MikroTik "Main"?
  2. The NUC running Linux. Potentially on iffy websites, but I need it to see the NAS. Best way to isolate this?
  3. NAS and backup NAS. I'd want these on the 2.5GbE switch, but would these be better on Main? Or Me?
  4. The Logitech Harmony Hub. I connect to this from my phone, but it's over the network rather than the internet. Is this OK on IOT? Or better on Main?

If you are still with me, thanks.

NOTE: I'll ditch the Ring cameras in favour of PoE UniFi cameras at some point, but we need some building work to happen first, and that is a while away.
 
Something to bear in mind is that most clients are going to be connecting wirelessly.

That means you don't want too many VLANs as (usually) you're going to want to create an SSID for each VLAN. Multiple SSIDs have significant overheads, especially with legacy clients (anything 802.11n and below), so you'd probably want to minimise those.

You probably just want:

1. Management VLAN, wired only;
2. Guest/Kids VLAN, wireless only;
3. Main VLAN, wired/wireless;
4. IOT, wired/wireless.

That gives you three SSIDs, which is about as many as you ever want to run in terms of airtime efficiency, and 4 VLANs, which is about as many as you ever want to run on a home network (YMMV).
 
Why does it matter how many SSIDs you run? I've never seen an issue with more.
 
It's more of a deployment/airtime usage thing. One AP not so much, but it adds up. Also the encryption used has knock-on effects - some extreme for legacy kit because it enforces a maximum PHY rate on all clients.

Legacy clients are what ruins wifi - unfortunately most of us have them :)
 
I have my Harmony Hub on an IoT network which can only talk to the internet. HA and my phone control it fine without issue; just set up UniFi zone-based firewalls correctly.

That means you don't want too many VLANs as (usually) you're going to want to create a SSID for each VLAN. Multiple SSIDs have significant overheads, especially with legacy clients (anything 802.11n and below) so you'd probably want to minimise those.
Just use PPSK and have multiple VLANs on the same SSID and the password used defines what VLAN the client lands on.
 
Interesting. Never thought of assigning VLANs any other way than different SSIDs. Might have to look into that, if for no other reason than to tidy things up into a single SSID. I have 3 at the minute:
Main/Management
Family
IOT
 
All good info. Thanks guys.

PPSK vs multiple SSIDs (or a combination of the two) was going to be one of my next questions.
 
I have my Harmony Hub on an IoT network which can only talk to the internet, HA and my phone control it fine without issue, just set up UniFi zone based firewalls correctly.


Just use PPSK and have multiple VLANs on the same SSID and the password used defines what VLAN the client lands on.
Which requires auth per user, which I was trying to avoid for the guy. Baby steps with VLANs are usually the best way to learn - and not "rage reset" everything because you screwed up inter-VLAN routing again :D

The SSID overheads are best thought about as "how many SSIDs can you see on the same channel as you?". On 2.4GHz in an urban area 30%+ of the channel is probably taken up by beacons/probes. Best to keep SSIDs to a minimum as a good neighbour.
 
Looks like it's not a great idea for a single SSID, because for things like IOT you want WPA2 only.
In fact the way I have my network setup I don't think there's a better way than having the 3 SSIDs.
 
What do you mean auth per user?
Password defines VLAN groups is effectively RADIUS, yes? That's what I mean.

In addition what do you do about clients which won't auth with that setup? There's a lot of old crap in people's houses which won't even retry WPA2-PSK if they get booted on WPA3 auth.

Minimal SSIDs in domestic setups is easier. It's not the best way. It's just easier.
 
Main/Management
I just noticed this.

We've all done it but don't. Not these days when AI-assists (Claude) can compromise AWS instances within 10 minutes :D

Move your "Main" VLAN to a different network & put management/default wired only on limited ports. It's a lot more secure and, unless you're eternally tinkering, it's not that inconvenient.
 
Password defines VLAN groups is effectively RADIUS yes? That's what I mean.
No, it’s not like that. The client joins like they join any network. The password entered dictates what network they go on. I’ve been running it since EA years ago and never had an issue even with IoT devices.
 
I just noticed this.

We've all done it but don't. Not these days when AI-assists (Claude) can compromise AWS instances within 10 minutes :D

Move your "Main" VLAN to a different network & put management/default wired only on limited ports. It's a lot more secure and, unless you're eternally tinkering, it's not that inconvenient.
Why would it be less secure? My Main/Maintenance is basically my mobile, PC, server and NAS, plus all the CCTV. Everything else is either on Family or IOT; the difference between those two is that IOT has very limited access to anything on the network, just internet access.
Family can't access any stuff on Main and has some internet filters.
Main and family are both WPA3 only, IOT is WPA2 only.

It's already infinitely more secure than the vast majority of people's with the ISPs router with every device on the same LAN.
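A small stateful zone-policy model of the segmentation described in that post, covering the earlier Harmony Hub question as well. This is an added example, not UniFi's code or anything posted in the thread; the zone names, the /24 addressing and the hub's port number are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan: one /24 per zone; anything outside is "internet".
ZONES = {
    "main": ip_network("10.0.10.0/24"),
    "family": ip_network("10.0.20.0/24"),
    "iot": ip_network("10.0.30.0/24"),
}

# Zone policy as described in the post: Main may initiate to anything, Family
# and IoT may only initiate to the internet. First match wins; no match = deny.
RULES = [
    ("main", "*", "allow"),
    ("family", "internet", "allow"),
    ("iot", "internet", "allow"),
]


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class ZoneFirewall:
    """Stateful first-match zone firewall over the constructed zones."""

    def __init__(self, rules):
        self.rules = rules
        self.established = set()  # flows already allowed in the forward direction

    def check(self, f: Flow) -> str:
        # Replies to an already-allowed flow pass regardless of zone rules. This
        # is why a phone on Main can control a hub on IoT while the hub still
        # cannot open a connection towards Main on its own.
        if Flow(f.dst, f.dport, f.src, f.sport) in self.established:
            return "allow"
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        for rule_src, rule_dst, verdict in self.rules:
            if rule_src == src_zone and rule_dst in ("*", dst_zone):
                if verdict == "allow":
                    self.established.add(f)
                return verdict
        return "deny"
```

Run the checks in any order that starts with a Main-initiated flow and the IoT reply is accepted only because the forward flow was recorded first; a fresh IoT-to-Main connection is still denied.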
 