VLANs

Morning all
Having now purchased my first switch (an 8 port Netgear managed switch), I would like to set up 2 VLANs. One for my main PC, printer, etc. The other for my security camera(s).
The camera(s) plugs into the same switch as it provides POE. I will be viewing the camera feeds via a separate laptop (and not my main PC). The laptop will connect to my router either via wifi or I will use an ethernet cable into port 5 on the switch.
Port 8 takes the incoming feed from my router/modem/firewall.
Ports 5,6 and 7 will be reserved for the cameras (and laptop).
Ports 1,2,3 and 4 will be reserved for my main home LAN.
I don’t have any interest in being able to connect to my camera when I’m not at home and I don’t want security alerts.
I have watched so many YT videos and read articles about VLANs. I think I’ve grasped the basic concept but what I can’t get my head round is tagged v untagged.
Any guidance would be very much appreciated.
My thinking is;
Ports 1,2,3 and 4 will be in VLAN 88 (or some other random number). untagged.
Ports 5,6 & 7 will go into a separate VLAN (call it 99 for now). Assume this is untagged, as well??
I don’t want anything in ports 1,2,3 & 4 to be able to talk to anything in ports 5,6, and 7 and vice versa.
If the above ‘untagging’ is correct, what do I do about port 8 which takes the incoming connection from my router/modem/firewall?
Should it be in both VLANs and tagged??
Thanks
 
Port 8 would be a trunk port, or it would need to carry all VLANs you want to use on that switch. Trunk is easiest, I'm not familiar with how Netgear managed switches do this.
Ports 1-4 would be set as VLAN 88, there's no configuration needed on the clients.
Ports 5-7 would be left as normal ports, which would be native VLAN, or sometimes known as untagged. Or you can also configure a second VLAN and use that.
You need to configure the appropriate firewall rules on your firewall/router to block traffic between the VLANs. You also need to ensure that the 'CCTV' laptop is also on VLAN 88 otherwise it won't be able to view the feeds. There's also nothing wrong with allowing traffic into VLAN 88, if you want to view the cameras from other networks.
 
Many thanks for taking the time to reply.
At the moment, I have the router plugged into port 8 and my main PC into port 1. The switch is in its default configuration. So I guess that currently, port 8 is acting as a ‘trunk’ port by default.
To prove that the camera works, I have been plugging it in to port 7 (POE enabled), for very short periods of time.
Despite your helpful comments - many thanks - I am beginning to wonder if I’m not trying to achieve something which is beyond my skill set.
Despite being reasonably IT literate, I hadn’t realised that I’d need to play around with firewall rules as well. For so long now, I’ve simply relied on the default firewall rules within my router/modem (currently a Fritzbox 7530). I have to hold my hand up and say that I’m more than a bit wary of playing around with firewall rules, as I’m not sure I’d know what I was doing. That said, if there was an ‘idiots’ guide on-line, I’d be very happy to spend time and learn.
In my ignorance, I hadn’t realised that there would be additional settings outside of the managed switch.
I guess I could always take the easy option of routing the camera feed and laptop onto a guest network (port 4 on my Router) and isolating it from my main LAN entirely. But that would mean me having to run another ethernet cable from the router (downstairs) to the switch (upstairs). I’m not sure I can face doing that again!
Thanks. I really appreciate your help.
 
You need a router which supports multiple LAN subnets, I’m not sure your box does. It’s not enough to do it on the switch alone.

Although if you want a truly local network to the switch it would be possible, but nothing would be able to communicate outside (or into) VLAN 88, and the devices would not have a default gateway. Plus you’d have to plug your CCTV laptop into VLAN 88, using a port on the Netgear.
 
Thanks again.
Despite me thinking that I’d at least researched the fundamentals before jumping in with purchases of kit, I’d clearly not gone far enough to make sure I had a fair idea of what I was doing. It simply hadn’t sunk in that my router needed to be VLAN capable, too!!
I now need a rethink, although all is not lost.
One final question, if I may?
Would setting up ethernet port 4 on my router as a “guest” network, running a cable from that port to the switch and only having the security camera and CCTV laptop plugged into the switch (nothing else plugged into the switch), provide me with some sort of ‘isolated’ solution?
I know that I said I couldn’t face the prospect of running another Ethernet cable from ground floor to first floor, but perhaps that’s what I’m going to have to do and/or physically move the switch. I would then leave my main PC connected to port 1 on my router which is what I was doing before the switch arrived.
One other option is to buy a new router (not sure about my skill level flashing a router with, say, OpenWRT), but I sense that I would soon find myself underwater again, struggling to piece everything together.
 
Why do you want to VLAN exactly? I would assume it’s because you don’t want certain devices to communicate together but it seems like you are in control of both so what is the use case? Asking as there may be an easier solution to achieve your aim.

On my Netgear managed switch there are various ways to setup VLAN so it isn’t always obvious. This basically describes the process.
 
Thanks. Your assumption is spot on. I’m reading too many articles (not on here) and watching many videos suggesting that IOT devices and security cameras should be isolated from the main network. Hence I would like to do the same if I can.
I’m now not a million miles off having a basic understanding of what needs to take place in the managed switch, but because the router also needs to be “VLAN aware”, I’m basically no further forward as my router doesn’t give me that option.
 
Does the Fritzbox have firewall options to block outgoing traffic for certain IP addresses? If so, blocking your cameras from being able to access the internet should be just as effective as putting them on a separate VLAN (assuming you are worried about them "phoning home" etc.).
 
Going back to basics. There are two types of vlan 'tagging' systems - Cisco trunk/access and others use tagged/untagged (some include PVID also like your netgear switch). We will concentrate on the non Cisco method for now. Tagged traffic is where the switch or device at the other end applies the vlan tag to the traffic, it's generally firewalls, switches, access points and ip phones that do this. Untagged is where the switch or other device applies the vlan tag to the port in question, making the end device on that vlan so to speak, without the end device being aware it's on that vlan at all. Firewall rules you create can dictate what can talk between vlans if you wish to do so.

As a vlan is a separate 'layer 2' network, any vlans on top of the 'base vlan' needs to have its own gateway, firewall rules and DHCP/DNS setup. It's good practice to make the third octet of the subnet the vlan number if possible - so the subnet for your vlan 99, I would use 192.168.99.0/24. DHCP set to 192.168.99.100-199, DNS set to 1.1.1.1 and 8.8.8.8 respectively (don't forget to do this, many people do). The firewall rule by default would give internet access however you may need to put in a specific block firewall rule so traffic doesn't route between vlans.

On a pfsense box, on a simple two vlan network - you would use a 'base vlan' - which is vlan 1 by default, factory reset the netgear switch and that is now also 'flat' on vlan 1 untagged. Your pfsense box and switch would 'sit' on this vlan and be able to talk to each other fine. Then build the extra vlans you need on top, remembering to tag the uplink port on the switch to the pfsense box with each vlan 'tagged', the base vlan untagged and the pvid should match the untagged vlan also. From your example all you need to do then is set ports 5,6,7 to untagged vlan 99 and the PVID to vlan 99, with no access to vlan 1 (in the same vlan section in the switch web GUI). The devices on ports 5,6,7 will then get an IP from the vlan 99 DHCP server and DNS set to 1.1.1.1 and 8.8.8.8 as per my example. If you want to use access points with different SSID's or even a single SSID with different passwords for different networks (PPSK/DPSK etc) then the switch port the access point plugs into would need to be tagged with all the vlans for all the SSID's you create - this is how you make guest, iot, cctv wireless networks.

Get a 6th gen+ i5 HP/Dell SFF machine from ebay and a dual Intel 1Gb PCI-E network card to start with pfsense, you will also need an access point (I'd suggest Unifi) - however you could use your fritzbox as a basic single vlan access point for now to save on cost. Once you've got your head round the two vlan setup, you can expand. I have 6 vlans for example, admin, guest, media, IOT, Work, CCTV with various rules on the firewall between each network - The work vlan for example has internet access only for my work laptop/work phone and access to the printer on my admin network only (granted via specific firewall rule). The Media network has ipads, other tablets, firesticks on it, it gives internet access only with access to my media server on the admin vlan only (again granted via specific firewall rule).
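To make the tagged/untagged/PVID behaviour described in the two posts above concrete, here is a small model of the switch port table for the layout in this thread (ports 1-4 untagged VLAN 88, ports 5-7 untagged VLAN 99 with PVID 99, port 8 as the uplink with the base VLAN untagged and 88/99 tagged). It is an added example written for this page, not the thread's own configuration or a Netgear export; the port roles, the VLAN ids and the 192.168.<vlan>.0/24 subnet convention are taken from the posts, everything else is a constructed illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network

@dataclass
class Port:
    pvid: int                    # VLAN assigned to untagged frames arriving on this port
    untagged: set = field(default_factory=set)  # VLANs this port sends out without a tag
    tagged: set = field(default_factory=set)    # VLANs this port sends out with an 802.1Q tag

    def member_of(self, vlan):
        return vlan in self.untagged or vlan in self.tagged

# Constructed port table following the thread's layout (hypothetical, not a Netgear config dump):
# ports 1-4 untagged VLAN 88, ports 5-7 untagged VLAN 99 with PVID 99,
# port 8 uplink to the firewall: base VLAN 1 untagged, VLANs 88 and 99 tagged.
SWITCH = {
    **{p: Port(pvid=88, untagged={88}) for p in (1, 2, 3, 4)},
    **{p: Port(pvid=99, untagged={99}) for p in (5, 6, 7)},
    8: Port(pvid=1, untagged={1}, tagged={88, 99}),
}

def ingress_vlan(port, tag=None):
    """VLAN a frame is placed in on arrival: its 802.1Q tag if the port carries that
    VLAN, the port's PVID if it arrived untagged, None (dropped) for a foreign tag."""
    p = SWITCH[port]
    if tag is None:
        return p.pvid
    return tag if p.member_of(tag) else None

def forward(in_port, tag=None):
    """Ports a broadcast frame entering in_port is flooded to, as {port: egress_tag}
    (egress_tag is None where the frame leaves untagged)."""
    vlan = ingress_vlan(in_port, tag)
    if vlan is None:
        return {}
    return {n: (vlan if vlan in p.tagged else None)
            for n, p in SWITCH.items() if n != in_port and p.member_of(vlan)}

def vlan_subnet(vlan):
    """Subnet convention from the post: third octet equals the VLAN id."""
    return IPv4Network(f"192.168.{vlan}.0/24")

if __name__ == "__main__":
    print("camera on port 7 ->", forward(7))        # only ports 5, 6 and the uplink (tagged 99)
    print("PC on port 1     ->", forward(1))        # only ports 2-4 and the uplink (tagged 88)
    print("uplink tag 99    ->", forward(8, tag=99))
    print("VLAN 99 subnet   ->", vlan_subnet(99))
```

The model shows why the switch alone never lets a camera frame reach ports 1-4: the only path between VLAN 88 and VLAN 99 is out of port 8 as two differently tagged frames, so whether those two subnets can talk is decided by the firewall rules on the device behind port 8.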
 
Nice post, but it's better to have clients use a local DNS server (typically a router in most homes) and have the router do the lookups.
I would agree that the base/admin vlan in this case should point to the router for DNS, do you really need internal DNS on other vlans, for example work laptops, iot devices, CCTV devices etc?
 
In my case yes, as I run Adguard Home and filter my DNS traffic.
 
I will be viewing the camera feeds via a separate laptop (and not my main PC). The laptop will connect to my router either via wifi or i will use an ethernet cable into port 5 on the switch.
Port 8 takes the incoming feed from my router/modem/firewall.
Ports 5,6 and 7 will be reserved for the cameras (and laptop).
Ports 1,2,3 and 4 will be reserved for my main home LAN.

The important thing to remember is that each VLAN will be on its own subnet (ip address range). This means that:

1. Using a VLAN isolates it from any other VLAN (think of it as using 2 separate switches unconnected to one another)
2. The subnet used on each VLAN cannot speak to one another without a router, even if the VLANs were able to see one another (i.e. you link your 2 switches together using an RJ45 cable, but a computer on Switch 1 still cannot speak to a computer on Switch 2 because they are on different subnets).

To answer your question - Your bolded part above is important - your laptop has 2 interfaces:

1. Ethernet plugged into Port 5 which is:
a) On the same VLAN as your cameras (so able to see them)
b) On the same subnet as your cameras (so able to speak to them)

This allows your laptop to access your cameras.

*Without a separate DHCP server, these ip addresses may need to be manually assigned

2. Wifi which is linked to your router. This allows your laptop to still have internet access over Wifi.
 
Thank you so much for such a comprehensive reply.
I’ve had a quick read but realise I need to go through it all again a few times before it all sinks in.
 
Thank you for taking the time to reply. Much appreciated.
I think I’m starting to understand the basics at switch level but I am concerned about the implications of needing a VLAN aware router/firewall.
Nothing to do with the cost of new kit, but down to me never having had much (any) experience of changing firewall rules beyond what is the default on my domestic/ISP supplied home routers.
 