LowEnd Segmented Wireless and Wired VLAN Networks

I would like to segment my home network into separate VLANs. The goal is to prevent appliances like doorbell cameras and video streaming devices from accessing the LAN that residents use for their personal computers and phones.

That means several WiFi SSIDs that are on separate LAN segments. I have switches that support 802.1q VLAN tagging, but they are still operating as unmanaged switches.

Which firewall would you recommend that supports this kind of networking with VLAN tagging?
Which access points would you recommend that support multiple SSIDs (say 8 different ones) with appropriate VLAN tagging?

Comments

  • edited September 2022

    You could use unmanaged switches, and connect the access point bridges to a vlan tagged broadcast domain instead of the native in access mode, provided that your access points support bridging to vlan tagged interfaces and your router supports creating vlan tagged interfaces. It's not the cleanest solution, but it will work.

    (internet)---wan--[router]--lan(untagged),vlan10(tagged),vlan20(tagged),vlan30(tagged)-->
    --[unmanaged switch]--vlan10(tagged)--[ap1]
    --vlan20(tagged)--[ap2]
    --vlan30(tagged)--[ap3]
    --lan(untagged)--[PC] etc.
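The topology sketched above done on a Linux router, as an added example that is not from this post or anyone in the thread: the router gets one 802.1Q sub-interface per tagged VLAN on the port facing the unmanaged switch, the residents' LAN stays untagged on that same port, and an nftables forward chain drops every flow between segments except the resident LAN opening connections to the appliance VLANs (replies come back through conntrack), which is the isolation the opening post asks for. The interface names eth0/eth1, the VLAN ids 10/20/30 and the subnets are assumptions; the script only generates the iproute2 commands and the ruleset, it does not apply them.

```python
"""Added example (not from the thread): model the tagged-VLAN-over-unmanaged-switch
topology on a Linux router and emit the interface commands and the nftables
forward policy. Interface names, VLAN ids and subnets are assumptions."""
import ipaddress

WAN_IF = "eth0"    # assumption: upstream port
TRUNK_IF = "eth1"  # assumption: port facing the unmanaged switch

# Assumed VLAN plan. id None = untagged on the trunk (the residents' LAN).
VLANS = {
    "lan":   {"id": None, "subnet": "192.168.1.0/24"},   # PCs and phones
    "iot":   {"id": 10,   "subnet": "192.168.10.0/24"},  # doorbell cameras
    "tv":    {"id": 20,   "subnet": "192.168.20.0/24"},  # streaming devices
    "guest": {"id": 30,   "subnet": "192.168.30.0/24"},
}

# (src, dst) segment pairs allowed to open connections through the router.
# Every segment may reach the WAN; every other inter-VLAN flow is dropped.
# Reply packets are matched by conntrack, so the appliances can answer the
# residents but never initiate toward them.
ALLOWED_FORWARDS = {("lan", "iot"), ("lan", "tv")}


def validate_vlan_id(vid):
    """802.1Q ids are 1..4094 (0 and 4095 are reserved); None means untagged."""
    if vid is not None and (not isinstance(vid, int) or not 1 <= vid <= 4094):
        raise ValueError(f"invalid VLAN id {vid!r}")
    return vid


def iface_name(segment):
    """Router interface carrying a segment: eth1 untagged, eth1.<id> tagged."""
    vid = validate_vlan_id(VLANS[segment]["id"])
    return TRUNK_IF if vid is None else f"{TRUNK_IF}.{vid}"


def router_address(segment):
    """First host of the segment's subnet is the router's address in it."""
    net = ipaddress.ip_network(VLANS[segment]["subnet"])
    return f"{next(net.hosts())}/{net.prefixlen}"


def ip_commands():
    """iproute2 commands that create the 802.1Q sub-interfaces and address them."""
    cmds = []
    for segment, cfg in VLANS.items():
        dev = iface_name(segment)
        if cfg["id"] is not None:
            cmds.append(f"ip link add link {TRUNK_IF} name {dev} type vlan id {cfg['id']}")
        cmds.append(f"ip addr add {router_address(segment)} dev {dev}")
        cmds.append(f"ip link set {dev} up")
    return cmds


def is_forward_allowed(src, dst):
    """Policy oracle: may a new connection from segment src reach segment dst?"""
    if dst == "wan":
        return True
    return (src, dst) in ALLOWED_FORWARDS


def nft_ruleset():
    """nftables forward chain implementing ALLOWED_FORWARDS with default drop."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f'    oifname "{WAN_IF}" accept',
    ]
    for src, dst in sorted(ALLOWED_FORWARDS):
        lines.append(f'    iifname "{iface_name(src)}" oifname "{iface_name(dst)}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("\n".join(ip_commands()))
    print(nft_ruleset())
```

Because an unmanaged switch floods tagged frames to every port, the router's forward chain is the only place this policy is enforced; a managed switch with real trunk and access ports, as the later replies describe, additionally keeps untagged LAN hosts from ever seeing the tagged frames.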

  • Which firewall/router? Which access points will support separate SSIDs going to separate VLANS?

  • @xleet said:
    Which firewall/router? Which access points will support separate SSIDs going to separate VLANS?

    I'm very happy with second-hand Aruba WiFi APs I've gotten. Currently have an IAP-225 with 3 SSIDs going to three different VLANs without much fuss. I think the typical maximum you see is 4 SSIDs, though that's if you use both the 2.4 and 5 GHz channels for the same functionality. If you are ok with only having 2.4 on some SSIDs and 5 only on some others you could get away with 8 using something older like an IAP-225. Newer models can do more SSIDs though.

    Ubiquiti's products are also an option, though I haven't used them in a while so I don't recall how many SSIDs you can have on them.

    Firewall wise, you have many options - all the way from reflashing a consumer grade router with OpenWRT, to building out a pfSense or OPNsense box.

    Configuration wise, you would set each port used for each switch uplink (if you're daisy-chaining them) to trunk, along with all other ports that will have WiFi APs on them. Ports that have other types of devices that aren't related to the network infrastructure should be set to tagged with whatever VLAN they should belong on.

    Every switch manufacturer does this a different way (I'm most familiar with Cisco & Aruba myself) so check your switch documentation for exact steps on how to configure ports as trunks or tagged.

    Thanked by (1) xleet

    Cheap dedis are my drug, and I'm too far gone to turn back.

    I use old AeroHive APs; Omada, UniFi, and Aruba IAP are fine, too. OPNsense on an old Lenovo m73 (4th gen uSFF). Lots of options for old enterprise gigabit PoE switches: I use an Enterasys C3-series; Juniper EX-4200, Aruba S2500, and ICX6450 are great options as well (some of which even have a couple SFP+ ports).

    Thanked by (1) xleet

  • @xleet - I would suggest you look at whether your devices support WPA2 Enterprise mode. If they do (quite likely for many, but I'm a bit wary of embedded devices like cameras etc.), you can actually have a single SSID (better coverage, signal and less noise/overlap) and have them all get assigned to a specific VLAN based on their authentication credentials. It's a bit heavy effort-wise to set up, but it is well worth it in the long run to give you full flexibility to control your network. You'll need some sort of a RADIUS server in your LAN (in addition to VLAN aware switches + WiFi APs), but it is (IMHO) the better solution (you can manage with a single SSID and have fantastic coverage).
    Worst case, you go with a WPA2 SSID for one VLAN and have WPA2 Enterprise for the rest which do support it.
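The single-SSID, credential-based VLAN assignment described above, as an added example that is not from this post or anyone in the thread: a small Python script generates the FreeRADIUS `users` entries carrying the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) for each device identity and the hostapd options that act on them, plus a lookup that shows which VLAN a given identity is handed. The identities, placeholder secrets, VLAN ids, RADIUS address, SSID and file path are assumptions; the attribute names and the hostapd option names are real.

```python
"""Added example, not from the thread: generate FreeRADIUS "users" entries and
hostapd settings that place each WPA2 Enterprise client on a VLAN chosen by
its own credential. Identities, secrets, VLAN ids, addresses, the SSID and
the file path are assumptions made for the example."""

# RFC 3580 reply attributes that APs use for VLAN assignment; FreeRADIUS
# accepts these symbolic names in the users file.
TUNNEL_ATTRS = ("Tunnel-Type = VLAN", "Tunnel-Medium-Type = IEEE-802")

# Assumed inventory: EAP identity -> (credential, VLAN id). Here 1 is the
# residents' LAN, 10 the camera/doorbell segment, 20 the streaming segment.
# Real deployments should prefer EAP-TLS client certificates to passwords.
DEVICES = {
    "alice-laptop":   ("PLACEHOLDER_PW_1", 1),
    "doorbell-front": ("PLACEHOLDER_PW_2", 10),
    "tv-livingroom":  ("PLACEHOLDER_PW_3", 20),
}


def validate_vlan_id(vid):
    """802.1Q ids are 1..4094; 0 and 4095 are reserved."""
    if not isinstance(vid, int) or not 1 <= vid <= 4094:
        raise ValueError(f"invalid VLAN id {vid!r}")
    return vid


def vlan_for_identity(identity):
    """VLAN the RADIUS server hands back for an identity, or None when no
    entry exists (FreeRADIUS then rejects the supplicant, so an unknown
    identity never lands on any segment). The identity string is chosen by
    the client; the assignment only holds because the credential bound to
    that entry must also be proven."""
    entry = DEVICES.get(identity)
    return None if entry is None else entry[1]


def freeradius_users_file():
    """Text for /etc/freeradius/3.0/users (path is an assumption). With
    PEAP/TTLS the reply attributes are produced inside the inner tunnel and
    must be copied to the outer reply; consult the docs of your FreeRADIUS
    version for the setting that does this."""
    blocks = []
    for identity, (secret, vid) in DEVICES.items():
        validate_vlan_id(vid)
        reply = list(TUNNEL_ATTRS) + [f'Tunnel-Private-Group-Id = "{vid}"']
        lines = [f'{identity}\tCleartext-Password := "{secret}"']
        # reply items are comma-separated, the last one without a comma
        lines += ["\t" + attr + ("," if i < len(reply) - 1 else "")
                  for i, attr in enumerate(reply)]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def hostapd_config(radius_addr="192.168.1.2", radius_secret="PLACEHOLDER_RADIUS"):
    """hostapd options (real option names) for one enterprise SSID whose
    clients are moved to the VLAN named in the RADIUS reply. The AP's wired
    uplink then has to be a trunk that carries every one of those VLANs."""
    return "\n".join([
        "interface=wlan0",
        "ssid=home-8021x",
        "wpa=2",
        "wpa_key_mgmt=WPA-EAP",
        "rsn_pairwise=CCMP",
        "ieee8021x=1",
        f"auth_server_addr={radius_addr}",
        "auth_server_port=1812",
        f"auth_server_shared_secret={radius_secret}",
        "dynamic_vlan=1",              # act on Tunnel-Private-Group-Id
        "vlan_tagged_interface=eth0",  # wired uplink, becomes the trunk
        "vlan_naming=1",               # per-VLAN wireless interfaces wlan0.<vid>
        "vlan_bridge=br-vlan",         # bridge wlan0.<vid> with eth0.<vid>
    ]) + "\n"


if __name__ == "__main__":
    print(freeradius_users_file())
    print(hostapd_config())
```

The devices that cannot do 802.1X, the "worst case" mentioned above, would keep a separate PSK SSID pinned to a fixed VLAN on the AP; everything that can authenticate shares the one enterprise SSID and is sorted by its credential instead.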

  • edited September 2022

    @seanho said:
    I use old AeroHive APs; Omada, UniFi, and Aruba IAP are fine, too. OPNSense on an old Lenovo m73 (4th gen uSFF). Lots of options for old enterprise gigabit PoE switches: I use an Enterasys C3-series; Juniper EX-4200, Aruba S2500, and ICX6450 are great options as well (some of which even have a couple SFP+ ports).

    Can vouch for Omada. Have their WiFi 6 APs and they even have guest portals if you’re into that (it has a mini site builder for guest login pages).

    Speeds are as advertised and VLAN tagging works in conjunction with an Omada SDN (controller). Once set up, you can adopt APs pretty easily too.

    Edit: I should note that I have a TL-SX3008F, an EAP670, EAP610 and a Linux firewall machine with a two-port SFP+ card.

    Thanked by (1) xleet

  • This is a bump to say thank you to those who responded above.

    Don't stop. I hope to see additional posts from others.

    Tell us how you segment your wireless (and wired) home networks.
