Setting up a Home/Business network

Robert Manna

October 31, 2022 13:38

Hello all,

I have a conceptual understanding on the concepts of networking, i.e. VLANs, LANs, Routers, Switches, APs, etc. But I am not in any way a network expert so am looking for some input and advice relative to my goals. Originally I had been thinking of a 'bucket' strategy based upon the FWG and its three physical LAN ports. However after reading more last night, I'm thinking that perhaps a 'layer cake' strategy of VLAN's might be a better approach?

Current Network Gear:

FWG
TP-link 48 port jetstream switch & Omada software controller
Verizon G3100 access point (router) & extender
Intent to upgrade to TP-Link APs in lieu of the Verizon router

Clients:

Business PCs & Family PCs
Windows Server
LAN Multi-function printer/scanner
Smart TVs & Game Console
Mobile/Wireless Devices
Smart Thermostats

Goals

Isolate Business from Family devices
Permit access to the LAN Printer from Business, Family and WiFi
Apply FWG Add Blocking to Business & Family Devices, but not Smart TVs (I've read that add blocking can mess with things like Hulu and other add supported clients)
Apply FWG Content Management policies to Family Devices & WiFi
Have a guest WiFi versus 'Family' WiFi
Isolate Smart Thermostats (may have to wait until I add TP-Link APs that allow for multiple SSIDs)
Route/permit incoming VPN traffic from FWG only to specific Business Client(s).
QoS to prioritize Business Devices over Family/Smart TVs, etc. (this is a nice to have, not required)

Questions:

I know from some additional reading that the G3100 (which has a guest WiFi SSID) tags the Guest SSID with a VLAN 10 tag. If I understand correctly I can therefore set the FWG Guest VLAN to 10 and create a VLAN in my Switch tagged with 10 and that would manage all 'Guest' traffic.
I'm hazy on how best to "share" the printer, should it sit in its own VLAN?
Should I bother with multiple LAN networks on either the FWG or Switch, or should I lag two (or three) of the FWG LAN ports to a pair of ports on the Switch, then use VLAN's in the FWG and Switch to manage traffic and application of policies?
Should the VPN routing be managed with yet another VLAN?
Is there something I missing, am I thinking about this 'all wrong'

Thanks so much for reading and your valuable advice and feedback.

Comments

8 comments

Michael Bierman

October 31, 2022 17:22
I know from some additional reading that the G3100 (which has a guest WiFi SSID) tags the Guest SSID with a VLAN 10 tag. If I understand correctly I can therefore set the FWG Guest VLAN to 10 and create a VLAN in my Switch tagged with 10 and that would manage all 'Guest' traffic.

How is the G3100 setup? What is the order of devices? It isn't clear what mode you plan to run Firewalla in.

I'm hazy on how best to "share" the printer, should it sit in its own VLAN?

Generically, you can put this on a separate VLAN or, you can put it on a particular VLAN and allow other VLANs to access the device.

Should I bother with multiple LAN networks on either the FWG or Switch, or should I lag two (or three) of the FWG LAN ports to a pair of ports on the Switch, then use VLAN's in the FWG and Switch to manage traffic and application of policies?

Can't answer without knowing what the setup is.

Should the VPN routing be managed with yet another VLAN?

VPNs on Firewalla are a separate network.
0

Comment actions Permalink
Robert Manna

October 31, 2022 17:36

Edited
How is the G3100 setup? What is the order of devices? It isn't clear what mode you plan to run Firewalla in.

Ah, sorry, I was not clear on that point! Intend to deprecate the G3100 to functioning as an AP with the FWG functioning as my primary router/security appliance for the entire network directly connected to the ONT. As noted, would eventually replace the G3100 and its extender with TP-Link APs. If the G3100 is too much of a hassle, may go ahead with the new APs sooner than later.

So basic network architecture would be:

ONT -> FWG -> 48 port switch

I was planning to connect all devices to the switch, and only use the FWG LAN ports to connect to the switch, either broken out to separate LAN/VLANs on the switch or lagged together as a single trunk. Alternately I could hang the G3100 off of the FWG directly, but I'm not sure there would be any advantage to that...?
0

Comment actions Permalink
Michael Bierman

October 31, 2022 19:23
ONT -> FWG -> 48 port switch

I was planning to connect all devices to the switch, and only use the FWG LAN ports to connect to the switch, either broken out to separate LAN/VLANs on the switch or lagged together as a single trunk. Alternately I could hang the G3100 off of the FWG directly, but I'm not sure there would be any advantage to that...?

Great, thanks! With one minor exception, I don't know if any significant difference between connecting directly to FW and the switch. If your switch supports LAG you could create a LAG between FWG and the switch which gives you redundancy and greater bandwidth. https://help.firewalla.com/hc/en-us/articles/4409583011091-Link-Aggregation-Groups-LAG-

I know from some additional reading that the G3100 (which has a guest WiFi SSID) tags the Guest SSID with a VLAN 10 tag. If I understand correctly I can therefore set the FWG Guest VLAN to 10 and create a VLAN in my Switch tagged with 10 and that would manage all 'Guest' traffic.

Maybe. Some routers that use a VLAN for Guest mode don't allow that in AP mode. one of this disadvantages of ISP routers like G3100 is the documentation and features are pretty limited. I could not find any documentation or any posts that confirm that you can use the Guest as a VLAN. In any case, you will be limited to the two VLANs. If you want more, you need to choose different APs. Since you are already using Omada you might pick up their APs which support VLANs via multiple SSIDs.

Should I bother with multiple LAN networks on either the FWG or Switch, or should I lag two (or three) of the FWG LAN ports to a pair of ports on the Switch, then use VLAN's in the FWG and Switch to manage traffic and application of policies?

Some people prefer separate LANs vs VLANs. It adds a bit of security. If you have enough ports and the wiring is feasible, it isn't a bad way to go. If either aren't an option, VLANs are the way to go.
1

Comment actions Permalink
Robert Manna

October 31, 2022 20:49
Thanks for the feedback.

For completeness sake, this person seems to know what they're doing, and generally seems to have proven the G3100 uses a VLAN 10 tag on the Guest SSID. If I put it into bridge mode, I don't foresee any issue with the multi-SSID not functioning.

However, in general I agree with your assessment about ISP routers, which is why I'm looking down the road at TP-Link APs. :-)

It sounds/seems to me that it would be easier to only manage what I want with VLANs, and adding in LAN's would make it more complicated, as then I have to somehow set-up routing between the LANs, which I'm not sure how to do.
0

Comment actions Permalink
Michael Bierman

October 31, 2022 23:54
So with some APs (probably not the G3100) Guest networks are done using client isolation, not a VLAN.

The link you shared is promising, however I think they are describing using the G3100 as a router, not in bridge mode.
0

Comment actions Permalink
Robert Manna

November 02, 2022 03:36
So, based on the conversation above, and after further thought I've come up with the following diagram, hopefully it makes some sense. Does this seem reasonable?
0

Comment actions Permalink
Michael Bierman

November 02, 2022 05:51
The wiring looks fine. The segments make sense:
- Business
- Family
- Guest IoT
- Guest
I have to confess that I don't quite follow what FWG Content Mgmt is or what it is for.
0

Comment actions Permalink
Robert Manna

November 02, 2022 12:57
'Content Management' was my euphemism for FWG's Family Protect settings as well as any other parental control settings. :-)
0

Comment actions Permalink

Please sign in to leave a comment.

Comments

Didn't find what you were looking for?