Help with switches, VLANs and connections

Comments

5 comments

  • Bob O'Hara

    If I understand your question correctly, your wireless devices will be on one of two different VLANs, a guest VLAN (with its separate SSID on your Omada APs) and a "home" VLAN for your own wireless devices.

    1. The three Omada APs will need to connect to a switch that supports VLANs.

    2. Configure the Omada APs to associate each SSID with a VLAN ID.

    3. Configure the ports that connect this switch to the APs as trunk ports (a port that carries Ethernet frames that already have VLAN IDs in them).

    4. Configure the port connecting this switch to the Firewalla as a trunk port.

    5. Configure the LAN port on the Firewalla connecting to this switch for both of the wireless VLAN IDs (and a separate management VLAN to communicate with the management interface of the APs).

    For your wired devices, the switch you choose can be a simpler switch without VLAN capability, if you don't need to separate the traffic of one wired device from that of another device. If you do need separation, you will need another switch like the one you used for the APs.

    1. Configure VLAN IDs for each group of wired devices that need to be separated. In this case, the switch will add the VLAN ID into the Ethernet frame for each incoming frame and remove it from each outgoing frame.

    2. Configure each individual port with the VLAN ID for the device to which it attaches.

    3. Configure the port connecting to the Firewalla as a trunk port.

    4. Configure the Firewalla LAN port with all of the VLAN IDs of your wired devices.

    I hope this has been helpful.

     -Bob

  • Fitzgibbon, John

    Thank you very much for your response Bob. It was extremely helpful, although somewhat confusing, but every time I run into that I just do more research, which I need.
    So just a couple of comments and another couple of questions. So my Wi-Fi network will be comprised of a lot of devices. So cable modem --> FWG+ --> one managed switch connected to one of the available LAN ports on the FWG+ and connected as a VLAN. Three Ethernet cables will come out of that switch to form my entire Wi-Fi network with the three Omada APs. I then would like to break up the entire Wi-Fi network into possibly a handful of VLANs. For example, one would be for kitchen appliances, one would be for Guest Wi-Fi, one would be for cell phones, one for the Ring camera doorbell and Nest thermostat and possibly another for any other random devices like iRobot and Onkyo receiver. This way all these devices connected to the Wi-Fi will only be comprised of smaller segmented VLANs which won't be able to access each other. Do I have that right in my explanation and understanding?


    Next, cable modem --> FWG+ --> second managed switch connected to one of the available ports on the FWG+ with the VLAN option checked. These will be hardwired Ethernet as mentioned. These are items like my PS5, desktop computer, work laptop computer and a few other devices. The thing here is I literally want every device separate. For example, if I download and infect my desktop PC with malware, I want it to stop there and not have any ability to infect any other wired devices on the same switch. In this case, every connected device on that switch would have its own VLAN setup. Do I have this understanding correct? I believe you explained this very well and I think I am understanding it.

    One thing. When you say "Configure the port connecting this switch to the Firewalla as a trunk port", how exactly do you do that? I've only seen two options when choosing what to make a port, LAN or VLAN (obv not counting WAN port 4).

    Thanks again so much for your time and help. It is very much appreciated.

  • Bob O'Hara

    It sounds like you have a good understanding of my response. The only thing to clear up is “trunk ports”.

    On the Firewalla, check VLAN for the port and list all the VLAN IDs that should be allowed on that port. This is essentially how to configure a trunk port on the Firewalla.

    On the switch, there will likely be three configurations available for each port: tagged, untagged, and trunk.

    The tagged and untagged options are used for "access ports", a port connected to a single device, e.g., your PC or PS5. The tagged option will add a VLAN ID to incoming traffic and remove a VLAN ID from outgoing traffic. You will configure this port with a single VLAN ID. The untagged option will not add a VLAN ID to incoming traffic. The untagged option may simply be the lack of checking the "VLAN" checkbox for the port.

    The trunk option is used on links between network equipment, e.g., between the switch and APs or Firewalla. The switch may require you to configure all of the VLAN IDs that will be allowed to pass through that port.

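    The access-port and trunk-port behaviour Bob describes in his two answers (the switch adding the VLAN ID to a frame entering an access port and removing it on the way out, while a trunk carries only tagged frames for its allowed VLANs), as an added Python model of 802.1Q tagging that is not from this thread or from any Firewalla or TP-Link software; the port names and the ARP broadcast frame are constructed. It also shows the isolation John asks about: a frame entering the PC's VLAN only leaves on the trunk, never on the PS5's port.

```python
import struct

TPID = b"\x81\x00"  # 802.1Q Tag Protocol Identifier (EtherType 0x8100)


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert a 4-byte VLAN tag (priority 0, VLAN ID vid) after the 12-byte dst/src MAC header."""
    return frame[:12] + TPID + struct.pack(">H", vid & 0x0FFF) + frame[12:]


def strip_tag(frame: bytes):
    """Return (vid, untagged_frame); vid is None when the frame carries no 802.1Q tag."""
    if frame[12:14] != TPID:
        return None, frame
    vid = struct.unpack(">H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


class Switch:
    """Minimal VLAN-aware switch that floods (no MAC learning) within one VLAN only."""

    def __init__(self):
        self.ports = {}  # name -> ("access", vid) or ("trunk", {allowed vids})

    def access(self, name: str, vid: int):
        self.ports[name] = ("access", vid)

    def trunk(self, name: str, allowed: set):
        self.ports[name] = ("trunk", set(allowed))

    def forward(self, ingress: str, frame: bytes) -> dict:
        """Frame arriving on port `ingress`; returns {egress_port: frame_as_transmitted}."""
        kind, cfg = self.ports[ingress]
        vid, payload = strip_tag(frame)
        if kind == "access":
            if vid is not None:  # a tagged frame on an access port is dropped
                return {}
            vid = cfg  # the switch assigns the port's VLAN ID on the way in
        elif vid is None or vid not in cfg:  # trunk: must be tagged and on the allowed list
            return {}
        out = {}
        for name, (k, c) in self.ports.items():
            if name == ingress:
                continue
            if k == "access" and c == vid:
                out[name] = payload  # tag removed before the frame reaches the end device
            elif k == "trunk" and vid in c:
                out[name] = add_tag(payload, vid)  # tag kept so the Firewalla knows the VLAN
        return out


# Constructed example: PC in VLAN 10, PS5 in VLAN 20, one trunk to the Firewalla.
sw = Switch()
sw.access("pc", 10)
sw.access("ps5", 20)
sw.trunk("firewalla", {10, 20})
ARP_BROADCAST = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28
```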
  • Fitzgibbon, John

    Yes. Thank you again for that explanation. Now I have a much better understanding of how the switch is to be used with regards to VLANs and how trunking is used and more importantly, why it is used.

    I have looked into so many switches and decided on one that is most likely incredibly overkill for my purposes however I think the reasons I chose it make sense unless you think otherwise.

    There were plenty of cheaper, unmanaged 2.5Gb switches out there but obviously they didn't support VLANs and my needs. I have Xfinity Gigabit service because services like 10Gb+ from fiber optic companies are not offered in my area. So basically I didn't even want a switch with the 10Gb SFP ports.

    Initially in this journey, I spent time trying to just put good Wi-Fi routers in Bridge or AP mode, but many good routers would rather you didn't do that, so they take away a lot of other options within the various routers when you switch them to those modes. Somewhere on this message board someone turned me onto the Omada brand devices since they're actually designed with being put in AP mode in mind primarily and therefore are more compatible in that mode and easier to work with. So I went with the three TP-Link EAP660 HD | Omada WiFi 6 AX3600 Wireless 2.5G Access Point as mentioned previously. Since I didn't have much luck with other companies, I figured I would give TP-Link switches a look since they would probably be quite compatible with the Omada units. Although pricey, I chose two TP-Link TL-SG3210XHP-M2 | Jetstream 8 Port Multi-Gigabit L2+ Managed PoE Switches. One for the Omadas/Wi-Fi across the house and a second for all the wired devices within the house. The unit has an RJ45 2.5Gb console port that can be run to a spare laptop with the controller software. It also has the 10Gb SFP ports, but most had them. They will just remain disconnected. I also looked into the controller software of these switches and while there is quite a bit that it offers, what I need to do seems pretty straightforward. And they are specifically compatible with the Omadas so that should be helpful with setup and monitoring.

    Any thoughts on the devices or just any other useful info, please keep it coming. These switches will arrive very soon and then I will begin hooking everything up. I imagine once I'm working on it things will start to make even more sense…I hope, lol.

  • Bob O'Hara

    I don't have any experience with the TP-Link devices. I use Meraki APs and switches. The stuff you have chosen sounds like it will do the job you require.
