b1ggjoe
May 03, 2018 (Apprentice)
Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)
Hey Everyone,
I'm in the process of re-doing (re-designing) my entire Home Network. I've decided to go the VLAN route for both Wired and Wireless devices. From a security standpoint, I would li...
netadmn
May 03, 2018 (Apprentice)
Orbi won't allow you to separate your SSIDs into separate VLANs. If you dig through the debug diagnostic logs, they support some VLANs on the switch, but they don't let you control them. (Go to /debug.htm and run a debug log, then look in basic_debug_log; you can see them separating the WAN/LAN ports based on your config.)
hyd.@Vlanid[0]=Vlanid
hyd.@Vlanid[0].ifname='eth1'
hyd.@Vlanid[0].vid='1'
hyd.@Vlanid[1]=Vlanid
hyd.@Vlanid[1].ifname='eth0'
hyd.@Vlanid[1].vid='2'
lanwan.@switch[0].enable_vlan='1'
lanwan.@switch_vlan[0]=switch_vlan
lanwan.@switch_vlan[0].device='switch0'
lanwan.@switch_vlan[0].vlan='1'
lanwan.@switch_vlan[0].ports='6 1 2 3 4'
lanwan.@switch_vlan[1]=switch_vlan
lanwan.@switch_vlan[1].device='switch0'
lanwan.@switch_vlan[1].vlan='2'
lanwan.@switch_vlan[1].ports='0 5'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0t 2 3 4 5'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='0t 1'
nowan.@switch[0].enable_vlan='1'
nowan.@switch_vlan[0]=switch_vlan
nowan.@switch_vlan[0].device='switch0'
nowan.@switch_vlan[0].vlan='1'
nowan.@switch_vlan[0].ports='6 1 2 3 4 5'
tt3.@switch[0].enable_vlan='1'
tt3.@switch_vlan[0]=switch_vlan
tt3.@switch_vlan[0].device='switch0'
tt3.@switch_vlan[0].vlan='1'
tt3.@switch_vlan[0].ports='1 2 3 4 5'
You can separate your personal and guest devices, but they are still on the same subnet. I would also like this feature. I use it on my Aruba gear at work and love it. I'm considering the Ubiquiti UniFi AC APs since I don't care about the router (I use a pfSense SG-3100). I was being lazy and opportunistic when I bought Orbi from Costco, but I really should have done more research.
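To read the switch stanzas above without eyeballing them, here is an added example (not from the original post or from NETGEAR) that parses lines in this UCI/swconfig format and inverts them into a per-port view. The `t` suffix marks a port as tagged on that VLAN, as in OpenWrt's swconfig `ports` option; treating port 0 as the CPU-facing port is an assumption. The excerpt it parses is copied from the `network` section above.

```python
import re
from collections import defaultdict

# Excerpt in the same UCI format as the Orbi basic_debug_log posted above.
DEBUG_LOG = """\
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0t 2 3 4 5'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='0t 1'
"""

# config.@switch_vlan[idx].key='value'; the section-header line (=switch_vlan) is skipped.
STANZA_RE = re.compile(
    r"^(?P<cfg>\w+)\.@switch_vlan\[(?P<idx>\d+)\]\.(?P<key>device|vlan|ports)='(?P<val>[^']*)'$"
)


def parse_switch_vlans(text: str, config: str = "network") -> dict:
    """Return {vid: {"device": str, "tagged": [ports], "untagged": [ports]}} for one config."""
    stanzas = defaultdict(dict)
    for raw in text.splitlines():
        m = STANZA_RE.match(raw.strip())
        if m and m["cfg"] == config:
            stanzas[int(m["idx"])][m["key"]] = m["val"]

    vlans = {}
    for _, s in sorted(stanzas.items()):
        if "vlan" not in s or "ports" not in s:
            continue  # incomplete stanza: skip rather than guess
        tagged, untagged = [], []
        for tok in s["ports"].split():
            # swconfig convention: "0t" = port 0 carries this VLAN tagged, "2" = untagged member
            (tagged if tok.endswith("t") else untagged).append(int(tok.rstrip("t")))
        vlans[int(s["vlan"])] = {"device": s.get("device"), "tagged": tagged, "untagged": untagged}
    return vlans


def port_view(vlans: dict) -> dict:
    """Invert to {port: {"untagged": vid or None, "tagged": [vids]}} to see what each port carries."""
    ports = defaultdict(lambda: {"untagged": None, "tagged": []})
    for vid, v in vlans.items():
        for p in v["untagged"]:
            ports[p]["untagged"] = vid
        for p in v["tagged"]:
            ports[p]["tagged"].append(vid)
    return {p: ports[p] for p in sorted(ports)}


def trunk_ports(vlans: dict) -> list:
    """Ports that carry any tagged VLAN. If only the CPU port (assumed to be 0) shows up,
    no physical port can hand out a tagged per-SSID VLAN to a downstream switch."""
    return [p for p, v in port_view(vlans).items() if v["tagged"]]


if __name__ == "__main__":
    vlans = parse_switch_vlans(DEBUG_LOG)
    for vid, v in vlans.items():
        print(f"VLAN {vid} on {v['device']}: tagged={v['tagged']} untagged={v['untagged']}")
    print("trunk ports:", trunk_ports(vlans))
```

On the excerpt above this reports VLAN 1 (ports 2 to 5 untagged) and VLAN 2 (port 1 untagged), both tagged only on port 0. Every externally reachable port is an access port, which is the switch-level reason the SSIDs cannot be handed out on separate VLANs from the user interface.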
- b1ggjoe, May 03, 2018 (Apprentice)
Hmm...that makes sense. I wonder if this feature will be coming down any time soon or if it's even on the product roadmap?
If I were to create a few port-based VLANs via my ZyXEL switches, then hardwire the Orbi router into one of the VLANs...wouldn't that at least cause the entire Orbi ecosystem (Orbi router, satellites and anything connected to them via WiFi or Ethernet) to be on that same dedicated VLAN in that ZyXEL switch's port?
In that same vein, couldn't I also add a few separate APs or re-deploy my old ASUS routers in AP mode, hardwired into another ZyXEL switch VLAN...just to create/have another separate WiFi VLAN?
Oddly enough, my CenturyLink modem does support WiFi VLANs. Its WiFi capabilities only support 2.4GHz but hell, might not be too bad for guests only.
I know this isn't the best design, but I'm trying here LOL.
Any more thoughts?
BJ
- b1ggjoe, May 03, 2018 (Apprentice)
I also forgot to add that I did order an EdgeRouter X. Just in case I needed it. I do have a few other devices (old hardware) that I do not mind inserting into this equation, just to be able to get it done correctly:
- ASUS RT-AC68U
- ASUS RT-N66U
- SonicWALL TZ210
- Linksys WRT54G (yes, the one and only)
DaneA ... Thought I would add you to this, since I've seen the kind of help that you have provided in the past...very awesome!!
Thanks!
BJ
- netadmn, May 04, 2018 (Apprentice)
You could certainly do that... create VLANs and then put the physical APs on different VLANs. The APs would be connected to access ports, untagged with the PVID set. You will want some gateway that has multiple interfaces, or a trunk with sub-interfaces, to handle the routing out to the internet and to route/allow/deny access between the VLANs. You will likely need to deploy them in AP mode only, unless you want each AP to route too with static routes, but that would be messy. Much easier to have the gateway do that routing and also serve as a single DHCP/DNS/NTP for each VLAN it serves. pfSense would be a great solution for your gateway.
What is your goal with the EdgeRouterX?
Here is a quick example based on your original goal:
VLAN100 for internet access (or plug gateway right into modem/ONT)
VLAN2 192.168.2.x/24 for wired/wireless... Orbi in AP mode
VLAN3 192.168.3.x/24 for the IoT AP, shared with guest (segment guest traffic); ASUS RT-AC68U in AP mode
Create a pfSense firewall with 3 interfaces (or 2, with 1 trunked for the LAN) to serve as the gateway for the two LAN VLANs
Create firewall rules that allow 192.168.2.x (wired/wireless) -> 192.168.3.x IOT devices
Create firewall rules that deny 192.168.3.x IOT devices -> 192.168.2.x (wired/wireless)
Allow 192.168.2.x and 192.168.3.x -> internet (you can get as strict as you want with your outbound rules...)
Use OpenDNS and/or pfblocker for 192.168.3.x IOT/Guest network for basic content filtering to limit guest internet access liability and block IOT from known malware sites so they are less likely to join a botnet.
Setup OpenVPN for remote access to services and to protect yourself on open wireless networks (public)
Depending on your level of "smart home" you might want to think about what services/IGMP/etc. you need to route between the VLANs if you need to use Chromecast, multiroom speakers, etc. It can get complicated real quick. These devices are designed to just work, and when you start segmenting them you need to account for their protocols and how they work between subnets if necessary.
I'm in a similar boat. I'm rebuilding my network, upgrading from Sophos Home UTM (on an old workstation) as my gateway and an Asus AC66U as my AP. I just had more devices than the Asus could handle, but it served me well for 5 years. I've just deployed a pfSense (Netgate) SG-3100 for my VPN/gateway/firewall/etc. I selected Orbi because I was excited about 5GHz everywhere to get rid of some 2.4GHz interference (neighbors' APs, Zigbee, etc.) and I got it on sale, RBK53 (RBR50 + 2 RBS50) for $389. Based on prices at other stores, it was a great buy so I grabbed it. I'm not 100% sure I'll keep it yet...
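A small model of the inter-VLAN policy sketched in the post above, written as an added example (not from the original post and not pfSense code). It evaluates rules first-match per ingress VLAN, the way pfSense evaluates interface rules, and keeps a state table so that the "deny IoT -> LAN" rule does not break replies to LAN-initiated connections; it also shows why link-local multicast such as mDNS (the Chromecast-style discovery traffic mentioned in the last paragraph) never crosses the gateway at all. All addresses, ports and host roles are constructed, and the "other private" zone for the modem's own subnet is an assumption not in the original design.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subnets from the design above. Every host address below is constructed for illustration.
TRUSTED = ip_network("192.168.2.0/24")   # VLAN2: wired + Orbi in AP mode
IOT = ip_network("192.168.3.0/24")       # VLAN3: IoT AP + guest
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    new_flow: bool = True  # True for the first packet of a connection (e.g. a TCP SYN)


def zone(addr: str) -> str:
    """Classify an address into the zones the rules talk about."""
    a = ip_address(addr)
    if a.is_multicast:
        return "multicast"
    if a in TRUSTED:
        return "trusted"
    if a in IOT:
        return "iot"
    if any(a in n for n in PRIVATE):
        return "other_private"  # assumed: e.g. the modem's own subnet, not covered by the design
    return "internet"


# Rules per ingress VLAN, first match wins (pfSense interface-rule semantics).
# Anything unmatched falls through to the implicit default deny.
POLICY = {
    "trusted": [("iot", "allow"), ("internet", "allow")],     # LAN -> IoT, LAN -> internet
    "iot":     [("trusted", "deny"), ("internet", "allow")],  # IoT/guest may not initiate into LAN
}


class Gateway:
    """Stateful first-match evaluator for the two LAN VLANs."""

    def __init__(self) -> None:
        self.states: set[tuple] = set()

    def evaluate(self, p: Packet) -> str:
        dst_zone = zone(p.dst)
        if dst_zone == "multicast":
            # 224.0.0.0/24 (where mDNS lives) is link-local scope: a router never forwards it,
            # so device discovery breaks across VLANs unless a reflector/proxy is added.
            return "not-routed"
        if not p.new_flow:
            # Reply traffic is matched against the state table, not the rules. This is why a
            # "deny IoT -> LAN" rule still lets an IoT device answer a LAN-initiated session.
            reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
            return "allow (established)" if reverse in self.states else "deny (no state)"
        for target, action in POLICY.get(zone(p.src), []):
            if target == dst_zone:
                if action == "allow":
                    self.states.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return action
        return "deny (default)"


def run_trace() -> list[str]:
    """Constructed traffic sample: one decision per packet, in order."""
    gw = Gateway()
    trace = [
        Packet("192.168.2.10", "192.168.3.20", "tcp", 51000, 8008),                 # laptop -> Chromecast
        Packet("192.168.3.20", "192.168.2.10", "tcp", 8008, 51000, new_flow=False),  # its reply
        Packet("192.168.3.30", "192.168.2.5", "tcp", 40000, 445),                   # IoT camera -> NAS SMB
        Packet("192.168.3.30", "203.0.113.10", "tcp", 40001, 443),                  # IoT camera -> its cloud
        Packet("192.168.2.10", "224.0.0.251", "udp", 5353, 5353),                   # laptop mDNS query
        Packet("192.168.3.40", "192.168.1.1", "tcp", 40002, 80),                    # guest -> modem admin page
    ]
    return [gw.evaluate(p) for p in trace]


if __name__ == "__main__":
    for decision in run_trace():
        print(decision)
```

The "allow LAN -> IoT" rule only helps once the laptop already knows the Chromecast's address; the mDNS query that would find it is dropped at the subnet boundary, which is what makes an mDNS reflector (pfSense ships one as the Avahi package) part of the design once casting or multiroom audio has to work across VLANs.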
- netadmn, May 04, 2018 (Apprentice)
b1ggjoe wrote:
> If I were to create a few port-based VLANs via my ZyXEL switches, then hardwire the Orbi router into one of the VLANs...wouldn't that at least cause the entire Orbi ecosystem (Orbi router, satellites and anything connected to them via WiFi or Ethernet) to be on that same dedicated VLAN in that ZyXEL switch's port?
> In that same vein, couldn't I also add a few separate APs or re-deploy my old ASUS routers in AP mode, hardwired into another ZyXEL switch VLAN...just to create/have another separate WiFi VLAN?
> Any more thoughts?
> BJ
Yes, yes and yes. You can use wired/Orbi on the same VLAN and put your Asus on another. "The right way" is subjective... the right way would be having you do it the way you want... but the Orbi won't support it. So you either select something that supports putting different SSIDs on different VLANs, or hack together something like we are currently discussing. I sent you an example in your PMs since my post keeps disappearing.
- b1ggjoe, May 04, 2018 (Apprentice)
Wow, thank you so much for the incredible reply!!! I'm going to have to dissect this and definitely whiteboard this.
The reason for the EdgeRouter is because I thought that having a Router with more sophisticated VLAN capabilities would be necessary, especially if I were to put the Orbi in AP mode.
Now that it's on its way to me, I wonder if it will make things easier; both the EdgeRouter and the ZyXEL switches also support VLANs.
My other concern is the NAS. I know that I can have it physically connected to different VLANs since it does have 4x Gigabit NICs.
I can have it be a part of my private lan on one Nic, then another NIC be a part of the IoT VLAN and restrict access from the IoT side so only the streaming devices like the NVIDIA Shield TV and Amazon FireSticks have access, based on MAC ID ACLs?
Hmmmm.
Lots to think about.
Of course if Netgear releases the required VLAN features for the Orbi...that would be awesome!!
BJ
- fender87, May 06, 2018 (Aspirant)
I'm in an extremely similar situation. I bought the Orbi on a whim at Best Buy. I wish I'd done much more research. I love the Orbi coverage, but the features are terrible. I ended up buying the Ubiquiti AC Pro AP just so I can VLAN-tag the SSIDs.
I currently use pfSense into a Ubiquiti switch and the Ubiquiti AC Pro AP with 3 tagged SSIDs. I love the Ubiquiti products. However, the Orbi obviously had better coverage than the one AP I currently have (especially since I'm renting and can't drill holes through the walls to add more wired APs). However, if Orbi enabled VLAN tagging, I'd switch back in a heartbeat.