b1ggjoe
May 03, 2018Apprentice
Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)
Hey Everyone,
I'm in the process of re-doing (re-designing) my entire Home Network. I've decided to go the VLAN route for both Wired and Wireless devices. From a security standpoint, I would li...
b1ggjoe
May 03, 2018Apprentice
Hmm...that makes sense. I wonder if this feature will be coming down any time soon or if it's even on the product Roadmap?
If I were to create a few port-based VLANs via my ZyXEL switches. Then, I hardwire the Orbi Router into one of the VLANs...wouldn't that at least cause the entire Orbi ecosystem (Orbi Router, Satellites and anything connected to them via WiFi or Ethernet) to be on that same dedicated VLAN in that ZyXEL Switch's port?
In that same vein, couldn't I also add a few separate APs or re-deploy my old ASUS Routers into AP mode, hard wired into another ZyXEL switch VLAN...just to create/have another separate WiFi VLAN?
Oddly enough, my CenturyLink's Modem does support WiFi VLANs. Its WiFi capabilities only support 2.4Ghz but hell, might not be too bad for guests only.
I know this isn't the best design, but I'm trying here LOL.
Any more thoughts?
BJ
netadmn
May 04, 2018Apprentice
b1ggjoe wrote:
If I were to create a few port-based VLANs via my ZyXEL switches. Then, I hardwire the Orbi Router into one of the VLANs...wouldn't that at least cause the entire Orbi ecosystem (Orbi Router, Satellites and anything connected to them via WiFi or Ethernet) to be on that same dedicated VLAN in that ZyXEL Switch's port?
In that same vein, couldn't I also add a few separate APs or re-deploy my old ASUS Routers into AP mode, hard wired into another ZyXEL switch VLAN...just to create/have another separate WiFi VLAN?
Any more thoughts?
BJ
Yes, yes and yes. You can use wired/Orbi on the same VLAN and put your Asus on another. "The right way" is subjective... the right way would be having you do it the way you want... but the Orbi won't support it. So you either select something that supports putting different SSIDs on different VLANs or hack together something like we are currently discussing. I sent you an example in your PMs since my post keeps disappearing.
b1ggjoe
May 04, 2018Apprentice
Wow, thank you so much for the incredible reply!!! I'm going to have to dissect this and definitely whiteboard this.
The reason for the EdgeRouter is because I thought that having a Router with more sophisticated VLAN capabilities would be necessary, especially if I were to put the Orbi in AP mode.
Now that it's on its way to me, I wonder if it will make things easier; both the EdgeRouter and the ZyXEL switches also support VLANs.
My other concern is the NAS. I know that I can have it physically connected to different VLANs since it does have 4x Gigabit NICs.
I can have it be a part of my private LAN on one NIC, then another NIC be a part of the IoT VLAN and restrict access from the IoT side so only the streaming devices like the NVIDIA Shield TV and Amazon FireSticks have access, based on MAC ID ACLs?
Hmmmm.
Lots to think about.
Of course if Netgear releases the required VLAN features for the Orbi...that would be awesome!!
BJ
netadmn
May 04, 2018Apprentice
b1ggjoe wrote:
The reason for the EdgeRouter is because I thought that having a Router with more sophisticated VLAN capabilities would be necessary, especially if I were to put the Orbi in AP mode.
BJ
You are on the right track but the EdgeRouter leaves much to be desired... in my opinion. If you only want basic VLAN routing without any advanced services/firewall... then go for it. However, it sounds like you really enjoy playing with this hardware and would benefit from a fully featured firewall/gateway like Sophos Home UTM, Untangle, pfSense, etc. Of course those require some more dedicated hardware if you have the budget and desire to learn if you are not already educated in such topics.
netadmn
May 04, 2018Apprentice
b1ggjoe wrote:
My other concern is the NAS. I know that I can have it physically connected to different VLANs since it does have 4x Gigabit NICs.
I can have it be a part of my private LAN on one NIC, then another NIC be a part of the IoT VLAN and restrict access from the IoT side so only the streaming devices like the NVIDIA Shield TV and Amazon FireSticks have access, based on MAC ID ACLs?
Of course if Netgear releases the required VLAN features for the Orbi...that would be awesome!!
BJ
You can multihome your NAS or route the traffic. If your router isn't up to the challenge (resources/speed), then you can multihome. If you multihome, put the primary interface on your private VLAN and use that VLAN gateway as the default gateway. Then set up the other interface on the IoT VLAN. Not sure if you can then restrict it based on user/IP but I would look into that to only allow the IoT/guest devices that need access. Firewalling it off and routing is better if your gateway can handle it.
Don't get your hopes up on Netgear/Orbi offering VLANs per SSID. They have competing products that play in that space. I saw somewhere (but I couldn't find it searching earlier) that the consumer version wouldn't support this and pointed the OP to their netgear WAC line of products. Right now Orbi is only supporting one SSID for your personal use and one for guest. That seems to also be the case with all the other "mesh" consumer products I've seen so far.
The real answer to our goal is to get Meraki, Aruba, Ubiquiti, or similar APs, create a VLAN trunk on your switch and connect the AP. They all operate in AP mode with a dedicated gateway. That will allow the SSIDs to be on different VLANs. They work amazingly well but that is too complicated for most consumer users and users want wireless everywhere. Orbi has the benefits of being supposedly easy for people to deploy without wires and covering a large area without a huge decrease in speed like the extenders cause. They were not designed with our use cases in mind.
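One way to lock down the multihomed NAS netadmn describes, as an added example that is not from this thread or any vendor: a host firewall on the NAS itself (nftables on a Linux-based NAS is assumed) that allows only the listed streaming clients on the IoT-side NIC to reach the media ports, logs and drops everything else from that side, and refuses to forward between the two NICs so the NAS cannot become a bridge between VLANs. Interface names, client addresses and ports are constructed placeholders; it filters by IP rather than MAC because a MAC ACL is trivially bypassed by any device that can change its address.

```shell
#!/bin/sh
# Constructed example for a multihomed NAS: eth0 on the private VLAN (holds the
# default gateway), eth1 on the IoT VLAN with no default route. All names below
# are assumptions; override them via environment variables.
IOT_IF="${IOT_IF:-eth1}"
IOT_CLIENTS="${IOT_CLIENTS:-192.168.50.10, 192.168.50.11}"   # Shield TV, Fire Stick (constructed)
MEDIA_PORTS="${MEDIA_PORTS:-445, 8096}"                       # SMB and a media server (assumed)

# Print the nftables ruleset for the NAS.
gen_nas_rules() {
  cat <<EOF
flush ruleset
table inet nas {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    # private VLAN side keeps normal LAN access
    iifname != "$IOT_IF" accept
    # IoT side: only the known streamers, only the media ports
    iifname "$IOT_IF" ip saddr { $IOT_CLIENTS } tcp dport { $MEDIA_PORTS } accept
    # everything else from the IoT VLAN is logged (for review) and dropped
    iifname "$IOT_IF" log prefix "nas-iot-drop: " drop
  }
  chain forward {
    # the NAS must never route or bridge traffic between the two VLANs
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

# Write the ruleset to a file and syntax-check it (nft -c) without applying it.
# Returns 0 when the file was written and, if nft is installed, parses cleanly.
write_nas_rules() {
  out="${1:-/tmp/nas.nft}"
  gen_nas_rules > "$out" || return 1
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$out"
  fi
}
```

Apply with `nft -f /tmp/nas.nft` once the check passes; the `nas-iot-drop:` prefix makes rejected IoT-side connection attempts easy to spot in the kernel log.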
b1ggjoe
May 04, 2018Apprentice
Yeah, makes sense big time. I may just have to look into those other APs then, as you suggested. As for Firewalling off the NAS, I'm wondering if I should insert a small Firewall appliance, like an Untangle u25x in front of the NAS on the IoT VLAN NIC, or maybe use a built-in security feature such as this:
Then I can get really crazy with the Firewall rules and access controls.
What do you think?
BJ