
b1ggjoe
Apprentice
May 03, 2018

Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

Hey Everyone,
 
I'm in the process of re-doing (re-designing) my entire Home Network. I've decided to go the VLAN route for both Wired and Wireless devices. From a security standpoint, I would like to have all of my IoT / Smart Devices (Amazon Echos, Ring Doorbell Pro, etc., bla bla) on their own Wireless VLAN.
 
I would also like to have a Wireless VLAN just for visiting friends/family/guests.
 
Lastly, I would like to have a Wireless VLAN for the members of my immediate household. Ideally, I would like to create a specific VLAN for both Wireless and Wired devices, for my immediate household that is.
 
Here is what I currently have in terms of hardware:
 
1. - I have an Orbi RBR50 w/ 2x Satellites.
 
From what I can see, the Orbi Router seems to only support basic VLAN tagging. However, the ORBI does allow for you to create a 'Guest WiFi' and restrict users from even seeing/interacting with each other and etc.
 
As weird as it may seem, my CenturyLink Fiber Modem seems to have more options for VLAN Management than the Orbi.
 
2. - I have 2x ZyXEL switches, a GS1900-8 (8-Port) and a GS1900-24E (24-Port).
 
According to their specs they support the following VLAN/QoS specs:
 
Traffic Management and QoS 
• Port-based VLAN
• IEEE 802.1Q VLAN tagging
• IEEE 802.3ad LACP
• Guest VLAN
• Voice VLAN
• Storm control
• IEEE 802.1p priority queues per port
• IEEE 802.1p Queuing method (scheduler)
• Input priority mapping
• Rate limiting per port (ingress/egress)
• IEEE 802.3x flow control
 
 
So that said, since I would like to do some VLAN Magic as stated above, is there a way to do this with my current hardware? Or do I need to purchase additional hardware like a Netgear Router or a little EdgeRouterX or something?
 
Also, I'm trying to understand...since I'm using the Orbi RBR50 w/ Two Satellites...I'm not sure how I can create additional WiFi VLANs without adding additional APs or other equipment?
 
Any thoughts and recommendations welcome!!
 
BJ

27 Replies

  • Orbi won't allow you to separate your SSIDs into separate VLANs. If you dig through the debug diagnostic logs, they support some VLANs on the switch but they don't let you control them. (Go to /debug.htm and run a debug log... look in the basic_debug_log and you can see they are separating the WAN/LAN ports based on your config.)

     

    Line 85: hyd.@Vlanid[0]=Vlanid
    Line 86: hyd.@Vlanid[0].ifname='eth1'
    Line 87: hyd.@Vlanid[0].vid='1'
    Line 88: hyd.@Vlanid[1]=Vlanid
    Line 89: hyd.@Vlanid[1].ifname='eth0'
    Line 90: hyd.@Vlanid[1].vid='2'
    Line 197: lanwan.@switch[0].enable_vlan='1'
    Line 198: lanwan.@switch_vlan[0]=switch_vlan
    Line 199: lanwan.@switch_vlan[0].device='switch0'
    Line 200: lanwan.@switch_vlan[0].vlan='1'
    Line 201: lanwan.@switch_vlan[0].ports='6 1 2 3 4'
    Line 202: lanwan.@switch_vlan[1]=switch_vlan
    Line 203: lanwan.@switch_vlan[1].device='switch0'
    Line 204: lanwan.@switch_vlan[1].vlan='2'
    Line 205: lanwan.@switch_vlan[1].ports='0 5'
    Line 350: network.@switch[0].enable_vlan='1'
    Line 351: network.@switch_vlan[0]=switch_vlan
    Line 352: network.@switch_vlan[0].device='switch0'
    Line 353: network.@switch_vlan[0].vlan='1'
    Line 354: network.@switch_vlan[0].ports='0t 2 3 4 5'
    Line 355: network.@switch_vlan[1]=switch_vlan
    Line 356: network.@switch_vlan[1].device='switch0'
    Line 357: network.@switch_vlan[1].vlan='2'
    Line 358: network.@switch_vlan[1].ports='0t 1'
    Line 392: nowan.@switch[0].enable_vlan='1'
    Line 393: nowan.@switch_vlan[0]=switch_vlan
    Line 394: nowan.@switch_vlan[0].device='switch0'
    Line 395: nowan.@switch_vlan[0].vlan='1'
    Line 396: nowan.@switch_vlan[0].ports='6 1 2 3 4 5'
    Line 585: tt3.@switch[0].enable_vlan='1'
    Line 586: tt3.@switch_vlan[0]=switch_vlan
    Line 587: tt3.@switch_vlan[0].device='switch0'
    Line 588: tt3.@switch_vlan[0].vlan='1'
    Line 589: tt3.@switch_vlan[0].ports='1 2 3 4 5'

     

    You can separate your personal and guest devices but they are still on the same subnet. I would also like this feature. I use it on my Aruba gear at work and love it. I'm considering the Ubiquiti UniFi AC APs since I don't care about the router (use pfSense sg-3100). I was being lazy and opportunistic when I bought Orbi from Costco but I really should have done more research.
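
Added example, not part of the thread and not NETGEAR's code: a small Python parser that turns the `switch_vlan` lines quoted in the post above into a per-VLAN port map, so the tagged and untagged membership can be read at a glance. It assumes the dump follows OpenWrt swconfig syntax, where a trailing `t` on a port number marks that port as tagged; `parse_switch_vlans` and `trunk_ports` are hypothetical names.

```python
import re
from collections import defaultdict

# Excerpt of the "network" and "nowan" entries quoted in the post above,
# kept in the same "Line N: key='value'" search-result form.
SAMPLE = """\
Line 353: network.@switch_vlan[0].vlan='1'
Line 354: network.@switch_vlan[0].ports='0t 2 3 4 5'
Line 357: network.@switch_vlan[1].vlan='2'
Line 358: network.@switch_vlan[1].ports='0t 1'
Line 395: nowan.@switch_vlan[0].vlan='1'
Line 396: nowan.@switch_vlan[0].ports='6 1 2 3 4 5'
"""

ENTRY = re.compile(r"^(?:Line \d+:\s*)?(\w+)\.@switch_vlan\[(\d+)\]\.(vlan|ports)='([^']*)'$")

def parse_switch_vlans(text):
    """Return {config: {vlan_id: {"tagged": [...], "untagged": [...]}}}."""
    raw = defaultdict(dict)                      # (config, index) -> {option: value}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            cfg, idx, opt, val = m.groups()
            raw[(cfg, int(idx))][opt] = val      # repeated lines simply overwrite
    out = defaultdict(dict)
    for (cfg, _), opts in sorted(raw.items()):
        if "vlan" not in opts or "ports" not in opts:
            continue                             # incomplete section, skip it
        ports = opts["ports"].split()
        out[cfg][int(opts["vlan"])] = {
            # Assumption: OpenWrt swconfig syntax, trailing "t" = tagged port.
            "tagged": [int(p[:-1]) for p in ports if p.endswith("t")],
            "untagged": [int(p) for p in ports if not p.endswith("t")],
        }
    return dict(out)

def trunk_ports(vlans):
    """Ports that are tagged members of two or more VLANs in one config."""
    seen = defaultdict(set)
    for vid, members in vlans.items():
        for p in members["tagged"]:
            seen[p].add(vid)
    return {p: sorted(v) for p, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for cfg, vlans in parse_switch_vlans(SAMPLE).items():
        print(cfg, vlans, "trunks:", trunk_ports(vlans))
```

On the quoted `network` section this reports only VLANs 1 and 2, with port 0 tagged in both; the thread does not say which physical jack each port number corresponds to.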

    • fender87
      Aspirant

      I'm in an extremely similar situation. I bought the Orbi on a whim at Best Buy. I wish I'd done much more research. I love the Orbi coverage, but the features are terrible. I ended up buying the Ubiquiti AC Pro AP just so I can VLAN tag the SSIDs.

       

      I currently use pfSense into a Ubiquiti Switch and the Ubiquiti AC Pro AP with 3 tagged SSIDs. I love the Ubiquiti products. However, the Orbi obviously had better coverage than the one AP I currently have (especially since I'm renting and can't drill holes through the walls to add more wired APs). However, if Orbi enabled VLAN tagging, I'd switch back in a heartbeat.

    • b1ggjoe
      Apprentice
      Hmm...that makes sense. I wonder if this feature will be coming down any time soon or if it's even on the product Roadmap?
       
      If I were to create a few port-based VLANs via my ZyXEL switches. Then, I hardwire the Orbi Router into one of the VLANs...wouldn't that at least cause the entire Orbi ecosystem (Orbi Router, Satellites and anything connected to them via WiFi or Ethernet) to be on that same dedicated VLAN in that ZyXEL Switch's port?
       
      In that same vein, couldn't I also add a few separate APs or re-deploy my old ASUS Routers into AP mode, hard wired into another ZyXEL switch VLAN...just to create/have another separate WiFi VLAN?
       
      Oddly enough, my CenturyLink's Modem does support WiFi VLANs. Its WiFi capabilities only support 2.4GHz but hell, might not be too bad for guests only.
       
      I know this isn't the best design, but I'm trying here LOL.
       
      Any more thoughts?
       
      BJ
      • netadmn
        Apprentice

        b1ggjoe wrote:
         
        If I were to create a few port-based VLANs via my ZyXEL switches. Then, I hardwire the Orbi Router into one of the VLANs...wouldn't that at least cause the entire Orbi ecosystem (Orbi Router, Satellites and anything connected to them via WiFi or Ethernet) to be on that same dedicated VLAN in that ZyXEL Switch's port?
         
        In that same vein, couldn't I also add a few separate APs or re-deploy my old ASUS Routers into AP mode, hard wired into another ZyXEL switch VLAN...just to create/have another separate WiFi VLAN?
          
        Any more thoughts?
         
        BJ

        Yes, yes and yes. You can use wired/Orbi on the same VLAN and put your Asus on another. "The right way" is subjective... the right way would be having you do it the way you want... but the Orbi won't support it. So you either select something that supports putting different SSIDs on different VLANs or hack together something like we are currently discussing. I sent you an example in your PMs since my post keeps disappearing.