d_rick
Aspirant

Network Segmentation - how to do it?

Hi,

 

I am trying to segment my home network so that devices I don't own / manage (PS4, DirecTV, amplifier, TV, etc.) all go onto their own subnet which won't traverse onto the rest of my SOHO. There appears to be no way to do this with the R8000 by itself, so I'm thinking if I dust off the R7000 and use it, this might be possible.

 

SOHO Environment -

Charter cable -> Meraki MX60 untrust port in my office

 

MX60 port 1 dumps into Netgear GS716T / internal VLAN 1 for all devices (currently)

MX60 port 2 dumps into Netgear powerline adapter/ VLAN 2 which feeds my security system

MX60 has firewall rule that 192.168.1 can't talk to 192.168.2 and vice versa

 

GS716T/VLAN 1 then runs long haul via ethernet cable from back of house to front of house and dumps into R8000 which is the primary AP for the house

 

So my question is, how can I add the R7000 onto the network and have all that traffic live on VLAN2 and be isolated with the security system traffic?

 

I tried adding the R7000 on the network in router mode - putting internet port as DHCP / connected into a LAN port on the R8000, LAN is manually set to 192.168.2.100 and then having it DHCP the rest of the clients - but this doesn't touch the Meraki and as such the rules don't work.

 

Is there a way to accomplish this with my limitations on devices being in different parts of the house?

 

TIA

D

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router,R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 1 of 9
TheEther
Guru

Re: Network Segmentation - how to do it?

I'm not intimately familiar with the MX60, but after quickly perusing the online documentation, I think you can configure ports 1 and 2 to be in different subnets, 192.168.1.0/255.255.255.0 and 192.168.2.0/255.255.255.0. Assuming that you set up the firewall rules correctly to prohibit the two subnets from talking to each other, then all that remains is to set up the R7000 as an AP and hang it off of port 2.

Message 2 of 9
d_rick
Aspirant

Re: Network Segmentation - how to do it?


@TheEther wrote:

I'm not intimately familiar with the MX60, but after quickly perusing the online documentation, I think you can configure ports 1 and 2 to be in different subnets, 192.168.1.0/255.255.255.0 and 192.168.2.0/255.255.255.0. Assuming that you set up the firewall rules correctly to prohibit the two subnets from talking to each other, then all that remains is to set up the R7000 as an AP and hang it off of port 2.


Hi Ether,

 

So I tried to explain this in the original post, but the two devices are not in the same room. That is my issue.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router,R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 3 of 9
TheEther
Guru

Re: Network Segmentation - how to do it?


@d_rick wrote:

So I tried to explain this in the original post, but the two devices are not in the same room. That is my issue.


Which two devices are not in the same room?

 

Message 4 of 9
d_rick
Aspirant

Re: Network Segmentation - how to do it?


@TheEther wrote:

@d_rick wrote:

So I tried to explain this in the original post, but the two devices are not in the same room. That is my issue.


Which two devices are not in the same room?

 


The R7000 & R8000 are sitting right next to each other. The MX60 is in another room - so it's impossible to plug the R7000 into the MX60

Message 5 of 9
TheEther
Guru

Re: Network Segmentation - how to do it?

It might help for you to draw a picture that shows how you want to segregate your devices.

 

Going by your original post, I thought you wanted to put a bunch of devices onto VLAN2, which is hanging off of port 2 of the MX60.  You could, for example, insert the R7000 in one of two ways:

  1. MX60===VLAN2===R7000===Powerline===switch====wired devices
  2. MX60===VLAN2===Powerline===R7000===wired devices

Pick the one that puts the R7000 closest to the wireless devices that you want on VLAN2.

 

OTOH, a completely different option is to multiplex several VLANs onto that Ethernet cable feeding your R8000. I've never tried it but both the R7000 and R8000 claim to support VLAN tagging. You can set them up so that the R7000 tags its traffic for VLAN2 and the R8000 tags its traffic with VLAN1. Then set up the MX60 to run both VLAN1 and VLAN2 on port 1. Finally, connect the R7000 WAN port to one of the R8000's LAN ports. You would still need firewall rules to segregate both VLANs from each other.

 

If neither of these meets your needs, then please provide the picture. :)

Message 6 of 9
d_rick
Aspirant

Re: Network Segmentation - how to do it?

So I had two AV5101 powerline adapters lying around, so I tried that route, "picture" below.

 

MX60===VLAN3===Rear Powerline===Front Powerline===GS108===R7000 & wired devices

 

1st the good news - I've segmented all devices I wanted onto a subnet and am now using the Meraki for DHCP and the R7000 as AP only. I mirrored the VLAN/PL setup I used for security system, so that should work (this setup also uses another set of NetGear PL adapters).

 

Now for the bad news - the bandwidth has dropped by 80% in this config. I cannot get anything above 10 Mbps throughput on this segment now. The PL's are rated as "Gigabit", but running two pairs of them has been problematic in the past.

 

On my other segment I get full rated bandwidth on both LAN and wireless no less (60/5) -

 

MX60===VLAN1===50ish foot CAT 6 cable run in attic===R8000 AP===iphones, ipads, laptops

 

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router,R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 7 of 9
TheEther
Guru

Re: Network Segmentation - how to do it?

Unfortunately, Powerline is very much hit or miss, as you have discovered.

 

Either run another Ethernet cable or try overlaying multiple VLANs onto your existing Ethernet, as I suggested earlier.

 

Message 8 of 9
d_rick
Aspirant

Re: Network Segmentation - how to do it?


@TheEther wrote:

Unfortunately, Powerline is very much hit or miss, as you have discovered.

 

Either run another Ethernet cable or try overlaying multiple VLANs onto your existing Ethernet, as I suggested earlier.

 


Yeah - now I remember why I stopped using it before. It's literally a 0 or a 1 (i.e. it works or it doesn't) and there is no configuration or tuning that you can do.

 

I'm sorting through how to set up the VLANs properly on both the Meraki and my core switch and make sure they line up. The setup on this for the GS716 is not intuitive at all.

Message 9 of 9
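
An added example, not part of the thread and not from either poster: a small audit of an inter-VLAN rule list, showing that the two deny rules from the first post stop covering the layout once a third VLAN is added. The VLAN 3 subnet, the VLAN labels, the `(action, src, dst)` rule format and the default-allow behaviour are assumptions made for illustration.

```python
import ipaddress
from itertools import permutations

# Constructed model of the thread's layout. The VLAN 1 and VLAN 2 subnets come
# from the posts; the VLAN 3 subnet is an assumption (the thread never gives it).
VLANS = {
    "VLAN1-trusted": ipaddress.ip_network("192.168.1.0/24"),
    "VLAN2-security": ipaddress.ip_network("192.168.2.0/24"),
    "VLAN3-unmanaged": ipaddress.ip_network("192.168.3.0/24"),
}

# Rules are (action, source CIDR, destination CIDR), evaluated top-down with
# first match winning. These two mirror the rule described in the first post.
RULES = [
    ("deny", "192.168.1.0/24", "192.168.2.0/24"),
    ("deny", "192.168.2.0/24", "192.168.1.0/24"),
]
DEFAULT_ACTION = "allow"  # assumption: routed inter-VLAN traffic passes unless denied


def decide(rules, src_net, dst_net):
    """Return the verdict for traffic from src_net to dst_net.

    A rule covers the pair only if it contains both subnets entirely. A rule
    that merely overlaps them leaves some hosts unfiltered: "partial".
    """
    for action, src, dst in rules:
        rule_src, rule_dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if src_net.subnet_of(rule_src) and dst_net.subnet_of(rule_dst):
            return action
        if src_net.overlaps(rule_src) and dst_net.overlaps(rule_dst):
            return "partial"
    return DEFAULT_ACTION


def isolation_gaps(vlans, rules):
    """List every ordered VLAN pair whose traffic is not fully denied."""
    gaps = []
    for (a, net_a), (b, net_b) in permutations(vlans.items(), 2):
        verdict = decide(rules, net_a, net_b)
        if verdict != "deny":
            gaps.append((a, b, verdict))
    return gaps


if __name__ == "__main__":
    for src, dst, verdict in isolation_gaps(VLANS, RULES):
        print(f"{src} -> {dst}: {verdict}")
```

Each direction is checked separately because a one-way deny still lets the other side initiate connections.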