Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

b1ggjoe
Apprentice

Hey Everyone,
 
I'm in the process of re-doing (re-designing) my entire Home Network. I've decided to go the VLAN route for both Wired and Wireless devices. From a security standpoint, I would like to have all of my IoT / Smart Devices (Amazon Echo's, Ring Doorbell Pro, etc., bla bla) on their own Wireless VLAN.
 
I would also like to have a Wireless VLAN just for visiting friends/family/guests.
 
Lastly, I would like to have a Wireless VLAN for the members of my immediate household. Ideally, I would like to create a specific VLAN for both Wireless and Wired devices, for my immediate household that is.
 
Here is what I currently have in terms of hardware:
 
1. - I have an Orbi RBR50 w/ 2x Satellites.
 
From what I can see, the Orbi Router seems to only support basic VLAN tagging. However, the ORBI does allow for you to create a 'Guest WiFi' and restrict users from even seeing/interacting with each other and etc.
 
As weird as it may seem, my CenturyLink Fiber Modem seems to have more options for VLAN Management than the Orbi.
 
2. - I have 2x ZyXEL switches, a GS1900-8 (8-Port) and a GS1900-24E (24-Port).
 
According to their specs they support the following VLAN/QoS specs:
 
Traffic Management and QoS 
• Port-based VLAN • IEEE 802.1Q VLAN tagging • IEEE 802.3ad LACP • Guest VLAN • Voice VLAN • Storm control • IEEE 802.1p priority queues per port • IEEE 802.1p Queuing method (scheduler) • Input priority mapping • Rate limiting per port (ingress/ egress) • IEEE 802.3x flow control
 
 
So that said, since I would like to do some VLAN Magic as stated above, is there a way to do this with the my current hardware? Or do I need to purchase additional hardware like an Netgear Router or a little EdgeRouterX or something?
 
Also, I'm trying to understand...since I'm using the Orbi RBR50 w/ Two Satellites...I'm not sure how I can create additional WiFi VLANs without adding additional APs or other equipment?
 
Any thoughts and recommendations welcome!!
 
BJ
Model: RBR50| Orbi AC3000 Tri-band WiFi (Router Only)
Message 1 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

Orbi won't allow you to separate your SSIDs into separate VLANs. If you dig through the debug diagnostic logs, they support some VLANs on the switch but they don't let you control them. (Go to /debug.htm and run a debug log... look in the basic_debug_log; you can see they are separating the wan/lan ports based on your config.)

 

Line 85: hyd.@Vlanid[0]=Vlanid
Line 86: hyd.@Vlanid[0].ifname='eth1'
Line 87: hyd.@Vlanid[0].vid='1'
Line 88: hyd.@Vlanid[1]=Vlanid
Line 89: hyd.@Vlanid[1].ifname='eth0'
Line 90: hyd.@Vlanid[1].vid='2'
Line 197: lanwan.@switch[0].enable_vlan='1'
Line 198: lanwan.@switch_vlan[0]=switch_vlan
Line 199: lanwan.@switch_vlan[0].device='switch0'
Line 200: lanwan.@switch_vlan[0].vlan='1'
Line 201: lanwan.@switch_vlan[0].ports='6 1 2 3 4'
Line 202: lanwan.@switch_vlan[1]=switch_vlan
Line 203: lanwan.@switch_vlan[1].device='switch0'
Line 204: lanwan.@switch_vlan[1].vlan='2'
Line 205: lanwan.@switch_vlan[1].ports='0 5'
Line 350: network.@switch[0].enable_vlan='1'
Line 351: network.@switch_vlan[0]=switch_vlan
Line 352: network.@switch_vlan[0].device='switch0'
Line 353: network.@switch_vlan[0].vlan='1'
Line 354: network.@switch_vlan[0].ports='0t 2 3 4 5'
Line 355: network.@switch_vlan[1]=switch_vlan
Line 356: network.@switch_vlan[1].device='switch0'
Line 357: network.@switch_vlan[1].vlan='2'
Line 358: network.@switch_vlan[1].ports='0t 1'
Line 392: nowan.@switch[0].enable_vlan='1'
Line 393: nowan.@switch_vlan[0]=switch_vlan
Line 394: nowan.@switch_vlan[0].device='switch0'
Line 395: nowan.@switch_vlan[0].vlan='1'
Line 396: nowan.@switch_vlan[0].ports='6 1 2 3 4 5'
Line 585: tt3.@switch[0].enable_vlan='1'
Line 586: tt3.@switch_vlan[0]=switch_vlan
Line 587: tt3.@switch_vlan[0].device='switch0'
Line 588: tt3.@switch_vlan[0].vlan='1'
Line 589: tt3.@switch_vlan[0].ports='1 2 3 4 5'

 

You can separate your personal and guest devices but they are still on the same subnet. I would also like this feature. I use it on my Aruba gear at work and love it. I'm considering the Ubiquiti UniFi AC APs since I don't care about the router (use pfsense sg-3100). I was being lazy and opportunistic when I bought Orbi from Costco but I really should have done more research.

Message 2 of 28
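An added example (not from the poster or Netgear) that reads the swconfig-style `switch_vlan` lines quoted above and turns them into a per-port picture: which ports are tagged trunks, which are untagged access ports, and which ports share a broadcast domain. The sample input is the `network` and `nowan` sections from the excerpt; the `Line NNN:` prefixes are the poster's search-tool output and are skipped.

```python
import re
from collections import defaultdict

# Lines copied from the Orbi basic_debug_log excerpt quoted above; the "Line NNN:"
# prefixes come from the poster's search tool and are ignored by the parser.
DEBUG_LOG = """\
Line 350: network.@switch[0].enable_vlan='1'
Line 351: network.@switch_vlan[0]=switch_vlan
Line 352: network.@switch_vlan[0].device='switch0'
Line 353: network.@switch_vlan[0].vlan='1'
Line 354: network.@switch_vlan[0].ports='0t 2 3 4 5'
Line 355: network.@switch_vlan[1]=switch_vlan
Line 356: network.@switch_vlan[1].device='switch0'
Line 357: network.@switch_vlan[1].vlan='2'
Line 358: network.@switch_vlan[1].ports='0t 1'
Line 392: nowan.@switch[0].enable_vlan='1'
Line 393: nowan.@switch_vlan[0]=switch_vlan
Line 394: nowan.@switch_vlan[0].device='switch0'
Line 395: nowan.@switch_vlan[0].vlan='1'
Line 396: nowan.@switch_vlan[0].ports='6 1 2 3 4 5'
"""

# <profile>.@switch_vlan[<n>].<vlan|ports>='<value>'  (UCI / swconfig notation)
LINE_RE = re.compile(
    r"^(?:Line \d+:\s*)?(?P<profile>\w+)\.@switch_vlan\[(?P<idx>\d+)\]"
    r"\.(?P<key>vlan|ports)='(?P<val>[^']*)'$"
)

def parse_switch_vlans(text):
    """Return {profile: {vid: {port: tagged}}}.

    In swconfig port lists a bare number is an untagged member and a trailing
    't' marks a tagged member (e.g. '0t 1' = port 0 tagged, port 1 untagged).
    """
    sections = defaultdict(dict)             # (profile, idx) -> {'vlan':, 'ports':}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sections[(m['profile'], int(m['idx']))][m['key']] = m['val']
    table = defaultdict(dict)
    for (profile, _), sec in sorted(sections.items()):
        if 'vlan' in sec and 'ports' in sec:
            members = {int(tok.rstrip('t')): tok.endswith('t')
                       for tok in sec['ports'].split()}
            table[profile][int(sec['vlan'])] = members
    return dict(table)

def port_roles(vlan_table):
    """Classify every port of one profile from its VLAN memberships.

    'access' = untagged in exactly one VLAN (an end device lives there),
    'trunk'  = only tagged memberships (carries several VLANs, e.g. the CPU
               port 0 in the 'network' profile), 'hybrid' = both.
    """
    per_port = defaultdict(dict)
    for vid, members in vlan_table.items():
        for port, tagged in members.items():
            per_port[port][vid] = tagged
    roles = {}
    for port, vids in per_port.items():
        tagged = tuple(sorted(v for v, t in vids.items() if t))
        untagged = tuple(sorted(v for v, t in vids.items() if not t))
        if tagged and not untagged:
            role = 'trunk'
        elif len(untagged) == 1 and not tagged:
            role = 'access'
        else:
            role = 'hybrid'
        roles[port] = {'role': role, 'tagged': tagged, 'untagged': untagged}
    return roles

def broadcast_domains(vlan_table):
    """{vid: sorted untagged ports}: which physical ports share a layer-2 domain.
    Devices on ports in the same set can talk with no firewall in between."""
    return {vid: sorted(p for p, tagged in members.items() if not tagged)
            for vid, members in vlan_table.items()}

if __name__ == '__main__':
    tables = parse_switch_vlans(DEBUG_LOG)
    for profile, vlan_table in tables.items():
        print(profile, 'roles:', port_roles(vlan_table))
        print(profile, 'domains:', broadcast_domains(vlan_table))
```

Running it shows what the poster describes: in the `network` profile only port 0 (the CPU side) is a trunk, VLAN 2 holds the single WAN port, and every other port sits untagged in VLAN 1, so there is no place for a per-SSID VLAN to land.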
b1ggjoe
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

Hmm...that makes sense. I wonder if this feature will be coming down any time soon or if it's even on the product Roadmap?
 
If I were to create a few port-based VLANs via my ZyXEL switches. Then, I hardwire the Orbi Router into one of the VLANs...wouldn't that at least cause the entire Orbi ecosystem (Orbi Router, Satellites and anything connected to them via WiFi or Ethernet) to be on that same dedicated VLAN in that ZyXEL Switch's port?
 
In that same vein, couldn't I also add a few separate APs or re-deploy my old ASUS Routers into AP mode, hard wired into another ZyXEL switch VLAN...just to create/have another separate WiFi VLAN?
 
Oddly enough, my CenturyLink's Modem does support WiFi VLANs. It's WiFi capabilities only support 2.4Ghz but hell, might not be too bad for guests only.
 
I know this isn't the best design, but I'm trying here LOL.
 
Any more thoughts?
 
BJ
Message 3 of 28
b1ggjoe
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

I also forgot to add that I did order an EdgeRouter X. Just in case I needed it. I do have a few other devices (old hardware) that I do not mind inserting into this equation, just to be able to get it done correctly:

 

- ASUS RT-AC68U

 

- ASUS RT‑N66U

 

- SonicWALL TZ210

 

- Linksys WRT54G (yes, the one and only) 

 

@DaneA ... Thought I would add you to this, since I've seen the kind of help that you have provided in the past...very awesome!!

 

Thanks!

 

BJ

Message 4 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

You could certainly do that... create VLANs and then put the physical APs on different VLANs. The APs would be connected to access ports as untag pvid. You will want some gateway that has multiple interfaces or a trunk with sub interfaces to handle the routing out to the internet and route/allow/deny access between the VLANs. You will likely need to deploy them in AP mode only unless you want each AP to route too with static routes but that would be messy. Much easier to have the gateway do that routing and also serve as a single DHCP/DNS/NTP for each VLAN it serves. pfsense would be a great solution for your gateway.

 

What is your goal with the EdgeRouterX?

 

Here is a quick example based on your original goal:

 

VLAN100 for internet access (or plug gateway right into modem/ONT)

VLAN2 192.168.2.x/24 for wired/wireless... Orbi in AP mode

VLAN3 192.168.3.x/24 for IOT AP and share that with guest (segment guest traffic)  ASUS RT-AC68U in AP mode

Create pfsense firewall with 3 interfaces (or 2 with 1 trunked for LAN) to serve as the gateway for the two LAN VLANs

Create firewall rules that allow 192.168.2.x (wired/wireless) -> 192.168.3.x IOT devices

Create firewall rules that deny 192.168.3.x IOT devices -> 192.168.2.x (wired/wireless)

Allow 192.168.2.x and 192.168.3.x -> internet (you can get as strict as you want with your outbound rules...)

Use OpenDNS and/or pfblocker for 192.168.3.x IOT/Guest network for basic content filtering to limit guest internet access liability and block IOT from known malware sites so they are less likely to join a botnet.

Setup OpenVPN for remote access to services and to protect yourself on open wireless networks (public)

 

Depending on your level of "smart home" you might want to think about what services/igmp/etc. you need to route between the VLANs if you need to use chromecast, multiroom speakers, etc. It can get complicated really quick. These devices are designed to just work and when you start segmenting them you need to account for their protocols and how they work between subnets if necessary.

 

I'm in a similar boat. I'm rebuilding my network upgrading from Sophos Home UTM (on an old workstation) as my gateway and Asus AC66U as my AP. I just had more devices than the Asus could handle but it served me well for 5 years. I've just deployed a pfsense (netgate) sg-3100 for my vpn/gateway/firewall/etc. I selected Orbi because I was excited about 5Ghz everywhere to get rid of some 2.4Ghz interference (neighbors APs, zigbee, etc.) and I got it on sale RBK53 (RBR50+2 RBS50) for $389. Based on prices at other stores, it was a great buy so I grabbed it. I'm not 100% I'll keep it yet...

Message 5 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

I keep trying to reply but it's erasing my post over and over... Why? 

Message 6 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)


@b1ggjoe wrote:
 
If I were to create a few port-based VLANs via my ZyXEL switches. Then, I hardwire the Orbi Router into one of the VLANs...wouldn't that at least cause the entire Orbi ecosystem (Orbi Router, Satellites and anything connected to them via WiFi or Ethernet) to be on that same dedicated VLAN in that ZyXEL Switch's port?
 
In that same vein, couldn't I also add a few separate APs or re-deploy my old ASUS Routers into AP mode, hard wired into another ZyXEL switch VLAN...just to create/have another separate WiFi VLAN?
  
Any more thoughts?
 
BJ

Yes, yes and yes. You can use wired/Orbi on the same VLAN and put your Asus on another. "The right way" is subjective... the right way would be having you do it the way you want... but the Orbi won't support it. So you either select something that supports putting different SSIDs on different VLANs or hack together something like we are currently discussing. I sent you an example in your PMs since my post keeps disappearing.

Message 7 of 28
b1ggjoe
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

Wow, thank you so much for the incredible reply!!! I’m going to have to dissect this and definitely Whiteboard this.

The reason for the EdgeRouter is because I thought that having a Router with more sophisticated VLAN capabilities would be necessary, especially if I were to put the Orbi in AP mode.

Now that it’s on its way too me, I wonder if it will make things easier, both the EdgeRouter and the ZyXEL switches also support VLANs.

My other concern is the NAS. I know that I can have it physically connected to different VLANs since it does have 4x Gigabit NICs.

I can have it be a part of my private LAN on one NIC, then another NIC be a part of the IoT VLAN and restrict access from the IoT side so only the streaming devices like the NVIDIA Shield TV and Amazon FireSticks have access, based on MAC ID ACLs?

Hmmmm.

Lots to think about.

Of course if Netgear releases the required VLAN features for the Orbi...that would be awesome!!

BJ
Message 8 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)


@b1ggjoe wrote:

The reason for the EdgeRouter is because I thought that having a Router with more sophisticated VLAN capabilities would be necessary, especially if I were to put the Orbi in AP mode.

BJ

You are on the right track but the EdgeRouter leaves much to be desired... in my opinion. If you only want basic vlan routing without any advanced services/firewall... then go for it. However, it sounds like you really enjoy playing with this hardware and would benefit from a fully featured firewall/gateway like Sophos Home UTM, Untangle, pfsense, etc. Of course those require some more dedicated hardware if you have the budget and desire to learn if you are not already educated in such topics.

Message 9 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)


@b1ggjoe wrote:

My other concern is the NAS. I know that I can have it physically connected to different VLANs since it does have 4x Gigabit NICs.

I can have it be a part of my private LAN on one NIC, then another NIC be a part of the IoT VLAN and restrict access from the IoT side so only the streaming devices like the NVIDIA Shield TV and Amazon FireSticks have access, based on MAC ID ACLs?

Of course if Netgear releases the required VLAN features for the Orbi...that would be awesome!!

BJ

You can multihome your NAS or route the traffic. If your router isn't up to the challenge (resources/speed), then you can multihome. If you multihome, put the primary interface on your private VLAN and use that VLAN gateway as the default gateway. Then setup the other interface on the IOT VLAN. Not sure if you can then restrict it based on user/IP but I would look into that to only allow the IOT/guest devices that need access. Firewalling it off and routing is better if your gateway can handle it.

 

Don't get your hopes up on Netgear/Orbi offering VLANs per SSID. They have competing products that play in that space. I saw somewhere (but I couldn't find it searching earlier) that the consumer version wouldn't support this and pointed the OP to their netgear WAC line of products. Right now Orbi is only supporting one SSID for your personal use and one for guest. That seems to also be the case with all the other "mesh" consumer products I've seen so far.

 

The real answer to our goal is to get Meraki, Aruba, Ubiquiti, or similar APs, create a VLAN trunk on your switch and connect the AP. They all operate in AP mode with a dedicated gateway. That will allow the SSIDs to be on different VLANs. They work amazingly well but that is too complicated for most consumer users and users want wireless everywhere. Orbi has the benefits of being supposedly easy for people to deploy without wires and covering a large area without a huge decrease in speed like the extenders cause. They were not designed with our use cases in mind.

Message 10 of 28
b1ggjoe
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

Yeah, makes sense big time. I may just have to look into those other APs then, as you suggested. As for Firewalling off the NAS, I'm wondering if I should insert a small Firewall appliance, like an Untangle u25x in front of the NAS on the IoT VLAN NIC, or maybe use a built-in security feature such as this:

 

https://www.qnap.com/en/news/2018/qnap-and-netgate-showcase-nas-with-pfsense-joint-solution-for-netw...

 

Then I can get really crazy with the Firewall rules and access controls.

 

What do you think?

 

BJ

Message 11 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)


@b1ggjoe wrote:

 

https://www.qnap.com/en/news/2018/qnap-and-netgate-showcase-nas-with-pfsense-joint-solution-for-netw...

 

Then I can get really crazy with the Firewall rules and access controls.

 

What do you think?

 

BJ


I'm a pretty new user of pfsense (netgate sg-3100 + 32GB SSD). I've been running it a couple months now. I'm an administrator of Check Point, Cisco ASA, SonicWALL firewalls, etc. and pfsense was simple to setup compared to most of those. The feature set is amazing with its package manager and the community support is superb. LOTs of free pfsense training videos and if you buy their hardware, you get a fantastic book and access to their hangouts which are essentially training videos on how to implement certain features. You can get delayed (free) feeds from Emerging Threats, Snort for use in Snort/Suricata and GeoIP from MaxMind for pfblockerng. Plenty of free threat intelligence feeds or DNS filtering services to add more security that put PiHole to shame. (PiHole interface is amazing but I digress)

Message 12 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

Netgear doesn't want you to know what I think... they keep deleting my replies! I'll send another PM.

Message 13 of 28
b1ggjoe
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

What's weird is that when you first make your posts, I do see them in the email notification, but they disappear from here. Very weird.

 

Wow, Pf-Sense sounds amazing. Maybe I will put a Pf-Sense appliance in front of that QNAP NAS, within the IoT VLAN. Both their SG-1000 and SG-3100 are reasonably priced.

 

Hopefully, since 4K movies will be streaming outbound from the NAS, there won't be an issue with any Firewall overhead.

 

Man, it's too bad I can't install PF-Sense on my SonicWALL TZ210 and utilize that hardware. It seems at least more powerful than the SG-1000.

 

Hmmm...what to do...

 

BJ

Message 14 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)


@b1ggjoe wrote:

What's weird is that when you first make your posts, I do see them in the email notification, but they disappear from here. Very weird.

 

Wow, Pf-Sense sounds amazing. Maybe I will put a Pf-Sense appliance in front of that QNAP NAS, within the IoT VLAN. Both their SG-1000 and SG-3100 are reasonably priced.

 

Hopefully, since 4K movies will be streaming outbound from the NAS, there won't be an issue with any Firewall overhead.

 

Man, it's too bad I can't install PF-Sense on my SonicWALL TZ210 and utilize that hardware. It seems at least more powerful than the SG-1000.

 

Hmmm...what to do...

 

BJ


My posts have been disappearing on me all day... only forum I've ever had that happen to me. Very odd... Even if I repost... It stays for a few and then goes away. I've gotten wise and composed in notepad, which is why my formatting and grammar is terrible. ;)

 

4K is only what?.. 25Mbps? So, the sg1000 should do it but if you have the budget, splurge on the sg3100. The sg1000 is only good for about 125Mbps from what I've seen in tests and that is nowhere near what modern internet connections top out at. The sg3100 is good for gigabit. If you decide to build your own, take the hardware requirements seriously and ensure you select something with AES-NI. If you are in no rush, there are rumors that a device between the 1000 and 3100 will be announced soon.

Message 15 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)


@netadmn wrote:

If you are in no rush, there are rumors that a device between the 1000 and 3100 will be announced soon.

I think I have that wrong... I think the new device is replacing the 4xxx series so there will be a reasonable option between the sg3100 and xg7100

Message 16 of 28
b1ggjoe
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

So I said, 'what the hell' LOL. I just purchased a Netgate SG-3100 w/ 32GB M.2 SATA SSD. So what I'm 'thinking' is making this then, my 'Main Router/Firewall'. I'm also considering eliminating the CenturyLink Fiber Modem altogether, and replacing it with this bad boy.

 

I'll have to look at what VLAN options I have with this and start from there.

 

Then behind it, the Orbi Router+Satellite ecosystem. Also, I'm keeping the EdgeRouterX and using it as a pure Firewall to sit in front of the QNAP NAS.

 

As for adding additional APs on a different VLANs...either I will buy some brand-new APs or re-purpose my ASUS Routers...not sure yet.

 

Wife likes to buy furniture and stuff from 'Magnolia Farms' and I like to buy Network stuff...LOL...she usually wins.

 

I'm thinking though, shouldn't I use the SG-3100 to create and manage my VLANs from there...or should I do this with the ZyXEL switches?

 

Wondering if there is an advantage of perhaps using both??

 

Hmmm...

Message 17 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)


@b1ggjoe wrote:

Also, I'm keeping the EdgeRouterX and using it as a pure Firewall to sit in front of the QNAP NAS.

 

I'm thinking though, shouldn't I use the SG-3100 to create and manage my VLANs from there...or should I do this with the ZyXEL switches?

 

Wondering if there is an advantage of perhaps using both??

 

Hmmm...


You shouldn't need the EdgeRouterX as a dedicated firewall. That would put the NAS on its own subnet which is kind of silly IMO. Only keep the EdgeRouterX if you need to extend PoE and ethernet ports to another spot in the house and only have one ethernet drop in that room. The sg3100 is better hardware and can handle it for you. Start watching some videos so you know what you are doing... if you are not familiar with VLAN access/trunk/hybrid, then get a solid understanding of how and why you use them.

 

You can use VLANs on both the pfsense firewall and the switch. If your WAN port is plugged directly into the CenturyLink ONT (they have ethernet hand off?) then you don't need a VLAN for WAN. If you need to jump through a switch (due to distance from ONT, etc.) then you will use two untagged VLAN ports for those interfaces.

 

The LAN port(s) on the pfsense box can be setup as individual untagged uplinks on access ports for the switch or you can share one interface and trunk it. Your preference. If one pfsense port will be used per VLAN, the switch ports will be configured as access ports if the VLAN assignment is one to one. Neither side will be trunked. If you plan to carry more than one VLAN over a port, it will need to be trunked (tagged) and the opposite (pfsense) end will be tagged. You setup your Orbi, APs, NAS, wired workstations, etc. as untagged ports with membership/pvid on the VLAN you want them to belong to. Since pfsense will be DNS/DHCP for all, you don't need ip helper addresses.

Message 18 of 28
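An added example (not the poster's switch configuration and not ZyXEL code) that models the access/trunk/PVID behaviour described above on one switch: untagged frames are classified by the port's PVID, tagged frames are accepted only on ports that carry that VLAN tagged (ingress filtering), and a frame leaves tagged on the trunk and untagged on access ports. The port names and the four-port layout (pfSense trunk, Orbi in AP mode, an AP for IoT/guest, the NAS) are assumed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass
class Port:
    name: str
    pvid: int                                  # VLAN given to untagged ingress frames
    untagged: FrozenSet[int] = frozenset()     # VLANs that leave this port without a tag
    tagged: FrozenSet[int] = frozenset()       # VLANs that leave this port with an 802.1Q tag

def access_port(name: str, vid: int) -> Port:
    """Access port: PVID = the one VLAN, frames leave untagged (Orbi, AP, NAS, PCs)."""
    return Port(name, vid, untagged=frozenset({vid}))

def trunk_port(name: str, vids, native: Optional[int] = None) -> Port:
    """Trunk port: every carried VLAN is tagged. With no native VLAN (the safer
    choice, modelled as PVID 0 which belongs to no VLAN) untagged frames are dropped."""
    vids = frozenset(vids)
    untagged = frozenset({native}) if native is not None else frozenset()
    return Port(name, native if native is not None else 0,
                untagged=untagged, tagged=vids - untagged)

class Switch:
    def __init__(self, ports):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}

    def classify(self, port: str, wire_vid: Optional[int]) -> Optional[int]:
        """Ingress: map a frame to a VLAN, or None if the port must drop it."""
        p = self.ports[port]
        if wire_vid is None:                        # untagged on the wire
            return p.pvid if p.pvid in (p.untagged | p.tagged) else None
        # Tagged on the wire: accepted only where that VLAN is configured tagged
        # (ingress filtering), so a host on an access port cannot pick its own VLAN.
        return wire_vid if wire_vid in p.tagged else None

    def egress(self, in_port: str, vid: int) -> Dict[str, Optional[int]]:
        """Forward/flood: {out_port: vid or None}, None meaning it leaves untagged."""
        out = {}
        for name, p in self.ports.items():
            if name == in_port:
                continue
            if vid in p.tagged:
                out[name] = vid
            elif vid in p.untagged:
                out[name] = None
        return out

    def forward(self, in_port: str, wire_vid: Optional[int]
                ) -> Tuple[Optional[int], Dict[str, Optional[int]]]:
        """(classified VLAN, egress map); (None, {}) when the frame is dropped."""
        vid = self.classify(in_port, wire_vid)
        return (None, {}) if vid is None else (vid, self.egress(in_port, vid))

def thread_topology() -> Switch:
    """The wiring discussed in the thread on one GS1900 (port names assumed):
    VLAN 2 = household wired/wireless, VLAN 3 = IoT/guest."""
    return Switch([
        trunk_port('g1', {2, 3}),        # tagged uplink to the pfSense LAN port
        access_port('g2', 2),            # Orbi in AP mode
        access_port('g3', 3),            # ASUS in AP mode for IoT/guest
        access_port('g4', 2),            # NAS / wired workstation
    ])

if __name__ == '__main__':
    sw = thread_topology()
    print('IoT AP frame   :', sw.forward('g3', None))   # only reaches pfSense, tagged 3
    print('Orbi frame     :', sw.forward('g2', None))   # pfSense tagged 2, NAS untagged
    print('tag 2 on IoT   :', sw.forward('g3', 2))      # dropped by ingress filtering
    print('untagged uplink:', sw.forward('g1', None))   # dropped: no native VLAN
```

The IoT/guest frame never reaches the Orbi or NAS ports at layer 2; the only path to VLAN 2 is through pfSense, where the rules from earlier in the thread decide.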
b1ggjoe
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

Wow, I can't thank you enough for all of your help. This is freakin awesome!

 

At the moment, I have CAT6 running from the ONT to the CenturyLink C1100T Modem. I get pretty awesome speeds:

 

[image attachment IMG_0256[1].JPG showing the speed result]

A few months back, I was hoping to eliminate the modem altogether and just use the Orbi as my main gateway. Since CenturyLink uses VLAN Tagging, I had to configure the Orbi with VLAN Tagging set to 201 along with the PPPoE credentials.

 

Oddly enough and I need to create a separate post asking Netgear about this, but I noticed that I would never even get close to the speeds in the picture above, when I used the Orbi as my main gateway. I would get probably no more than 500-650mbps up/down.

 

I had thought for sure, with the great hardware specs on the Orbi, that it would do a way better job of handling the routing demands with Fiber speeds. So not sure what's up with that.

 

I know that with the little EdgeRouterX, it had the same issue when it was first launched. Then it was addressed by enabling 'Hardware Offloading', which would then allow it to route at those speeds, but at the sacrifice of being able to utilize QoS. 

 

I hope to use the SG-3100 then, as my main gateway. I'm pretty sure that it will have no problem being able to handle the Fiber connection.

 

I'm going to have to take your various responses and create some sort of diagram to figure this out LOL.

 

On the EdgeRouterX...if it's not needed to protect the NAS, then your suggestion would be perfect and I could purchase a few PoE APs for another Wireless VLAN.

 

I'll be spending this weekend watching all of those Pfsense videos LOL

 

BJ

Message 19 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)


@b1ggjoe wrote:

  

A few months back, I was hoping to eliminate the modem altogether and just use the Orbi as my main gateway. Since CenturyLink uses VLAN Tagging, I had to configure the Orbi with VLAN Tagging set to 201 along with the PPPoE credentials.

 

Oddly enough and I need to create a separate post asking Netgear about this, but I noticed that I would never even get close to the speeds in the picture above, when I used the Orbi as my main gateway. I would get probably no more than 500-650mbps up/down.

 

I had thought for sure, with the great hardware specs on the Orbi, that it would do a way better job of handling the routing demands with Fiber speeds. So not sure what's up with that.

 

I know that with the little EdgeRouterX, it had the same issue when it was first launched. Then it was addressed by enabling 'Hardware Offloading', which would then allow it to route at those speeds, but at the sacrifice of being able to utilize QoS. 

 

I hope to use the SG-3100 then, as my main gateway. I'm pretty sure that it will have no problem being able to handle the Fiber connection.

 

I'm going to have to take your various responses and create some sort of diagram to figure this out LOL.

 

On the EdgeRouterX...if it's not needed to protect the NAS, then your suggestion would be perfect and I could purchase a few PoE APs for another Wireless VLAN.

 

I'll be spending this weekend watching all of those Pfsense videos LOL

 

BJ


From what I've read, the Orbi doesn't have the specs to run at gig to the WAN. The sg-3100 will definitely do gig but not over VPN. Encryption adds a lot of overhead to the CPU and slows things down. You'll love it for your use case. If you configured Orbi with VLAN/PPPoE, then sg-3100 will need the same config. If you use the switch to uplink pfsense to CL, then you will configure two access ports on VLAN 201. There are benefits to running everything through the switch (like sniffing and sending traffic flows).

 

The sg-3100 will give you great speeds (doing speed tests) until you decide to enable QoS. With your connection you should never need it as you'll never saturate your link. QoS will slow down your speed test results due to queuing. This is NOT a bad thing. I use it to prioritize my traffic. It is moving traffic to queues to ensure I have a good experience with the real time services I care about and slowing down my email or web pages in the background that I care less about. The slow down is so minimal you'll never notice it. Most people will never ever hit their subscribed speeds. A 4K stream is 25Mbps. I have a 150/150 fiber line and with 4 people (2 adults, 2 kids) all who stream (wife works remote), we rarely ever utilize >50Mbps. Essentially we've been told by our ISP that we NEED BLAZING FAST SPEED when you'll never use it. That is how they increase profits and oversubscribe bandwidth.

 

I suggest you create an account on the pfsense forum site and also join the reddit /r/pfsense sub. Lots of helpful people in those places to help you when you get stuck. Your purchase will give you the gold sub which includes a huge book that will easily teach you advanced networking... highly recommend you do lots of reading before you jump in. Your experience will be much better if you understand what you are getting into before you try. Or, at minimum get a base config and then start adding. Don't do it all at once. Your family will thank you for less downtime too... ;)

Message 20 of 28
b1ggjoe
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

Great feedback from everyone!! I guess my issue now, is that I need to diagram out what I currently have as far as cabling and ports.

 

In a perfect world, I could configure Pfsense so that each LAN port would be dedicated to a different VLAN and go downwards from there.

 

Unfortunately, I'm thinking that I may have to go another option and create a VLAN Trunk since I may have to have multiple VLANs on the same port, due to the limitations of how my cable and ports are currently laid out.

 

I'm going to try to throw something together, perhaps a simple sketch or Visio, so that you guys can see what I'm dealing with.

 

OBTW, right now...since I'm still waiting on both my Pfsense Firewall and EdgeRouterX to arrive...and since I haven't installed my 24-port ZyXEL Managed Switch just yet, here's what I have laid out:

 

1 Gbps CenturyLink Modem C1100T  >>> Orbi Router (Router Mode) + Satellites >>> Ethernet ports

 

(I haven't fully setup the ZyXEL Switches just yet)

 

Is there any advantage if I do this:

 

1 Gbps CenturyLink Modem C1100T  >>> Netgate SG-3100 >>> Orbi Router (AP Mode) + Satellites >>> Ethernet ports

 

instead of this...

 

ONT  >>> Netgate SG-3100 >>> Orbi Router (AP Mode) + Satellites >>> Ethernet ports

 

So basically, is there any advantage in keeping the CenturyLink Modem C1100T as the primary Gateway as it stands now, then adding the Netgate SG-3100 behind it?

 

Thanks!

 

BJ
Message 21 of 28
netadmn
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)


@b1ggjoe wrote:

Great feedback from everyone!! I guess my issue now, is that I need to diagram out what I currently have as far as cabling and ports.

 

In a perfect world, I could configure Pfsense so that each LAN port would be dedicated to a different VLAN and go downwards from there.

 

Is there any advantage if I do this:

 

1 Gbps CenturyLink Modem C1100T  >>> Netgate SG-3100 >>> Orbi Router (AP Mode) + Satellites >>> Ethernet ports

 

instead of this...

 

ONT  >>> Netgate SG-3100 >>> Orbi Router (AP Mode) + Satellites >>> Ethernet ports

 

So basically, is there any advantage in keeping the CenturyLink Modem C1100T as the primary Gateway as it stands now, then adding the Netgate SG-3100 behind it?

 

Thanks!

 

BJ

 


@Case850 has a great point which is why I previously asked your interest level... I still think your overall experience will be better with pfsense once you learn it. Just the level of flexibility/options on such a system you won't get from EdgeRouterX. If you want a set it and forget it option... do that. If you want to play with traffic and have a lot more options, you were right in the sg3100 option. The EdgeRouterX may not have been a waste of $ if you could use it to extend PoE and also provide ethernet uplink elsewhere. I may purchase a couple of those.. they have great benefit if they fit in the overall design.

 

I'm assuming (based on previous posts) you have an ethernet hand off and already tried ONT -> ORBI? Why did you go back to the CL modem? Do you rent it or own it?

 

I helped a buddy do an install recently where we bridged the ISP modem (xfinity) because they needed the cable modem for MoCA and weren't prepared to pay $ for a new modem. Since you are ethernet, I don't know how that could help you. It just adds an extra hop for no reason. The only thing I can really think of is support. Your ISP may not spend as much time with you troubleshooting your own equipment than they would if you are using theirs.... If this is important to you, it may be worth it to keep it around in case you need to revert back to prove to the ISP the problems are on their side. If you don't use ISP standard equipment... it's easier for them to blame your equipment.

Message 22 of 28
fender87
Aspirant

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

I'm in an extremely similar situation. I bought the Orbi on a whim at Best Buy. I wish I'd done much more research. I love the Orbi coverage, but the features are terrible. I ended up buying the Ubiquiti AC Pro AP just so I can VLAN tag the SSIDs.

 

I currently use pfSense into a Ubiquiti Switch and the Ubiquiti AC Pro AP with 3 tagged SSIDs. I love the Ubiquiti products. However, the Orbi obviously had better coverage than the one AP I currently have (especially since I'm renting and can't drill holes through the walls to add more wired APs). However, if Orbi enabled VLAN tagging, I'd switch back in a heartbeat.

Message 23 of 28
fender87
Aspirant

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

Haha. Yes, I do really own them. I’ve owned an Orbi for about a year now. I have never experienced any of the reliability issues described throughout the forums.
Message 24 of 28
b1ggjoe
Apprentice

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

Hey there @Case850

 

Well, you're right. I can be a big kid in a candy store LOL. However, at the same time...I wanted to make sure that I had the correct hardware for what I was going to do. Not too worried about jumping the gun, since I use Amazon Prime so I don't really pay for shipping.

 

To your other thought...I can tell you as the one that actually created this post, this wasn't an attempt to lobby for any feature. Just trying to find out the best way to carry out what I wish to accomplish.

 

@netadmn,

 

So you had a question about why I switched back to the CenturyLink Modem as my primary Gateway, instead of using the Orbi as my previous Gateway. I wrote about my experience here in a separate post:

 

https://community.netgear.com/t5/Orbi/Best-Practices-when-using-Orbi-Router-to-handle-a-1GB-Fiber/m-...

 

Slowly but surely, all of your awesome recommendations are starting to sink in. Let me run this by you, to make sure that I'm on the right track then:

 

Here's what I'm hoping to do then, with my new setup:

 

Netgate SG-3100 Pfsense Router >>> (ethernet) >>> GS1900-24E >>> (ethernet) >>> GS1900-8

 

I'm *thinking* of creating a VLAN Trunk between all 3 devices. The reason is that I need to create at least 3 different VLANs. Unfortunately, due to the limitations that my home currently has with the number of CAT 6 runs within my home, I'm going to need to have multiple VLANs be able to utilize the same physical port(s) on the ZyXEL switches.

 

Do you think then, that this will be possible?

 

I'm not sure if VLAN Trunking is a standard feature with these ZyXEL switches...but I'm going to find out.

 

Thanks!

 

BJ

Message 25 of 28