Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)


Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)



The title of this post still stands. The thing is...and I just realized this...is that for the longest time...only @netadmn was providing feedback. So this entire discussion ended up evolving and going in a few different directions. Also, there were MANY times where @netadmn responded with comprehensive, detailed information. Then for some reason, after he posted his responses, his posts ended up being deleted for some reason. Not sure why.


So, we ended up sending each other PMs as a way to continue the conversation.


I realize now, why the continuity of this entire discussion is not very smooth and seems to be missing entire blocks of Q&A...because it actually is.


My initial post was to find out what is/was the best way to redesign my home network with an emphasis on *Security*, given the fact that at the time of the OP, I only had a CenturyLink Modem, Orbi RBR50 w/ two satellites and I had just purchased the two ZyXEL Switches.


So I had questions about possibly going the VLAN route. How I wanted possibly 3 different WiFi (V)LANs:


- A private one

- One for my IoT Smart Devices

- One for guests (Guests, Friends and Extended Family Members)


The other issue is that I have recently purchased a QNAP TVS-473 that I wanted to use for both:


- Storing of private/important docs/files


- Store my ever growing movie collection and be able to stream from the NAS to my Smart TVs (Utilizing NVIDIA Shield TV and Amazon Fire TV sticks to pull/stream the movies from the NAS via an SMB/NFS Share by way of either Plex or Kodi).


The reality is that I should have two different NAS devices for this. One for the private/important files and one for the Movie stuff...but at the moment I do not. If I did, that would make life a lot easier for me, with regard to this new network design.


The important NAS could be on a private (V)LAN hardened and locked down. The other could be on the IoT (V)LAN. So that is another issue.


Since this QNAP TVS-473 has 4x Gb NICs, that's where this conversation evolved into Firewall rules for allowing access and so forth. So that the NAS could be a part of two separate (V)LANs.


When I found out about the limitations of the Orbi and VLANs and I saw that the conversation was sort of moving that direction with having a Router that could handle this, I jumped on the EdgeRouterX right away. Especially because it was only $50.


Then when @netadmn made some great points about the sophistication of the Netgate SG-3100, I decided to purchase that and make that my primary Router and possibly Gateway as well.


My thoughts were that I could still put the EdgeRouterX in front of the NAS for an additional layer of security. That was until @netadmn stated that there would be no need, since the Netgate SG-3100 could handle the routing for all of this.


So that is where we are at.


I go back to my questions from yesterday though:


Here's what I'm hoping to do then, with my new setup, given my recent purchases:


Netgate SG-3100 pfSense Router >>> (ethernet) >>> GS1900-24E >>> (ethernet) >>> GS1900-8


I'm *thinking* of creating a VLAN Trunk between all 3 devices. The reason is that I need to create at least 3 different VLANs. Unfortunately, due to the limitations that my home currently has with the number of CAT 6 runs within my home, I'm going to need to have multiple VLANs be able to utilize the same physical port(s) on the ZyXEL switches.


I'm not sure if VLAN Trunking is a standard feature with these ZyXEL switches...but I'm going to find out.


I have a question into ZyXEL and I'm waiting for their response.


Also, I realize the logic behind your suggestion but in the past, I've never had the luxury of being able to purchase all of my network devices, from the same vendor. Except for work-related purchases.


I realize that there would be a lot of advantages going this route from both a compatibility, management and GUI standpoint...but that has never really been my worry.


Especially since not every Manufacturer excels in making great devices for every category.


So for now, I have a great device...the Netgate SG-3100 that should be able to handle my routing and VLAN needs. An EdgeRouterX that is a great router as well and that I can use to extend to a PoE AP device which I could do in the future. Two Switches which I hope will work, since they were purchased at a great price...and an Orbi System which I look forward to maximizing.



Message 26 of 28

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)

Just had an interesting Chat w/ ZyXEL support regarding my question on the setup above:


ZyXEL Support >> The only way for you to utilize multiple VLANs on the same physical port is if there is a device in your network that is already tagging the traffic before it hits your switch. Otherwise, you can only set the PVID of your switches to 1 VLAN.


BJ>> Aaah, so if my Router supports this...then my setup will work?


ZyXEL Support >> You would need either an Access point or other switch to tag the VLANs before they get to your GS1900 switches as it's only possible to set 1 PVID on the switch. If the traffic doesn't have a VLAN tag, it simply takes the VLAN of the PVID you set.


BJ>> Hmmm. I also have an 'EdgeRouterX'. I wonder if I can have that sit between my Router and the ZyXEL switches then?
Can I set a different PVID on each port of the ZyXEL switches?


ZyXEL Support >> Yes you can set a different PVID for each port of the Zyxel switch




Need to think about this then...

Message 27 of 28
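The PVID rule ZyXEL support describes in the chat above, as an added example that is not part of the original posts and is not ZyXEL firmware code: a simplified model of how a VLAN-aware port classifies an incoming frame. The VLAN IDs, port layouts and function names are assumptions, and ingress filtering (dropping tags for VLANs the port is not a member of) is assumed to be enabled.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_frame(vid=None, payload=b"\x00" * 46):
    """Constructed Ethernet frame; carries an 802.1Q tag when vid is given."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")  # made-up, locally administered MAC
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


def classify_ingress(frame, pvid, member_vlans):
    """Return the VLAN the port places the frame in, or None if it is dropped."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return pvid                      # untagged: takes the port's PVID
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF                   # low 12 bits of the TCI are the VLAN ID
    if vid == 0:
        return pvid                      # priority tag only: handled as untagged
    return vid if vid in member_vlans else None  # ingress filtering


# Hypothetical layout: VLAN 1 default, 10 private, 20 IoT, 30 guest.
TRUNK = {"pvid": 1, "member_vlans": {1, 10, 20, 30}}  # uplink towards the router
IOT_ACCESS = {"pvid": 20, "member_vlans": {20}}       # port an IoT device plugs into


def demo():
    return {
        "trunk, untagged": classify_ingress(build_frame(), **TRUNK),
        "trunk, tagged 20": classify_ingress(build_frame(20), **TRUNK),
        "trunk, tagged 99": classify_ingress(build_frame(99), **TRUNK),
        "access, untagged": classify_ingress(build_frame(), **IOT_ACCESS),
        "access, tagged 10": classify_ingress(build_frame(10), **IOT_ACCESS),
    }


if __name__ == "__main__":
    for case, vlan in demo().items():
        print(f"{case:18} -> {'dropped' if vlan is None else 'VLAN ' + str(vlan)}")
```

The last case is the one that matters for segmentation: a device on the IoT access port that sends frames tagged for the private VLAN is dropped instead of being forwarded there.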

Re: Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)



Thank you for responding!!


Well, the issue is that I was still hoping to utilize the Orbi Ecosystem, since I've already spent the money on it and it's past the 'Return' period.


Taking your suggestion into account, I was thinking then on either of the following:


1. - Keeping the Orbi and its Ecosystem (Meaning Wired & Wireless devices) on one VLAN (By physically connecting it to a dedicated VLAN port on one of the Managed VLAN-aware switches)...and using the Orbi for the IoT VLAN


2.  - Option #2 would be same as above, but also enabling 'Guest Network' and have Guests/Friends/Extended family use the 'Guest Network' for their WiFi needs.


Then, I could Purchase a few Unifi AP AC PRO AP units and have those be a part of my Private VLAN.


Also, since the EdgeRouterX only has one Passive PoE port...I'm assuming then that I will need to add another PoE Switch to the mix, in order to support more than one PoE Unifi AP AC PRO?



Message 28 of 28