I am trying to separate my home network into 3 separate VLANS as shown in the diagram below. Unfortunately I do not have a VLAN aware router, so I am not what I am doing is possible. I want to create a family, internal and guest network (Plus WIFI access) and also share the printer across VLAN 20+10. Currently VLAN 20 has internet access and works, however it can access any PC on VLAN 10 but VLAN 10 can't access VLAN 20? VLAN 20 should not be able to access VLAN 10.
I assume this is because when I setup the network switch, Port #2 on the switch is in both VLAN 10 and 20 (10 is default). If I set port only to be in VLAN 20 I don't get any internet.
Is this the right way to do this or would I need a VLAN aware router to accomplish this?
Depends what you exactly want to achieve. In a strict IEEE 802.1Q VLAN sense, each VLAN is a dedicated network, has a dedicated IP subnetwork (as shown on your plan) on each network, and only a L3 router can make IP communication.
With the two consumer routers added, there won't be much luck - because these routers a doing many2one NAT routing (all LAN IPs NAT to a single WAN IP), most likley these can't be configured as "normal" routers connecting two IP subnets so bi-diectional routing beteen the IP subnets as shown would be possible. If the routers would be "normal" routers, adding some static routers would do the job.
You can _try_ your luck configuring a so called asymmetrical VLAN config, with just L2 tricking - all devices run on the same IP subnet. Look here:
Create the VLAN 10, name it "Family (for port 1..8)
Create the VLAN 20, name it "Intranet" (for port 9..12)
Create the VLAN 30, name it "Guest" (for port 13..14) Let's keep port 15 and 16 for future usage, see below
For the moment, keep VLAN 1 eg. [U]ntagged on Port 16 for the management, until the management VLAN is changed e.g. to VLAN 10 (for simplicity). Remove any VLAN membership for VLAN 1 from all ports, eg. 1..24.
Make all ports [U]ntagged members of the VLAN 10.
Set ports 1..8 to PVID 10.
Make ports 9..12 [U]ntagged members of the VLAN 20.
Set ports 9..12 to PVID 20.
Make ports 9..12 [U]ntagged members of the VLAN 20.
Set ports 13..14 to PVID 30.
Name port 8 "InetRouter"
Keep port 8 "InetRouter" as an [U]ntagged member of VLAN 10.
Make port 8 "InetRouter" [U]ntagged member of VLAN 20
Make port 8 "InetRouter" [U]ntagged member of VLAN 30
Name port 12 "Printer"
Make port 8 "Printer" [U]ntagged member of VLAN 10 (reachable for Family VLAN)
Make port 8 "Printer" [U]ntagged member of VLAN 30 (reachable for Guest VLAN)
Note: Intranet VLAN 20 can't reach the Internet - so the printer can't use cloud based supply management (like HP Instant Ink, send notifications, link up to some Intenret based cloud printing, ...)
Connect the Sky router LAN to port 8 "inetRouter".
Connect the printer to port 12 "Printer"
Now you can put up three test systems, one on the "Family" VLAN, port 1..7 (remember: port 8 "InetRouter" is reserved for the Sky router LAN), one on the "Intranet" 9..11, and one on the "Guest" VLAN port 13..14. All will receive an address from the router by DHCP, no static IPs required. Test "Family" can reach the Internet, the Printer, other "Family", but not "Intranet" or "Guest". Test "Intranet" can only reach the "Internet" and the "Printer" [and other "Intranet"] but neither "Guest" nor "Family". Test "Guest" can only reach "Internet" [and other "Guest"], but neither "Intranet" nor "Family".
For the WLAN: If possible configure both other consumer routers plain wireless access points, configure one as "Family" and one as "Guest". Connect the appropriate port (some routers in AP mode require using the WAN port, others the LAN port) to a "Family" port resp. a "Guest" port.
Better solution would be a simple business AP like a WAC124 or WAX204 (if you need just one AP), if considering more look for a mesh-capable WAC505/510/540 or a WAX610 for example.
Configure the switch port #15 (that's why we kept it untouched) for using the VLAN 10 [U]ntagged, PVID 10; VLAN 20 [T]agged, VLAN 30 [T]agged. Configure the access point with three SSIDs - "Family" VLAN 10 untagged, "Intranet" VLAN 20 tagged, and "Guest" VLAN 30. Last step is making the management VLAN 10 untagged, and connect it to Port 15.
The Sky router WiFi will still connect to the "Family" network.
Now associate a test system to each of the three WLAN SSIDs, and run the same tests as above.
@schumaku Thanks for the reply, very detailed but complex without right hardware and I think down the line I could run into issues and spend hours fixing them. I have done more research into this and I've been recommended to get a Ubiquiti Edgeware Router X, which will do all the IP/DHCP stuff for me and I can use other routers as access points/range extenders.
@schumaku Thanks for the reply, very detailed but complex without right hardware and I think down the line I could run into issues and spend hours fixing them. I have done more research into this and I've been recommended to get a Ubiquiti Edgeware Router X, which will do all the IP/DHCP stuff for me and I can use other routers as access points/range extenders.
You have all the hardware required. Your Sky router will do all IP/DHCP stuff for you. A L3 router with multi VLAN and multi-subnet does not make a difference ref. the existing two routers in AP mode - just the same proposal as above - unlikely these routers are supporting multi SSID/VLAN pairs. And have fun with double NAT, have fun with Multicast based IPTV, ...
And even more fun if you get Sky Internet Calls.
And much more fun with printer and other device discovery - being broadcast based, being Multicast and UPnP SSD discovery.
Last but not least, you need to configure the switch 802.1Q VLAN, configure the ports, ...
But hey, if you think adding yet another router makes it easier, up to you. Have fun with UI! And even more fun adding UniFi APs. Yes - I'm managing some bigger venues and helping on a major TV production on plain UniFi environment.
