
Help with topology and approach

IamOzymandias
Aspirant

I'm hoping to get some advice on topology and approach to accomplish my goals using the Netgear stack identified here. Please let me know what additional info would be helpful to have. Thanks in advance!

Netgear stack

  • Cable Modem - CM1200
  • Router/Wifi - X4S/R7800 - FW V1.0.2.68
  • Managed Switch - GS110TPP - FW V7.0.1.16

Goals

  • Create 3 VLANs - Home Lab, Media/IoT (Roku, Nest, etc.), and Personal Devices (PC/tablet/phone)
  • Allow traffic from a small number of external/WAN IP addresses (friends/coworkers/collaborators) into the LAN for the purpose of access to the Home Lab VLAN - do not allow any of this external traffic into other VLANs. I don't want to hand out certs and give VPN access to my whole LAN
  • Do not allow the Media/IoT VLAN to communicate with any other VLAN, but allow some/all personal devices to connect to Media/IoT for management
  • Allow some/all personal devices on the LAN to connect to the Home Lab VLAN
  • All 3 VLANs will have access to the internet

Environment

  • All IP addresses are currently on the same subnet - can subnet out if better/easier
  • Mostly Linux (CentOS and Debian/Ubuntu), some MacOS and Windows 10
  • DNSmasq provides DNS for lab
  • Nighthawk/R7800 provides DHCP for any non-static IP addresses

Progress

  • 3 VLANs are configured, but I am not confident in the final topology, so I am looking for some good practices before I move further
Model: GS110TPP|8-Port Gigabit PoE+ Ethernet Smart Managed Pro Switch with 2 Copper Ports and Cloud Management
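Added example, not part of the original thread: a small Python model of the inter-VLAN policy the goals above describe, as the VLAN-capable router or firewall sitting between the three segments would have to enforce it (default deny between VLANs, explicit allows only for the stated cases). The VLAN subnets, the external allow-list addresses and the management host are constructed placeholders; the thread gives none.

```python
"""Model of the three-VLAN access policy from the question.

Constructed example. Subnets, allow-listed WAN addresses and the IoT
management host are placeholders, not values from the thread.
"""
from __future__ import annotations

import ipaddress
from typing import Callable

# Constructed: one IPv4 subnet per VLAN (each VLAN is its own broadcast domain)
VLANS: dict[str, ipaddress.IPv4Network] = {
    "lab": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
    "personal": ipaddress.ip_network("192.168.30.0/24"),
}

# Constructed: external collaborator source addresses permitted into the lab
EXTERNAL_ALLOW = {
    ipaddress.ip_network("203.0.113.7/32"),
    ipaddress.ip_network("198.51.100.0/29"),
}

# Constructed: the personal devices that may manage the IoT segment
IOT_MANAGERS = {ipaddress.ip_address("192.168.30.10")}


def zone_of(addr: str | ipaddress.IPv4Address) -> str:
    """Map an address to its VLAN name; anything else is treated as WAN."""
    ip = ipaddress.ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "wan"


def _any(src, dst) -> bool:
    return True


def _src_allowlisted(src, dst) -> bool:
    return any(src in net for net in EXTERNAL_ALLOW)


def _src_is_manager(src, dst) -> bool:
    return src in IOT_MANAGERS


# Ordered allow rules for NEW connections: (source zone, destination zone, extra
# condition). First match allows; anything unmatched is denied. Reply traffic
# for allowed connections is assumed to be handled by stateful connection
# tracking, so it is not modelled here.
ALLOW_RULES: list[tuple[str, str, Callable]] = [
    ("lab", "wan", _any),                    # all three VLANs reach the internet
    ("iot", "wan", _any),
    ("personal", "wan", _any),
    ("wan", "lab", _src_allowlisted),        # collaborators: lab only, by source IP
    ("personal", "lab", _any),               # personal devices may use the lab
    ("personal", "iot", _src_is_manager),    # only designated hosts manage IoT
]


def decide(src: str, dst: str) -> str:
    """Return "allow" or "deny" for a new connection from src to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone_of(s), zone_of(d)
    if sz == dz:
        return "allow"  # same VLAN: switched locally, never reaches the router
    for rule_src, rule_dst, cond in ALLOW_RULES:
        if rule_src == sz and rule_dst == dz and cond(s, d):
            return "allow"
    return "deny"  # default deny between zones, including IoT -> anything local


def audit() -> dict[str, bool]:
    """Check each stated goal against the rule table; True means satisfied."""
    wan_dst = "192.0.2.10"  # constructed internet destination
    return {
        "iot_isolated": all(
            decide("192.168.20.5", d) == "deny"
            for d in ("192.168.10.5", "192.168.30.5")
        ),
        "external_reaches_lab_only": (
            decide("203.0.113.7", "192.168.10.5") == "allow"
            and decide("203.0.113.7", "192.168.30.5") == "deny"
            and decide("203.0.113.7", "192.168.20.5") == "deny"
        ),
        "unlisted_external_blocked": decide("203.0.113.99", "192.168.10.5") == "deny",
        "personal_reaches_lab": decide("192.168.30.11", "192.168.10.5") == "allow",
        "only_managers_reach_iot": (
            decide("192.168.30.10", "192.168.20.5") == "allow"
            and decide("192.168.30.11", "192.168.20.5") == "deny"
        ),
        "all_vlans_reach_internet": all(
            decide(s, wan_dst) == "allow"
            for s in ("192.168.10.5", "192.168.20.5", "192.168.30.5")
        ),
    }


if __name__ == "__main__":
    for goal, ok in audit().items():
        print(f"{goal}: {'ok' if ok else 'VIOLATED'}")
```

The point the model makes explicit is the one the replies below turn on: every rule is keyed on zone, and a zone is a distinct IP subnet, so the device enforcing this table has to route between several subnets. A source-address allow list for WAN access is only as strong as the collaborators' addresses are stable and un-spoofable, which is why the default for any unmatched pair stays deny.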


All Replies
DaneA
NETGEAR Employee Retired

Re: Help with topology and approach

@IamOzymandias,

Welcome to the community! 🙂 

Since the R7800 does not support VLANs, I recommend the BR500 to you. The BR500 supports VLANs and can be configured to provide local IP addresses to each VLAN configured on the GS110TPP. To know more about the BR500, check its data sheet here

Kindly check the article below and use it as a reference guide:

How do I set up one or more VLANs between a NETGEAR ProSAFE firewall and a smart switch?

Regards,

DaneA

NETGEAR Community Team

IamOzymandias
Aspirant

Re: Help with topology and approach

So, the managed switch is not sufficient to create VLANs to accomplish this work?

schumaku
Guru

Re: Help with topology and approach

Well, the switch can be configured into three VLANs, of course. Each VLAN is its own broadcast domain; think of three different non-managed switches. On the IPv4 layer, each VLAN does require its own IP subnet.

Your consumer router can handle only one LAN, do many2one NAT for one IP subnet, including limited port forwarding to IP addresses on that very same subnet. If using that network as an intermediate transport net for connecting, it's hard to hide - certainly with that same consumer router again.

That's why @DaneA correctly pointed to a basic small business router with the ability to deal with multiple LANs/VLANs, multiple subnets, many-to-one NAT for multiple subnets ... Of course, you can "design" an experimental environment with one or two similar crap routers establishing double-NAT, .... Personally I would look into a small but performant security router appliance.

Discussion stats
  • 3 replies
  • 1808 views
  • 2 kudos
  • 3 in conversation