Help with topology and approach
I'm hoping to get some advice on topology and approach to accomplish my goals using the Netgear stack identified here. Please let me know what additional info would be helpful to have. Thanks in advance!
Netgear stack
- Cable Modem - CM1200
- Router/Wifi - X4S/R7800 - FW V1.0.2.68
- Managed Switch - GS110TPP - FW V7.0.1.16
Goals
- Create 3 VLANs - Home lab, Media/IoT (Roku, Nest, etc), and Personal Devices (PC/tablet/phone)
- Allow a small number of external/WAN IP addresses (friends/coworkers/collaborators) traffic into LAN for purpose of access to Home Lab VLAN - do not allow any of this external traffic into other VLANs. I don't want to hand out certs and give VPN access to my whole LAN
- Do not allow Media/IoT VLAN to communicate with any other VLAN, but allow some/all personal devices to connect to Media/IoT for management
- Allow some/all personal devices on LAN to connect to home lab VLAN
All 3 VLANs will have access to the internet
Environment
- All IP addresses are currently on the same subnet - can subnet out if better/easier
- Mostly Linux (CentOS and Debian/Ubuntu), some MacOS and Windows 10
- DNSmasq provides DNS for lab
- Nighthawk/R7800 provides DHCP for any non-static IP addresses
Progress
- 3 VLANs are configured, but am not confident in the final topology so looking for some good practices before I move further
Accepted Solutions
Well, the switch can be configured into three VLANs of course. Each VLAN is its own broadcast domain, think of three different non-managed switches. On the IPv4 layer, each VLAN does require its own IP subnet.
Your consumer router can handle only one LAN, do many-to-one NAT for one IP subnet, including limited port forwarding to IP addresses on that very same subnet. If using that network as an intermediate transport net for connecting, it's hard to hide - certainly with that same consumer router again.
That's why @DaneA correctly pointed to a basic small business router with the ability to deal with multiple LANs/VLANs, multiple subnets, many-to-one NAT for multiple subnets ... Of course, you can "design" an experimental environment with one or two similar crap routers establishing double-NAT, .... Personally I would look into a small but performant security router appliance.
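What the accepted answer describes (one subnet per VLAN, and a router that both routes between those subnets and NATs them to the internet) can be seen concretely in the following script. It is an added example, not code from the thread or from NETGEAR: it assumes a Linux host or appliance sitting behind the R7800 as the inter-VLAN router (the "double-NAT" arrangement the answer mentions), with the GS110TPP trunking the three VLANs to it on eth1 and eth0 facing the R7800, which port-forwards the one exposed lab service to this box. The VLAN IDs (10/20/30), the 10.0.x.0/24 subnets, the interface names, the lab host 10.0.10.5:22 and the collaborator addresses (RFC 5737 documentation ranges) are all assumptions chosen for the example. The policy from the original post is encoded once as a shell function so it can be checked without nftables installed, and once as the nftables ruleset that enforces it; the script only prints the commands and ruleset, it does not apply them.

```shell
#!/bin/sh
# Added example (not from the thread). Linux inter-VLAN router behind the R7800:
# eth1 is the 802.1Q trunk from the GS110TPP, eth0 faces the R7800.
# All IDs, subnets, hosts and addresses below are assumptions for illustration.
set -eu

WAN=eth0            # towards the R7800 (which port-forwards LAB_PORT to this box)
TRUNK=eth1          # 802.1Q trunk from the GS110TPP
LAB_ID=10;  LAB_GW=10.0.10.1
IOT_ID=20;  IOT_GW=10.0.20.1
PERS_ID=30; PERS_GW=10.0.30.1
LAB_HOST=10.0.10.5  # the single lab service exposed to collaborators (assumed)
LAB_PORT=22
COLLABORATORS="203.0.113.10 198.51.100.7"   # assumed allow list (RFC 5737 addresses)

# Policy from the original post as a testable function: may <src> open NEW
# connections to <dst>? Each side is one of lab|iot|personal|wan.
# Returns 0 = allow, 1 = deny. Replies to allowed flows are handled by conntrack.
vlan_allowed() {
  case "$1:$2" in
    *:wan)                     return 0 ;;  # every VLAN reaches the internet
    personal:iot|personal:lab) return 0 ;;  # personal manages IoT and uses the lab
    *)                         return 1 ;;  # iot -> nothing, lab -> nothing internal,
  esac                                      # wan -> only via wan_host_allowed below
}

# External hosts are admitted only from the allow list (and, in the ruleset,
# only to LAB_HOST:LAB_PORT in the lab VLAN, never to the other two VLANs).
wan_host_allowed() {
  for h in $COLLABORATORS; do
    [ "$h" = "$1" ] && return 0
  done
  return 1
}

# One tagged sub-interface and one gateway address per VLAN, plus forwarding.
# Printed rather than executed so the script is safe to run anywhere.
emit_interfaces() {
  for spec in "$LAB_ID $LAB_GW" "$IOT_ID $IOT_GW" "$PERS_ID $PERS_GW"; do
    set -- $spec   # $1 = VLAN id, $2 = gateway address
    echo "ip link add link $TRUNK name $TRUNK.$1 type vlan id $1"
    echo "ip addr add $2/24 dev $TRUNK.$1"
    echo "ip link set $TRUNK.$1 up"
  done
  echo "sysctl -w net.ipv4.ip_forward=1"
}

# nftables ruleset enforcing the same matrix: default-drop forward chain,
# explicit allows only, DNAT for the collaborator path, masquerade to the R7800.
emit_ruleset() {
  cat <<EOF
flush ruleset
table inet vlan_fw {
  set collaborators {
    type ipv4_addr
    elements = { $(echo $COLLABORATORS | sed 's/ /, /g') }
  }
  chain forward {
    type filter hook forward priority 0; policy drop
    ct state established,related accept
    ct state invalid drop
    # every VLAN gets internet
    iifname { "$TRUNK.$LAB_ID", "$TRUNK.$IOT_ID", "$TRUNK.$PERS_ID" } oifname "$WAN" accept
    # personal devices may manage IoT and reach the lab; nothing initiates the other way
    iifname "$TRUNK.$PERS_ID" oifname { "$TRUNK.$IOT_ID", "$TRUNK.$LAB_ID" } accept
    # allow-listed collaborators reach exactly one lab host/port and no other VLAN
    iifname "$WAN" oifname "$TRUNK.$LAB_ID" ip saddr @collaborators ip daddr $LAB_HOST tcp dport $LAB_PORT accept
  }
  chain prerouting {
    type nat hook prerouting priority -100
    iifname "$WAN" ip saddr @collaborators tcp dport $LAB_PORT dnat ip to $LAB_HOST
  }
  chain postrouting {
    type nat hook postrouting priority 100
    oifname "$WAN" masquerade
  }
}
EOF
}

emit_interfaces
echo
emit_ruleset
```

Run it and pipe the ruleset part into `nft -c -f -` to syntax-check before `nft -f`. Two practical consequences follow from the answer's point that each VLAN is its own subnet: the R7800's DHCP no longer serves the VLANs, so something on the router (dnsmasq, already used for the lab, can hand out a separate `dhcp-range` per VLAN interface) has to; and the collaborator path is double NAT, so the R7800 forwards the port to this router's eth0 address and the DNAT above carries it the rest of the way, with the forward chain still refusing anything from eth0 that is not on the allow list or not bound for the one lab host.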
All Replies
Re: Help with topology and approach
Welcome to the community! 🙂
Since the R7800 does not support VLAN, I recommend the BR500. The BR500 supports VLAN and can be configured to provide local IP addresses to each VLAN configured on the GS110TPP. To know more about the BR500, check its data sheet here.
Kindly check the article below and use it as reference guide:
How do I set up one or more VLANs between a NETGEAR ProSAFE firewall and a smart switch?
Regards,
DaneA
NETGEAR Community Team
Re: Help with topology and approach
So, the managed switch is not sufficient to create VLANs to accomplish this work?