× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Orbi WiFi 7 RBE973

Help with topology and approach

IamOzymandias
Aspirant

Help with topology and approach

I'm hoping to get some advice on topology and approach to accomplish my goals using the Netgear stack identified here. Please let me know what additiona info would be helpful to have. Thanks in advance! 

 

Netgear stack

  • Cable Modem - CM1200
  • Router/Wifi - X4S/R7800 - FW V1.0.2.68
  • Managed Switch - GS110TPP - FW V7.0.1.16

Goals

  • Create 3 VLANs - Home lab, Media/IoT (Roku, Nest, etc), and Personal Devices (PC/tablet/phone)
  • Allow a small number of external/WAN IP addresses (freinds/coworker/collaboratorss) traffic into LAN for purpose of access to Home Lab VLAN - do not allow any of this external traffic into other VLANs. I don't want to hand out certs and give VPN access to my whole LAN
  • Do not allow Media/IoT VLAN to communicate with any other VLAN, but allow some/all personal devices to connect to Media/IoT for management
  • Allow some/all personal devices on LAN to connect to home lab VLAN
    All 3 VLANs will have access to the internet

Environment

  • All IP addresses are currently on the same subnet - can subnet out if better/easier
  • Mostly Linux (CentOS and Debian/Ubuntu), some MacOS and Windows 10
  • DNSmasq provides DNS for lab
  • Nighthawk/R7800 provides DHCP for any non-static IP addresses

Progress

  • 3 VLANs are configured, but am not confident in the final topology so looking for some good practices before I move further
Model: GS110TPP|8-Port Gigabit PoE+ Ethernet Smart Managed Pro Switch with 2 Copper Ports and Cloud Management
Message 1 of 4

Accepted Solutions
schumaku
Guru

Re: Help with topology and approach

Well, the switch can be configured into three VLANs of course. Each VLAN is it's own broadcast domain, think of three different non-managed switches. On the IPv4 layer, each VLAN does require it's own IP subnet.

 

Your consumer router can handle only one LAN, do many2one NAT for one IP subnet, inlcuding limited port forwarding to IP addresses on that very same subnet. If using that network as an intermediate transport net for connecting it's hard to hide - certainly with that same consumer router again.

 

That's why @DaneA correctly pointed to a basic small business router with the ability to deal with multiple LANs/VLANs, multiple subnets, many-to-one NAT for multiple subnets ... Of course, you can "design" an experimental environment with one or two similar crap routers esblishing double-NAT, .... Personally I would look into a small but performant security router appliance. 

View solution in original post

Message 4 of 4

All Replies
DaneA
NETGEAR Employee Retired

Re: Help with topology and approach

@IamOzymandias,

 

Welcome to the community! 🙂 

 

Since the R7800 does not support VLAN, I recommend you the BR500.  The BR500 supports VLAN and can be configured to provide local IP addresses to each VLAN configured on the GS110TPP.  To know more about the BR500, check its data sheet here

 

Kindly check the article below and use it as reference guide: 

 

How do I set up one or more VLANs between a NETGEAR ProSAFE firewall and a smart switch?

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 2 of 4
IamOzymandias
Aspirant

Re: Help with topology and approach

So, the managed switch is not sufficient to create VLANs to accomplish this work?

Message 3 of 4
schumaku
Guru

Re: Help with topology and approach

Well, the switch can be configured into three VLANs of course. Each VLAN is it's own broadcast domain, think of three different non-managed switches. On the IPv4 layer, each VLAN does require it's own IP subnet.

 

Your consumer router can handle only one LAN, do many2one NAT for one IP subnet, inlcuding limited port forwarding to IP addresses on that very same subnet. If using that network as an intermediate transport net for connecting it's hard to hide - certainly with that same consumer router again.

 

That's why @DaneA correctly pointed to a basic small business router with the ability to deal with multiple LANs/VLANs, multiple subnets, many-to-one NAT for multiple subnets ... Of course, you can "design" an experimental environment with one or two similar crap routers esblishing double-NAT, .... Personally I would look into a small but performant security router appliance. 

Message 4 of 4
Discussion stats
  • 3 replies
  • 1725 views
  • 2 kudos
  • 3 in conversation
Announcements