Configuring VLANs with a Managed Switch

Hi guys! Please help set up Vlan with this network configuration:

VLAN10 - Connection between a Wi-Fi router and a switch
VLAN20 - WiFi devices who must have access to the local network and the Internet, as well as to file storage (NAS)
VLAN30 - WiFi devices access for Internet only (Guest WiFi)
VLAN40 - Access for VLAN20 and VLAN50
VLAN50 - Access to VLAN40 and Internet

Are these settings correct?
Do I understand correctly that there should be tagged on the router and switch?

Your assumptions in the drawing are wrong.
The switch would not be able to bridge from VLAN40/50 to VLAN10. You would need to have all VLAN's on the Trunk. Or is your Managed Switch a Router/Switch?
Your wireless router/firewall would need to route between the VLAN's.

Thanks. Then you can configure the connection between the router and the switch?

As mentioned the connection between the Router and the Switch (Trunk) would need to have all VLAN's configured it should carry (in your case VLAN 40 and 50.

And on the router you then need routing between VLAN 20 and VLAN 40/50


Do you need all those VLANs? What are you gaining from separating trusted wifi, wired, and NAS? Just because you can separate devices out doesn't mean you should...


I would start out with two networks: untrusted (guests) and trusted (trusted wifi, wired PCs, and NAS). Otherwise you're going to need to set up a bunch of routing and firewalling between the three separate but basically trusted networks that you propose as VLANs 10, 40 and 50. (Having the NAS and local users of the NAS in the same VLAN is especially recommended because then that heavy traffic can be hardware switched without imposing on the router CPU.)

Back to the original question there are two ways to set up a LAN port on the switch page:

  • "Access" for a regular non-VLAN-aware device like a PC: Untagged in one VLAN, off in all others.
  • "Trunked" to a VLAN-aware switch: Tagged in one or more VLANs, off in others. Don't try to mix tagged and untagged on the same cable-- though the standards say it should work, implementation is often lacking in consumer-grade equipment.

That is, I configure VLAN40 and VLAN50 on the switch, VLAN 20 and VLAN30 on the router. And then I configure tagged on the router and switch.

1 Like

The trunk cable between the router's switch and the standalone switch must use the same VLAN numbers within the switches at both ends. In other words switches can't rewrite packets to change their VLAN numbers. Once numbered and tagged that network uses the same VLAN number configured in all switches.

LAN1 connects to a port on a switch.

As everyone wrote, get rid of VLAN 10 and mark VLAN 20/30 tagged on LAN1.

You then also need to have the Wifi bridged into the respective VLAN.

1 Like

Changed the scheme:

and VLANs setting on the router:

Assuming that LAN1 is your trunk to the managed switch you don't need to tag VLAN30 on that anymore. Other than that this setup looks ok

Though if you go ahead and bring the guest VLAN over to the switch now, it is simple later to set up switch ports to connect untrusted devices like a game console or a wifi AP to extend guest wifi coverage.

You could use the existing VLAN 1 as the trusted network and not have VLAN 20.

Thanks. On the switch, I only configure VLAN1 as tagged without VLAN30.

Well I think we are now having a bit of over crossing ideas of your initial (to complex) solution and an easy straight forward approach.
So not sure how you want us to proceed in giving you ideas for your configuration.
As all devices on your switch are in the trusted LAN you could basically do the LAN1 port VLAN1 as untagged and then you don't need to do anything on your switch. Alternatively you can keep config as above and then on your managed switch would need to tag VLAN1 for any device you want in your trusted zone.

Thank you for help!