Confused about default VLAN and filtering

I want to segment out to a few different VLANS with the LAN itself only servicing the network devices with a dedicated port on the router for connecting a laptop for device management.

My end goal is probably almost accurately described in a table like so:

| VLAN Name | VLAN ID | Subnet | Purpose |
|---|---|---|---|
| LAN | 0? | 10.10.0.0/24 | Network infrastructure |
| Residents | 1 | 10.10.1.0/24 | Here there be peeps |
| Servers | 2 | 10.10.2.0/24 | Servers, serving. |
| IoT/NoT | 4 | 10.10.4.0/22 | My LIGHTS and stuff |
| Guest | 8 | 10.10.8.0/24 | Visitors |
| Work | 16 | 10.10.16.0/24 | The Jerb |

I've set up the default LAN with a 10.10.0.0/24 subnet. I'm probably going to not have it do DHCP and traffic from it to go basically anywhere, maybe anywhere private. The other VLANs will have variable but predictable access to whatever. Like IoT doesn't get to talk to anything public, ever, for example. Guest and Work only get to see the Internet, while I'll probably punch a hole to a printer for Work. Residents get to talk to anything but things on the LAN, which should only allow access to management interfaces (web, SSH) from devices on the LAN with an IP address in the right range.

Where I'm stuck is with LAN and VLAN filtering. Maybe it's LAN and VLAN? This is why I'm stuck. I'm going to have the router, 4-5 switches, 4 WAPs, and maybe a "wireless wire" bridge to an outbuilding.

I understand how to set up trunking (kinda, mostly, under EdgeOS) and having some ports only handle tagged traffic for one VLAN. That's part of setting up multiple SSIDs on the WAPs - they each direct to a different VLAN.

My questions:
Say I have a trunked port on the router that connects to a managed switch, which also has at least two trunked ports because there's a WAP or something hanging off of it, and my LAN traffic is untagged, originating from an untrunked/dedicated port on the router.

Will I be able to talk to the network devices to manage them from a laptop connected to that port?

Is untagged traffic blocked on a port for which VLAN filtering is enabled?

When you are on the same L2 network as your target, you can always connect to it (unless it is blocked with a host-level firewall). If you are on a different L2 network, the traffic will go to the router where it will be subject to the routing/firewall engines. If those allow inter-vlan routing (in whole, or for the specific traffic in question), you'll be able to make the connection. If the firewall doesn't allow it, then the connection will not be possible.

All that to say that the tagged/untagged status or trunk vs access port angle is not relevant to the inter-vlan routing. Tagging is simply a means of enabling multiple networks to coexist on a single port/cable while still being able to identify the traffic that belongs to each VLAN and keep those flows separate.

No. VLAN filtering is not related to tagged vs untagged on any individual port... it is simply the mechanism by which the VLANs are enabled in general (without it, you can only have a single subnet/network defined with the ports in the bridge).

That said, I have found that the option/checkbox isn't necessary. If it is not checked but bridge-vlans are present in the config, it will be enabled implicitly under the hood. So I'm not really sure what the purpose is for that option being exposed to the user.

VLAN 0 and sometimes 1 have special uses.
Do not use them for management, as due to bugs, e.g. hostap may connect unrelated networks to one of them.
