Help on change of network topology


I am a network newbie and in need of your advice.

I have recently changed my ISP and received a unit from the ISP whose modem I cannot put in bridge mode. I don't want to run a double NAT. Thus, I am trying to reconfigure my network. Please refer to the attached images.

Diagram 1 is my current configuration.
Diagram 2 depicts my modifications to avoid double NAT and to upgrade to FTTH in the near future.

OWRT-1 is lan-wan bridged and will provide DoH and probably a few other services.
OWRT-2 is also lan-wan bridged and will hand out IPs to vlan1, 7, 11, and 13.

  1. What do you think about the changes made in Diagram 2? Will it work?
  2. Will a default route or static route or both be required on the switch?

Your suggestions and comments are appreciated.

I don't understand your VLANs -- are those additional routers? Or servers or something else? Your gateway definitions for the VLANs won't work because it is outside the subnets that you have created (i.e. VLAN 11 is, the gateway must be within that network... the devices cannot use a gateway of; a router, of course, can use the 213.1 gateway as its upstream).

Thanks, @psherman for your reply.
The vlans are PCs, WAPs, mobile devices, etc.; but no routers, so I abstracted them away.
The switch is a Netgear managed switch. I've just found How-to-configure-routing-VLANs-on-a-NETGEAR-managed-switch-with-shared-internet-access. I will follow the how-to and see if it works.

Does one of your routers (either the ISP router or the OpenWrt one) have those VLANs set up for routing?

If not, your network will not function -- your VLANs will not be able to route out of their own subnet (i.e. to each other or to the internet). The switch can keep the VLANs isolated from a switching/forwarding perspective, but it cannot route them.

No. The isp unit is very basic. The two OWRTs will not provide routing. The switch can be set up to do vlan routing. My plan is to configure vlan routing on the switch. Thus, the switch will route traffic from vlan7, 11, and 13 to the isp router; then use ACLs to isolate the vlans. This will take care of the switch side.

The issue is the route back to the switch from the isp router, since it supports neither vlans nor static routes.

IMO, using switches to do routing (when supported - only certain models of managed switches offer L2+ and L3 capabilities) is generally not the best option. The routing functionality on all but high end enterprise grade switches tends to be quite basic and generally offers little-to-no granular configuration abilities. The reason that L2+/L3 functionality exists in some switches is to offload inter-VLAN routing from the main router and reduce traffic across the link between the switch and the router. This is good when multiple VLANs need to be able to communicate with each other (let's say two departments in a business) with minimal-to-no firewall filtering.

VLANs have two main purposes:

  • create smaller networks (rather than one monolithic one) to reduce the size of the broadcast domain. This was the original intent and it can dramatically improve network performance when there are hundreds to thousands of nodes.
  • create independent networks for the purposes of security and filtering. Here, a firewall is used to allow/prohibit/selectively filter inter-VLAN traffic and/or access to other resources such as the internet. In many network infrastructures, the firewall is running in the router.

If the second purpose is your reason for setting up VLANs, you should be planning to run all of the routing and firewall features in a router, not in a switch.

Double NATing is unavoidable, it seems.
Thanks again for your help.

Does your ISP router have the ability to set static routes?

You can let the isp router provide DHCP, NAT and the default gateway. No double NAT needed.

Do you need vlans at all? Your network is small enough to run it all in one C class address range, such as

@psherman No, it doesn't. It is a basic router.
@jdwl1o1 VLANs are a must for my application.

Then double-nat it must be. Unless you can remove the isp router or put it in a true bridge mode.