Improving my network topology

As I have comented in other thead, I want to create an IOT network in my home isolated from main home lan and internet.
In the other thread, I was given ideas of how to configure firewall, vlans and other things and was adviced about the need of installing another openwrt router, and use isp router only as bridge, and that is I would like to do.
But I need advice about the phisical and logical topology of the network.

I am going to explain how it is now (I put here the network diagram):

image1234×853 40.8 KB

In my house there is a comunications cabinet (very small, just an electric cabinet indeed) were arrive TV cable from the outside and fiber.
All ethernet cat 6 wires from the 5 rooms are connected directly to that cabinet.
So there is a 1 Gb switch (conmutable and non managed) installed there.
As it is quite small, the fiber optical wire was extended from there to a room (room 1 in the backside of the home) were reside a couple of computers connected to the ISP gateway and the home lan, and it provides WIFI access to the home SSID (connected to the home lan).

In the front side of the home, as the wifi does not reach there, I have installed a better (fritzbox 4040) router with openWRT, which is the DHCP server the home LAN (the gateway is the ISP router) and DNS server usind dnsmasq to integrate dns with dhcp leases, forming a .home domain and being the DNS primary server for the entire home LAN. DNS queries for other domains are redirected to well known DNS servers in internet.

As I said, now I want to add a second separate lan for iot (let us call it iot) accesible from wifi with its own ssid and isolated. So I will use vlan 15 for iot net traffic, where for now will be connected the wifi iot in the main router and the router in the other room (to substitute the ISP router).

I can think of two possible configuration: just adding a new vlan with other IP net (192.168.3.0) and a DHCP server and DNS server in the other router.
One of the routers would be the DNS and DHCP server for home network (the new main router) and the other for the iot network, with separate IP networks and connected between them through a VLAN (15) for iot traffic. New SSID WIFIs would be created in both routers in order to provide access to iot wifi device. If there were some ethernet device in the future, the corresponding switch port would be assigned to the VLAN 5.
I seems quite simple and similar to what I have now, with all home devices in the same IP network and iot devices in another network.
Thus the switches would not have to send packets to the routers when two devices in the same IP network interconnect among them, it can be solved at the layer 2 using MACs (once the MAC have been discovered).

More or less like this:

image1213×824 52 KB

An alternative would be to let each router assign DHCP adresses to the devices that connect to it in separate IP networks (one for iot and one for the home lan) so there would be 2 IP networks for iot and 2 for home lan that would, with static routes to send traffic from home IP net to home IP net and IOT IP net and iot IP net.
The advantage would be knowing by IP to which router a devices is connected.
But it would be more comples and ... less efficient?

If a device connected to one router has to send packets to a device connected to the other router it will have to send the packet to the other router and be dispateched at level 3, the switch won't be able to distribute that traffic.
Devices connected to the switch is not known, which router would be connected to?

I think the previous aproach can be easier and better, but am not sure if there can be problems.

There isn't really a way to accomplish this without either laying a dedicated -second- cable between "main OpenWrt router" and "OpenWrt router 2" XOR replacing the unmanaged 4 port switch with a managed one, capable to transporting multiple VLANs (trunk port). While -in theory- you could also use a GRE tunnel to transport the IoT network through the main network, but that's a complexity that's hardly advisable.

mmm, that may be why I am not getting it to work, even if I have revised all the config one time and another.
At the logical level it seemed feasible, but I see the problem is phisical.

SO I need a managed switch (I suppose that cannot be acomplish with a layer 2 switch, it is a pity).

I had beleived that transporting packets with vlan id won't affect layer 2 switches, as mac adress were the same and the switch just had to drop the packet at the connection with the correct MAC.

Thank you, thing are getting more complicated, I am not sure if it deserves the effort (isolating iot devices).

What about creating separate networks at each router and interconnect them using static IPs?

There would remain the problem to unify them at DNS level in one domain (.iot).

I mean a DHCP server at router 2 serving 192.168.3.0 address and another DHCP at router 1 serving 192.168.4.0 and sending traffic from one to the other network through the the same port as the home lan (192.168.2.0).

Even managed switches are L2. Some managed switches have L2+ or L3 features.

Unmanaged switches are designed for a single network (untagged) only. Their behavior is undefined for passing 802.1q tagged ethernet frames. Some unmanaged switches will do this without issue, others may cause severe network issues. Regardless, because they are not configurable, unmanaged switches will still rely on another managed switch (or a router with VLAN support such as an OpenWrt device) to enable a tagged network to be connected to an ethernet device that expects untagged networks. There are several other risks/disadvantages to using an unmanaged switch with tagged networks, too. The bottom line is that only managed switches should be used in this application.

You should never have multiple DHCP servers on the same network (network here means both the logical network as well as the physical infrastructure when using unmanaged switches). The results will be random and unpredictable, and will cause all sorts of headaches. This needs to be handled with VLANs (i.e. tagged networks, managed switches)

Thank you for the clarification about managed/unmanaged switches.

You say some unmanaged or even managed switches are capable of transporting tagged data without issue.

But if there are risks then a managed switch will be needed.

Or may be a smal router with gigabit ports and openWRT with all routing deactivated, just acting as a switch.

Recomendations?

They won't be at the same IP network just one for each.

Main router woul have DHCP activated at the lan interface and serve adresses 192.168.2.0.
All pcs connected to the switch or routers port (not dropped from the lan) would obtain adress from it, as it would be serving the lan interface.

Another DHCP server at the iot interface serving say 192.168.3.0. In that interface will be connected the iot WIFI served by main router, and may be one port with some iot device (that port would be added to iot vlan as untagged, and off in the home vlan).

In router 2, a DHCP server serving 192.168.4.0 in the interace iot, formed by the iot wifi created in that router, and may be some port dedicated to iot vlan and dropped from the home vlan (bat ports would be untagged, so no tagged traffice reaches the intermediate switch.

traffic from 192.168.3.0 and 192.168.4.0 will be redirected though routes.

I will try the previous config in a test environment with the two routers connected among them with no switch.
If that works, then will have to see if thje switch can be substituted (I have a TPlink TL-WR1043 with 5 Gb ports and a WAN that may be can do the work with openWRT, configuring all ports in untagged mode for vlan 1 and tagged for vlan 15).

Will try. Thanks.
Your recommendations on the best solution will be greatly wellcome.

What an unmanaged switch does with tagged packets is undefined, it may do whatever the vendor (didn't-) think about during the design phase.

If you have a spare router lying around that can run OpenWrt, use that. Otherwise, you can buy very inexpensive smart/managed switches from quite a few manufacturers. Stay away from the entry level TP-Link switches, though (TL-SG1xxE series, for example).

This is fine, but they must also be physically (or logically with proper VLAN support) isolated from each other.
The problem would be this: if you take 2 standard consumer routers, each with its own subnet (for example 192.168.1.0/24 and 10.0.1.0/24), and plug them each into a standard unmanaged switch, there would be two DHCP servers on the same physical link when you plug in a computer. So, when that computer makes a DHCP request, there would no deterministic way to know/guarantee which DHCP server would respond. Therefore, you must never 'join' two networks together with an unmanaged switch.
Wifi is a slightly different story -- if you have unique SSIDs for each network, that is, in effect, isolating the two networks, so that is okay.
And, of course, with VLANs you can create trunk ports to enable the sharing of the same physical infrastructure (cables, managed switches, etc.) with multiple networks.

If you have two or more networks created by 2 or more routers, these routes must be installed on each of the routers, and the firewalls on the routers must also be set to allow for this to work. The switches will not have anything to do with this.

OK. So I need a managed switch as the middle man among routers.

But I suppose an openWRT router would do too... a TL with 4 Gb LAN + 1 Gb should be able to do the work.
I will take out antennes, and deactivate wifi and other not used modules. That router has been in the cabinet serving internet connection and wifi until I moved the fibre out of the cabinet to the main room.

I think it can be cheaper than seeking for a managed router, and probably better (as all routers would have openWRT).

I will try configuring two routers with no swtich, and if it works, then adding the managed switch in between (the TPL).

I will try creating the separate IP networks too. But I like it less, more configuration and separate nets, than need to be integrated at the DNS level later, and it seems more error prone.

All managed switches are capable of working with tagged networks. That is why this category exists.

Unmanaged switches do not universally fail to work, but because of the fact that the behavior is undefined, you may discover that things fail badly, unpredictably, and even sometimes intermittently. That is the fundamental reason why I always tell people that they should never use unmanaged switches with tagged networks. period. There are other reasons, too, but the unpredictability of the behavior (with risks that could include major network issues) and the lack of configurability, combined with the availability of relatively inexpensive basic VLAN aware managed switches, there's just never a good reason to take a risk with an unmanaged switch.

Used ZyXEL gs1900-8 L2 smart-managed switches regularly sell for under 20 EUR on the popular second hand markets. Their OEM firmware is fine, but if you search a little further, you can do a lot more with them.

Thanks, yes, it seems that the more clean aproach would be to replace the intermediate switch.

As I have a TL WR1043ND with 1 Gb ethernet that has previously been serving at the cabinet, it seems the obvious solution.
I was going to use it as the main router for a while and once everything was correct, substitute it for something better. But may be It will have better use as a switch.
Its wifi is a bit obsolet (just N and not at the quickest speed).

With separate networks, a problem I can think of is itinerating from one WIFI AP to the other.
The name and password is the same in both routers, so you can move from one point to another without having to reconnect, the device reconnects automatically to the strongest signal.

But I don't know if the IP and gateway can be changed when you move from one AP to another.

And yes, with the vlan config, it can be difficult to configure at the low level (layer 2 and 3) but then everything is easier and with less config to do, no so error prone.

Thank you, but for the photo it seems to big.

You don't have an idea how small the cabinet is.

It is not a communication cabinet. Just an electric connections box integrated in the wall with all cables (tv, phone and ethernet) coming to it. And there is the fibre, and a tv distributir.
Beign able to put there the TL WR1043 was an odysse.

This is best handled by having a single logical network across multiple physical access points. This way, when the client roams from one AP to the next, the network configuration (IP, subnet mask, router, DNS) are all the same. On a properly tuned and configured network, this roaming can be (nearly) seamless with a human user potentially not noticing the transition at all.

If you have multiple APs setup with the same SSID and password, but using different logical networks, the clients will be able to roam from one AP to the next, but the experience will not be good -- possibly up to a few seconds for the connection to be broken and then re-established.

Yes, that was the problem I see with the aproach of several nets.
You have confirmed the problems I had anticipated.

So it is clear that the best solution would be to substitute the switch.
I have it solved with the tl, but as a managed switch seems quite cheap, if there is one with 5 ports and really small size, it would be better to buy one too.

I will try to implement the 2 router config with two old routers using vlans, and the put the tplink in the middle and configure vlans in it too and see if I can have it working before doing it in the actual router.

By the way I am looking for a good inexpensive router with wifi AC or ACx (better) for being my main router.

Any idea. I have a fritz!box 4040 that will remain as the second router, may be they have one more advance for not too much, will seek in tplink too.

gs1900-8_vs_tl-wr1043ndv1800×490 119 KB

That's probably a matter of perspective…

I had expected it bigger.

May be too long for the space, but it is narrower.

I have to take meassures.

I suppose there is no one similar with 5 or 6 ports, that would be perfect, it would not take so much space and would be easier to put than the tplink.

Thank you again.

I think this is too strong a statement. The SG108e is a home/small business workhorse that works just fine on the inside of a firewall. There are some security concerns if you have a port directly connected to the internet, but even that I personally am not too concerned if it uses a private non-standard network address (like say 172.30.14.0/24) and a proper cryptographically randomly generated password (say from some keepass version).

If it's on the inside of a firewall I think it's a fine switch, inexpensive, and not very physically large.

Some of the other issues that earlier versions had have been mitigated by the current firmwares on the v3 or later devices (the only thing they're selling now). (I do wish they'd have a setting to make it listen on only the one management vlan)

I didn't say they were terrible or anything super strong... just that I'd stay away from them. Aside from the security considerations, they also have an issue where they could pick up an IP via DHCP from any of the networks (if the switch is set to DHCP) because you can't set a management VLAN. I have one of these (the 105E) and I also have one at my dad's house (the 116E). I regret the purchase of these units because there are more capable units for the same price. I advise against this series of switches for these and other reasons. (I do actually really like my TP Link T1600G-28PS, so I'm not saying that I don't like any TP-Link switches)

But I have seen the zyxel in amazon and it is about 120€.
Well it is the PoE version, could not found other one.

There is some zyxel 1200-5 but it seems they are not supporte by openWRT.

(well, here it is too late, so I am going to bed, thank you all very much, will continue reading tomorrow).

Yeah, they're not terrible, if you can find ZyXEL devices cheaper then sure, go for it, and the higher grade switches like the T1600G-28 and similar are really quite nice. On Amazon right now the 8 port ZyXEL is $65 where as the tplink is $30

I haven't found anything that routinely is available and compares in price, and I NEVER use DHCP for switches, so the main "bug" for me is the potential security issue where if you have a port directly connected to the internet it's technically possible under some circumstances for an internet person to send packets to the switches management interface. That'd be hard to exploit in practice and with a good password essentially impossible to exploit.

agreed with @ariznaf that pricing is not always great on competing products.

THere's no need to run the OpenWrt on the switch, you can use stock firmware on these switches.