Router, switch, AP and vlans? How to connect them?

I'm struggling to understand/manage my network the way I want, and I'm just asking for a way to configure it, not how to do it, just how to configure it, and then I'll do it on my own.

Basically I have a router (R4S SW), to which a managed switch (Netgear) is connected, and then an Access Point (Netgear WAX206 DSA). Now I'm using 3 subnets and the firewall and DHCP on the AP to separate them, in this way:

But I would like to extend my main lan from the router to the AP and then add 2 vlan for the iot and guest zones.

And now I don't know what/how to do this. Is it better to use two cables from the switch to the AP and use one for the main lan and one for the other vlans? Or create them on the router?

I mean this:

Or create the vlans on the router and bring all of them (tagged/untagged) to the switch?

And in both cases, how to use the tagged and untagged? Because every time I tried, I ended up either locking my PC out of the router or having no access from the guest/iot zones.

Thanks!

For your network design, I would have your R4S handle all networks, VLANs, their DHCP service and DNS. Keep all that on one device to keep things simple.

Tag all the VLANs exiting your lan port on the R4S and send them to your switch, also configured to recognize the incoming tagged VLANs. At a minimum you need to tag IOT and Guest. You can leave main untagged if you like (most will probably say tag them all, but I leave one VLAN untagged in my set up), but here is the rule: only one vlan can be untagged - otherwise there is no way to tell the different VLANs apart.

Configure the switch to receive all the different tagged VLANs and, depending on how you handle main, untagged or tagged main, on the incoming switch port connected to your R4S lan port. Then route different VLANs to other switch ports as desired. The switch port that your AP is connected to should be configured to have tagged VLANs for IOT and guest at a minimum, and how you deal with main will dictate if main is tagged or untagged on this port.

Configure your AP to receive all the different tagged VLANs (and if untagged, untagged main) on the incoming port connected to your switch port. You'll need to define bridges for all your VLANs to attach them to your SSID's connected to each VLAN, the network file for which is a bit less streamlined on swconfig devices. Do NOT configure DHCP service on the dumb AP (or DNS for that matter) - leave that job for your R4S.

I set up the firewall on my R4S, switch and APs to recognize all the vlan zones and allow them DNS and DHCP service. Probably just to have that configured as a template on all my devices, but to be honest, I have never removed them to see if things still work. I recognize the firewall on the R4S should handle it, and a managed switch and dumb AP should not need duplicate firewalls.

4 Likes
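As an added example (not the poster's own configuration), here is what the router side of that answer looks like in UCI on an OpenWrt release with bridge VLAN filtering: VLAN 1 (main) leaves the LAN port untagged and is the port's PVID, VLANs 20 (guest) and 50 (iot) leave it tagged, and all three networks get their addresses and DHCP from the R4S. The port name eth1, the 192.168.20.0/24 and 192.168.50.0/24 subnets and the router address are assumptions; the VLAN numbers and the zone names follow the thread. The guest and iot interface names are the ones the posted /etc/config/firewall already references, so the zones there pick them up unchanged.

```uci
# /etc/config/network on the R4S (added example; eth1 assumed to be the LAN port)

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

# Exactly one VLAN may be untagged on the trunk: main (VLAN 1).
# ":u*" = egress untagged and PVID, so untagged ingress frames land in VLAN 1.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1:u*'

# guest (VLAN 20) and iot (VLAN 50) are tagged on the same cable to the switch.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'eth1:t'

# One L3 interface per VLAN; the firewall zones 'lan', 'guest' and 'iot'
# in the posted /etc/config/firewall refer to these names.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.50'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp on the R4S: DHCP (and DNS via dnsmasq) stays on the router only.

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
```

On the managed switch the matching setting is: the port facing the R4S and the port facing the AP are members of VLAN 1 untagged (PVID 1) and of VLANs 20 and 50 tagged; a port meant for a wired iot device would instead be untagged in VLAN 50 with PVID 50. Because the firewall's input policy for the guest and iot zones is DROP, the DHCP and DNS accept rules already present in the posted firewall are what let clients on those VLANs reach dnsmasq on the router.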

Can you clarify this a bit? AFAIK you'll still need to set up a bridge VLAN if you want to link an SSID to a wired interface.

1 Like

Thank you for pointing that out.

I'm so enamored with the streamlined DSA configuration network file syntax, I forgot a "config-bridge-vlan" and "config interface" section in the network file are still entered for each vlan.

I'll edit my post a bit accordingly.

1 Like

@giuliomagnifico this example for an all-in-one router is not exactly what you are after, but the general setup in the files may be helpful nonetheless.

1 Like

Got the setup working thanks to @eginnc @spence suggestions!

EDIT: got also Apple HomeKit/Home working on the separate VLANs.

Now if I join the iot/guest WLAN I'm unable to open a 192.168.1.x page, but I'm able to browse the internet, and the 'iot' WLAN is able to update the HomeKit device; Alexa devices are also working fine, obviously.

I'm a bit unsure of two things. One is about the Netgear switch configuration, since with this firmware and only the GUI interface, it's hard to understand...
The router/r4s is on port 3 of the switch, and the AP/wax206 on port 4. Now I have tagged ports 3-4 with VLANs 1, 20, 50 (VLAN 10 is one more VLAN, just in case I need it). Is this correct?



And the other is the firewall, I configured it in this way:

root@R4S:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	list network 'wan'
	list network 'wan6'
	list network 'modem'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

config zone
	option name 'iot'
	option output 'ACCEPT'
	list network 'iot'
	option input 'DROP'
	option forward 'DROP'

config zone
	option name 'guest'
	option output 'ACCEPT'
	list network 'guest'
	option input 'DROP'
	option forward 'DROP'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'iot'

config rule
	option name 'IoT DHCP'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'IoT DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'IoT 80'
	option src 'iot'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'IoT 443'
	option src 'iot'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'IoT mDNS'
	list proto 'udp'
	option src 'iot'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'

config rule
	option name 'Netatmo'
	list proto 'tcp'
	option src 'iot'
	option dest_port '25050'
	option target 'ACCEPT'

Thanks for the "final" help :slight_smile:

That looks about right. The Netgear OEM UI shows VLAN 1 untagged by default, and the ports that are in the other VLANs as well are presumably tagged (going on your screenshot for VLAN 20), so should be okay.

1 Like

Perfect thanks for the confirmation!

Yes of course, I posted only one VLAN, others (10, 20 and 50) are the same, tagged on port 3 and 4. The Netgear UI is terrible :sweat_smile:

I also disabled the firewall and dnsmasq on the WAX206/Access Point. All is working; this setup is way easier than having different subnets, it's only a bit harder to "understand mentally" before starting to build it!

1 Like

Looks Good! :+1:

^^^ That may be a statement that it is as you planned, but if not...
I'm no firewall expert, but if you expect to see a 192.168.1.x page from the iot and guest networks based on your firewall rules, then you could look at the rule hit counters in nft (assuming that you are on firewall4 on your R4S).
CLI: nft list ruleset
LuCI: https://192.168.1.2/cgi-bin/luci/admin/status/nftables
Follow the chain. If a rule you expected to be used for the access has counter '0', then figure out why. Unfortunately, with multiple devices in the source network, the counter may be going up if those other devices make use of the rule, but that is a clue as well.

Also, I see in your WAX206 screen shot that you have IP addresses on the guest and iot interfaces. That is not needed for forwarding Ethernet frames through the WAX206.

If you don't want potential malware on iot or guest devices to bypass your firewall by setting their own gateway to the IP on the WAX206, then remove the IP config from those interfaces.

In luci, set "Protocol" to "Unmanaged" for interfaces "guest" and "iot".

In cli, it should look something like these:


config interface 'guest'
	option proto 'none'
	option device 'br-lan.20'

config interface 'iot'
	option proto 'none'
	option device 'br-lan.50'

Access from networks other than 'lan' to manage the WAX206 via its lan interface IP address is then controlled by the firewall.

I agree that the netgear switch VLAN setup looks correct.

2 Likes
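The AP side of the earlier answer and of this post, as an added example that is not either poster's own configuration: the WAX206 receives main untagged plus guest and iot tagged on its uplink, keeps an address only on the main VLAN for management, carries the two other VLANs with proto 'none' so a compromised client cannot use the AP as a gateway around the R4S firewall, and binds each SSID to its VLAN through the interface name. The uplink port name lan1, the AP's address 192.168.1.3, the radio name radio0 and the SSID names and keys are assumptions; the VLAN IDs and interface names match the thread.

```uci
# /etc/config/network on the WAX206 acting as a dumb AP (added example; lan1 assumed to be the uplink)

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

# Same trunk layout as the switch port it hangs off: VLAN 1 untagged + PVID, 20 and 50 tagged.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan1:t'

# Management address only on main; gateway and DNS point at the R4S.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.3'
	option netmask '255.255.255.0'
	option gateway '192.168.1.2'
	list dns '192.168.1.2'

# Layer-2 only: no IP on the AP in the guest and iot VLANs, so nothing on
# those VLANs can set the AP as its gateway; frames are just bridged to the trunk.
config interface 'guest'
	option device 'br-lan.20'
	option proto 'none'

config interface 'iot'
	option device 'br-lan.50'
	option proto 'none'

# /etc/config/wireless on the WAX206: 'option network' ties each SSID to a VLAN.

config wifi-iface 'wifinet_main'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Home'
	option network 'lan'
	option encryption 'sae-mixed'
	option key 'CHANGE-ME-main'

config wifi-iface 'wifinet_guest'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Guest'
	option network 'guest'
	option encryption 'psk2'
	option key 'CHANGE-ME-guest'
	# guests get internet only, not each other
	option isolate '1'

config wifi-iface 'wifinet_iot'
	option device 'radio0'
	option mode 'ap'
	option ssid 'IoT'
	option network 'iot'
	option encryption 'psk2'
	option key 'CHANGE-ME-iot'
```

With proto 'none' on guest and iot the AP has no route into those subnets at all, so reaching its LuCI page from a guest or iot client is decided purely by the R4S firewall, as the post above says. Leave isolate off on the iot SSID if HomeKit or similar devices need to discover each other within the VLAN.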

No it's perfect thanks!

Oh, great tip yes, already done!

config interface 'iot'
        option device 'br-lan.50'
        option proto 'none'

config interface 'guest'
        option device 'br-lan.20'
        option proto 'none'

Another tip that I can share is about the (cool?) dashboards that I'm making with Prometheus and Grafana.

I went crazy trying to understand why the exporter wasn't working anymore with the "new layout" of the interfaces, so I tried br-lan, br-lan.1, eth0/1, etc... but nothing. The only solution that I found to have node-exporter correctly write the metrics on localhost:9100/metrics is... put an asterisk in
/etc/config/prometheus-node-exporter-lua. This worked for both R4S and WAX206. Probably the exporter "doesn't understand" the VLANs as interfaces.

:face_with_raised_eyebrow:

config prometheus-node-exporter-lua 'main'
        option listen_interface '*'
        option listen_port '9100'
        option listen_ipv6 '0'

...maybe this stupid fix could be useful for someone else.

1 Like

Yes, already did it, it's in the last post above yours! :slightly_smiling_face:

Thanks anyway for the suggestion!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.