VLAN Setup to Extend Home Network

Thanks for the replies.

Unfortunately due to the number of floors and the layout of the house I'm only able to route the one cable.

The fibre broadband comes in at the front of the house on the ground floor and the main router is at the other end of the house on the second floor. The fibre box connects to the router via an outside-graded CAT6a cable. However, before the outside CAT6a cable was installed, the router was previously installed on the ground floor on an interior cable. I want to extend my private LAN and guest LAN to a second AP/router using that existing cable.

AP/router_1 and AP/router_2 won't physically talk to each other directly, hence the use of VLANs, as I will now carefully explain:-

  • AP/router_1 will route private LAN (VLAN_2), Guest LAN (VLAN_10) and WAN (VLAN_1) down the physical WAN port, thus creating a VLAN trunk.

  • At the other end of this trunk will be a small, 5-port, managed switch where I will split the WAN traffic (VLAN_1) off to the fibre modem to acquire an internet connection.

  • The remaining 2 VLANs (VLAN_2 & VLAN_10) will route down the old CAT6a interior cable from this 5-port switch to another VLAN-capable, OpenWrt-supported router/AP (AP/router_2).

  • On AP/router_2 will be the Private LAN and Guest LAN with identical SSIDs to AP/router_1. I also intend to utilise the LAN ports on AP/router_2 so that they are on the Private LAN.

In short, AP/router_2 will be an extension of AP/router_1 through its physical WAN port, which is also being used to provide an internet connection to AP/router_1.

Hope that made sense.

Will

1 Like

This is a "textbook example" of the use of VLANs -- carry multiple, independent packet streams over a single cable.

2 Likes

UPDATE: My Netgear ProSafe 24-port Gigabit Switch arrived today and I've been playing around with the VLANs. I have a guest network and a private network set to two different ports. Here's a screenshot of the OpenWrt switch configuration in LuCI.

Here's the screenshot of Netgear's VLAN Configuration

Netgear VLAN ID 1 (WAN)

Netgear VLAN ID 5 (Private LAN)

Netgear VLAN ID 10 (Guest LAN)

Netgear PVID
Setting these two to separate ports I was able to achieve a guest network on port 5 and a private network on port 6. However, I would like to combine the two LANs together to send to another OpenWrt router. This will be done using the existing cable on the ground floor I mentioned earlier. Do I need these PVIDs?

Possible idea; I could be completely wrong. Leaving Netgear's port 5 dedicated to the Guest LAN and port 6 to the Private LAN, if I were to set VLANs 5 and 10 both to tagged on port 24, would this trunk the two LANs on one port ready for the receiving switch to de-trunk them? Please see screenshots.


I think what you want to achieve is possible; however, it would be much easier to help you with the configuration if you created a diagram of the devices and the physical connections. It can be an image, or you can use asciidraw and paste it here as preformatted text </>

1 Like

I shall download Cisco Packet Tracer and draw up the designs :+1:

Okay, Cisco Packet Tracer was too complex and fiddly. Instead I've used Visio from Microsoft. Here's the result.

AP/Router1 is the main router and connects to the ONT/fibre modem downstairs.

In my previous setup there was a cable between the ONT/fibre modem and AP/router2, hence I want to use VLAN trunking to connect AP/router1 and AP/router2 indirectly, using the WAN cable as the trunk (shown at the top of the picture) to bridge them together. Simply put, the trunk connects upstairs to downstairs.

With this in mind I want to route the three VLANs from AP/router1 through to the 5-port switch, where VLAN 20 (WAN) carries on through to the ONT/fibre modem and VLANs 5 (Guest LAN) and 10 (Private LAN) go off to AP/router2.

In regards to the LAG (Link Aggregation), I'm hoping to connect all four Gigabit LAN ports on the OpenWrt router to four ports on the 24-port switch. The Netgear ProSafe GS724T supports LAG; however, from my understanding LAG has to be supported at both ends, so I would need to configure OpenWrt with LAG support??

If I'm correct, I did look on the forums and someone mentioned installing the kmod-bond package. Apart from that, how do I physically bond the connections? As my LAN goes through eth0 and the WAN goes through eth1, I thought about segmenting the four physical RJ45 connections on the back into their own VLANs so I could bond them together somewhere in OpenWrt??

With the trunk on the WAN port and the LAG ports separated it results with the following:-

Looks possible to achieve. Most of the job is done by the switches, so if you configure them correctly there is not much to do in OpenWrt.
On the 5-port switch, configure one port in access mode (or untagged) for the ONT modem in VLAN20. The other connections are trunk (or tagged) with the VLANs you need.
The same applies to the 24-port switch. Trunk the port towards the 5-port switch and trunk the port towards the AP/Router-1.
You cannot have the LAG in different ports with different VLANs though. First you need to configure the LAG for the ports, and then you assign VLANs on the LAG interface.
One more thing: it is pointless to add VLAN20 to the LAG, as your bottleneck is the single connection through the exterior Cat6 cable. In fact I don't see much point in LAG anyway, unless you expect to have a vast amount of traffic between Guest and Private VLANs on the upper floor.

1 Like

The reason for the LAG is because I'm planning on connecting my NAS and Dell PowerEdge Server with 4 Gigabit Ethernet leads each (total 8) so that Wi-Fi and cable clients can share traffic more fairly, hence I want to have a 4 LAG link back into the router.

The bottleneck of the SoC having only one or two [R]GMII interfaces to the switch fabric makes me question the value of such a setup.

3 Likes

Wi-Fi clients will hardly tickle the gigabit connection of the wired server.
The wired clients will use the switch fabric rather than the OpenWrt router to communicate with the servers.
So I don't see the point in that.

2 Likes

So you reckon just one connection between the LAN port of the router and the switch would be enough bandwidth for all of the cabled devices wired into the switch?

I would essentially have the following connected to the 24-port switch:-

  • Dell PowerEdge: 4 x 1 Gbps ports
  • QNAP NAS: 4 x 1 Gbps ports
  • Desktop PC: 1 x 1 Gbps port
  • PS3: 1 x 1 Gbps port
  • PS4: 1 x 1 Gbps port
  • Rock64 single-board computer: 1 x 1 Gbps port

One connection from the 24-port switch to the LAN port of the router, or if it makes you feel better you can make it 2, one for the Private VLAN and one for the Guest. Then one more connection to the WAN port. If you go for the 3-port option, all can be access ports. If you combine Private and Guest VLANs then you need to use a trunk port there. The WAN can still be access.
All the devices attached to the switches and in the same VLAN will not go through the router to communicate with each other.

I'm going to stick with the trunk linking the Private LAN, Guest LAN and WAN on the single WAN port so that I can extend the connection down to the small 5-port switch, and then have a single connection between one of the 4 LAN ports and the switch as, like you said, the switch fabric will do all of the talking to one another.

1 Like

Going back to the topic of the VLANs in OpenWrt. On my second AP would I need to have a similar switch setup? The incoming WAN port would be untagged and this would be carrying my two LANs. I would then need to create two VLANs, Private LAN and Guest LAN, using the same VLAN IDs as my main AP/router1 and connect them to two DHCP client interfaces?

P.S. I suppose if I wanted to connect a wired client to one of the 4 free LAN ports on the second AP/router I would just assign an untagged port to one of the interfaces and set the matching VLAN in the interface settings?

If I were setting it up, the second AP would not provide any services other than the AP itself. I would use tagged VLANs on all your trunks as then there is no question as to how an untagged packet should be handled. (I have my switches' trunked ports and trunked devices set to drop all untagged packets to enforce clear tagging and "prevent" surprises.)

Yes, it's OK to use the port labeled "WAN", though you'll need to assign it to the proper firewall zone (without NAT, DHCP, and all).

I personally use a "special" management VLAN to keep "everybody" from accessing the router and other devices. This may be a later enhancement to consider.

1 Like

I just recently set up VLANs for myself for the first time, so I don't consider myself an expert. Just a couple of remarks.

  1. Learn the basics and terminology (for example, trunking and tagging are just different names for the same thing). I highly recommend the book Packet Guide to Routing and Switching (O'Reilly).
  2. As you already guessed, you can't set the WAN port as tagged, because it would mean you're sending tagged packets to your ISP. Instead you need to tag the LAN ports and route all traffic to the WAN.
  3. Also make sure you know your device's hw switch. For example, in my case one of my routers (in the role of AP) doesn't have all ports connected to the hw switch, meaning that port (labelled as WAN) cannot be used in the VLAN config.

So for trunking the Private LAN, Guest LAN and WAN to the physical WAN port does the above switch configuration look correct?

I don't know if I'm being really thick, but I'm struggling to connect the LAN ports on the back of the router to the switch and then isolate the top and bottom rows on the switch, the top being Private LAN and the bottom being Guest LAN. Every time I do it I'm unable to acquire a connection and, weirdly, my PC freezes.

Well, reading your posts once again, you can ignore my comment about sending tagged packets to the ISP with WAN port tagging, because I didn't realise you also have a modem connected to the switch in play. With your switch config, I see at least one potential problem: mixing tagged and untagged packets on the WAN port. Some devices support this, but some will just freeze with this config. I would say the WAN port should not be part of any private VLAN. Normally, to access the internet from a private LAN you need to set up routing LAN->WAN, but in your case WAN seems to be just a regular port.
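A constructed model of how the 5-port switch's ports classify and forward frames, added here as an example (not the thread's or OpenWrt's configuration): it shows the access/trunk layout from the earlier reply, why a trunk port that drops untagged frames avoids ambiguity, and how to spot the mixed tagged/untagged port this post warns about. Port numbers and VLAN roles are assumptions.

```python
# Constructed 802.1Q port model of the 5-port switch described in the thread
# (added example; not code from the thread or from OpenWrt). Port numbers and
# roles are assumptions for illustration:
#   port 1: trunk from AP/router1 carrying VLAN 20 (WAN), 5 (Guest), 10 (Private)
#   port 2: access port to the ONT/fibre modem, untagged in VLAN 20
#   port 3: trunk down the interior cable to AP/router2, VLANs 5 and 10 only
# "pvid" is the VLAN that untagged ingress frames join; None means the port
# drops untagged frames, the trunk-port policy recommended in the thread.
SWITCH5 = {
    1: {"tagged": {5, 10, 20}, "pvid": None},
    2: {"tagged": set(), "pvid": 20},
    3: {"tagged": {5, 10}, "pvid": None},
}

def ingress(cfg, port, vid):
    """VLAN a frame arriving on `port` is placed in (vid=None: arrived untagged),
    or None if the switch drops it."""
    p = cfg[port]
    if vid is None:
        return p["pvid"]                        # untagged: PVID, or drop
    return vid if vid in p["tagged"] else None  # tagged: must be a member

def egress(cfg, port, vid):
    """How a frame in `vid` leaves `port`: 'tagged', 'untagged' or None."""
    p = cfg[port]
    if vid in p["tagged"]:
        return "tagged"
    if vid == p["pvid"]:
        return "untagged"
    return None                                 # not a member: not forwarded

def forward(cfg, in_port, vid):
    """Flood a frame with an unknown destination; report egress mode per port."""
    v = ingress(cfg, in_port, vid)
    if v is None:
        return {}
    out = {port: egress(cfg, port, v) for port in cfg if port != in_port}
    return {port: mode for port, mode in out.items() if mode}

def mixed_ports(cfg):
    """Ports that carry tagged VLANs and also accept untagged frames: the mixed
    tagged/untagged situation the thread warns about."""
    return sorted(p for p, c in cfg.items() if c["tagged"] and c["pvid"] is not None)
```

Running `forward(SWITCH5, 2, None)` shows the ONT's untagged traffic leaving only towards AP/router1, tagged as VLAN 20, and never down the interior cable.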

Unfortunately, due to the wiring, this is the reason why I'm choosing to use the WAN connection. It provides WAN and the same cable goes back downstairs to another switch to make a wired bridge. That is the very reason why I'm trying to trunk the two LANs and WAN.