Firetrak

Member
Oct 24, 2014
131
0
76
So basically I need to segment a network, never done it before. I know I can create a physical Y-shaped network with 3 routers, but that seems too silly; surely I can do this with just one router and a smart/managed switch.

One side will have credit card info. The other side will have the rest of the traffic like web browsing, cameras etc.

What's the best way to do this?

I figured VLANs, but it's really hard to find a VLAN router for under $200 that anyone sells, except online stores.

My other thought was subnetting, but I'm not really experienced in that either.

Any help would be super useful.

So far I was thinking of buying these two items.

switch supports vlan
2 xNETGEAR 8 Port Gigabit Smart Switch - Lifetime Warranty (GS108T) - Newegg.com

router doesn't unless i flash it with some other firmware, please advise?
ASUS RT-N66U Dual-Band Wireless-N900 Gigabit Router - Newegg.com

I think I settled on getting the Asus RT-N66U and flashing the firmware to use DD-WRT, what say you good people?

Would this be the correct physical setup as well?

RT-N66U router, Lan port1 > switch1 >...
RT-N66U router, Lan port2 > switch2 >...

switch1 > browsing machines using 192.168.2.xxx
switch2 > credit card terminals using 192.168.3.xxx

Lastly, by using that kind of setup, do the switches need to support VLANs, considering they are physically separated?

OR can I do VLANs using only 1 switch and simply have ports 1 and 2 connect to the same VLAN-capable switch?
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
I use DD-WRT. I would try the gurus at the DD-WRT forums and see what they say. I have never used a VLAN before.
 

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
If you want to use VLANs, you're not going to do it on a $40 SOHO switch or router, it's just not gonna happen.

That being said, you *can* create two separate networks (192.168.1.x and 192.168.5.x or whatever) and not route between them, but we'd really need to know more about what you're trying to accomplish here. Does the equipment on the two networks need to talk to each other? You mention credit cards so I'm assuming you need to be PCI-DSS compliant.
 

Scarpozzi

Lifer
Jun 13, 2000
26,389
1,778
126
I want to say my old Linksys running DD-WRT could have done VLANs. VLANs are just subnets featuring tagged traffic. Most home networks aren't complex enough to really need them because you don't typically use trunks. The concept is you can have 2-10-20 (whatever the limit is) VLANs on one trunk. You hook up ONE cable to ONE port and can allow your NIC to select the network or networks it needs to bind to in the software.

Most cheap switches don't have managed ports and are glorified hubs. It requires the capability to put different subnets on each port and/or tag traffic to enable VLANs. You'll likely need a few small-business-class switches to do this.
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
If part of your network is going to have credit card info running through it, this sounds like a business. Surely you can afford an ACTUAL managed switch and router. You can get a Dell 7048 off eBay for $800. This would do both VLANs as well as L3 routing in one package.
 

alkemyst

No Lifer
Feb 13, 2001
83,967
19
81
QFT...do not rely on home consumer goods for this. They are not as protected as business-class gear either.

With a device like this, just set up two VLAN interfaces (or three if you want a separate management VLAN).

Point your default gateway to your WAN address (or set up a default route).

Then assign whatever interfaces you want for each VLAN; the management VLAN can be reached through the virtual interface.

Turn off TELNET and HTTP (I'd recommend HTTPS too). Set up a crypto key for SSH.
 

Firetrak

Member
Oct 24, 2014
131
0
76
Hi guys, sorry for the late response, been working all weekend on this and this is what I did in the end.

I bought a Zyxel USG 20W, probably the best router/firewall I've used. High learning curve, but so many features.

I also got 2 Netgear smart/managed GS105E switches.

With the Zyxel I was able to virtually attach ports 1-2 to one subnet and IP and ports 3-4 to another IP and subnet using port roles.

So basically making two LANs.

I then created firewall rules so that neither LAN can talk to or see the other.

One LAN is used just for credit cards and the credit card server, the other for everyone else.

The router I got had a VLAN option, but to be honest it wasn't needed.

I turned off FTP, SSH, Telnet and VPN. As the network needs to be PCI compliant I wanted to err on the side of caution, and to be honest, it's only 30 mins from me and I'd rather be there to work on it if need be.

Thanks so much for all the help though, guys.

Oh, and lastly I tried to flash DD-WRT to my Asus N66U router, but it would have none of it, drove me crazy.
 
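The post above describes a firewall policy whose only job is "both LANs get out, neither LAN reaches the other". The following is an added example written for this thread, not the Zyxel USG configuration and not code from any poster: a first-match model of that policy, together with a "shadowed rule" check that catches the most common way such a policy silently fails (a broad "LAN may go anywhere" rule placed above the inter-LAN denies, which makes the denies unreachable). The subnets are the ones proposed earlier in the thread (192.168.2.0/24 browsing, 192.168.3.0/24 card terminals); the rule names and the Internet test address 203.0.113.1 are constructed.

```python
"""First-match firewall policy model with shadowing and intent checks.

Added example for this thread; not vendor syntax and not any poster's
configuration. Rule names and 203.0.113.1 (TEST-NET-3) are constructed.
"""
import ipaddress
from typing import NamedTuple

IPv4Net = ipaddress.IPv4Network


class Rule(NamedTuple):
    name: str
    src: IPv4Net
    dst: IPv4Net
    action: str  # "allow" or "deny"


ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.2.0/24")         # browsing machines, cameras, ...
CC = ipaddress.ip_network("192.168.3.0/24")          # card terminals and CC server
INTERNET_HOST = ipaddress.ip_address("203.0.113.1")  # constructed Internet destination

# What the operator intends: both LANs reach the Internet, neither reaches the other.
# (source subnet, destination host, expected action)
INTENT = [
    (LAN, CC[10], "deny"),
    (CC, LAN[10], "deny"),
    (LAN, INTERNET_HOST, "allow"),
    (CC, INTERNET_HOST, "allow"),
]

# Tempting but wrong: "LAN may go anywhere" is listed before the inter-LAN denies,
# and "anywhere" includes the other LAN.
BROKEN = [
    Rule("lan-out", LAN, ANY, "allow"),
    Rule("cc-out", CC, ANY, "allow"),
    Rule("lan-to-cc", LAN, CC, "deny"),
    Rule("cc-to-lan", CC, LAN, "deny"),
]

# Fixed: the specific denies come first, the broad allows after them.
FIXED = [
    Rule("lan-to-cc", LAN, CC, "deny"),
    Rule("cc-to-lan", CC, LAN, "deny"),
    Rule("lan-out", LAN, ANY, "allow"),
    Rule("cc-out", CC, ANY, "allow"),
]


def evaluate(rules, src_ip, dst_ip, default="deny"):
    """First matching rule wins; unmatched traffic hits the default policy.
    Returns (action, name_of_rule_that_decided)."""
    src = ipaddress.ip_address(str(src_ip))
    dst = ipaddress.ip_address(str(dst_ip))
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action, r.name
    return default, "default"


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule already covers every
    packet they describe. Returns [(shadowed_rule, rule_that_shadows_it)]."""
    found = []
    for j, r in enumerate(rules):
        for earlier in rules[:j]:
            if r.src.subnet_of(earlier.src) and r.dst.subnet_of(earlier.dst):
                found.append((r.name, earlier.name))
                break
    return found


def intent_violations(rules):
    """Probe one host (.10) from each source subnet against each intended
    destination and report where the policy disagrees with INTENT."""
    bad = []
    for src_net, dst_ip, expected in INTENT:
        action, matched = evaluate(rules, src_net[10], dst_ip)
        if action != expected:
            bad.append((str(src_net[10]), str(dst_ip), expected, action, matched))
    return bad


if __name__ == "__main__":
    for label, policy in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, "shadowed:", shadowed_rules(policy))
        print(label, "violations:", intent_violations(policy))
```

The shadowing check is worth running on any first-match rule base, not just this one: a rule that is fully covered by an earlier rule with a different action is dead, and the product's GUI will happily show it as if it were doing something.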

avos

Member
Jan 21, 2013
74
0
0
The last small business that came to me to set things up for them, I used a Ubiquiti 3-port EdgeRouter and 1 of those Netgear smart switches you linked. Also a UniFi AP. They wanted a Private LAN, Guest WiFi, Secure WiFi, and a credit card reader LAN. (Or rather that is what I suggested.) That was the best setup I could come up with for right around 300 bucks and it has been working excellently for them.

I will say though, if you want to use the EdgeRouter as a zone-based firewall, be prepared to make a lot of CLI entries.

Basically on the EdgeRouter I have 1 port as the WAN, 1 port as Private LAN with a VLAN-tagged sub-interface for the CC LAN. The 3rd port I have for Guest WiFi with a VLAN-tagged sub-interface for Secure WLAN.

In your case however, if you just want 2 networks, you wouldn't need to deal with VLANs on the router at all. Just use port 2 as LAN and port 3 as CC LAN.
The only downside to doing it this way is that you need to run 2 cables to the switch instead of one. Each cable would then go into a port that was untagged and had the PVID set for whichever VLAN it goes to.

Then on the switch you would create your VLAN. If you are using only 1 interface and VLANs on the router, leave the PVID at 1 and tag the port for your other VLAN, leaving the Default_VLAN untagged.

Then simply change the PVID to your CC LAN VLAN on whichever port the CC reader is plugged into. Also change that port to have that VLAN as the untagged traffic and remove it from the Default VLAN.

I'm hesitant to recommend the EdgeRouter for this though. I love them for the price point, but to do anything fancy you need to feel comfortable using Vyatta directly. There are some great guides on their forum to follow for a setup like this though.
 

Firetrak

Member
Oct 24, 2014
131
0
76
Hi Avos, thanks for the response. I went with a Zyxel USG 20 firewall/router and two of those switches. So LAN1 went to one switch, LAN2 to another, and both had two different subnets. Plus firewall rules to keep them completely separated, then I put the WiFi on the DMZ.

I'd still love to know how to do VLANs though, and honestly I am not a networking guru by any stretch, so the complexity puts me off a little.
 
Feb 25, 2011
16,797
1,474
126
VLANs by themselves aren't all that complicated. It's just that they weren't the only piece of the puzzle for your problem.

Look at the two switches you bought.

◘◘◘◘◘◘◘◘ | ◘◘◘◘◘◘◘◘

You already understand that they are logically, as well as physically separate.

Imagine them duct taped together.

◘◘◘◘◘◘◘◘◘◘◘◘◘◘◘◘

Physically, no longer separate, but logically still separate - they will continue to behave as two switches.

Now, imagine if you could pick, for each port, which switch it belonged to.

◘◘◘◘◘◘◘◘◘◘◘◘◘◘◘◘

That's how VLANs work. Except that instead of 2 virtual switch choices, you have a crapton of them (around 4,000).

◘◘◘◘◘◘◘◘◘◘◘◘◘◘◘◘
 

Firetrak

Member
Oct 24, 2014
131
0
76
Why can't you live in Los Angeles haha.

I basically understand the concept, I just don't know how to tag the ports, if that's the term, and basically program the router. Sadly the documentation for the Zyxel I got is really bloody sparse.

Honestly the install at the restaurant went well. And if I had more time, I'd prefer to have gone the VLAN route just for the learning experience.

I have another restaurant to do in 2 weeks, and in saying that I have a $200 budget for my router.

Other than the Zyxel USG 20, is there anything else in that range that can do VLANs, that you understand and, if you're willing, could help me program?
 

azazel1024

Senior member
Jan 6, 2014
901
2
76
Look at the management console. Go under the VLAN tab. Should be relatively straightforward. The router doesn't need to support VLANs if the switch does. On most switches (and probably routers) you tag each port with which VLAN group you want. Easy peasy. Just tag the ports with VLAN 1, 2 or 3 as appropriate. Then the internet port (if you want all of them to get out) connected to the router you make a member of 1, 2 and 3.

An $80 semi-managed 8-port switch or a $130 semi-managed 16-port switch will handle VLANs just fine.
 
Feb 25, 2011
16,797
1,474
126
This is half-true. The router would need to support VLANs as well. Google "router on a stick."

But yeah, there are too many different switches, with too many different configuration methods. That's solidly in Gotta-RTFM territory.
 

Firetrak

Member
Oct 24, 2014
131
0
76
Both the router and switches I got support VLANs, so I'll just need to get them early enough for the next build and figure it all out.
 

Adamantine

Junior Member
Jul 7, 2008
20
0
0
Cisco enterprise switches configure the VLANs via the interface (meaning the actual port), whereas non-Cisco enterprise managed switches typically add the interface to the VLANs. There's also a Linux way of doing things, except I don't really mess with that crap even though I run Tomato on my Netgear R7000. The Linux command structure doesn't seem to be anything like the enterprise command structure.

See example below for VLAN config:

Cisco (IOS; lines starting with "!" are comments):
vlan 10
 name internet_lan
vlan 20
 name cc_lan
!
interface GigabitEthernet0/1
 description browsing machines
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description credit card terminals
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/8
 description trunk to router
 switchport mode trunk
 ! carry only the two VLANs that belong on the trunk
 switchport trunk allowed vlan 10,20


Non-Cisco (Brocade/FastIron-style syntax, where the port is added to the VLAN):

vlan 10 name internet_lan
 tagged ethernet 8
 untagged ethernet 1
!
vlan 20 name cc_lan
 tagged ethernet 8
 untagged ethernet 2

If the config doesn't look like either of the two above examples, then it's probably Linux-based. If it's Linux, good luck with that shit.
 
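Both vendor configs above, and avos's PVID/untagged/tagged steps earlier in the thread, describe the same three per-port settings. The following is an added example written for this thread, not code from any poster or vendor: a small model of how a managed switch applies those settings to a frame, using the port layout from the configs above (port 1 untagged in VLAN 10, port 2 untagged in VLAN 20, port 8 a trunk to the router carrying both tagged). It also reproduces the mistake avos warned about, moving a port's PVID to the card-terminal VLAN without removing the port from the default VLAN, and shows why that leaks. The MAC addresses and payloads are constructed.

```python
"""802.1Q port behaviour model: PVID, untagged membership, tagged membership.

Added example for this thread; not a vendor implementation. MAC addresses,
payloads and the "ports 3-7 unused" layout are constructed for the demo.
"""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100
BCAST = b"\xff" * 6
MAC_PC = bytes.fromhex("020000000001")      # constructed, locally administered
MAC_ROUTER = bytes.fromhex("020000000008")  # constructed


@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs this port transmits untagged
    tagged: set = field(default_factory=set)    # VLANs this port transmits tagged

    def member_of(self, vid):
        return vid in self.untagged or vid in self.tagged


def build_frame(dst, src, tail, vid=None):
    """Ethernet II frame; `tail` is EtherType + payload. When vid is given, a
    802.1Q tag (TPID 0x8100, PCP/DEI 0, 12-bit VID) goes after the source MAC."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + tail


def parse_frame(frame):
    """Return (dst, src, vid or None for an untagged frame, tail)."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, frame[16:]
    return dst, src, None, frame[12:]


def forward(switch, in_port, frame):
    """Flood `frame` arriving on `in_port` to every other member of its VLAN.
    No MAC learning, so every frame behaves like a broadcast, which is the
    worst case for isolation. Returns {egress_port: frame_as_transmitted}."""
    dst, src, vid, tail = parse_frame(frame)
    port = switch[in_port]
    if vid is None:
        vid = port.pvid            # untagged ingress is classified by the PVID
    elif not port.member_of(vid):
        return {}                  # ingress filtering: tag for a VLAN this port is not in
    out = {}
    for num, p in switch.items():
        if num == in_port:
            continue
        if vid in p.tagged:
            out[num] = build_frame(dst, src, tail, vid)   # leaves with the tag
        elif vid in p.untagged:
            out[num] = build_frame(dst, src, tail)        # tag stripped
    return out


def example_switch():
    """Layout of the two configs in the thread (ports 3-7 omitted)."""
    return {
        1: Port(pvid=10, untagged={10}),                 # browsing PC
        2: Port(pvid=20, untagged={20}),                 # card terminal
        8: Port(pvid=1, untagged={1}, tagged={10, 20}),  # trunk to the router
    }


def misconfigured_switch():
    """PVID on port 2 moved to 20, but the port was left untagged in VLAN 1."""
    s = example_switch()
    s[2] = Port(pvid=20, untagged={1, 20})
    return s


def multi_untagged_ports(switch):
    """Config check: a port untagged in more than one VLAN receives both
    VLANs' traffic with no tag, so the attached device sees both."""
    return sorted(n for n, p in switch.items() if len(p.untagged) > 1)


def egress_vids(switch, in_port, frame):
    """{egress_port: VID on the wire, or None if sent untagged}."""
    return {n: parse_frame(f)[2] for n, f in forward(switch, in_port, frame).items()}


if __name__ == "__main__":
    pc_bcast = build_frame(BCAST, MAC_PC, b"\x08\x00" + b"who-has")
    vlan1_bcast = build_frame(BCAST, MAC_ROUTER, b"\x08\x00" + b"mgmt", vid=1)
    print("PC broadcast on port 1        ->", egress_vids(example_switch(), 1, pc_bcast))
    print("PC self-tagged as VLAN 20     ->", egress_vids(example_switch(), 1,
          build_frame(BCAST, MAC_PC, b"\x08\x00x", vid=20)))
    print("VLAN 1 broadcast, good config ->", egress_vids(example_switch(), 8, vlan1_bcast))
    print("VLAN 1 broadcast, bad config  ->", egress_vids(misconfigured_switch(), 8, vlan1_bcast))
    print("ports untagged in >1 VLAN     ->", multi_untagged_ports(misconfigured_switch()))
```

Two things the model makes concrete: a host on an access port cannot hop into the card-terminal VLAN just by tagging its own frames, because the port is not a member of that VLAN and ingress filtering drops them; and the "PVID changed but still untagged in VLAN 1" state does isolate what the terminal sends (its frames go to VLAN 20) while still delivering VLAN 1 traffic to it, which is why avos says to remove the port from the default VLAN, not just change the PVID.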

Firetrak

Member
Oct 24, 2014
131
0
76
Haha, getting it tonight so I'll play with it then. :)