I want to separate my sons PC and wifi devices from default network.
Even though im familiar with neworking - subnetting with masks, DNS, DHCP, VPNs (wireguard, openvpn, zerotier) somehow VLANS and tagging has never clicked in my head.
I have classic problem and pretty classic setup - edgerouterX and unifi AP as wifi device. All devices are in the same LAN. What i want is:
- my son’s PC (cable) is separated from default network
- some particular wifi devices are also in this network (separate SSID)
- this network does not have access to default network …
- … except some few things like in this example (wifi) printer - everybody should have access to it
Ive watched 3 videos about Vlans and have seen this tutorial. https://help.ui.com/hc/en-us/articles/115012700967-EdgeRouter-VLAN-Aware-Switch but it doesn’t have double WIFI ssids.
So i still have questions.
- Should i remove my current LAN or should i just tag it with id: 1 (this is tag for default networks right?). I dont want to creat entirely new network as i have things assigned to my IPs (like subdomains but not only that)
- Should i tag eth1,eth2 and eth4 ports with tag id ‘1’ or should i just set ‘untag 1’ for eth3?
- eth4 should be “trunking” port right. Should i just set both tags on it - would it be enough?
This would be fine, except you’re going to need to configure a second network on your router, give it DHCP and DNS, and set up port forwarding rules for your shared devices.
I’ll be the guy though, why do you want to separate these devices from your network?
I don’t use the default VLAN (VLAN1) on my network; I have one port assigned to VLAN1 on my ER-X, which I can plug into for management access to the ER-X. Everything else is on its own VLAN.
I created a few VLANs on my ER-X, and then used simple firewall rules to deny or permit access from one VLAN to the next as needed.
So:
VLAN1 = Unused, assigned to 1 port on ER-X for management. Untagged.
VLAN2 = PCs, phones, etc.
VLAN3 = Smart TVs, other smart devices.
VLAN4 = Guest network.
With that said, your plan would also work.
Add VLAN2 for your kid’s devices. Add your NAT rules for internet access. Add Firewall rules to prevent access between VLANs. Add Firewall rules to allow access from your kid’s network to printer. Trunk port to your access point, as you indicated in your diagram. Separate SSID for your kid’s WiFi stuff, tied to their VLAN. Access port for your kid’s hard-wired devices.
in general, if you want to separate networks vlans would be required so a managed switch, and if one wants security, get a firewall something like pfsense
Why do i need managed switch for in this setup? I mean ERX can create and manage VLANS, unifi can add tags to its wifi networks so why additional device is needed here?
I did this with my wife’s computer since she works for govt. I have an ASUS router and put her computer on guest network. It doesn’t have access to the local LAN only access to internet.
Put him on the guest network
Hey bud, sorry I don’t have any advice to contribute but I’m really curious as to which program you used to draw up this network map. Thanks
Props on the diagram. That looks professional.
Thanks for all your advices guys. Problem has been solved here thanks to user u/mccantech https://www.reddit.com/r/Ubiquiti/comments/17y987i/i\_want\_to\_separate\_my\_sons\_pc\_and\_wifi\_devices/
I wouldn’t use vlan1 almost every on the market defaults to that.
The reason not to use VLAN 1 is that there’s a concept of a native VLAN and VLAN 1 is normally the default native VLAN as well as the default VLAN for any unconfigured port. It’s easier to just not use it. The OP has used it for their existing VLAN. The biggest problem with that is that the management VLAN for the AP would be the same as the tagged VLAN for the wireless clients potentially allowing a WiFi client access to the management port of the AP.
You would probably want three vlans. One VLAN for resources (printing and servers), a second VLAN as the standard data VLAN, and a third VLAN for Kid Data. Uplinks between network devices should be untagged, hosts should be tagged for their appropriate vlan. At the core you these three VLANs should be untagged for the ports going to resources (printing and servers) and the internet… It’s best practice to not use VLAN 1… but in your situation the network is probably not a target of threat actors. The WiFi networks can be added to the main data vlan. If you need the SSIDs separated, the. Make a fourth VLAN for the secondary SSID. These VLANs just need to cross over to whatever resources they need. This can be done with routing or just simple vlan tags on your L3 device…