Showing results for tags 'vlan'.
-
Hello, I'm thinking about building a homelab however I am not sure about VLANs and some other stuff. Please note that I haven't bought any Ubiquiti gear, nor a rack, the only thing I own from this image is the unraid desktop machine (i3-10100, 16GB ram, 20TB), my gaming PC and my work laptop (with the ts3 plus dock for the laptop). Would love some guidance on how to do this, given the following diagram: The setup itself is basically an idea, when I get a new place to have everything properly set up. The 2 intel nucs would be 64GB i7 machines running a proxmox cluster for tinkering and testing, while the unraid machine, while having a few docker containers running (10) to only have plex exposed to the world. Raspberry PI is there to monitor everything else, every service and every machine and to send notifications if something is wrong/down. I am hesitant on buying Power Backup and/or Power Distribution Professional to monitor the power usage as well as to have an UPS, however the power supply from Ubiquiti seems to only power their own devices, not other devices such as the intel NUCs. Overall, I need to find a case to transplant the storage from the unraid fractal design case to a rack and to move the PC to the rack if possible. The idea is to have unraid in a rack as well as the PC, while the PC being in the rack is a plus I still need to figure out if having a PC in the rack is something I am willing to invest in. The questions I have: - Should I cut back on some VLANs? - The only service I have exposed to the world is a plex server running in a docker container on Unraid - Should I add IoT devices on their own network, including the Apple TV 4k? My concern is if I am able to airplay/cast to the device - I've read that VLANs by default have access to other VLANs in Ubiquiti software, should this be disabled? I want to make sure I plan this appropriately as this hobby can get expensive real quick.
-
So I'm setting up a new home network soon. I have my pfSense router, 1 16 port gigabit unmanaged switch and a 5 port unmanaged switch (will not need all ports, it's just what I have), and 3 Engenius EAP1300 WAPs. I want to set up my network so that there are 2 networks. 1 for all home devices and 1 for IoT/guest but the IoT/guest will be WiFi only on a separate SSID. The WAPs I have, have an option for it to be a guest network and set up its own DHCP server for the guest network but I want to have the pfSense router controlling everything and not the WAPs. I want the DHCP server and firewall rules going through the pfSense router. I was wondering how I could create a second subnet for the IoT/guest network and how to manage it all through the router. I would usually just do VLANs but these are unmanaged switches. Am I asking too much and should I just go with the WAPs to do all the work?
-
I am currently trying to deploy a vlan at my house to separate my IoT devices from the rest of my network. Here's an overview of my network setup and what I'm trying to do: Hardware Router/firewall: Protectli Vault 4 Port running opnsense Switch: Netgear managed 8 port MS108EUP WAP: netgear wax630e wifi 6e access point On my router I have my default lan addresses (192.168.1.0/24) as well as a vlan set up for my IoT devices (10.0.0.0/24). My switch is plugged into that with Advanced 802.1Q VLAN switching enabled. Off of that switch I have a couple different devices including my wap with 2 different ssids set up, one for default lan and one for vlan1. So far I have been able to get either Ethernet vlans working or wifi vlans, but not both. I have a feeling it has to do with how I'm tagging each port on the switch, but it feels like I've tried everything. Can someone tell me what I'm doing wrong or if this is even possible with my current set up?
-
Hello everyone! I'm a networking student that's planning to redo my VLANs and trunks. Currently I've got a 3750X and a 3750G. The 3750X is my "core" while my 3750G hosts my vSphere traffic. I'm looking to redo my VLANs since only one seems to work anymore. Also, the switches aren't trunked together since they don't necessarily need to communicate with one another. *Side Note*, I may need to reset my switch, my CLI isn't letting me authenticate. I'm able to get into the WebUI however "invalid password" on CLI.
My Current VLAN setup:
VLAN 10: 10.1.8.0/24 - CoreLAN+WiFi
VLAN 20: 10.1.9.0/25 - Active Directory Lab (has active clients)
VLAN 30: 10.1.9.129/28 - Guest WiFi (captive portal + WPA2 Personal)
VLAN 40: 10.1.9.145/29 - DMZ
VLAN 50: 10.1.3.0/24 ? - vSphere + JumpServer traffic (Only on 3750G)
*These subnets are subject to change, AD lab needs a /24.*
It appears that the only VLAN for WiFi working is VLAN 10. 20 & 30 aren't working (they used to). I have APs plugged into Gi 0/1/2, 0/1/4, 0/1/6. The trunk port from my firewall is Gi 0/1/1.
WiFi SSIDs *not real SSIDs*:
Secure - VLAN 10
AD Lab - VLAN 20
Guest - VLAN 30
I need some guidance on how to set this up correctly with the correct native VLAN and trunks. I have no problem assigning the VLANs to ports, but I don't fully understand how to configure the trunks correctly. Thanks!
-
Hello all! New member here but long time viewer of LTT on YouTube. I was wondering, and cannot wrap my head around a doubt. I have surfed through multiple forums but cannot find a credible enough answer, so I decided to try here as well. Basically, my setup includes but is not limited to: 1 MikroTik router, multiple VLANs, one unraid server (with the usuals for movies, tv series and torrent handler. Will not go into detail, but if you know, you know). And finally two ISPs. I have failover configured and it works properly. What I want to know is this: 1. Will the VPN tunnel to Windscribe, in this particular case, leak packets (of the torrents) out of the tunnel if I configure ECMP on the router to bind both ISP speeds? 2. Do commercial VPNs connect from one origin IP (let's say, ISP1) to their VPN servers on whatever city, and country it might be? 3. Should I just route torrent traffic through one ISP and forget about torrenting through ECMP and do a kill switch configuration on the router when failover? This would be considering that ECMP will be configured but torrenting will just go through one ISP with marked packets. Please, I'm requesting everybody's knowledge come into play in this one post. If additional information is needed to clear doubts, say no more and I'll provide what I have and what I do know. Thanks all.
- 3 replies
-
Hi. I have a rather large Ubiquiti UniFi network with many switches and a USG Pro 4. There are two buildings connected together. I made a VLAN for each building and there are camera servers and viewers on both that need to be able to connect to each other. These clients/computers/servers have static IPs set in the network IP 4 settings. When I am trying to connect to a server with static IP on the other VLAN I am not able to connect. When the server is using DHCP and the viewer is using static IP I am not able to connect. When using DHCP on both I am able to connect. When both are on the same VLAN and both are using static IP I am able to connect. Is it possible to get two clients with static IPs to connect to each other when they're on different VLANs and if yes, how do I do it? Thanks. Roger J.
-
I am attempting to add a Unifi AP to my network and through it set up multiple VLANs. I understand how to create the wireless network and add the VLAN tag. I (think) I know how to set up pfSense to handle the VLAN traffic but I am unable to get the traffic from the AP through my Netgear GS724T Switch. I am not sure if I should be tagging or untagging the incoming traffic and where I should be sending that traffic. One thing to note is that ports 1-4 are one LAG. Any help would be great. I am stuck.
-
Hello there, I'm currently on the way to upgrading my home network. The general plan is to go 10Gb and replace the current ISP router. Also I want to use different VLANs in my home and start self hosting a website. The plan is to do it in 3 steps. 1. Install 10Gb cards in gaming rig and unraid server. 2. Get the contract going with my new ISP. 3. Buy the hardware for the big upgrade. I will attach a network schematic of the current and new setup. Now I'm not sure about how some things will work out, what hardware and software to use and if everything is possible the way I imagine it. 1. When I get my new ISP's router, I won't need the old network anymore. But if it is possible, it would be great to be able to load balance it and use both for maximum bandwidth. Also I would like devices from the old network (my house mates' PCs) to still be able to access Samba shares and WebGUIs from the unraid Dockers. Can pfSense handle load balancing in the way I imagine it? And if not, would it be possible to do it with an extra device? (https://www.amazon.de/TP-Link-TL-R470T-Broadband-LAN-Port-Speicher/dp/B004UC9V8Q?th=1) Or will this device just drop all the packets because it doesn't know the VLANs? 2. Is it possible to directly attach 2 network cards for now if I only need the 10Gb connection on these machines? Would this be a routerless subnet? And if yes, do you know if unraid supports it? Also I was thinking about whether I can add the network card to my current balance tlb5 bond but only for connecting to my gaming rig. 3. I want to have 4 VLANs. 1 for trusted wireless. 1 for IoT and guest wireless. 1 for trusted machines (like unraid, gaming rig etc.). 1 only for the Nginx because I want to isolate it so if someone would be able to get access to my webserver it wouldn't affect the whole network. Do I need an extra VLAN for the webserver? I will have ports 443 and 80 open for the website. Also ports 22/tcp and 3389/tcp are open but only from 192.168.0.0/24.
When I redirect incoming ports 443 and 80 to my webserver, is it possible to reach the other ports or simulate a local IP address if someone were to attack my site? Also on my Unraid machine there are some ports open and security is a high concern for me. The main goal is to protect access to unraid array data and gaming machine/phones (sensitive personal data). I also think about assigning the Ubuntu VM in which the webserver is running a 1Gb network card and plugging it directly into the pfSense box, giving it its own VLAN and isolating it that way, but I don't have much PCIe to spare. 4. The primary use case for VLANs is to separate devices, but is it still possible to let chosen devices communicate in predefined ways? I'm thinking about having my unraid array in a different VLAN than my gaming rig and laptop but want to be able to access Samba shares and connect via SSH to my unraid or VMs that are running on it. My general thought process goes in the direction of not blocking all connections completely, more like having a whitelist of services etc. Would this make my network vulnerable again? Also if I have my printer, IoT etc. in a different VLAN, how can I access them? 5. Is there hardware I should avoid or something you can recommend for my purpose? 6. What are the most important/first steps when securing a home network? 7. How "dangerous" is it in general when you are starting to learn networking and hosting etc. and open up ports? (By that I mean I'm not experienced in that field but want to know what could happen when I start hosting my website.) 8. What do you think in general of the layout? I'm looking forward to your opinion!
-
Hello all. Longtime viewer, first time poster. I’ve recently taken over IT for a private medical practice with a fairly high (75) amount of staff. In the past few months I’ve replaced an older generation Dell Sonicwall with a gen 7 model (TZ 270) and replaced their ancient Ruckus APs with 3 UniFi AP-AC-Pros which I manage through the UniFi controller software on the PC that hosts our server VMs. I’ve set it all up through the 2 existing ZyXEL GS1910-48 switches running firmware 2.0 (the most recent version I can find on their website, though they’ve reached EoL). I’ve built the main and guest networks on both the Sonicwall and the UniFi panel and everything works fine. My problem lies in VLANs. I’d like to add a 3rd network for a specific group of staff primarily using wireless devices that is completely isolated from our production network. I’ve created the VLAN under X0 in the Sonicwall and created the DHCP lease scope, then allowed the VLAN tag through the port of the AP I’m using for testing on the switch, then finally created the Network in UniFi using the VLAN only checkbox and assigning its tag. Once completed, I have a broadcasting network that can’t connect to internet or even give an IP address. Is there a step I’m missing somewhere? Feels like I’m close but a step or two off. I’d appreciate any ideas you have, as I’m at a loss.
-
Network upgrade (pfSense router + switches) to support VLANs and need confirmation before hardware purchases. For more details on what I am trying to do see below. Would it be possible for me to use my existing Asus RT-AC66U router as an AP for multiple VLANs? If question 1 is no, then would I be able to use this Ubiquiti AP to have a wifi SSID for each VLAN? I want to have a 10GbE connection between my main PC (add-in NIC) and my server (built in NIC) and have those be the only connections to the network as well for both. I plan to get this Netgear switch which is a 10 port (8x1Gb and 2x10Gb) managed switch. I want to have both machines on the 10Gb ports with a 1Gb uplink to the pfSense router. Would a VLAN that is set up in pfSense cause the 10Gb traffic between the PC and server to leave the switch instead of going directly to the other machine?
-
Hi, I have configured a WatchGuard T-10D following the steps in this guide: http://www.watchguard.com/help/docs/wsm/xtm_11/en-us/content/en-us/networksetup/dsl_vdsl_vlan_c.html It works but drops a lot. I then called up my ISP to configure the WatchGuard with them and I am still having the same issues. I have had a Line Test run and it came back as fully passed. I had a broadband test run and again passed. Confused where to go from here. HELP PLEASE
-
After a long period of searching I was unable to discover the default login for the Arris VAP 3400. I was hoping someone would be able to enlighten me as to the username and password for it. It was from Bell Aliant. Arris VAP 3400: http://www.arris.com/products/vap3400-wireless-video-access-point/
-
Hi guys, I really need your help/advice. Some background on my current issue: I am currently living in an old school building that got converted to some form of dorm like living spaces. Cheap rent/little renting security type of deal (“antikraak” for the dutchies). When the school moved out they ripped all network equipment off the walls and currently the network is comprised of consumer crap. It is managed by “the IT guy” and is honestly a nightmare to anyone that has ever looked into network architecture. We share a single subnet with around 20 people and the amount of switches is crazy. In the spoiler there is an oversimplified diagram of the current network. (Night theme users beware) What is the problem? The network is one big network. Although I don’t really like it, it was never a big problem. Most of my ports and services are locked up tight so I am not too worried about the security factor. (Most of these people think wifi is the internet etc.) The problem is my chromecast. I seriously love the chromecast but every user can cast to it. What is even worse is that EVERY time I cast anything at all every android device gets a push notification to control the cast, a feature that needs to be turned off on every single device independently. This is turning into a real nightmare. People seem to enjoy pausing, stopping and fast-forwarding my cast. I have been trying to run down the culprit and informing people how to turn off the notification but it doesn't seem to help. What needs to happen? I want to put a big giant wall between my network and the shared infrastructure. As long as they cannot look into my network easily it’s fine. When I moved in I tried to set my DLink up as a router with its own subnet dealing with its own DHCP etc. Unfortunately someone on the other end of the building was getting his IPs from me for some reason and couldn’t connect to the internet anymore. I have been looking into VLAN but I have hit a limit to my knowledge.
Going without DHCP is not really an option, I switch devices and OSes on an almost daily basis. Plus the chromecast doesn't do static IP as far as I know. Do any of you have any experience with stuff like this and could you point me in the right direction? If you need some more information don't be afraid to ask!
- 14 replies
-
I have 2 computers connected to a switch and the switch connected to a router. PC 1 is in VLAN 100 and PC 2 is in VLAN 101. I want to ping from PC 1 to PC 2 so I made subinterfaces as shown below but I'm still unable to ping. The router I'm using is a generic router known as Router-PT empty. The subnet mask I have used is equal to that of PC 1 and 2. What could I be doing wrong?
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int gig 0/1.100
%Invalid interface type and number
Router(config)#int gig 0/0.100
Router(config-subif)#encapsulation dot1q 100
Router(config-subif)#ip add 192.168.100.1 255.255.255.192
Router(config-subif)#int gig 0/0.101
Router(config-subif)#encapsulation dot1q 101
Router(config-subif)#ip add 192.168.101.1 255.255.255.192
Router(config-subif)#exit
Router(config)#int fa0/0
%Invalid interface type and number
Router(config)#int gig0/0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
%LINK-5-CHANGED: Interface GigabitEthernet0/0.100, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0.100, changed state to up
%LINK-5-CHANGED: Interface GigabitEthernet0/0.101, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0.101, changed state to up
-
I currently have a fibre connection to my house. My ONT (Optical Network Terminal) requires my router to support VLAN tagging, however mine does not. Is there a device that can go between the router and the ONT that will just handle the VLAN tagging? Thanks
- 1 reply
-
Hi, I'm about to redo my entire network and I was looking at hardware that supports VLANs. I'm looking at Ubiquiti routers which have a firewall and VLAN support (Edge router or Security Gateway). I need a 16 port gigabit switch that supports VLANs with Ubiquiti routers that isn't from Ubiquiti (they are too expensive). What is required for the VLANs to work across the router and switch? If you have a product recommendation it would be much appreciated. Would this (http://www.tp-link.com.au/products/details/cat-41_TL-SG1016DE.html) work with the Edgerouter and/or USG by Ubiquiti? Thanks.
- 8 replies
-
So here's my setup: I have a dedicated machine running a game server, and I don't want it exposed to the rest of the local network. I was thinking of solving this by using a VLAN. I also want to be able to VPN in but I don't want to expose RDP to the internet so some sorta VPN sounds like the play to make. So here's my question: I'm buying a router for this exact purpose and I'm hoping for suggestions on what router to use that can do a VPN to a VLAN. I've also heard some open source firmware can do something like this but I wouldn't know which to use.
-
I am upgrading my network to look like something in the image I've attached. However, will I be able to use the existing APs I've circled to provide wifi access to users on the guest VLAN network as well as for users on the LAN? - assuming that the APs are capable of VLANs. Thanks
-
So I have this Micronet switch: Micronet SP6108WS. TLDR: when I set egress to be tagged on my uplink, native VLAN traffic doesn't pass; if I set egress to untagged on the switch's uplink, tagged traffic doesn't pass... I have set up a VLAN (vlanID:50) for my guest network... The thing is the switch is either just passing my VLAN 50 and no native VLAN (i.e. untagged) traffic or the other way around... Here are the switch VLAN settings: (port 8 is uplink to pfSense and port 1 goes to my AP, I've set port 5 to be on vlan50 to test if it works) If I set the PVID table like this: only VLAN 50 traffic will pass (i.e. port 5 will get a DHCP address and internet + my guest network wifi which is also on vlan50) but other ports will lose access (for example port 2 is gonna lose its access to the network and can only ping the switch itself if I manually set the IP on the client, basically it can't talk to the pfSense anymore). If PVID is set like this: native VLAN (untagged traffic) works but vlan50 would lose access... There is also this thing in the manual: From what I understand this switch behavior would be "normal" if the above table looked like this: Do note when I connect my AP directly to pfSense's LAN both guest and home wifi get IP and internet access... (so the issue is not my access point's config). I tried many different config combinations on the switch with no result. I just wanna be sure it's the switch's problem, not my config... Some additional info: my lan : 192.168.0.0 vlan 50 : 192.168.50.0 switch ip : 192.168.0.4 AP: xiaomi r3 running OpenWRT. Thanks in advance..
-
Hello. I have a ZyXEL NXC2500 Wireless LAN controller connected to 2 different computers in a local connection. I have 2 different VLANs set up. https://imgur.com/a/0Ec8bKu (see image) What I'm trying to do is connect the wireless LAN controller to my network so I can access the internet from the 2 computers that are connected. Does someone have an idea how I can do this? Thanks!
-
So I have a Linksys managed switch LGS5528. The main VLAN ID 1 is untagged on all the 28 ports with the uplink in port 27. The second VLAN ID 10 is tagged on a few of the ports with the uplink in port 28. So the main thing is: how do I do port forwarding where if 192.168.1.xxx enters port 28 and exits to manually enter the ipconfig 10.10.10.xxx to gain access?
-
Update to question: Hello, In order to replace my existing router, I want to use a 4-port mini PC. I don't use a specialized OS like pfSense because I will run some virtual machines on the same hardware. I decided to go with Debian 10 and installed Shorewall to manage network configuration. In order to get the network connection and config from the ISP optical modem via DHCP, I need to configure VLAN100 on my WAN interface. So far, I added the vlan100 interface using the ip utility. But I cannot figure out how to configure what via Shorewall in order to make things work. Does someone know where to find a guide (I did not find one) or have an idea how to configure vlan100?
-
I am looking to separate my IoT devices from my main network. I am doing this at a private residence with no business needs. I am also trying to keep everything as inexpensive as possible. I came across the linked video and was wondering if this was actually a wise way to separate IoT devices? Current set-up: I am on a Fiber network with only one LAN connection. My current router is a Linksys WRT3200ACM so the firmware is almost useless. Initial Solution: I tried using DD-WRT but my wireless switch for the garage door opener would not connect. It has no problem connecting with the standard Linksys firmware. All my other IoT devices linked without issue to DD-WRT. I was trying DD-WRT so I could set up multiple wireless VLANs and separate these devices but since I can't use the firmware I am SOL. My potential solution after watching this video: Add a second, cheap router to my network as described in the video and move all devices to their own non-broadcast SSID. I would do this by connecting the cheap router's WAN port to a free port on my WRT3200ACM. Issues I'm concerned about: Is this truly a secure way to set up IoT? Will I have issues accessing my printer if it's on the IoT network or should I leave it on my main network? Will my IoT devices truly be isolated from my major devices such as my home workstation? I feel I'm at low risk of being hacked but hate having these cheap Chinese devices on the same network as my workstation with lots of personal data. YouTube "Using A Second Router For IoT Devices"
- 3 replies
-
I am rather new to all of this so I am hoping someone out there can give me a hand. I have purchased an SMCGS-50P managed switch. I have a flat that I want to isolate from the rest of my house network and so using pfsense I created a vlan for the flat in PFSense. I went to my switch and selected the ports that are in the flat and put them on their own vlan ID matching the ID number I assigned in PFSense. I enabled DHCP in PFSense for that vlan and gave it a range. I created a firewall rule in PFSense to allow any traffic to the internet but blocked it from my lan. My issue is I can't get a DHCP or internet in the flat. I know 100% what ports the flat's ethernet jacks are connected to but no matter what settings I try my laptop that is connected physically in the flat can't get a DHCP lease or access to the internet.
-
The tl;dr - how do you, or your company, protect Active Directory? Curious about solutions out there. Would you put AD in a management VLAN only to open every port that every service listens on anyway, or throw it into the user space? You can't attack a service that isn't running, and workstations/servers/users need damn near every service that does run... RPC, LDAP, Kerberos, SMB, DNS, and some other junk I'm probably forgetting. You quickly learn to use groups/aliases for all these damn ports - but to what avail? If you expose it what's the point of segmenting it? One thing I've recently seen a company do is their management network runs in a separate forest, and their user space runs on a different forest - with no trust relationships. On one hand this certainly minimizes the impact of a breach, but it sounds like a freaking nightmare.
- 3 replies