Separating Lans into 3 VLANS

[Scruffie]

For those in here that know, I was wondering if you could help me calculate some subnets and let me know if what I'm thinking of is possible.

 

So, I would like to have 3 separate networks(vlans). N1, N2, N3

I was thinking vlan N1, and N2 would have a subnet mask of 255.255.255.0 (from my limited understanding, this would ensure they do not see other VLANS?)

and then vlan N3 would have another subnet to allow it to access both N1, and N2

 

I would like N1, and N2 to be visible and interactable from N3 (N1, or N2 could not see N3)

N1 would be separate from both. It would think it's by itself

N2 would be separate from both. It would think it's by itself

 

Is this possible? Would it just be configured via inter-vlan routing? Also what would the subnet be for N3?

 

reason for doing this is to separate N1, and N2 traffic from each other. N3 would be more of a management role, amongst other things. devices on N3 would need to manage devices on either of the other networks

[Electronics Wizardy]

18 minutes ago, Scruffie said:

was thinking vlan N1, and N2 would have a subnet mask of 255.255.255.0 (from my limited understanding, this would ensure they do not see other VLANS?)

 and then vlan N3 would have another subnet to allow it to access both N1, and N2

Subnet mask determines size of subnet, not who it can talk to. What a subnet can talk to depends on how you setup routes.

 

19 minutes ago, Scruffie said:

s this possible? Would it just be configured via inter-vlan routing? Also what would the subnet be for N3?

Yep you can, have run routing.

 

Subnet doesn't matter, id make it a /24 unless you need more than 255 devices.

 

20 minutes ago, Scruffie said:

would like N1, and N2 to be visible and interactable from N3 (N1, or N2 could not see N3)

N1 would be separate from both. It would think it's by itself

 N2 would be separate from both. It would think it's by itself

Well normally the traffic is 2 way when managing, so you can't normally just make it one way. Id just only allow the ports and devices that need to talk, and then allow all to talk on wan.

 

 

[Scruffie]

3 minutes ago, Electronics Wizardy said:

Subnet mask determines size of subnet, not who it can talk to. What a subnet can talk to depends on how you setup routes.

 

Yep you can, have run routing.

 

Subnet doesn't matter, id make it a /24 unless you need more than 255 devices.

 

Well normally the traffic is 2 way when managing, so you can't normally just make it one way. Id just only allow the ports and devices that need to talk, and then allow all to talk on wan.

 

 

Right, so that makes more sense. the subnet mask would only need to increase in size if you needed to support more than 255 devices on a specific vlan? So all three vlans could have a /24?

 

an youre saying for WAN on all three vlans have everything open so theyre able to talk to the web, and all remotely accessible to each other, and then for the lans have all ports closed off on all of them except for ports x, y, and z? and same thing for devices/ips?

 

-> = ping, or interact

-|- = unable to ping, or interact

 

If i'm understanding this then I could specify 

192.168.1.x -> 192.168.2.x, 192.168.3.x (if my ip was 1.x I could ping/interact with anything on 2.x, and 3.x)

and also specify 192.168.2.x, 192.168.3.x -|- 192.168.1.x

 

the .x could be for any number of devices, on any number of ports

[Electronics Wizardy]

3 hours ago, Scruffie said:

Right, so that makes more sense. the subnet mask would only need to increase in size if you needed to support more than 255 devices on a specific vlan? So all three vlans could have a /24? 

Yep, its just the size, you can make it as big or small as you want, but a /24 is my default

 

3 hours ago, Scruffie said:

an youre saying for WAN on all three vlans have everything open so theyre able to talk to the web, and all remotely accessible to each other, and then for the lans have all ports closed off on all of them except for ports x, y, and z? and same thing for devices/ips?

Give them wan access if you want them to have that.

 

Yep, just allow the ports between vlans you want.

 

3 hours ago, Scruffie said:

 

-> = ping, or interact

-|- = unable to ping, or interact

 

If i'm understanding this then I could specify 

192.168.1.x -> 192.168.2.x, 192.168.3.x (if my ip was 1.x I could ping/interact with anything on 2.x, and 3.x)

and also specify 192.168.2.x, 192.168.3.x -|- 192.168.1.x 

You can't really have one way communication normally.

 

you send something and they respond, so if you want access a web server for example in network 1 from network 2, make a rule to allow any device in network 2 to send requests via 80 to the device in network 1, and then make a rule for that server to be able to respont.

 

 

 

What router/switch are you using for routing?

[Scruffie]

3 minutes ago, Electronics Wizardy said:

Yep, its just the size, you can make it as big or small as you want, but a /24 is my default

 

Give them wan access if you want them to have that.

 

Yep, just allow the ports between vlans you want.

 

You can't really have one way communication normally.

 

you send something and they respond, so if you want access a web server for example in network 1 from network 2, make a rule to allow any device in network 2 to send requests via 80 to the device in network 1, and then make a rule for that server to be able to respont.

 

 

 

What router/switch are you using for routing?

I was tossing so many options around. Currently using DDWRT for stuff, but the router does not support vlans. Was thinking of something like an edgerouter x by ubiquiti and using their UNMS controller, or trying to do a mITX pfsense build? What would you recommend?

[Electronics Wizardy]

1 hour ago, Scruffie said:

I was tossing so many options around. Currently using DDWRT for stuff, but the router does not support vlans. Was thinking of something like an edgerouter x by ubiquiti and using their UNMS controller, or trying to do a mITX pfsense build? What would you recommend?

You don't need vlan support support on the router if you have enough jacks. You can use vlans on the router aswell, so if it has 4 ports it will work fine.

 

What bandwidth? Do you want advanced firewall features like ips or a vpn?

 

What are you using this for? Home? Small business?

 

Im kinda a sucker for untangle now personally, pfsense is also great and I use it a bit. I use a sonicwall at work, and its fine.