Multiple VLANs over 1 port

[mikat]

Hey,

 

I'm redoing my network and I'd like to experiment with VLANs, my main router right now is the TP-Link Archer C7 v2. 

I saw that it supports 802.1Q Tag VLAN (see pic) but I'm not sure how to get 2 VLANs over 1 port, can this be done with TP-Link's software?

(Please note that I haven't saved these settings and the mode is just set to Automatic (no vlans))

 

(I have tried installing openwrt but TP-Link is an ass and stops you from installing it and I have not found a good way to install it without doing all kinds of janky stuff with serial cables and physically opening up the router)

 

[Levisallanon]

Look for something called a "Trunk" in their interface. That's what its called if you have multiple vlans over 1 interface.

[mikat]

1 minute ago, Levisallanon said:

Look for something called a "Trunk" in their interface. That's what its called if you have multiple vlans over 1 interface.

all the vlan configuration there is is basically contained in my screenshot afaik... tp-link has good vlan settings, just not on their routers, only on their switches

 

[Levisallanon]

What is it you are trying to do with these vlans?

[mikat]

18 minutes ago, Levisallanon said:

What is it you are trying to do with these vlans?

My current setup looks like this:

but I'd like to disable all the features of the tp-link router except for wireless and switching since I recently got a low power xeon server that I have installed windows server on with an OPNSense VM.

Problem is: the ISP box to Archer C7 cable is long and cut to size so it can't reach to the location where my server will be located and running a wire to the server for wan and back to the tp-link for lan looks ugly and seems like a waste.

The server part of this whole deal can handle VLANs no problem, Hyper-V supports putting the host OS on a seperate VLAN and the ILO adapter also supports VLANs

 

How I'd like my network to look:

[mynameisjuan]

Honestly not sure why VLANs are even being involved with that connection. Like all you want is the server to reach out to the internet?

[mikat]

6 minutes ago, mynameisjuan said:

Honestly not sure why VLANs are even being involved with that connection. Like all you want is the server to reach out to the internet?

no I want my server to do all the routing and such, that tp link thing is garbage, it keeps having problems...

[mynameisjuan]

6 minutes ago, mikat said:

no I want my server to do all the routing and such, that tp link thing is garbage, it keeps having problems...

Whats garbage about it? Reason I am asking because even if you remove all but switching, it could still be a problem. 

[mikat]

Just now, mynameisjuan said:

Whats garbage about it? Reason I am asking because even if you remove all but switching, it could still be a problem. 

it just stops working randomly, my phone says the dchp is the problem and my desktop also cuts out at the same time, probably gonna get a cheap managed switch to fix this if I can't do multiple vlans on this thing

[mynameisjuan]

3 minutes ago, mikat said:

my phone says the dchp is the problem

What are the logs of what happens? 

[mikat]

1 minute ago, mynameisjuan said:

What are the logs of what happens? 

I don't have logs, I have the android developer wifi verbose logging enabled (it displays this under the wifi name) so it tells me why it's disconnecting, and the error had something with dchp in it

[mynameisjuan]

Just now, mikat said:

and the error had something with dchp in it

Well that error is quite important in figuring out the real problem. You might say its shit but it could be a simple fix. 

[brwainer]

3 hours ago, mikat said:

My current setup looks like this:

but I'd like to disable all the features of the tp-link router except for wireless and switching since I recently got a low power xeon server that I have installed windows server on with an OPNSense VM.

Problem is: the ISP box to Archer C7 cable is long and cut to size so it can't reach to the location where my server will be located and running a wire to the server for wan and back to the tp-link for lan looks ugly and seems like a waste.

The server part of this whole deal can handle VLANs no problem, Hyper-V supports putting the host OS on a seperate VLAN and the ILO adapter also supports VLANs

 

How I'd like my network to look:

In professional networking installs, especially in the hospitality industry (hotels, MDUs) we design networks like what you have illustrated. Instead of the internet being connected to a firewall, then a gateway/router, then finally a switch, we connect every component to a single “Core Switch” and control the traffic flows via VLANs. So we have one VLAN for all the devices that directly connect to the internet (have public IPs), a VLAN for the inside subnet(s) of the firewall, another for the inside subnet(s) of the router/gateway, one for switch management, one for AP management, etc. This setup allows us to remotely reconfigure and bypass something that fails - e.g. if the gateway responsible for user authentication fails, we can have the firewall start serving those VLANs directly in a short amount of time, allowing us to then diagnose and fix the failure without causing days of complete outage.

 

I would never try to implement this using consumer router hardware, because they never really have proper VLAN support no matter what firmware you run on them. Get a switch to use as your Core Switch and use the Archer as just an AP (and dumb switch providing extra LAN ports). Then you’ll have a clear separation of duties and can more easily figure out what is causing your problems.

[mikat]

2 hours ago, brwainer said:

In professional networking installs, especially in the hospitality industry (hotels, MDUs) we design networks like what you have illustrated. Instead of the internet being connected to a firewall, then a gateway/router, then finally a switch, we connect every component to a single “Core Switch” and control the traffic flows via VLANs. So we have one VLAN for all the devices that directly connect to the internet (have public IPs), a VLAN for the inside subnet(s) of the firewall, another for the inside subnet(s) of the router/gateway, one for switch management, one for AP management, etc. This setup allows us to remotely reconfigure and bypass something that fails - e.g. if the gateway responsible for user authentication fails, we can have the firewall start serving those VLANs directly in a short amount of time, allowing us to then diagnose and fix the failure without causing days of complete outage.

 

I would never try to implement this using consumer router hardware, because they never really have proper VLAN support no matter what firmware you run on them. Get a switch to use as your Core Switch and use the Archer as just an AP (and dumb switch providing extra LAN ports). Then you’ll have a clear separation of duties and can more easily figure out what is causing your problems.

yup was planning on doing that but was trying to save a few bucks by not having to buy an extra switch, I'm eyeing a 5 port managed TP-Link SG105E that I can get for a reasonable price used but the guy who was selling it wasn't home when I was in the area... rip, maybe another day

[ltguy]

Not sure how you could effectively use vlans without the ability to set nat rules for each vlan. Use pfsense and these problems go away.

[Marshnt]

On 5/1/2018 at 5:26 AM, mikat said:

Hey,

 

I'm redoing my network and I'd like to experiment with VLANs, my main router right now is the TP-Link Archer C7 v2. 

I saw that it supports 802.1Q Tag VLAN (see pic) but I'm not sure how to get 2 VLANs over 1 port, can this be done with TP-Link's software?

 

(Please note that I haven't saved these settings and the mode is just set to Automatic (no vlans))

 

(I have tried installing openwrt but TP-Link is an ass and stops you from installing it and I have not found a good way to install it without doing all kinds of janky stuff with serial cables and physically opening up the router)

 

As stated above you are looking for trunking or aka a headache on consumer grade equipment.

[mikat]

On 5/3/2018 at 12:19 AM, ltguy said:

Not sure how you could effectively use vlans without the ability to set nat rules for each vlan. Use pfsense and these problems go away.

I'm going to be using OPNsense (fork of pfsense) for the routing but the cables are routed in a way that I can't physically place the opnsense box before the tplink router thing

amazon.de has some cheap 5 port managed switches so I think I'll just buy one of those