I'm an experienced computer professional but strictly amateur in networking.
At home, I have a broadband router from which I get a DHCP route to the internet via an ethernet cable.
I want to segregate my LAN network into 2 so there's a home and guest LAN. My router already provides this but guest LAN is wifi only, I want ethernet as well as wifi for guests.
I plan on buying an Ubiquiti EdgeRouter Lite mostly to provide the VLAN capability. I will have:-
- eth0 as WAN
- eth1 as home LAN, unmanaged switch TP-LINK SG108 (jumbo frame compatible) connected to eth1, wireless ap, raspberry pi, printer etc
- eth2 as guest LAN, wireless ap plugged directly into eth2
I want all DHCP to come from the edge router.
My questions are:-
- I have an unmanaged switch which I intend to plug into eth1 to give me more ports to work with and will add a wifi AP amongst other things. Will this unmanaged switch break the VLAN function? Will my home LAN still be protected from the guest LAN or does the switch strip the VLAN information? Does the switch matter if all devices connected to the switch will be in the same home LAN?
- I have a Raspberry Pi which I will configure to be a VPN server. Can I port forward the EdgeRouter Lite to forward to the VPN server and have the VPN users appear on the VLAN as if they'd plugged themselves into the ethernet port? I assume this is bread and butter for the EdgeRouter Lite?
- Is it hard to get this working on the EdgeRouter Lite for a non-network professional?
Any help appreciated!
It would be faulty if it were to drop the packets. They're still valid Ethernet packets. – Daniel B – 2016-11-11T16:06:20.770
The ethernet standard (IEEE 802.3) doesn't have VLAN tags, and many manufacturers follow that standard. There is a different standard (IEEE 802.1) from a different IEEE committee that added VLAN tags. It is a standard that applies to the IEEE LANs, but it is not required. For instance Wi-Fi (IEEE 802.11) doesn't use VLANs the way ethernet may because it has a different solution with SSIDs. Adding VLAN tags to Wi-Fi frames will cause the frames to be dropped. – Ron Maupin – 2016-11-11T16:12:11.537
That is not a good comparison. The VLAN tag is in the payload. It does not change anything the switch has to consider. One could also introduce a similar VLAN tag in 802.11. The 802.1q standard of course applies only to 802.3 Ethernet. The only situation where it is valid for a switch to drop the packet is a full-length tagged packet, because it will have four additional bytes. – Daniel B – 2016-11-11T16:29:04.977
The VLAN tag is inserted in the frame, not the payload. It adds four octets to the frame, and that throws the FCS four bytes later than it should be, so the last four bytes of the payload could be interpreted as the FCS. The 802.1Q standard applies to all IEEE LANs. There are instructions for how to add a VLAN tag to the different frame types. – Ron Maupin – 2016-11-11T16:31:58.837
But it isn’t. The EtherType changes. The tag itself is inside the payload, when you consider the whole thing as an Ethernet frame. – Daniel B – 2016-11-11T16:32:55.480
The VLAN tag is inserted into the frame header following the layer-2 addresses, not in the payload of the frame. For ethernet, it pushes the Ether Type/Size field four bytes later than it normally is. 802.1Q (capital letters, e.g. 802.1Q or 802.1AX are LAN-independent standards) is not an ethernet standard any more than it is a token ring standard, and it can be, and has been, used with token ring. It is not a mandatory standard that manufacturers of ethernet equipment must follow. – Ron Maupin – 2016-11-11T16:40:11.730
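The two views of the frame argued above can be checked byte by byte. The following is an added example, not code from anyone in the thread: it builds an Ethernet II frame with and without an 802.1Q tag (constructed MAC addresses and payload), parses it both tag-aware and tag-unaware, and shows that the tag pushes the EtherType and FCS four bytes later and takes a maximum-size frame from 1518 to 1522 octets.

```python
import struct
import zlib

# Constructed sample values; not taken from the original thread.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
ETHERTYPE_IPV4 = 0x0800
TPID_8021Q = 0x8100          # TPID that marks an 802.1Q tag
MAX_8023_FRAME = 1518        # 14-byte header + 1500-byte payload + 4-byte FCS


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet II frame with FCS; an 802.1Q tag goes right after the source MAC if vlan_id is given."""
    hdr = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)   # TCI = PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    body = hdr + struct.pack("!H", ethertype) + payload
    # FCS is transmitted least-significant octet first
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame):
    """Tag-aware parser: returns vlan (None if untagged), real EtherType and payload (FCS stripped)."""
    offset, vlan = 12, None
    (etype,) = struct.unpack_from("!H", frame, offset)
    if etype == TPID_8021Q:
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan, offset = tci & 0x0FFF, offset + 4      # tag consumed, EtherType is 4 bytes later
        (etype,) = struct.unpack_from("!H", frame, offset)
    return {"vlan": vlan, "ethertype": etype, "payload": frame[offset + 2:-4]}


def parse_frame_legacy(frame):
    """Tag-unaware (802.3-only) view: bytes 12-13 are taken as the EtherType, the rest as payload."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    return {
        "ethertype": etype,                      # reads 0x8100 on a tagged frame
        "payload": frame[14:-4],                 # tag + real EtherType land inside the payload
        "oversize": len(frame) > MAX_8023_FRAME, # a full-size tagged frame is 1522 octets
    }
```

A device that only understands the legacy view sees the tag as an unknown EtherType and a full-size tagged frame as four bytes too long, which is the case where an unmanaged switch may drop it.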
Let us continue this discussion in chat. – Daniel B – 2016-11-11T16:57:19.510
Thanks Ron. The unmanaged switch will only be part of eth1 and I don't want eth2 to be able to see eth1 at all. The switch I listed supports 'jumbo frames' which I think means that it will pass through any extra information in the packets? I'm sorry but I'm none the wiser at the moment. I'm guessing if the switch doesn't alter anything in the packets then it will work fine? – mekondelta – 2016-11-11T17:31:49.010
On an unmanaged switch, you cannot prevent traffic from one interface going to another interface. It is all controlled by the MAC address table of the switch. The switch will look up the destination MAC address in its table, and that will tell it which port to send the frame. If the MAC address is not in the MAC address table, it will flood the frame to all switch interfaces. Jumbo frames are a non-standard way to let larger than standard frames through the switch. There are various maximum frame sizes, but the frame size cannot exceed any MTU on a device through which it passes. – Ron Maupin – 2016-11-11T17:36:04.030
It's the EdgeRouter Lite which is doing all the work here (i.e. DHCP, firewall, routing etc.). The switch is just providing me some extra ports. – mekondelta – 2016-11-11T17:43:28.247
You can use the unmanaged switch with an interface for one untagged (native) VLAN (access port). If you want more ports for a different VLAN, then you need another unmanaged switch to connect to the port for the other network to receive an untagged (native) VLAN. The term VLAN doesn't really make sense in this scenario since that is a term for switches to separate broadcast domains on a switch, and unmanaged switches don't do that. – Ron Maupin – 2016-11-11T18:04:28.317