Router on a stick

Hardware:

  • UCG Fibre gateway, to:
  • Flex Mini switch, to:
  • Cable company modem

Switched from phone company fibre Internet to cable company cable Internet, for monthly savings (from $65 CAN to $40 CAN).

Problem:

Lab is downstairs, but cable modem is upstairs. The cable modem is also about two ft from where I’ve got a computer and three ft from where I’m going to put a PoE camera. I’ll satisfy the PoE power either with an injector or by changing to the Flex switch which can output PoE. (Edit: better choice would be Ultra switch with 60 watt PoE++ adapter)

I’m familiar with the router on a stick concept but never actually done it.

I want the WAN plus Camera VLAN and Computer VLAN all on the Ethernet cable from the gateway to the switch. At the switch, the WAN and the two VLANs will each go on a separate port, and the WAN will connect to the cable modem.

How do I go about getting the two VLANs onto the same cable as the WAN connection?

I don’t think there is a way to do that with UniFi as, to my knowledge, there is not a way to split off a VLAN into a WAN interface.

1 Like

The general workaround with Unifi is to set one of the LAN ports on the gateway to be untagged (native) for the VLAN you are putting the ISP into, and connect a cable from that port to gateway WAN (the same device to itself). Another LAN port on the gateway is left at default settings to carry all VLANs.

You can do this, but you’ll need a switch on both ends of your single cable. Fairly trivial and something I do (using a virtualized router with VPN for one of my WAN interfaces on a UCG Fiber).

Here’s the basic idea, substitute your own VIDs as you see fit:

  • Get two switches, one for the area upstairs and one for downstairs
  • Create a VLAN for the cable modem to WAN router connection
    • VLAN 990
    • Setup as a Third-Party Gateway under Networks in the Unifi controller
      • This ensures that no DHCP scope nor subnet is defined
      • Most importantly, this VLAN will not be routed!
        • This is a good thing!
  • Create your VLAN for IP cameras
    • VLAN 10
      • Setup as normal in the Unifi controller, along with DHCP scope and subnet
      • This will be routed, so secure with firewall rules to lock down access to your trusted LAN(s)
  • On the upstairs switch:
    • Define an access port for VLAN 990, this will be where you plug your cable modem in
      • Make sure to set the native VLAN to 990 and NOT allow any other tags!
    • Setup an access port for your camera(s) in VLAN 10
      • Also don’t allow tagging, native VLAN 10
    • Pick a port and trunk all VLANs - this will be for your cable run to downstairs
      • Prune if you want to include only certain other VIDs, but need to at least have 10 and 990 (plus the native)
  • On your switch downstairs
    • Setup 2 trunks (at minimum)
      • One for the downstairs switch to router
      • One to connect the upstairs switch to the downstairs switch
    • Pick a port and configure it as access for VLAN 990
      • Same config as your upstairs switch port for VLAN 990
      • Connect this to your router’s WAN interface
    • Set a port as trunk from the downstairs switch to a router LAN interface
      • Both ends of this need to be trunked and tagging frames from all VLANs
        • Prune this list as you like, but minimum need 10, 990, whatever your other VIDs are
      • Plug into the designated LAN interface on the router
    • Pick a port, set it as a trunk to your upstairs switch
      • Allow all tags you want trunked, at least 10 and 990 (plus whatever your native is)
      • Plug this into the cable running to upstairs

This seems pretty complicated, but all you’re really doing is using VLAN 990 as a glorified cable extender, using L2. Since you’re not asking the router to do any routing for 990, it won’t interfere with getting the frames and packets from the cable modem to the WAN port by trying to do any L3 stuff. The trunk port from upstairs and downstairs will forward tagged frames from VLAN 10 into the rest of your switch fabric. Just turn on RSTP for loop prevention and you’re good to go. Another point is to make sure you standardize on a native VLAN for your trunks (usually VID 1) and not use it for client traffic.

1 Like
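The two-switch layout in the post above, modelled as an added example (my code, not anything from the thread or from UniFi): each port is access or trunk with a native VLAN, a frame is walked through ingress/egress port pairs, and the post's invariants (trunks carry 990, access ports carry no tags, nothing lives on the trunk-native VLAN) are checked. VIDs 10 and 990 come from the post; the port names, the dict layout and native VLAN 1 for trunks are my assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    mode: str                         # "access" or "trunk"
    native: int                       # VLAN that untagged frames land in / leave on
    tagged: frozenset = frozenset()   # VLANs carried tagged (trunks only)

    def ingress(self, tag):
        """VLAN a received frame is placed in; None means the switch drops it."""
        if tag is None:
            return self.native
        return tag if self.mode == "trunk" and tag in self.tagged else None

    def egress(self, vid):
        """'untagged', 'tagged', or None if this port is not a member of vid."""
        if vid == self.native:
            return "untagged"
        return "tagged" if self.mode == "trunk" and vid in self.tagged else None

TRUNK = frozenset({10, 990})   # VIDs from the post; VLAN 1 is the (assumed) trunk native
UPSTAIRS = {"modem": Port("access", 990), "camera": Port("access", 10),
            "to_down": Port("trunk", 1, TRUNK)}
DOWNSTAIRS = {"to_up": Port("trunk", 1, TRUNK), "wan": Port("access", 990),
              "router_lan": Port("trunk", 1, TRUNK)}   # "wan" patches to the gateway WAN port

def trace(hops, tag=None):
    """Walk one frame through (ingress_port, egress_port) pairs, one pair per switch.
    Returns (how it leaves the last port, vid), or (None, None) once a switch drops it."""
    how = vid = None
    for inp, outp in hops:
        vid = inp.ingress(tag)
        how = outp.egress(vid) if vid is not None else None
        if how is None:
            return (None, None)
        tag = vid if how == "tagged" else None   # what the device on the far end receives
    return (how, vid)

def check_layout(switches, wan_vid=990, native=1):
    """Report ports that break the post's rules; an empty list means the layout is sound."""
    problems = []
    for sw, ports in switches.items():
        for pname, p in ports.items():
            if p.mode == "trunk" and wan_vid not in p.tagged:
                problems.append(f"{sw}/{pname}: trunk missing VLAN {wan_vid}")
            if p.mode == "access" and (p.tagged or p.native == native):
                problems.append(f"{sw}/{pname}: access port carries tags or sits on trunk-native VLAN")
    return problems
```

Tracing the modem port to the downstairs "wan" port returns ("untagged", 990), which is why the gateway's WAN interface sees a plain modem link; the same camera frame traced to "wan" is dropped, while traced to "router_lan" it leaves tagged 10.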

Good writeup, but just want to clarify that in the case of the UCGs the built-in ports can be used for this as well, don’t need a separate switch at the router end. But you do have to define a port as being native VLAN 900 and connect that to the WAN port on the UCG. It looks silly to anyone who doesn’t know about this option.

1 Like