Vlan recommendations, rookie question # 2

I want to have my guests split from my home computers. Guests are wifi only. Home is a mix of wifi and LAN. Is there anything else I should consider? I have Rokus and other streaming devices, both LAN and wired. Should these be on a different vlan so traffic doesn’t degrade the other vlans or for security reasons? Should Nest thermostats be on Home or Guest?

I’m thinking I need 2 VLANs, home and guest. Define both on the SG-1100. Each VLAN sees other devices on that VLAN and the internet but not the other VLAN. Configure the UniFi US-8-150 switch so the computers on the LAN have the Home VLAN. The ports for the nanoHD APs need both VLANs.

Do I have it right?

With devices like Chromecast that are controlled via a device on the same LAN, putting it on another VLAN might not be feasible.

I do believe pfSense can forward that sort of traffic across VLANs; search "mDNS pfsense" for a video from Tom, if I remember correctly.

Ideally a Nest should be on another VLAN.

Maybe set up 3 VLANs: home, IoT and guest.

Hi – The last few months I tried setting up things similar to what you want to do, but definitely kind of ran into a roadblock with the AppleTV, chromecast and other such devices that use mDNS for device discovery. I was trying to stick these types of devices on their own VLAN and control them from another VLAN. I think I finally figured it out, but there was a lot more to it than what Tom originally posted in his video. If you run into any problems I can try to investigate what I finally came up with. It seems to work now, but it took a lot of reading to accomplish it.

Since you have UniFi APs, having a separate VLAN for guests isn’t a requirement, as long as you can live with the guest wifi only having access to the internet, and not to anything local, including other devices using the same SSID.

Doing it with VLANs is more flexible, but as @kevdog said, VLANs (or multiple LANs in general) add complexity, especially if you want to allow access to devices on another broadcast domain (LAN/VLAN). And there isn’t a single solution that will work with different types of devices, i.e. getting Chromecast to work doesn’t mean Sonos would work, or AppleTV.

So if you decide to use VLANs, be prepared to spend a lot of time finding something that works, by searching, reading and trial-and-error testing.

But now may be a time that you have more time to work on things around the house, and having something to keep you occupied can be a good thing if you can’t leave the house.

For a good review of networking topics, including the best VLAN explanation I am aware of, I recommend Ed Harmoush’s Practical Networking web site. Here’s the CCNA index, but don’t be put off, everything on the list (with the exception of EIGRP, and some of the Cisco-specific configurations) will apply to most vendors. I recommend following in order; the topics are short and well explained.

One thing Ed doesn’t cover as well as I wish he did is routing tables, and how the router uses them. He covers the network/host and mask in subnetting, but doesn’t cover how the router or host uses its routing table. It is probably so basic for him that he doesn’t cover it other than in passing (or if he does, I didn’t see where).

Thanks guys, this is great info. Given that we’re housebound and not having guests I’ll probably set up the APs with the out-of-the-box config just to get good wifi in the house. LS has a video on how to segment the VLANs that looks simple, but I’ll hold off on that too for now.
BuckeyeNet - thanks for the networking site, I’ll definitely go through that so I can learn a thing or three.

Doing VLANs is not as hard as you think; I just did my home network using a 2005-era IBM server as pfSense, a Cisco switch, TP-Link EAP 225s and a TP-Link smart switch.

I did Home, IoT and Guest as different VLANs and put the Amazon stick and other IoT devices on there. I don’t use cast much so I didn’t do mDNS, hence I don’t know the difficulty level of it.

I did have my share of issues, but small ones. One issue was that the Amazon stick would get an IoT VLAN IP address but would not get to the internet; then I found that port 80, which I had blocked so that no device could get to the pfSense management web page, was creating the issue. Once I removed that block it worked. Anyway, I use HTTPS on port X443, so I just blocked that and port 22.

But it will be a fun try. Moreover, in lockdown this is a good time to work on your network :).

Good Luck

I’d say once you have your network configured you won’t want to mess around with it, mostly for fear of breaking something, so it’s probably better to over-engineer; then you’ll have more flexibility.

I’ve set the subnet to match the VLAN, that is 192.168.10.0 to VLAN 10, to make my life easier.

I’ve got

  • LAN on subnet 1, which I don’t really use for anything.
  • Management vLAN
  • ISPvLAN
  • VPNvLAN
  • CAMvLAN
  • IoTvLAN
  • GuestvLAN

Each VLAN also has a corresponding SSID; some are disabled as wifi is not required, but should I need it I just enable a setting.

The best thing is that I set up the rules based on the VLAN, and I know how a device on the VLAN should behave. For example, my CAMvLAN is locked down: no traffic out of the WAN or to other VLANs, but I can see the camera footage from anywhere. It also means anyone who tries to access my network by using the cable outside will be restricted to the CAMvLAN only. My IoTvLAN just has TVs and DVDs going out to the WAN but can’t see anything else.
The GuestvLAN is on both wired and wifi; it uses vouchers so I don’t have the same password in constant use, which would look like free wifi if my neighbours could crack it, like you get in hotels.

It took me ages to work out the rules; I used aliases for subnets and ports, then made tweaks as required. However, blocking everything and going from there I guessed would be the most secure approach.

Good luck !
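The thread's three-VLAN plan (home, IoT, guest), the "block everything and go from there" rule style with aliases, and the port 80 mishap described earlier (a block meant for the firewall's management page that was broad enough to stop plain-HTTP internet traffic) can be reasoned about in a small first-match rule simulator. The following is an added example, not code from the thread or from pfSense; the VLAN IDs, subnets, the firewall's .1 gateway address on each VLAN, the management ports and the sample flows are all constructed assumptions. It does not model mDNS forwarding, only the layer 3/4 rules.

```python
"""Per-VLAN, first-match firewall rule simulator (added example, assumptions throughout)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed VLAN plan: VLAN ID matches the third octet, as one poster suggested.
VLANS = {
    "HOME": ip_network("192.168.10.0/24"),   # VLAN 10
    "IOT": ip_network("192.168.20.0/24"),    # VLAN 20
    "GUEST": ip_network("192.168.30.0/24"),  # VLAN 30
}
# Assumed: the firewall is the .1 address on every VLAN.
FIREWALL = {name: net.network_address + 1 for name, net in VLANS.items()}
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vlan_of(ip):
    """Name of the VLAN an address belongs to, or None if it is not one of ours."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    dst: str                         # "self", "local", "internet", "any" or a VLAN name
    proto: str = "any"               # "tcp", "udp" or "any"
    dports: frozenset = frozenset()  # destination ports; empty means any port
    note: str = ""


def matches(rule, dst_ip, proto, dport):
    """True if the rule applies to a flow with this destination, protocol and port."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dports and dport not in rule.dports:
        return False
    is_private = any(dst_ip in net for net in PRIVATE)
    if rule.dst == "any":
        return True
    if rule.dst == "self":       # any of the firewall's own addresses
        return dst_ip in FIREWALL.values()
    if rule.dst == "local":
        return is_private
    if rule.dst == "internet":
        return not is_private
    return dst_ip in VLANS[rule.dst]


def evaluate(rulesets, src, dst, proto="tcp", dport=443):
    """Evaluate the ruleset of the source's VLAN, first match wins, default deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    vlan = vlan_of(src_ip)
    if vlan is None:
        return ("block", "source is not on a known VLAN")
    for rule in rulesets[vlan]:
        if matches(rule, dst_ip, proto, dport):
            return (rule.action, rule.note)
    return ("block", "default deny")


# DNS and DHCP to the firewall stay open on every VLAN, or clients get no
# address and no name resolution. Assumed management ports: SSH, HTTP, HTTPS.
INFRA = [Rule("pass", "self", "udp", frozenset({53, 67}), "DNS/DHCP to firewall")]
MGMT_PORTS = frozenset({22, 80, 443})

SCOPED = {
    "HOME": [Rule("pass", "any", note="home may reach everything")],
    "IOT": INFRA + [
        Rule("block", "self", "tcp", MGMT_PORTS, "no firewall management from IoT"),
        Rule("block", "local", note="IoT cannot reach other VLANs"),
        Rule("pass", "internet", note="IoT to WAN only"),
    ],
    "GUEST": INFRA + [
        Rule("block", "local", note="guests see nothing local"),
        Rule("pass", "internet", note="guests to WAN only"),
    ],
}

# The mistake from the thread: blocking TCP/80 to *any* destination rather
# than to the firewall itself also stops ordinary HTTP traffic to the internet.
TOO_BROAD = dict(SCOPED)
TOO_BROAD["IOT"] = INFRA + [
    Rule("block", "any", "tcp", frozenset({80}), "port 80 blocked to every destination"),
    Rule("block", "local", note="IoT cannot reach other VLANs"),
    Rule("pass", "internet", note="IoT to WAN only"),
]

if __name__ == "__main__":
    flows = [("192.168.30.50", "192.168.10.20", "tcp", 445),   # guest -> home share
             ("192.168.30.50", "192.168.30.1", "udp", 53),     # guest -> firewall DNS
             ("192.168.20.40", "192.168.20.1", "tcp", 80),     # IoT -> firewall web UI
             ("192.168.20.40", "203.0.113.10", "tcp", 80)]     # IoT -> internet HTTP
    for name, rules in (("scoped", SCOPED), ("too broad", TOO_BROAD)):
        for flow in flows:
            print(name, flow, evaluate(rules, *flow))
```

Only the last flow differs between the two rule sets: the scoped block stops IoT devices from reaching the firewall's web interface while still letting them fetch plain-HTTP content, whereas the broad one blocks both. Return traffic is not modelled because, on a stateful firewall, a flow permitted by the Home rules creates the state that lets the IoT device's replies back in.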