My TP-Link AX11000 router isn't as VLAN-configurable as I had hoped. New router input? *Not pfSense right now.

@pete_c

Found this video after I set it up. It's mostly the same as what I did, but I don't use any NAT modifications...

In the Android WireGuard app you can choose which apps are allowed to use the tunnel. Because it's WireGuard there is no server/client thing, which makes it a bit harder to understand what is going on.

I created a rule so that only one device in a VLAN is reachable through the tunnel, from one particular app. I think more security isn't possible. It doesn't drain much energy when running in the background. When I use the app I selected, the handshake is done and it is transferring data. If I close the app nothing is transferred. This is much less stressful than with OpenVPN, where you have to be connected to the server and data is transferred the whole time. You can get around that by using third-party apps, but it's still not as good/easy as WireGuard.
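As an added example (not from the original posts), here is what the "only one device in the VLAN, from one app" rule looks like as WireGuard configs on both ends. Every address, key placeholder, port and hostname below is made up for illustration; the only thing that matters is the difference between the loose and the tight AllowedIPs lines:

```ini
# --- Phone side (Android WireGuard app) ---
# Added example with hypothetical values, not the poster's actual config.
[Interface]
PrivateKey = <phone-private-key>
Address = 10.200.0.2/32            ; tunnel address of the phone (assumed)

[Peer]
PublicKey = <router-public-key>
Endpoint = vpn.example.net:51820   ; assumed public endpoint of the pfSense box
; Loose: sends the whole camera VLAN into the tunnel
; AllowedIPs = 10.10.20.0/24
; Tight: only the NAS running Surveillance Station is routed into the tunnel
AllowedIPs = 10.10.20.5/32
; No PersistentKeepalive line: the handshake only happens when the allowed
; app actually sends a packet, which is the on-demand behaviour described above.

# --- Router side (pfSense WireGuard peer entry, same syntax as wg-quick) ---
[Interface]
PrivateKey = <router-private-key>
Address = 10.200.0.1/24            ; tunnel network on the router (assumed)
ListenPort = 51820

[Peer]
PublicKey = <phone-public-key>
; Cryptokey routing: decrypted packets from this peer are dropped unless
; their SOURCE address is inside AllowedIPs, so keep this to the phone's /32.
AllowedIPs = 10.200.0.2/32
```

Two caveats a practitioner should keep in mind. On the phone, AllowedIPs only decides which destinations enter the tunnel; on the router, AllowedIPs filters the source of decrypted packets, not their destination. So the "only one device" part is not enforced by WireGuard itself on the router: it needs a firewall rule on the WireGuard interface in pfSense that passes traffic from 10.200.0.2 to 10.10.20.5 on the port Surveillance Station listens on and blocks everything else. Likewise, the "allowed applications" setting in the Android app is a client-side convenience, not a server-side control; the router's firewall rule is what actually limits what the phone can reach.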

 
Here's a rudimentary Q I've been meaning to ask -


So I gather everything up, configure the VLANs, connect the camera(s) to the switch, uplinked into the pfSense router, then out to WAN via the AX11000. I never did ask: IF that AX11000 does not support VLANs, but is only being used as an AP in bridge mode, will it ultimately all fail because the AP doesn't support VLANs, or is that inconsequential because the AP is merely handing off data which the pfSense router and/or my Netgear switch have/has tagged and routed through the AP?


Tell me a new wireless router/AP isn't required at this point...FML ha
 
You can say that again ha


Sorry, to be clearer: from the AX wireless AP, just out to my other devices on the network. *Still not 100% sure if a bridged AP (AX11000) requires VLAN support. The AX does not have it.

Yup, it will be modem, then Netgate pfSense router. The cameras will come into the Netgear switch, which uplinks to the Netgate.

I'm not certain yet whether I should just put my Synology NAS on the same VLAN as the cameras or not. I don't use the NAS for much, mostly storing media right now, so I'd have no issue putting its LAN out of reach of the internet. Since the cameras will stream to Synology Surveillance Station, it might be nice if they're in the same VLAN, since I get the impression that it might be more streamlined versus jumping across VLANs.
 
Because your Wi-Fi router cannot use different SSIDs for different VLANs, you can only create one. You have to connect the AP directly to the switch and just give it an untagged VLAN, then put it into AP mode / bridge mode, whatever they call it. You need to do that, otherwise the NAT on the TP-Link will stay on, which could give you some trouble.

You don't need any VLAN on the TP-Link! Don't connect it to the WAN port.

You can configure it however you want. Some put all devices like printers/NAS in another VLAN and give devices/VLANs access to only those devices. You can also use one-way rules, so only you can reach the devices but they cannot open a connection to you.

The normal way would be to use one LAN port on the pfSense as an uplink to the switch, i.e. the switch port is tagged for all VLANs.
Mostly you don't need tagged VLANs on any other switch port.

Because you are using a layer 2 switch, everything goes through the router when you have communication between two VLANs. But it doesn't matter in small networks with a few devices.
 
Best to keep it simple VLAN-wise. I currently utilize an Arris SB6190 (DOCSIS 3.0) and was testing an Arris SB8200 (DOCSIS 3.1) modem.

With the pfSense box having multiple NICs you can physically isolate networks. Multiple VLANs on one switch still hit the backplane of the switch as far as utilization is concerned.

You can go up a notch with a L2/L3 switch and multiple VLANs.

Doing mostly WLAN testing with a Ruckus WAP using multiple SSIDs. Here the main production network is /25 sized. The DHCP scope is 5.

I am in favor of using the onion-skin approach internally for a large corporate enterprise network. For the home it is not that much of an issue unless you put dependencies on the cloud for CCTV. Most folks do that anyhow using the multitude of cloud-connected apps for iOS, Android and Windows. Here I utilize a VPN when accessing the home for my stuff. I still continue to utilize Alexa devices and have been installing Tasmota firmware on all of my testing Wi-Fi automation devices. Really not that much different than keeping your cloud-connected smartphone on and with you 24/7 and connected to your CCTV stuff.

You just want to be vigilant but not lose sleep over it.
 