Setting up VPN/VLAN and Dual NIC

duplo (Getting comfortable, joined May 26, 2022, Berlin, Deutschland)
Looks good and easy, I like the way because it's a mix of VLAN and physical separation.
So you don't need to deal with firewall rules and there should be fewer problems with bandwidth limitations.

You should only use one 10G connection to the first switch and use it as a trunk. I don't see any reason for using two physical connections to the router??


Because it's Omada you need at least one firewall rule.

Omada allows inter-VLAN traffic by default. You need to block this,
otherwise devices can communicate. Also you could get crazy loops which can pull your whole network down, caused by the Windows PC which can do both.

And the "block CCTV network from internet" rule.
Member (joined Oct 31, 2022, Lower Alabama)
> Looks good and easy, I like the way because it's a mix of VLAN and physical separation.
> So you don't need to deal with firewall rules and there should be fewer problems with bandwidth limitations.
>
> You should only use one 10G connection to the first switch and use it as a trunk.
>
> Because it's Omada you need at least one firewall rule.
>
> Omada allows inter-VLAN traffic by default. You need to block this,
> otherwise devices can communicate. Also you could get crazy loops which can pull your whole network down, caused by the Windows PC which can do both.

What would I gain with the trunk and how would I set it? I don't see any settings for this in the controller (router or switch).

How would I go about blocking inter-VLAN traffic? That would have to be a firewall rule, would it not?

duplo (Getting comfortable, joined May 26, 2022, Berlin, Deutschland)
I always use trunk ports when connecting to the firewall, never did it like that. You can also add some fallback connections.


Hmm. Aha, I see what MTL4 did:
VLAN 10 has no connection to the firewall, so internet and firewall rules are not possible for that specific VLAN.

So there is no double connection over the firewall and physical.

So I deleted my old comment.
DHCP and all other functions the firewall does will not work on this VLAN, so everything has to be static.

MTL4 (Pulling my weight, joined Mar 8, 2019, Canada)
> What would I gain with the trunk and how would I set it? I don't see any settings for this in the controller (router or switch).
>
> How would I go about blocking inter-VLAN traffic? That would have to be a firewall rule, would it not?

The trunk is just the connection between your switches/router where all the VLANs are carried. Sometimes they have a trunk you can tag on the VLAN table, but just setting the VLANs correctly will have the same effect as selecting it as a trunk port (it just sets the VLAN tags on that port for you). Inter-VLAN traffic is set on the VLAN table by tagging the ports correctly for the corresponding VLANs you want to handle or exclude from the port.

MTL4 (Pulling my weight, joined Mar 8, 2019, Canada)
> You should only use one 10G connection to the first switch and use it as a trunk. I don't see any reason for using two physical connections to the router??
The reason for using a separate connection on VLAN 1 vs VLAN 20 is that it creates a physical separation in the router for each VLAN. The lower bandwidth (10G vs 1G) on VLAN 20 isn’t an issue in this situation. If he never added anything more than the gate controller he could just connect the office switch directly to the router but I have a feeling the project may get additions so the way it’s drawn up it will allow more MyQ devices back at the house as well if the need arises later.

MTL4 (Pulling my weight, joined Mar 8, 2019, Canada)
Here’s a great video on understanding how VLANs work and how to set them up.


duplo (Getting comfortable, joined May 26, 2022, Berlin, Deutschland)
> Inter-VLAN traffic is set on the VLAN table by tagging the ports correctly for the corresponding VLANs you want to handle or exclude from the port.

Hmm?? Don't understand.

Normally the device will ask the gateway if it knows where the other device is.
It knows and will forward the traffic.
Inter-VLAN communication is enabled by default on TP-Link Omada devices;
the traffic will go through the firewall/router (layer 2 switch).

So in your example VLAN 20 can communicate with VLAN 1 and vice versa.

If there were a firewall connection to VLAN 10, communication would be possible.
You see it here after minute 12.

You need ACL rules to block this.

> Here's a great video on understanding how VLANs work and how to set them up.

I would suggest using a video for the Omada series.
It works a bit differently than normal, caused by the controller.

duplo (Getting comfortable, joined May 26, 2022, Berlin, Deutschland)
P.S.
If it's wired like MTL4 posted,
I would suggest not creating any VLAN 10 in the firewall/router;
it may cause some problems.

In the example VLAN 10 is only handled by the office/outdoor switch.
For the firewall it does not exist.

MTL4 (Pulling my weight, joined Mar 8, 2019, Canada)
> Hmm?? Don't understand.
>
> Normally the device will ask the gateway if it knows where the other device is.
> It knows and will forward the traffic.
> Inter-VLAN communication is enabled by default on TP-Link Omada devices;
> the traffic will go through the firewall/router (layer 2 switch).

A managed switch simply looks at the tags on the data as it comes and goes from the switch, and the VLAN port tagging provides the rules it follows in use. The only time the gateway is involved is when it's handing out an IP for a device or if you're assigning certain VLANs to certain ports on the router.

This stuff is universal, but if you want it on a TP-Link setup then here it is (this is why I try to stay away from this stuff on residential installations; you really need to understand what's going on to make it all work right).
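The two posts above are both right about different layers, and a small model makes that concrete. The following is an added example, not code from the thread or from TP-Link/Omada: it models the office/outdoor switch's VLAN table (PVID, untagged and tagged membership per port, with the uplink to the gateway carrying VLAN 1 and VLAN 20 but deliberately not VLAN 10) and a gateway that routes between the VLAN interfaces it owns unless an ACL entry denies it. Port names, VLAN assignments, and the gateway's deny list are assumptions chosen to match the diagram discussed; real Omada ACLs are configured in the controller and are not reproduced here.

```python
"""Added example (not from the thread): a minimal model of how an 802.1Q
switch and a gateway decide whether two devices can talk.

Layer 2: a frame only reaches ports that are members of its VLAN.
Layer 3: crossing VLANs needs a gateway interface in both VLANs, routing
enabled (the Omada default described in the thread), and no ACL deny.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Port:
    """One row of the switch's VLAN table (hypothetical port naming)."""
    pvid: int                                         # VLAN given to untagged ingress frames
    untagged: set[int] = field(default_factory=set)   # VLANs sent out untagged (access)
    tagged: set[int] = field(default_factory=set)     # VLANs sent out with an 802.1Q tag (trunk)

    def members(self) -> set[int]:
        return self.untagged | self.tagged


class Switch:
    """Layer-2 forwarding driven purely by the VLAN table."""

    def __init__(self, ports: dict[str, Port]):
        self.ports = ports

    def ingress_vlan(self, port: str, tag: int | None) -> int | None:
        p = self.ports[port]
        if tag is None:
            return p.pvid
        # A tagged frame for a VLAN the port is not a tagged member of is dropped.
        return tag if tag in p.tagged else None

    def forward(self, port: str, tag: int | None = None) -> dict[str, int | None]:
        """Return {egress_port: outgoing_tag_or_None} for a frame entering `port`."""
        vlan = self.ingress_vlan(port, tag)
        if vlan is None:
            return {}
        out: dict[str, int | None] = {}
        for name, p in self.ports.items():
            if name == port or vlan not in p.members():
                continue
            out[name] = vlan if vlan in p.tagged else None
        return out


@dataclass
class Gateway:
    """Layer-3 hop: routes between the VLAN interfaces it owns, subject to ACLs."""
    interfaces: set[int]
    inter_vlan_routing: bool = True                   # default as described in the thread
    deny: set[tuple[int, int]] = field(default_factory=set)   # (src_vlan, dst_vlan) blocked

    def routes(self, src: int, dst: int) -> bool:
        if src not in self.interfaces or dst not in self.interfaces:
            return False   # no interface in that VLAN: the gateway cannot even see it
        if not self.inter_vlan_routing:
            return False
        return (src, dst) not in self.deny


def can_reach(switch: Switch, gw: Gateway, src_port: str, dst_port: str) -> bool:
    """Same VLAN: the switch decides. Different VLANs: the gateway decides."""
    src_vlan = switch.ports[src_port].pvid
    dst_vlan = switch.ports[dst_port].pvid
    if src_vlan == dst_vlan:
        return dst_port in switch.forward(src_port)
    return gw.routes(src_vlan, dst_vlan)


# Constructed topology matching the thread's description (assumed names).
OFFICE_SWITCH = Switch({
    "uplink":    Port(pvid=1, untagged={1}, tagged={20}),   # trunk to gateway: VLAN 10 absent on purpose
    "office_pc": Port(pvid=1, untagged={1}),
    "gate_ctl":  Port(pvid=20, untagged={20}),              # MyQ gate controller
    "cam1":      Port(pvid=10, untagged={10}),              # CCTV camera
    "bi_nic2":   Port(pvid=10, untagged={10}),              # BI PC's second NIC, static IP
})
GATEWAY_DEFAULT = Gateway(interfaces={1, 20})                       # routes 1 <-> 20 freely
GATEWAY_HARDENED = Gateway(interfaces={1, 20}, deny={(20, 1)})      # ACL: VLAN 20 may not reach VLAN 1

if __name__ == "__main__":
    print("camera frame reaches:", OFFICE_SWITCH.forward("cam1"))
    print("gate controller -> office PC (default):", can_reach(OFFICE_SWITCH, GATEWAY_DEFAULT, "gate_ctl", "office_pc"))
    print("gate controller -> office PC (ACL):", can_reach(OFFICE_SWITCH, GATEWAY_HARDENED, "gate_ctl", "office_pc"))
    print("office PC -> camera:", can_reach(OFFICE_SWITCH, GATEWAY_DEFAULT, "office_pc", "cam1"))
```

Running it shows the three cases the thread argues about: a camera frame is only forwarded to the other VLAN 10 port and never to the uplink, so VLAN 10 is unreachable from VLAN 1 regardless of gateway settings; VLAN 20 reaches VLAN 1 with the default gateway because routing is on, and stops once the deny entry exists. The deny set is directional on purpose: the model tracks no connection state, so to isolate two VLANs from each other in practice you block both initiating directions or use a stateful rule on the gateway.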

MTL4 (Pulling my weight, joined Mar 8, 2019, Canada)
> P.S.
> If it's wired like MTL4 posted,
> I would suggest not creating any VLAN 10 in the firewall/router;
> it may cause some problems.
>
> In the example VLAN 10 is only handled by the office/outdoor switch.
> For the firewall it does not exist.

Yes, exactly, and the reason for that is because the IPs are handled by the BI PC's NIC card and not the router. The router has no idea that other network even exists, and for good reason (you don't want that camera network to ever even get back to the gateway).