Extarys wrote

At first I thought I could use the built-in DHCP server to assign IPs to my devices and just use the router for NATing, but someone on Reddit told me that it doesn't work like that.

 

Why should it not work?

 

- I'd like to create a VLAN with a public access point from the EAP245, isolated from the rest of the network;

- Another that can only access my Home-Assistant server for IoT devices (No internet for IoT but the HA server needs internet).

- Make things secure: I'd like the VoIP to be isolated, everything IoT to have no internet, guest wifi to only have WAN access, etc

- Eventually I'll get a "cheap" ~450 CAD Qotom router, but right now the router I have range between 20% and 100% CPU usage. Is there any way I can lighten it's workload?

 

1. To create a true isolated guest network you should use two separate networks on your router assigned to two firewall zones. If the router is VLAN-aware, you need only one cable connection to the switch. If it's not VLAN-aware, but lets you assign the built-in port to different networks (local / guest), you can use two cable connections to the switch. Note that EAPs have a built-in function for creating guest networks which just enable wireless client isolation and ACLs denying access to private IPs. This does not require two subnets, but can share the same broadcast domain (I call this »poor man's guest net«). True isolation requires two separate broadcast domains with two SSIDs assigned to separate VLANs.

 

2. Same as 1. For true isolation of an IoT network, create a third network on the router. I use a separate IoT net to isolate Kasa smart devices to a purely local network w/o Internet access. You need to trick the Kasa devices so that they connect to your router's NTP time server when they try to reach the NTP server defined in the Kasa firmware (IIRC, it's 0.cn.pool.ntp.org) in order to still use scheduled actions in an isolated network. Also, some »smart« functions requiring cloud access won't work.

 

3. T1600G-28TS has a Voice VLAN setting (see QoS menu). I don't use VoIP phones, so I have no experience with a Voice VLAN, but you might find details in the User's Guide.

 

4. I recommend OpenWRT routers and/or EdgeRouter-X. The latter runs EdgeOS (based on Debian Linux) and has a very good NAT throughput of ~900 Mbps if hardware off-loading is enabled (it's disabled in factory defaults). What's more, it's possible to install OpenWRT on ER-X. Both, OpenWRT and EdgeOS let you easily create different networks as well as different DHCP server pools and are VLAN-aware, so they can be connected to the T1600G using one cable over a trunk (that's tagged) port.

 

In general, VLANs are just a way to carry traffic for different networks (the VLANs) over one physical router/cable/switch/AP. Isolation between networks is just a logical consequence of using same physical transport for different networks.

 

Just imagine you would have two (or more) networks with two routers, two switches and two sets of APs and then create two network topologies for those two networks. Next, assign both networks two VLAN IDs and reduce the devices to only one router, one switch and one set of APs which all need to be VLAN-aware. This is - in my opinion - the most easy way to set up VLANs.

 

 

 

Extarys wrote

My phone receive an IP address (10.1.114.2) but the device does not have internet access. It seems to be isolated from the rest of the LAN too, which is good.

 

You need to set the DNS server(s), too, in order to be able to use DNS names. Just try to ping the router, if this works, then test next steps until you come to test Internet access, not the other way around.

 

Next is DHCP relay, why do you enable this? Just bind the DHCP to your guest VLAN, that's all what's needed IMO.

 

My T1600G-28TS is hardware V1 whose firmware (unfortunately) does not have a DHCP server, so I can't test it.

 

How can I use the router for NATing while using the switch as DHCP server in this case then?

 

 

NAT has nothing to do with DHCP, both are completely different services.

 

Your router should be able to do NAT (for address translation of LAN IPs to a public IP) without having to assign those LAN IPs via DHCP first if there is already another DHCP server in the subnet which does this, else staticcally assgined IPs wouldn't work at all.

 

I know that there seems to be some confusion on part of other people re NAT and DHCP (see here for example), so probably this confusion comes from home routers which mix both terms somehow.

Why is your router connected to an untagged port? How should it handle the 10.1.114.0 subnet then?

 

 

»Normal« setup of a Guest Network

 

That's how I set up a guest network usually (switch omitted b/c of clarity):

 

 

Here the EAPs assign Ethernet frames coming in from two different SSIDs to 2 isolated VLANs 1 and 2. The router then needs to separate traffic in both VLANs into two LANs 1 and 2 again. The switch (not shown) just forwards traffic from both VLANs from EAP to the router and back again from the router to the EAP.

 

As I wrote: your router needs to handle the 10.1.114.0 subnet (VLAN 114) too if you want two isolated separate subnets.

 

 

Alternative setup of a Guest Network

 

Now, if you have only one network defined on your router (192.168.0.0) and want to use VLANs only to isolate local, guest and IoT devices sharing the same subnet, you would have to:

• only use on subnet (192.168.0.0), but four VLANs (say 1, 2, 113, 114),
• assign the router's untagged port a primary VLAN ID of 1 (PVID) and membership of VLANs 1, 2, 113 and 114,
• assign the port(s) of VLAN 2 (LAN) a primary VLAN ID of 2 (PVID) and membership of VLANs 1 and 2,
• assign the port(s) of VLAN 113 (IoT) a primary VLAN ID of 113 (PVID) and membership of VLANs 1 and 113,
• assign the port(s) of VLAN 114 (guests) a primary VLAN ID of 114 (PVID) and membership of VLANs 1 and 114,
• create firewall rules on the router that deny traffic from the IoT VLAN to the Internet (WAN).

 

Thus, in this solution VLANs are terminated in the switch, not in the router (VLANs only exist internally and they always need to lead into a network at the end):

 

 

• This way, Ethernet frames in the LAN VLAN reach the router through VLAN 2, but traffic from the router travels back through VLAN 1.
• Frames from the IoT VLAN reach the router through VLAN 113, but traffic from the router travels back through VLAN 1.
• Frames from the guest VLAN reach the router through VLAN 114, but traffic from the router travels back through VLAN 1.

 

In addition, if you use wireless client isolation in the EAP (setting »Guest Network« option), this setting also enables ACLs to deny traffic to private IPs. You have to add an ACL to exclude certain IPs from being blocked if you want to reach IoT devices from the LAN network. In addition, you need to ensure that the router doesn't route IoT traffic to the Internet (WAN), while traffic from the local and guest networks needs to be able to reach the Internet.

 

That's what I called the »poor man's guest network« solution in my first reply to your post – it uses the same broadcast domain for all devices, since there is only one network.

 

In my opinion this makes setup much more complicated than using three cleanly isolated networks on the router assigned to three VLANs (avoids the default VLAN then completely).

 

And BTW, this is the reason why in my opinion the newly introduced »Guest Network« setting in Omada controller for a simple thing as wireless client isolation complicates things further instead of making life more easy.

 

 

Do yourself a favour and set up different networks on a Linux router such as OpenWRT. It's very easy to do so and it provides a clean isolation between the different subnets. Also, access control using the zone-based firewall in OpenWRT is very easy.