VLAN on 3 switches in series

2020-05-16 23:04:44

Hi,

 

I have 3 switches connected in series:

T1600G-28PS

T2600G-28TS

T2600G-28SQ

They are all in the 192.168.1.0/24 subnet. Now I would like to create a new subnet 192.168.5.0/24 on the T1600G-28PS switch.
I want to keep the two subnets separate but I don't want to add cables. I think I have to set up a VLAN, is that correct?
How should the 3 switches be set up? How do I set up the other peripherals?

I am attaching a network drawing for more understanding.

 

Thanks, Nicola.

 

File:
network_map.png
0
0
#1
Options
3 Reply
Re:VLAN on 3 switches in series
2020-05-17 10:36:37 - last edited 2020-05-17 11:41:23

 

nicokid wrote

Now I would like to create a new subnet 192.168.5.0/24 on the T1600G-28PS switch.

 

 

No. You create this new network on the router (including a second DHCP server or IP pool, firewall rules, routing policies), not on the switch.

If this is not possible, you would need two routers if you want to implement two separate networks.

 

How should the 3 switches be set? How to setup other peripherals?

 

You design the second network like you would design another separate network, with its own router, its own switches and its own peripheral devices.

 

Then you decide which devices can implement two networks in only one device (i.e. whether they support VLANs):

 

  • Is your router VLAN-aware? If so, you create two virtual network interfaces (VIFs) which need to be mapped to one physical NIC. Each VIF will tag frames with a VLAN ID (say, VIF 1 uses VLAN ID 1 for the 192.168.1.0 network and VIF 5 uses VLAN ID 5 for the 192.168.5.0 network). You connect this physical NIC to the first switch using one cable only. The router is where your VLANs start.
     
  • Your switches are VLAN-aware. The switch port connected to the router needs to be assigned membership of both VLANs, 1 and 5. The VLAN can either be propagated further (to the second and third switch or to a server) or it can be terminated in the switch (to connect a peripheral device which should be in one network only). Read on to understand this better.
     
  • Now for the peripherals: are they VLAN-aware? Let's assume a NAS or a server is VLAN-aware and it should reside in both networks. You connect the server to a switch port which also is member of both VLANs 1 and 5. The server needs to map two VIFs to one physical NIC and needs to tag frames with the appropriate VLAN ID (same as what the router does). In this case your VLANs are terminated in the server, they are mapped to two separate IPs (e.g. 192.168.1.120 and 192.168.5.120).
     
  • Let's assume the peripheral is a wireless AP. Does it support VLAN-mapped Multi-SSIDs? If so, you create two SSIDs, one mapped to VLAN 1, the other mapped to VLAN 5. The switch port to which the AP is connected needs to be a member of VLANs 1 and 5, pretty much as in the previous example. Again, the VLANs are terminated in the AP, or rather in the AP's SSIDs. Both SSIDs are mapped to two separate wireless networks (e.g. SSIDs myWiFi1 and myWiFi5).
     
  • If the peripheral is not VLAN-aware (e.g. a PC) or if it should reside in only one network, you connect the peripheral to a switch port which is member of just one VLAN, either 1 or 5. The PVID of this port determines how the switch will tag frames on ingress, so they are assigned to either VLAN 1 or VLAN 5 even if the connected device does not use VLANs. On egress the switch removes the VLAN tag. In this case the VLAN (either 1 or 5) is terminated in the switch for this particular device. The device is part of only one network and has an appropriate IP (e.g. either 192.168.1.10 or 192.168.5.10 depending on the VLAN membership of the switch port).

 

That's all. It's really easy to set up a VLAN if you see both networks as two separate networks (which they indeed are, even when using VLANs).

 

 

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
0
0
#2
Options
Re:VLAN on 3 switches in series
2020-05-17 22:16:25

@R1D2 

No. You create this new network on the router (including a second DHCP server or IP pool, firewall rules, routing policies), not on the switch.

If this is not possible, you would need two routers if you want to implement two separate networks.

 

I meant to say that the new subnet is physically attached to the T1600G-28PS switch. The gateway (router) is physically connected on the first of the 3 switches. I don't understand where the gateway should be in your opinion. Do I have to physically put another gateway (router)? I'm more confused than before...

I try to explain myself better:

1) My router is the default gateway. There are 4 networks that pass through here.

2) My router can manage VLANs (Linux server).

3) In my router on the same port with IP address 192.168.1.254, I have created a virtual LAN with the VLAN 5 tag and IP address 192.168.5.254.
However the port with IP 192.168.1.254 is not tagged, i.e. there is no VLAN 1.

3) The new subnet (192.168.5.0/24) must be separated from the rest and connected only via router.

4) My AP has a single SSID. Downstream of the AP the whole network is 192.168.5.0/24.

 

Thanks for your long answer, but there are too many cases. I hope I have been clearer.

 

Nicola.

 

 

 

 

 

0
0
#3
Options
Re:VLAN on 3 switches in series
2020-05-17 23:44:23 - last edited 2020-05-18 00:12:44

 

nicokid wrote

I meant to say that the new subnet is physically attached to the T1600G-28PS switch. The gateway (router) is physically connected on the first of the 3 switches. I don't understand where the gateway should be in your opinion. Do I have to physically put another gateway (router)? I'm more confused than before...

 

The switch operates on Layer 2, so it doesn't care about networks or gateway settings.

No, you don't need to add another gateway since your Linux router is VLAN-aware.

 

I try to explain myself better:

1) My router is the default gateway. There are 4 networks that pass through here.

2) My router can manage VLANs (Linux server).

3) In my router on the same port with IP address 192.168.1.254, I have created a virtual LAN with the VLAN 5 tag and IP address 192.168.5.254.
However the port with IP 192.168.1.254 is not tagged, i.e. there is no VLAN 1.

3) The new subnet (192.168.5.0/24) must be separated from the rest and connected only via router.

4) My AP has a single SSID. Downstream of the AP the whole network is 192.168.5.0/24.

 

1/2/3a: So you have a physical interface (e.g. eth0) and a virtual interface for VLAN 5 (e.g. eth0.5), right? Substitute eth0 with the interface you actually use; here it's meant as a placeholder only.

 

When accessing the physical interface eth0, you will see all traffic of all VLANs passing through this physical interface. Traffic in the 192.168.5.0 (eth0.5) network also flows through eth0. Think of eth0 as a common interface for the whole traffic flowing through this port.

 

Therefore, create another virtual interface for the main network 192.168.1.0 (e.g. eth0.1). Assign this VIF the IP 192.168.1.254. Then, the router's eth0 interface is not used anymore (except as the physical base for VIFs 1 and 5). eth0 should not have an IP address.

 

The Linux kernel will then direct incoming traffic with VLAN tag 1 to eth0.1 and incoming traffic with VLAN tag 5 to eth0.5. Likewise, output to any of the interfaces eth0.1 or eth0.5 will get tagged by the Linux kernel. Thus, you access only eth0.1 or eth0.5, but you will not use eth0 anymore.
 

Keep in mind that once you create a VIF for VLAN 1, you need to use tagged traffic to communicate with the router under its IP 192.168.1.254. To do so, connect the router to a switch port (say, port 1) and assign the switch port tagged membership of VLANs 1 and 5. Assign switch port 2 untagged membership of VLAN 1, PVID=1. Connect your laptop/PC to port 2 of the switch to communicate with the router after you have created the tagged VIF 1 on the router.

 

3b (second 3 above, should have been 4): To separate the new subnet, create VLAN 5 in the switch.

4: Connect the AP to a switch port (say, port 8 or whatever) and assign this switch port untagged membership of VLAN 5, PVID=5.

Now your AP is part of VLAN 5.

 

This is the topology and port settings (R1 = router port 1, A, B, C = your three switches, AP = your wireless access point):

 

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
0
0
#4
Options
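The following is an added example, not code from this thread, from R1D2 or from TP-Link. It models the port rules described in the two replies above (untagged ingress gets the PVID, tag kept on tagged ports and stripped on untagged ports on egress, no forwarding to ports outside the frame's VLAN, and the Linux router demultiplexing tags onto eth0.1 and eth0.5) on switch A with the port numbers used in the reply (1 for the router, 2 for the PC, 8 for the AP). Port 24 as the uplink to switch B, the MAC names and the frames are constructed for the example; switches B and C would repeat the tagged-uplink pattern. The ingress-check behaviour (a frame that arrives already tagged for a VLAN the port is not a member of is discarded) is an assumption in this model and should be verified against the switch's own ingress checking setting.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    """802.1Q membership of one switch port."""
    tagged: Set[int] = field(default_factory=set)    # VLANs sent out with the tag kept (trunk)
    untagged: Set[int] = field(default_factory=set)  # VLANs sent out with the tag removed (access)
    pvid: int = 1                                    # VLAN given to frames that arrive untagged

    def is_member(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int]      # None = no 802.1Q tag on the wire
    what: str = ""


class Switch:
    def __init__(self, name: str, ports: Dict[int, Port]) -> None:
        self.name = name
        self.ports = ports
        self.mac_table: Dict[Tuple[int, str], int] = {}   # (vid, mac) -> learned port

    def classify(self, in_port: int, frame: Frame) -> Optional[int]:
        """Ingress rule: untagged frames get the PVID; tagged frames are only
        accepted when the port is a member of that VLAN (assumed behaviour,
        i.e. a switch with ingress checking enabled)."""
        port = self.ports[in_port]
        if frame.vid is None:
            vid = port.pvid
        elif port.is_member(frame.vid):
            vid = frame.vid
        else:
            return None
        self.mac_table[(vid, frame.src)] = in_port
        return vid

    def forward(self, in_port: int, frame: Frame) -> Dict[int, Optional[int]]:
        """Returns {egress port: VLAN tag on the wire (None = sent untagged)}."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return {}                                 # dropped at ingress
        learned = self.mac_table.get((vid, frame.dst))
        candidates = [learned] if learned is not None else list(self.ports)
        out: Dict[int, Optional[int]] = {}
        for p in candidates:
            if p == in_port or not self.ports[p].is_member(vid):
                continue                              # never leak across VLANs
            out[p] = vid if vid in self.ports[p].tagged else None
        return out


def router_vif(wire_vid: Optional[int]) -> Optional[str]:
    """What the Linux router's 802.1Q code does with a frame arriving on eth0:
    the tag selects eth0.1 or eth0.5; an untagged frame stays on bare eth0,
    which carries no IP address in the setup recommended above."""
    return {1: "eth0.1", 5: "eth0.5"}.get(wire_vid)


def switch_a() -> Switch:
    """Switch A from the thread; port 24 is a constructed uplink to switch B."""
    return Switch("A", {
        1: Port(tagged={1, 5}, pvid=1),    # R1: router, both VLANs tagged
        2: Port(untagged={1}, pvid=1),     # laptop/PC, VLAN 1 only
        8: Port(untagged={5}, pvid=5),     # AP (single SSID), VLAN 5 only
        24: Port(tagged={1, 5}, pvid=1),   # uplink towards switch B
    })


def ap_broadcast() -> Tuple[Dict[int, Optional[int]], Optional[str]]:
    """DHCP discover from a client behind the AP: arrives untagged on port 8,
    reaches the router tagged 5, never reaches the VLAN-1 PC on port 2."""
    sw = switch_a()
    egress = sw.forward(8, Frame("ap-mac", BROADCAST, None, "DHCPDISCOVER"))
    return egress, router_vif(egress.get(1))


def pc_to_router() -> Tuple[Dict[int, Optional[int]], Optional[str]]:
    """The PC on port 2 reaching 192.168.1.254 once the router MAC is learned."""
    sw = switch_a()
    sw.forward(1, Frame("router-mac", BROADCAST, 1, "ARP"))      # learn router on port 1
    egress = sw.forward(2, Frame("pc-mac", "router-mac", None, "ping"))
    return egress, router_vif(egress.get(1))


def tagged_frame_on_access_port() -> Dict[int, Optional[int]]:
    """A device on the VLAN-5 access port sends a frame already tagged VLAN 1:
    port 8 is not a member of VLAN 1, so the switch discards it."""
    sw = switch_a()
    return sw.forward(8, Frame("ap-mac", BROADCAST, 1, "mis-tagged"))
```

Running `ap_broadcast()` gives `({1: 5, 24: 5}, 'eth0.5')`: the AP's traffic leaves switch A only on the two tagged ports, still carrying VID 5, and lands on eth0.5 at the router; `pc_to_router()` gives `({1: 1}, 'eth0.1')`, which is why the PC has to sit on a port whose PVID is 1 once VLAN 1 is tagged towards the router. The last function returning an empty dict is the check to make when verifying the separation: an access port must not accept frames for a VLAN it is not a member of.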