Vlans over VPN
Hardware:
TL-SG2428P
4x EAP615
Hello,
I bought a tl-sg2428p and four eap-615wall for my new small office / home place.
I would configure vlans in this way:
vlan0: main network to manage all devices in LAN
vlan1: reolink kit nvr + 4 poe cameras
vlan2: employees network
vlan3: guest network
Then I will configure 4 ssid for wifi.
I always used my isp router and a qnap nas to configure vpn, but now I have some employers that need remote access to the nas, so I guess ISP router and NAS will not be enough to manage this scenario.
How can I create a remote access to main network for me and a "restricted access" for employees vlan (vlan2 up there) in my office?
What kind of router/firewall should I add?
Thank you very much for support.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
You can try using the controller to manage these devices and then create a cloud account to access and manage them remotely by logging into the cloud website.
https://www.tp-link.com/business-networking/omada-sdn-controller/
You can set up four VLAN interfaces, then select one of the VLAN interfaces you want to restrict and set up portal or ACL rules based on it, see UG for suggestions.
As for the router, you can consider the ER605, which I am currently using and I think it is very good.
https://www.tp-link.com/business-networking/omada-sdn-router/er605/#specifications
- Copy Link
- Report Inappropriate Content
Thank you for reply.
Yes, I can create a cloud access, but can I access to my Nas and my files in this way?
I know I can manage the network and devices from cloud, but I think I can't acess to my NAS.
The question is:
If we are out of office and both (me and employee) need to connect remotely to the NAS, how can I have an access to vlan0 and the employee to the vlan2?
Thank you for linking router.
- Copy Link
- Report Inappropriate Content
@umbertodm I think cruical question here would be if you want to manage vpn users centralized over omada or not, in case that you do not want to manage it with omada, then run your vpn server on a device which has access to required vlan's. You also did not mention which vpn you want to run and what your requirements would be, in general if you are not restricted to not using wireguard, then you should try it, in general it is a good idea if clients within your network communicate encrypted where one does not want to lose gigabit speed or throttle the cpu, wireguard in this case is very flexible and powerfull solution.
- Copy Link
- Report Inappropriate Content
Sorry, you're right.
It's not necessary that the vpn is in managble by omada.
I have a symmetric 1 gbps line and maybe a wireguard server on a raspberry pi4 could be better for me.
So, do you recommend to start two vpn servers, one for owner (maybe on the main router) and one for employees (a raspberry pi4 with access only on vlan2) ?
Thank you very much for your help
- Copy Link
- Report Inappropriate Content
umbertodm wrote
Sorry, you're right.
It's not necessary that the vpn is in managble by omada.
I have a symmetric 1 gbps line and maybe a wireguard server on a raspberry pi4 could be better for me.
So, do you recommend to start two vpn servers, one for owner (maybe on the main router) and one for employees (a raspberry pi4 with access only on vlan2) ?
Thank you very much for your help
@umbertodm depending on your hardware, if ipsec or even openvpn can reach 1gbps with your hardware, then you probably could go for any solution. Considering you need vpn which is designed to work on high speed networks, wireguard beats all other vpn solutions but it has restrictions too which are worth to mention like that udp protocol is used or that it has no obfuscation (your ISP knows it is wireguard protocol).
About rpi4, well, yes it would probably reach good speeds, but probably not higher than 500 (as that is what they deliver with iperf in local encrypted network for me), not sure if it could get more, but in general it is bad idea to use raspberry pi's in commercial environment. However, if you can live with 500Mbit then rpi's could be used as well as they are quite easly replaceable in case they break or if you need a backup server, but keep in mind that for quite the same price you can get better devices which can reach 1Gbit.
If you already have some rpi4 around, then use it as playground to find out if that is enough for you. In most companies resources and access to them is restricted and splitted in networks which sometimes creates a nightmare for administration, thats why I do believe that like you say one for administration access and another for normal employees.
Question still remains if you already know how you will manage your vpn. Nice thing about wireguard is that each peer actually acts as a server too as long as one needs it. It means that your employee's wireguard server can have a peer to which it connects and uses it only for internet, that is as example if you have several locations and you want them all to use just one location as their gateway. There is kinda endless variations how one could build up a network, for one you will want a peer which acts as gateway maybe on other side you might want another server which requires every peer to connect over wireguard.
Your employees can have their own address range in wireguard which they then can use locally, I had many such requests where I was asked if there is a way to be connected to companies vpn with ability to use a printer which is in home network (mostly such requests come from remote workers). In case of wireguard you as a company can easily allow a user to use own ip ranges for own purpose, just make sure such configs do not allow access to sensible ressources as it would mean that a hacked toaster in employees home could gain access to your network or simply a windows user who opens some prom to just get shared disks to which a user has write access to be encrypted, on that point backup's importance raises with the value of data loss.
Anyway, above can be applied from small to big companies. Depending on how big the damage in financial meaning would be if your vpn stops working lets you find out if you can use rpi's and simple solutions or that you would require some consulting which always costs once, but good consulting can save you a lot of costs and headache. You probably should also get in touch with tp-link support in companies name to see what they suggest, it might be good solution, might be bad, but it is easy to ask.
- Copy Link
- Report Inappropriate Content
umbertodm wrote
Sorry, you're right.
It's not necessary that the vpn is in managble by omada.
I have a symmetric 1 gbps line and maybe a wireguard server on a raspberry pi4 could be better for me.
So, do you recommend to start two vpn servers, one for owner (maybe on the main router) and one for employees (a raspberry pi4 with access only on vlan2) ?
Thank you very much for your help
@umbertodm depending on your hardware, if ipsec or even openvpn can reach 1gbps with your hardware, then you probably could go for any solution. Considering you need vpn which is designed to work on high speed networks, wireguard beats all other vpn solutions but it has restrictions too which are worth to mention like that udp protocol is used or that it has no obfuscation (your ISP knows it is wireguard protocol).
About rpi4, well, yes it would probably reach good speeds, but probably not higher than 500 (as that is what they deliver with iperf in local encrypted network for me), not sure if it could get more, but in general it is bad idea to use raspberry pi's in commercial environment. However, if you can live with 500Mbit then rpi's could be used as well as they are quite easly replaceable in case they break or if you need a backup server, but keep in mind that for quite the same price you can get better devices which can reach 1Gbit.
If you already have some rpi4 around, then use it as playground to find out if that is enough for you. In most companies resources and access to them is restricted and splitted in networks which sometimes creates a nightmare for administration, thats why I do believe that like you say one for administration access and another for normal employees.
Question still remains if you already know how you will manage your vpn. Nice thing about wireguard is that each peer actually acts as a server too as long as one needs it. It means that your employee's wireguard server can have a peer to which it connects and uses it only for internet, that is as example if you have several locations and you want them all to use just one location as their gateway. There is kinda endless variations how one could build up a network, for one you will want a peer which acts as gateway maybe on other side you might want another server which requires every peer to connect over wireguard.
Your employees can have their own address range in wireguard which they then can use locally, I had many such requests where I was asked if there is a way to be connected to companies vpn with ability to use a printer which is in home network (mostly such requests come from remote workers). In case of wireguard you as a company can easily allow a user to use own ip ranges for own purpose, just make sure such configs do not allow access to sensible ressources as it would mean that a hacked toaster in employees home could gain access to your network or simply a windows user who opens some prom to just get shared disks to which a user has write access to be encrypted, on that point backup's importance raises with the value of data loss.
Anyway, above can be applied from small to big companies. Depending on how big the damage in financial meaning would be if your vpn stops working lets you find out if you can use rpi's and simple solutions or that you would require some consulting which always costs once, but good consulting can save you a lot of costs and headache. You probably should also get in touch with tp-link support in companies name to see what they suggest, it might be good solution, might be bad, but it is easy to ask.
- Copy Link
- Report Inappropriate Content
Thank you! I know that I have to consider a lot of things, but I'm building a network for a small office (max two employees) and 1/2TB on a small NAS. We have always two daily backup copy of the nas for our travel, so a vpn or isp crash is not too relevant. Very interesting the discorurse concerned wireguard. Often we're out of office, so I'd like to have a fast vpn throughput when we work from outside. What hardware do you recommend for 1gbps vpn instead of a rpi4?
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1222
Replies: 7
Voters 0
No one has voted for it yet.