VLAN on Edgerouter

So, in my homelabbing adventure, the home network became an integral part of my learning path, as the backbone of my whole homelab operation. One of the most interesting challenges in creating a proper home network is segregating it into multiple networks. In the past, you could always segregate it physically by adding physical switches and firewall rules in your router. But what about wireless? What if I want it all to be under one physical switch?

Enter VLAN

A VLAN, or Virtual Local Area Network, is, as the name suggests, a virtualized LAN: instead of a separate physical switch per network, packets carry a virtual tag that tells the router which packets belong to which LAN. You can read more about VLANs in this Wikipedia article. Even better, I’ll just steal the simple diagram from the Wikipedia page to illustrate how a VLAN works.

As you can see from the diagram, since a VLAN is virtual, multiple physical switches can also form one virtual LAN while still being physically connected to another LAN. My explanation might not be adequate since my understanding of it is still surface-level, which is why I recommend you just take a look at the Wikipedia article.

So what’s the plan?

So my plan is simple: to create 2 additional LANs for guest network and CCTV.

  • Guest Network: This network will be tagged as VLAN 20 and will use 192.168.20.0/24 as its address. The rules are simple: allow guests to connect to the internet, BUT do not let them interact with the main untagged network.
  • CCTV: CCTV is plain and simple. I will tag it as VLAN 30 and use 192.168.30.0/24. I will also block it from communicating with the internet at all costs.

I was planning to add an IoT network as well, but since some devices in my IoT network weren’t able to operate without internet, I might need to rethink my approach with them. Heck, I might go full Zigbee instead if that’s the case.

Right now, for routing I have an Edgerouter-X by Ubiquiti. In the future I will also add a Unifi US-16-150W PoE Switch into the mix for switching and powering PoE devices. (October Update: Added the Unifi Switch into the mix)

Onto the staging

After resetting my Edgerouter to its factory default settings and reconfiguring PPPoE, I started by creating the untagged VLAN network first, which would be 39 (why? Because I Miku. He-he.)

I will also create VLAN ID 20 for guest and 30 for CCTV.

I will also create a backup network called BACKUP in case something goes wrong, and I am unable to access the router admin page. This will be on VLAN ID 2 and will use 192.168.2.1/24 as the address.

Then, here comes the fun part: making DHCP pools for each network, *yay*. The reason I am doing this is so that I don’t need to painfully set my PC up with a static IP again once I turn on VLAN Aware on the Edgerouter.

Explanation time!
  • The DHCP Name is the name of the DHCP pool. I use the same name as the VLAN, so I won’t forget which is which (since we will have like 3 or maybe 4 of them).
  • Subnet is the subnet of the network, which in this case would be 192.168.39.0/24.
  • Range Start and Range Stop are the bounds of the IP range that will be allocated in this pool. I chose a range of 10 to 254, so I can reserve some IPs below 10 if I need them.
  • Router is the router address.
  • And DNS is the DNS address. I chose Cloudflare’s 1.1.1.1 for this (but I will probably update it to a local resolver later, maybe).

The Unifi network IP will be empty for now, because I haven’t set up my Unifi network controller yet. Alright, let’s set up another 3 of them! Which will probably be identical, *yay!*

Now, we are ready to make this router VLAN aware (probably, don’t judge me, I’m doing this as I learn…)

To do that, we need to head back to the Edgerouter Dashboard (aka the homepage) and select the local interface (Switch0) and go to configure.

Go to the VLAN tab, check the VLAN Aware checkbox.

This is the extra fun part, where we get to assign the port VLAN ID (pvid) and the VLAN IDs (vid) for every port of the router. Alright. For ports eth1, eth2, and eth3, I will assign pvid 39 because they are currently connected to a “dumb” wireless network. But for eth4, I will assign pvid 2 and vid 20, 30, and 39, since this is where I will use my Unifi switch.

After ipconfig renew and release, I have access to my router again, hooray.
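The GUI steps above, plus firewall rulesets for the guest and CCTV plan, written as EdgeOS CLI commands. This is an added example, not configuration from the original post: the .1 gateway addresses on VLANs 20, 30 and 39, the ruleset names GUEST_IN and CCTV_IN, and the need to let replies from the cameras through are assumptions.

```edgeos
configure
# Gateways: .1 on VLANs 20/30/39 is an assumption (the post gives only 192.168.2.1/24)
set interfaces switch switch0 vif 2 address 192.168.2.1/24
set interfaces switch switch0 vif 20 address 192.168.20.1/24
set interfaces switch switch0 vif 30 address 192.168.30.1/24
set interfaces switch switch0 vif 39 address 192.168.39.1/24

# Guest DHCP pool (range 10 to 254); the other pools differ only in name and subnet
set service dhcp-server shared-network-name GUEST subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name GUEST subnet 192.168.20.0/24 dns-server 1.1.1.1
set service dhcp-server shared-network-name GUEST subnet 192.168.20.0/24 start 192.168.20.10 stop 192.168.20.254

# Guest (VLAN 20): internet allowed, main network blocked
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 action drop
set firewall name GUEST_IN rule 10 description "guest to main LAN"
set firewall name GUEST_IN rule 10 destination address 192.168.39.0/24
set interfaces switch switch0 vif 20 firewall in name GUEST_IN

# CCTV (VLAN 30): nothing is forwarded out except replies to sessions opened from elsewhere
set firewall name CCTV_IN default-action drop
set firewall name CCTV_IN rule 10 action accept
set firewall name CCTV_IN rule 10 description "replies to viewers (assumed requirement)"
set firewall name CCTV_IN rule 10 state established enable
set firewall name CCTV_IN rule 10 state related enable
set interfaces switch switch0 vif 30 firewall in name CCTV_IN

# Switch ports last, since this is the step that can cut off the admin session
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth1 vlan pvid 39
set interfaces switch switch0 switch-port interface eth2 vlan pvid 39
set interfaces switch switch0 switch-port interface eth3 vlan pvid 39
set interfaces switch switch0 switch-port interface eth4 vlan pvid 2
set interfaces switch switch0 switch-port interface eth4 vlan vid 20
set interfaces switch switch0 switch-port interface eth4 vlan vid 30
set interfaces switch switch0 switch-port interface eth4 vlan vid 39

# The change is reverted unless "confirm" is entered within 5 minutes;
# enter it only after checking that the admin page is still reachable
commit-confirm 5
confirm
save
exit
```

Rulesets bound with `in` filter only traffic forwarded through the router; traffic addressed to the router itself (admin page, DHCP) is untouched by them and needs a separate `local` ruleset if guests should be kept off it.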

Wait, where’s the rest, Dzakiy?

In the middle of writing this, I was contemplating switching to OpenWRT. And so, this “documentation” has concluded. Big thanks to Toasty Answer for helping me throughout this process. See you in the next blog post, which is probably setting up VLAN in OpenWRT haha.
