I’m looking to upgrade my router and properly subnet and lock down my network.
I’m getting conflicting information about this; some folks insist that you need a router and some switches to get it to work, others say just a nice router will do it. I’m really hoping the latter group is correct, and that something like a MikroTik hAP AC3 or AX3 will do the trick. I’m willing to submit to the learning curve, bring it! :)
The setup I’m trying to achieve (ideally with room to grow a bit):
- Internet: Right now I’m on CenturyLink gigabit (working with current router with the “VLAN tag 201” setup).
- Subnet/VLAN setup:
  - General stuff that applies to all:
    - All SSIDs are hidden; guests can ask.
    - All non-guest devices must be manually managed (MAC address, static IP).
    - Unless otherwise specified, devices are siloed with only internet access.
  - VLAN1 - Core/Main: Couple of primary desktops (e.g. linux box + windows gaming rig)
    - Wired only; VERY limited intra-VLAN communication (probably only ssh).
    - Allow inbound ssh from VLAN2 (e.g. rsync with laptop).
  - VLAN2 - Semi-Trusted: Personal phones/laptops that travel with me and connect to outside Wi-Fi (hotels, etc.)
  - VLAN3 - Services: Devices that serve inbound requests from VLAN1/2 (Google TV, Printer, etc.)
  - VLAN4 - Guest: Guests who want to get on my Wi-Fi (limit to 4 or 8 at a time)
    - Dynamically allocated IPs
  - VLAN5 - IoT Hellscape: Might subdivide this depending on need, but for now, all devices just talk to their respective cloud APIs.
Is this kind of thing achievable with just a single powerfully-configurable router? Any recommendations (or thoughts on the subnetting setup - is it over-engineered?)
Thanks!
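The segmentation described in the post, expressed as a RouterOS v7 configuration. This is an added example written by the editor, not config from the original post or from MikroTik. It assumes ether1 carries the CenturyLink VLAN 201 tag upstream (any PPPoE or other upstream auth is left out), ether2 is the only port for the wired core desktops, the Wi-Fi interfaces are added to the bridge with their own pvid, and VLAN IDs 10/20/30/40/50 with 10.0.<id>.0/24 are placeholder choices (RouterOS treats VLAN 1 as the default untagged VLAN, so the post's VLAN1..VLAN5 labels map to 10..50 here).

```routeros
# Added example (editor's, not from the post). Assumptions: ether1 = WAN with the
# CenturyLink VLAN 201 tag, ether2 = wired core desktops, Wi-Fi interfaces attached
# to bridge1 with their own pvid, VLAN IDs 10-50 and 10.0.<id>.0/24 are placeholders.
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1 vlan-ids=20,30,40,50
/interface vlan
add name=wan-vlan201 interface=ether1 vlan-id=201
add name=vlan10-core interface=bridge1 vlan-id=10
add name=vlan20-semi interface=bridge1 vlan-id=20
add name=vlan30-services interface=bridge1 vlan-id=30
add name=vlan40-guest interface=bridge1 vlan-id=40
add name=vlan50-iot interface=bridge1 vlan-id=50
/interface list add name=WAN
/interface list add name=LAN
/interface list member
add list=WAN interface=wan-vlan201
add list=LAN interface=vlan10-core
add list=LAN interface=vlan20-semi
add list=LAN interface=vlan30-services
add list=LAN interface=vlan40-guest
add list=LAN interface=vlan50-iot
/ip address
add address=10.0.10.1/24 interface=vlan10-core
add address=10.0.20.1/24 interface=vlan20-semi
add address=10.0.30.1/24 interface=vlan30-services
add address=10.0.40.1/24 interface=vlan40-guest
add address=10.0.50.1/24 interface=vlan50-iot
# Guest is the only VLAN with a DHCP pool (8 addresses = at most 8 guests);
# every other VLAN uses static addressing as the post requires.
/ip pool add name=guest-pool ranges=10.0.40.100-10.0.40.107
/ip dhcp-server add name=guest-dhcp interface=vlan40-guest address-pool=guest-pool lease-time=1h
/ip dhcp-server network add address=10.0.40.0/24 gateway=10.0.40.1
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Only the explicit inter-VLAN paths the post lists.
add chain=forward action=accept in-interface=vlan20-semi out-interface=vlan10-core protocol=tcp dst-port=22
add chain=forward action=accept in-interface=vlan10-core out-interface=vlan30-services
add chain=forward action=accept in-interface=vlan20-semi out-interface=vlan30-services
# Every LAN VLAN gets internet; nothing else crosses between VLANs.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN
add chain=forward action=drop comment="default deny forward"
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN
# Turn on VLAN filtering last, after the bridge VLAN table is complete.
/interface bridge set bridge1 vlan-filtering=yes
```

Traffic between two hosts on the same VLAN never reaches the router's forward chain, so the "ssh only" restriction inside VLAN1 has to be enforced with bridge filter rules or host firewalls rather than the rules above.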