I’m looking to upgrade my router and properly subnet and lock down my network.

I’m getting conflicting information about this; some folks insist that you need a router and some switches to get it to work, others say just a nice router will do it. I’m really hoping the latter group is correct, and that something like a MikroTik hAP AC3 or AX3 will do the trick. I’m willing to submit to the learning curve, bring it! :)

The setup I’m trying to achieve (ideally with room to grow a bit):

  • Internet: Right now I’m on CenturyLink gigabit (working with current router with the “VLAN tag 201” setup).
  • Subnet/VLAN setup:
    • General Stuff that applies to all
      • All SSIDs are hidden; guests can ask.
      • All non-guest devices must be manually managed (MAC address, static IP)
      • Unless otherwise specified, devices are siloed with only internet access.
    • VLAN1 - Core/Main: Couple of primary desktops (e.g. linux box + windows gaming rig)
      • wired only; VERY limited intra-VLAN communication (probably only ssh).
      • Allow inbound ssh from VLAN2 (e.g. rsync with laptop)
    • VLAN2 - Semi-Trusted: Personal phones/laptops that travel with me and connect to outside Wi-Fi (hotels, etc.)
    • VLAN3 - Services: Devices that serve inbound requests from VLAN1/2 (Google TV, Printer, etc.)
    • VLAN4 - Guest: Guests who want to get on my Wi-Fi (limit to 4 or 8 at a time)
      • Dynamically allocated IPs
    • VLAN5 - IoT Hellscape: Might subdivide this depending on need, but for now, all devices just talk to their respective cloud APIs.

Is this kind of thing achievable with just a single powerfully-configurable router? Any recommendations (or thoughts on the subnetting setup - is it over-engineered?)

Thanks!
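As an added example (not from the original post, and not a MikroTik-supplied config), here is what the five-VLAN layout above looks like as a RouterOS v7 configuration on a single hAP ac3-class box, using the switch chip for VLAN tagging and the router's firewall for the inter-VLAN policy. Everything concrete in it is assumed: port roles (ether1 WAN, ether2-3 core desktops, ether4 printer, ether5 trunk to a future switch), the 10.0.X.0/24 ranges, VLAN IDs 10-50 standing in for VLAN1-5, the placeholder MAC and PPPoE credentials, and that CenturyLink wants PPPoE on top of VLAN 201. The wireless section uses the legacy `/interface wireless` syntax of the ac3; the ax3's `/interface wifi` package uses different commands.

```routeros
# Added example: five-VLAN segmentation on one MikroTik (RouterOS v7).
# Assumed port map: ether1=WAN, ether2/ether3=VLAN1 core, ether4=VLAN3 printer,
# ether5=tagged trunk. Addresses, MACs and credentials are placeholders.

# --- WAN: VLAN 201 on the uplink, PPPoE on top (PPPoE is an assumption) ---
/interface vlan add name=wan-vlan201 interface=ether1 vlan-id=201
/interface pppoe-client add name=pppoe-wan interface=wan-vlan201 \
    user="CHANGE_ME" password="CHANGE_ME" add-default-route=yes use-peer-dns=yes disabled=no
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=pppoe-wan

# --- One bridge, VLAN-aware; filtering is switched on at the very end ---
/interface bridge add name=br0 vlan-filtering=no
/interface bridge port add bridge=br0 interface=ether2 pvid=10    # VLAN1 core, untagged
/interface bridge port add bridge=br0 interface=ether3 pvid=10
/interface bridge port add bridge=br0 interface=ether4 pvid=30    # VLAN3 printer, untagged
/interface bridge port add bridge=br0 interface=ether5            # trunk, all VLANs tagged
/interface bridge vlan add bridge=br0 vlan-ids=10 tagged=br0,ether5 untagged=ether2,ether3
/interface bridge vlan add bridge=br0 vlan-ids=30 tagged=br0,ether5 untagged=ether4
/interface bridge vlan add bridge=br0 vlan-ids=20,40,50 tagged=br0,ether5

# --- Layer-3 interface per VLAN (10..50 stand in for the post's VLAN1..5) ---
/interface vlan add name=v10-core  interface=br0 vlan-id=10
/interface vlan add name=v20-semi  interface=br0 vlan-id=20
/interface vlan add name=v30-svc   interface=br0 vlan-id=30
/interface vlan add name=v40-guest interface=br0 vlan-id=40
/interface vlan add name=v50-iot   interface=br0 vlan-id=50
/interface list member add list=LAN interface=v10-core
/interface list member add list=LAN interface=v20-semi
/interface list member add list=LAN interface=v30-svc
/interface list member add list=LAN interface=v40-guest
/interface list member add list=LAN interface=v50-iot
/ip address add address=10.0.10.1/24 interface=v10-core
/ip address add address=10.0.20.1/24 interface=v20-semi
/ip address add address=10.0.30.1/24 interface=v30-svc
/ip address add address=10.0.40.1/24 interface=v40-guest
/ip address add address=10.0.50.1/24 interface=v50-iot

# --- DHCP: non-guest VLANs hand out static leases only; guests get a pool of 8 ---
/ip pool add name=p-guest ranges=10.0.40.10-10.0.40.17
/ip dhcp-server add name=d10 interface=v10-core  address-pool=static-only disabled=no
/ip dhcp-server add name=d20 interface=v20-semi  address-pool=static-only disabled=no
/ip dhcp-server add name=d30 interface=v30-svc   address-pool=static-only disabled=no
/ip dhcp-server add name=d40 interface=v40-guest address-pool=p-guest lease-time=1h disabled=no
/ip dhcp-server add name=d50 interface=v50-iot   address-pool=static-only disabled=no
/ip dhcp-server network add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=10.0.10.1
/ip dhcp-server network add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=10.0.20.1
/ip dhcp-server network add address=10.0.30.0/24 gateway=10.0.30.1 dns-server=10.0.30.1
/ip dhcp-server network add address=10.0.40.0/24 gateway=10.0.40.1 dns-server=10.0.40.1
/ip dhcp-server network add address=10.0.50.0/24 gateway=10.0.50.1 dns-server=10.0.50.1
# pattern for pinning a device to MAC + IP (placeholder MAC)
/ip dhcp-server lease add server=d10 address=10.0.10.11 mac-address=00:11:22:33:44:55 comment="linux box"

# --- Hidden SSIDs on the ac3's legacy wireless driver; one virtual AP per Wi-Fi VLAN ---
/interface wireless security-profiles add name=sp-guest mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE_ME"
/interface wireless add name=wlan-guest master-interface=wlan2 ssid="guest" \
    hide-ssid=yes security-profile=sp-guest max-station-count=8 disabled=no
/interface bridge port add bridge=br0 interface=wlan-guest pvid=40
/interface bridge vlan set [find vlan-ids=20,40,50] untagged=wlan-guest

# --- Firewall: default deny between VLANs, then only the flows the post allows ---
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=v20-semi out-interface=v10-core protocol=tcp dst-port=22 \
    action=accept comment="laptop -> desktop ssh (rsync)"
add chain=forward in-interface=v10-core out-interface=v30-svc action=accept comment="core -> services"
add chain=forward in-interface=v20-semi out-interface=v30-svc action=accept comment="semi-trusted -> services"
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept comment="every VLAN gets internet"
add chain=forward action=drop comment="everything else: VLAN->VLAN, guest/IoT -> anything local"
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=v10-core action=accept comment="manage the router from core only"
add chain=input in-interface-list=LAN protocol=udp dst-port=53,67 action=accept comment="DNS+DHCP"
add chain=input in-interface-list=LAN protocol=icmp action=accept
add chain=input action=drop
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade
/ip dns set allow-remote-requests=yes

# --- Last step, from a console session on ether2, so a mistake cannot lock you out ---
/interface bridge set br0 vlan-filtering=yes
```

Two caveats a practitioner would check before relying on this. First, the `forward` chain only sees traffic that crosses VLANs; two desktops on ether2 and ether3 are switched inside VLAN 10 by the switch chip, so the "ssh only" restriction inside VLAN1 is not enforced by anything above. To filter intra-VLAN traffic on a single box you have to push bridged frames through the IP firewall (`/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes`) and write rules on `in-bridge-port`/`out-bridge-port`, which costs hardware offload and therefore throughput. Second, the "services" VLAN as written only lets core and semi-trusted initiate; if a device there (a Google TV, say) needs to discover clients via mDNS, that is a separate multicast-relay question and not something this firewall policy grants.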

  • acablepersonB · 10 months ago

    Yeah I don’t think you are going to get a managed switch, AP, and router all in one package that can support all those functions. I could be wrong. But seems less than likely.

    Easiest might be just to go UniFi for everything and that way it’s all on the same UI. I’m cheap so I have pfSense, the cheapest managed switch I could find, and UniFi APs, and it still cost me around 300, and that’s with running pfSense on a VM on a server. And it’s a pain in the ass to change configurations because it’s 3 separate UIs.

    I would prob tone down the segmentation a bit but you do you, it’s your network. I have a mgmt VLAN for the router, the VM server, and an old machine I flashed to Linux that pretty much is just used to manage both. That VLAN blocks all incoming requests but can make requests to the secondary VLAN. The secondary VLAN is for phones, general use laptops, gaming consoles, etc. The third VLAN is for IoT, which doesn’t communicate with anything locally. Just points to the WAN interface. There is no need for local management on any of these devices as they are all cloud based (the ones I have). It’s inefficient yes, but it also doesn’t need to talk locally so it doesn’t. As per guests, use your data… oh and my printer lives on its own VLAN that accepts requests from the secondary VLAN but it’s allowed to make them, and it’s hardwired, not requiring an additional SSID.

    I could be running a shit network though so don’t take my word for it.