router->switch and VLAN routing

Could someone please explain how the routing between vlans would work with the following configuration:

RB5009 with VLAN10 and VLAN20

CSS326 wired into RB5009’s ether2.

CSS port 1 is trunk port to RB5009 (that is, port 1 carries VLAN10 and VLAN20)
CSS Ports 2-8 are access ports for VLAN10
CSS ports 9-16 are access ports for VLAN20

Let’s say I have a smart TV (Roku) on CSS port 2. The TV will be on VLAN10 and have full access to the Internet.

But, I have my smartphone in my hand, which is wifi connected to an AP on CSS port 9 (VLAN20), and I like to use the Roku app to control the TV.

Do I need to set up a firewall rule on the RB5009 to allow frames from VLAN20 to access devices on VLAN10?

The RB5009 doesn’t know which CSS port the AP is on (and therefore doesn’t know how or from where my smartphone comes to be on VLAN20).

If this is the case, aren’t I creating a lot of traffic between the CSS and the RB5009 and a lot of routing work for the RB5009?

I know this is a basic question.

Now, if there is an entirely better way (either in hardware such as using a CRS) or ROS (filtering or routing) or VLANing, or some other way, I’d love to hear about it.

I know just enough to take a peek at the RB5009’s block diagram and I can see that all ports connect to the switch chip. And, I know just (barely) enough to know that inter-vlan routing is a level 3 function. So, do the frames still have to be routed by the CPU?

Would it be just fine if I used SFP to connect the RB5009 and CSS326?

Thanks.

Since you evidently have Unifi APs, and those are vlan-aware, you could configure an SSID on vlan 10 and another on vlan 20, and connect to 10 when you want your phone to be a Roku remote control.

I don’t think your main problem would be traffic; mdns would be the bigger issue.

You would need to configure CSS port 9 to be a trunk port as well. And depending on how you have the Unifi setup, you would probably want CSS port 9 to be a “hybrid”. You can configure the Unifi APs to use tagged vlans for management, but that’s not the way the factory default setting is, which is management over untagged.

But as I have recommended before: learn the fundamentals well, since they apply to any vendor. Then learn the details about how your chosen vendor is configured.

Thank you for your help and sorry for the confusion. This thread is not about a Ubiquiti/Unifi site – no UI stuff here.

The APs at this site are a hAPax3 and an ASUS (which I could very easily change to another ax3).

I realize I have only a rudimentary understanding of VLANs. But we novices need help too ;)

My plan is indeed to use different SSIDs to control which VLAN users and devices are on.

But, if the (wireless or wired) smartTVs are on VLAN10, and wifi users are on VLAN20, then am I right that for those users to use an app on their smartphones (1) inter-vlan routing is necessary, and (2) this inter-vlan routing must take place on the RB5009?

Same question for printers.

Or is there a better way?

Routers are eager to pass packets between different interfaces. So if your main router has VLAN interfaces for both VLAN 10 and VLAN 20, it’ll gladly route packets between both subnets. It’s additional work if one wants to (selectively) block such traffic, and the easiest way (of the flexible ways) is by introducing appropriate firewall rules.

The problem with the uses you mentioned in quoted text above is that often clients discover services by using broadcast packets … but broadcast packets are not routed between subnets. So e.g. printing would likely work if printing is set up on PCs manually (entering printer’s IP address, manually selecting/installing correct printer driver, etc.), but discovery of a printer will fail.

Such issues are often solved by configuring an mDNS helper (relay) on the router (or any device which has direct access to both subnets), which relays a subset of broadcast packets between both subnets and hence enables discovery across the subnet boundary (that’s the router).
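As an added example (my own, not posted by anyone in this thread), here is the RB5009 side of what this answer describes in RouterOS script form: VLAN 10 and VLAN 20 tagged on the ether2 trunk to the CSS326, an IP address on each VLAN interface so the router routes between them, and forward-chain firewall rules that let VLAN 20 clients (the phone) open connections to VLAN 10 (the TV) while VLAN 10 devices can only answer. The bridge name, the 192.168.10.0/24 and 192.168.20.0/24 subnets and the interface names are assumptions; the CSS326 port setup, Internet/WAN rules and the mDNS relay are not covered.

```routeros
# Added example, not from this thread. Bridge name and subnets are assumptions.
/interface bridge
add name=bridge comment="vlan-filtering is switched on last, once the VLAN table is complete"
/interface bridge port
add bridge=bridge interface=ether2 comment="trunk to CSS326 port 1 (VLAN10 + VLAN20 tagged)"
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge comment="TVs (CSS ports 2-8)"
add name=vlan20 vlan-id=20 interface=bridge comment="wifi clients (CSS ports 9-16)"
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
/ip firewall filter
# Replies to connections that were already allowed pass in both directions.
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Least privilege between the two VLANs: phones (VLAN20) may start connections to TVs (VLAN10) ...
add chain=forward action=accept connection-state=new in-interface=vlan20 out-interface=vlan10 comment="phone -> TV (Roku app)"
# ... but nothing on VLAN10 may start connections toward VLAN20.
add chain=forward action=drop in-interface=vlan10 out-interface=vlan20 comment="TV VLAN may not initiate toward client VLAN"
# Enable VLAN filtering only after the bridge VLAN table above is in place.
/interface bridge set bridge vlan-filtering=yes
```

Because the "phone -> TV" rule only covers routed unicast traffic, app discovery that relies on broadcast or multicast still needs the mDNS relay mentioned above.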

That’s a great explanation and addresses my question.

I think the takeaway is to go ahead and configure the environment so frames pass from CSS to RB5009 for inter-vlan routing, and control that inter-vlan traffic with firewall rules on the RB5009.

mDNS will be tackled later (perhaps after the complaints come in).