VLANs and unmanaged switches

Hi,

I’m planning a home/small-office network in a house with 3 floors.
I have a RB4011 as my main router on the middle floor.
For the other 2 floors I have 2 hAP ac2s. Those will primarily be used as APs, since I don’t plan to connect a lot of (if any) wired devices to them.

The RB4011, on the other hand, will have wired devices connected to it (including the 2 hAPs of course).
There are some devices (e.g. rpi running hassio, nas…) connected directly to the RB.
I also have 1 cable going to the living room, and 1 cable going to the office. Both are on the middle floor.
On the end of both of those cables I need more ports.

I plan to use VLANs.
At least 2 for each floor. One for IoT devices (with internet access), one for NoT devices (without internet access).
So that is at least 6 VLANs.

The devices in the living room (TV, android box, console, AV…) are all IoT devices and will be on the same VLAN.
Similarly, all devices in the office (PC, printer…) are also all IoT devices, and will be on the same VLAN (actually, the same VLAN as the living room devices).

Can I just use unmanaged switches in the living room and office, or do I need to get managed ones?
I assume they don’t need to do any VLAN filtering, since all devices connected to them are on the same VLAN.

I was thinking of putting one of these in the office: https://www.tp-link.com/uk/business-networking/unmanaged-switch/ls105g
And one of these in the living room: https://www.tp-link.com/us/home-networking/8-port-switch/tl-sg108/

Will that work? Or are there any significant advantages in using managed switches?
I guess the alternative would be to use a couple of hEX or hAPs instead.
But those cost a lot more than a dumb $20 switch.

If it’s fine to use unmanaged switches, but the TPLink ones I linked are poor, please suggest a better alternative.

Basically if you simply need ports for dumb physical devices in the same location, an unmanaged switch is fine.
One simply untags the vlan on the way out the port heading to the switch for that vlan. Works great.
When and if you need multiple vlans at that location then swap out for a managed switch.

The hAP acs make great AP/switches as well, so think of them as managed switches too.

Thanks.

Yeah, I know hAPs can work as switches.
If I needed a managed one, I would definitely go with hAPs, so I have RouterOS on all routers/switches.

This is purely from the cost perspective.
Why spend 7x more on hAPs if I don’t need them for this setup, and a dumb $20 switch will do just fine?

Could you please explain this. I didn’t quite get it.
“One simply untags the vlan on the way out the port heading to the switch for that vlan. Works great.”

Do you mean that the dumb switch drops the tags?
Or do I have to set the port that is going to that switch as untagged, on the RB?
If it’s the latter, then I don’t have those VLANs at all?

Yes the dumb switch does nothing LOL
And yes you do… all your subnets on MT should be on vlans, just untag them to dumb switches.
If you only have one subnet then yes you don’t need vlans…

I am not aware of any dumb switches that are specifically designed to do that… Some may, but if you need to manage vlans get managed switches.

In your case you are fine with unmanaged switches. You are simply applying the vlans internally on the main router and then untagging them on the appropriate port.
You could just assign a different subnet to each port on the main router, IF there never is more than one subnet per port going out that port.

However, doing vlans now allows for a very smooth transition to the day when you need to pass two or more subnets down a port to a smart switch or access point etc…
Also, vlans by themselves isolate at layer2 and thus security is readily visible by any config reader.

So you may have a situation where, instead of no bridge and let’s say 10 ether ports on the router with a subnet assigned directly to each ether port,
you could have one bridge and 10 vlans assigned to the bridge, with each vlan untagged at the appropriate port.
With this setup you can quickly go to multiple subnets out any port etc…

It really depends on what you are comfortable with and expectations for the future.
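The bridge-plus-untagged-port layout described in this reply, written out as an added RouterOS 7 example (it is not configuration from the thread or from any poster). The port numbers, the VLAN IDs 20 and 30 for the two rooms, and the subnets are assumptions; the point is that each dumb switch hangs off an access port and only ever sees untagged frames, while the same VLANs stay tagged towards the hAPs.

```routeros
# Added example, not from the thread: RB4011 bridge with VLAN filtering.
# Port roles, VLAN IDs and addresses below are assumptions.
/interface bridge
add name=bridge1 vlan-filtering=no comment="turn vlan-filtering on last, after the vlan table exists"

/interface bridge port
# ether2/ether3: trunks to the two hAP ac2 APs, tagged frames only
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether3 frame-types=admit-only-vlan-tagged
# ether4: cable to the living-room unmanaged switch -> access port, VLAN 20 untagged
add bridge=bridge1 interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
# ether5: cable to the office unmanaged switch -> access port, VLAN 30 untagged
add bridge=bridge1 interface=ether5 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
# ether6: HASSIO, left on the default pvid 1 (infrastructure)
add bridge=bridge1 interface=ether6 frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# every VLAN is tagged towards the APs and towards the CPU (bridge1), so the
# router can hold a layer-3 address on it; the dumb switches never see a tag
add bridge=bridge1 vlan-ids=1 tagged=ether2,ether3 untagged=bridge1,ether6
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2,ether3 untagged=ether4
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether2,ether3 untagged=ether5

# one layer-3 interface and one subnet per VLAN
/interface vlan
add name=vlan20-livingroom interface=bridge1 vlan-id=20
add name=vlan30-office interface=bridge1 vlan-id=30
/ip address
add address=192.168.1.1/24 interface=bridge1 comment="VLAN 1, untagged on bridge1"
add address=192.168.20.1/24 interface=vlan20-livingroom
add address=192.168.30.1/24 interface=vlan30-office

# only now activate filtering; doing it earlier can lock you out of the bridge
/interface bridge set bridge1 vlan-filtering=yes
```

Moving the office switch to VLAN 20 later is a change of `pvid` and of the `untagged=` entry; replacing a dumb switch with a hAP means switching that port to `frame-types=admit-only-vlan-tagged` and adding it to the `tagged=` list of every VLAN it should carry. Nothing else in the layout changes, which is the smooth transition the reply refers to.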

Without understanding how your wiring is being done, it is hard to say whether dumb switches will work.

If you have a dedicated port (either an access port for a vlan or an ether port that is not a bridge member, and is acting as a layer 3 interface) and a dedicated wire going to each switch (in other words the two switches not connected to each other, only to the MikroTik router port), then it should work fine.

If you wanted a single connection to the first switch and then a daisy chained connection to the second switch from the first switch, and expect the second switch to be on a separate subnet / vlan than the first, that will not work.

Show us a diagram of what you want to do. Even a photo of a hand drawn sketch is much better than words for transferring an idea of what you want to do.

You talk about 6 vlans, and 2 switches. How will the other 4 vlans connect?

If you haven’t used vlans before, I recommend Ed Harmoush’s Practical Networking site https://www.practicalnetworking.net. Ed has some of the best explained info about vlans: “Virtual Local Area Networks (VLANs)”. See the challenge quiz if you think you understand vlans. Ed also has a video covering the same info: “VLANs – the simplest explanation”. There is also an index to the vlan pages on PracticalNetworking. And here’s a good starting point for Networking topics in general: the “CCNA Index” (don’t be put off by the CCNA; this is pretty generic info that you need to know, explained in an easy to understand way). You can ignore the ACL stuff, which is Cisco specific.

I’m not daisy chaining anything with those switches, nor will I in the future. The switches are in different locations, and both of them are pretty much the end of the line. There is nowhere else that I would need to extend them. Each dumb switch has its dedicated cable going to the RB. Actually in both of those places I have 2 cables going to the RB (in case I need it for IPTV or something similar in the future, which the ISP delivers with a different VLAN id).

Here is a sketch of all the wired devices: https://drive.google.com/file/d/1HM8sGMzK5mh-qOsWJD3TIGTt_Hp2AjbQ/view?usp=sharing

I didn’t draw the wireless devices, because there are simply too many to fit in a diagram. I’ll try to list them here:

  • bottom floor: radiator valves (zigbee), light switches (wifi)…
  • middle floor: window shade motors (wifi), proximity sensors (zigbee), flood sensors (zigbee), shelly relays (wifi), room thermostats (wifi)…
  • upper floor: radiator valves (zigbee), shelly relays (wifi)…

The main reason I want VLANs is to separate IoT and NoT devices. I want to cut off internet access from whatever I can.
The reason I want 6 of them is mainly to split them out in different subnets, to have a cleaner organization of ip addresses.
So the plan was to have 1 IoT and 1 NoT VLAN per floor.

Similarly for WiFi networks, I basically want 4 of them:

  • 1 for all IoT devices (I would bridge the 3 VLANs)
  • 1 for all NoT device (I would bridge the 3 VLANs)
  • 1 for “owner” WiFi devices (my own phones, laptops etc)
  • 1 for “guest” WiFi devices

I know it’s not super necessary. It’s more of an ocd thing than a necessity. So e.g. I’d like all my light switches to be in the same range e.g. 100-150
On the bottom floor they would be e.g. 192.168.1.100-150, on the middle one 192.168.2.100-150, top one 192.168.3.100-150.
So I want to leave more than enough room in each range if I add more devices later.
I can’t do that with a single subnet, since I’ll run out of ip addresses.
Another potential reason why this could be useful are automation scripts and scenes. e.g. if I want to script a command that will shut down all the switches on the bottom floor, I can just target it by the ip range, instead of listing them one by one. Then when I add another device, I would need to update the script again.

Thanks for the links you posted. I’ll definitely check them out. I haven’t done a VLAN setup before. Never had a project of this scale. I’m a developer, not a network guy. I can get around, but I’m far from an expert.

Btw. if I’m totally off the mark here, and rambling nonsense, please let me know. This is what I want from the dev / home automation perspective. Maybe I’m just trying to bend the network part to fit this, in a wrong way. Or if you have a better suggestion how to organize the VLANs, feel free to pitch in. e.g. maybe it would make sense to create a separate VLAN for phones and laptops… So far mostly I’ve been following this guy https://www.youtube.com/@TheHookUp, since I’m using a lot of the same equipment as he does.

Your diagram is a good start, populate it with the vlans you want to use and then attempt the config…
Then post your config for review. ( the config of every MT device that is )

I am not sure which equipment you are talking about being the same as Rob in TheHookUp, since he uses primarily UniFi networking equipment. Maybe you are talking about the IoT and Camera devices?

vlans are just like LANS, the only thing different is they share physical wires, switches, and ports. It is very similar to having multiple VMs on a single server. They are kept separate unless there is something that “connects” the virtual machines. Each (v)lan is a separate broadcast domain; the only way to get things between vlans is a router (or a native vlan mismatch). A broadcast domain is the set of devices that can hear each other’s broadcast traffic. Therefore you should have only a single subnet per (v)lan, otherwise dhcp will not work correctly for more than one subnet, since it is based on broadcast (the Discover, Offer, Request, Acknowledge handshake of DHCP).

For the wifi, you will need a vlan-aware access point (AP) that can map each SSID to a different vlan. The connection to the AP will need to be a “trunk” link (possibly a hybrid link using MikroTik’s terminology; cisco would call a hybrid link a trunk with a “native” vlan, and that’s what Ed will call it in his video). Anav will tell you to avoid hybrid links, but they work fine with MikroTik routers; he is a purist when it comes to vlans, and there are advantages to using only tagged vlans on a trunk link, specifically that it is then not possible to have a vlan mismatch (if you take Ed’s vlan challenge quiz you will see how confusing things can get with untagged vlans when connecting switches).

If Ed’s vlan intro doesn’t make sense, then I would start with his Networking Fundamentals. As in most technical areas, things build on more fundamental things, and if you don’t understand how networking works (ethernet layer 2 and ip layer 3) you need to start there, before progressing to vlans. Otherwise it will just be black magic and when something doesn’t work, you won’t have the necessary knowledge to even know where to start troubleshooting. But if you have as much network stuff as you claim, then you have probably picked up quite a bit of practical knowledge, but if you haven’t had any formal training, I still think it would be worth going through the Fundamentals course, because you will then have a much better understanding of why things are done the way they are.
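The SSID-to-VLAN mapping and tagged-only trunk this reply asks for, as an added RouterOS 7 example for one of the hAP ac2 units (not configuration from the thread). It assumes the AP runs the legacy `/interface wireless` driver, that ether1 is its uplink to the RB4011, and that the SSID names, VLAN IDs and management address are placeholders; the router end of the trunk is assumed to tag the same VLANs.

```routeros
# Added example, not from the thread: hAP ac2 as a VLAN-aware AP only.
# SSIDs, VLAN IDs and the management address are assumptions.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface wireless
set wlan1 mode=ap-bridge ssid=iot-2g disabled=no
set wlan2 mode=ap-bridge ssid=owner-5g disabled=no
# virtual APs share a radio with their master and carry a separate SSID
add name=wlan-not master-interface=wlan1 mode=ap-bridge ssid=not-2g disabled=no
add name=wlan-guest master-interface=wlan2 mode=ap-bridge ssid=guest-5g disabled=no

/interface bridge port
# uplink: pure trunk, untagged frames are refused so a native-vlan mismatch cannot occur
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged
# each SSID is an access port: clients send untagged frames, the bridge tags them with the pvid
add bridge=bridge1 interface=wlan1 pvid=11 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=wlan-not pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=wlan2 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=wlan-guest pvid=40 frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# VLAN 1 carries the AP's own management address; it is tagged on the trunk like the rest
add bridge=bridge1 vlan-ids=1 tagged=ether1 untagged=bridge1
add bridge=bridge1 vlan-ids=10 tagged=ether1 untagged=wlan-not
add bridge=bridge1 vlan-ids=11 tagged=ether1 untagged=wlan1
add bridge=bridge1 vlan-ids=30 tagged=ether1 untagged=wlan2
add bridge=bridge1 vlan-ids=40 tagged=ether1 untagged=wlan-guest

/ip address
add address=192.168.1.2/24 interface=bridge1 comment="management, VLAN 1 (assumed)"

/interface bridge set bridge1 vlan-filtering=yes
```

The AP itself holds no address in the client VLANs: each SSID is one broadcast domain, DHCP Discover/Offer/Request/Acknowledge from a client travels tagged up the trunk to the router that owns that VLAN’s single subnet, and the AP only ever needs to be reachable on its management VLAN. Because ether1 admits tagged frames only, an untagged frame arriving from a misconfigured peer is dropped rather than silently landing in a default VLAN.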

hi @zolakt

Can I just use unmanaged switches in the living room and office, or do I need to get managed ones?
I assume they don’t need to do any VLAN filtering, since all devices connected to them are on the same VLAN.

i think you’ll be good with your soho setup (if you didn’t plan to do any further complex setup).

and that basic gigabit TP-Link should be running smooth. just remember 1 vlan for 1 unmanaged switch. since the switch will just act like an extension to your router vlan access port (this basic switch can’t do vlan tagging, though you can still give any vlan’s traffic through it).

have a try, and see how they perform. good luck

Yeah, I know Rob uses UniFi, but the way he sets up VLANs is pretty much what I’d like to achieve.
But, yeah, I was talking mostly about the IoT and home automation stuff. HA, relays, cameras, sensors etc. we have a lot of overlap.
That is the main focus of the whole project, so it’s easier to follow someone who basically does the same thing.
And from the videos I’ve watched, he does seem to know what he is talking about, especially on the home automation front.

Thanks for the clarification. I’ll check out the links you posted as well, before I attempt to do the whole config.

I wasn’t planning on using multiple subnets per VLAN. It’s one subnet per VLAN.
That is why I wanted 6 VLANs, so I can have 6 subnets.

As for vlan-aware APs, all the network equipment will be MikroTik (apart from the dumb switches I asked about), so it should be fine.
Apart from the RB and hAPs I already have, if I will need more APs, I’ll get a few cAPs.
Alternatively, I will replace one of the dumb switches with another hAP, if I need better wifi coverage in that area.

I don’t have a lot of practical networking knowledge. The MikroTik equipment that I have is brand new, totally unconfigured yet.
I don’t want any black magic, so I’ll definitely check out all the links you guys have posted.

Right now, I’m still in the planning stage. I want to get all the hardware in, before I attempt to do any config.
In the meanwhile I’ll try to brush up on my networking skills, to know exactly what I want to achieve in the end.

Good idea to think before configing LOL.
A good network diagram is worth gold and thus before configuring anything come back with such a diagram for review…
Ensure you detail ports and vlans on it…

Will do. Thanks

@anav (or anyone else), I’m finally starting with this configuration next week.

I’ve checked out all the resources you guys have posted. Learned a lot, but I’m still far from a networking expert.

I’ve decided to ditch the “per floor” approach, since I don’t see much gain in it.
Instead I’ve tried to group devices by what they need to communicate with.

This is the plan I have so far. Please have a look at the questions, and if it makes sense overall.
I’m open for any other suggestions as well.

Some commonly used terms, in the text below:

  • HASSIO - RPI4 running Home Assistant OS. It will also run the Rhasspy server.
  • Rhasspy - local voice assistant for RPI
  • “communicate with HASSIO” - means that HASSIO can read the state of the device, and send commands to it. The device itself does not have access to HASSIO

Infrastructure (VLAN 1):
I don’t know a better name for it, but basically these are devices that need access to everything, and have internet access.

These include:

  • the 3 MikroTik routers
  • HASSIO

Question 1: These should be their own VLAN, probably the default one VLAN 1, I presume?

Question 2: I still have a dilemma about whether I should break off HASSIO into its own VLAN. From the firewall perspective, I’m not sure what I would gain. It has similar specifications to the routers. Needs to be able to access everything and have internet access.

Question 3: I plan to run the Rhasspy server on the same device as HASSIO, which is not ideal from the firewall perspective. The RPI will run the Rhasspy server, while I will build my own smart speakers with RPI Zeros as Rhasspy satellites. I presume they will be required to run in the same VLAN as the server. This is not ideal firewall-wise, since I don’t want all smart speakers running on this infrastructure VLAN. Does anyone have a suggestion how to configure this, maybe by some port blocking or something, other than getting a new device just to run the Rhasspy server separate from HASSIO, on the NoT VLAN? I presume that Rhasspy only needs to communicate with HASSIO, not other devices directly (e.g. a TV). It listens for commands, sends them to HASSIO, then HASSIO triggers whatever automation it needs to (on another device e.g. a TV).

NoT (VLAN 10):
These are simple devices, that only need to “communicate with HASSIO”. They don’t need to communicate with one another, or with any devices on different VLANs.
These devices are fully local, and do NOT require internet access.

These include:

  • Shelly relays
  • Tuya lights/light switches/curtain motors/thermostats/sensors… (if I can get them to run without Internet)

IoT (VLAN 11):
Similar to NoT, but for devices that do require internet access.
These are simple devices, that only need to “communicate with HASSIO”. They don’t need to communicate with one another, or with any devices on different VLANs.
The intention is to have as few devices here as possible, and put only devices that really can’t work without internet access.

These include:

  • Vaillant boiler controller
  • Tuya lights/light switches/curtain motors/thermostats/sensors… (if I can’t get them to run without Internet)

Multimedia (VLAN 20):
These are devices that need to “communicate with HASSIO” and with other devices from the same VLAN. All of them need access to NAS.
“Consumer” devices (pcs, laptops, phones) need to be able to communicate with them (e.g. cast to them), but the multimedia devices shouldn’t have access to “consumer” devices.
Most of them do need internet access, although I have a dilemma here which I’ll get to in the questions.

These include:

  • TV
  • Nvidia Shield
  • Gaming console
  • AVR
  • NAS
  • Security cameras
  • Doorbell cameras (with intercom)

Question 4: I don’t like the idea of my cameras (security or doorbell) having internet access. I plan to get all cameras with local control. I do want HASSIO to be able to stream from them to a phone or a TV remotely, but I don’t want cameras having direct internet access. Would it make more sense to split this VLAN into 2 VLANS: one with, and one without internet access.

Question 5: If I do split it into 2 VLANs, where would the NAS go? Is it normal for a NAS to have no internet access? On the other hand, if I put it on the “internet VLAN”, then the cameras would need to store their feeds to a different VLAN.

Question 6: If I go with a separate device for the Rhasspy server, would it make more sense to put in here or in the NoT VLAN?

Consumer (VLAN 30):
These are the devices that need to “communicate with HASSIO”, with other devices on the same VLAN, and with all devices on the “Multimedia VLAN”.
All of them need internet access.

These include:

  • PCs
  • Laptops
  • Phones
  • Printers/Scanners

Question 7: Not a must have, but it would be nice if I could cherry-pick devices that have access to the HASSIO UI (e.g. only my wired PC).

Question 8: Printers/Scanners don’t really feel like they belong here communication wise (they could be Multimedia), but for convenience I think it makes more sense to keep them here. I will be printing/scanning exclusively from Consumer devices (possibly HASSIO). I definitely don’t need to print something from a device on some other VLAN (e.g. a TV).

Guest (VLAN 40):
These are exclusively WiFi devices (mostly phones), for guests.
They need internet access, but they should not have access to any other device on the network.
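The communication rules this plan spells out (HASSIO initiates to everything, devices only answer; NoT has no internet; Consumer may initiate to Multimedia but not the reverse; Guest only reaches the internet; only chosen hosts open the HASSIO UI) map directly onto a RouterOS forward chain. The following is an added example, not configuration from the thread: it assumes the VLAN interfaces named below already exist on the RB4011, that ether1 is the WAN port, that HASSIO is at 192.168.1.10 on the infrastructure VLAN carried untagged on bridge1, and that the wired PC is at 192.168.30.10. Port 8123 is Home Assistant’s default web UI port; the plan does not name it, so treat it as an assumption too.

```routeros
# Added example, not from the thread: forward-chain policy for the VLAN plan.
# Interface names, addresses and the WAN port are assumptions.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge1
add list=LAN interface=vlan10-not
add list=LAN interface=vlan11-iot
add list=LAN interface=vlan20-multimedia
add list=LAN interface=vlan30-consumer
add list=LAN interface=vlan40-guest

/ip firewall address-list
add list=hassio address=192.168.1.10 comment="RPi4 running Home Assistant OS (assumed address)"
add list=hassio-ui-clients address=192.168.30.10 comment="wired PC allowed to open the HASSIO UI (assumed)"

/ip firewall filter
# 1. replies first: a device may answer HASSIO, but can never open a connection to it
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
# 2. HASSIO reaches every VLAN: this is what "communicate with HASSIO" means in the plan
add chain=forward action=accept src-address-list=hassio in-interface=bridge1
# 3. Question 7: only listed clients may open the HASSIO web UI
add chain=forward action=accept src-address-list=hassio-ui-clients dst-address-list=hassio protocol=tcp dst-port=8123
# 4. internet per VLAN; NoT (vlan10) is deliberately missing from this list
add chain=forward action=accept in-interface=vlan11-iot out-interface-list=WAN
add chain=forward action=accept in-interface=vlan20-multimedia out-interface-list=WAN
add chain=forward action=accept in-interface=vlan30-consumer out-interface-list=WAN
add chain=forward action=accept in-interface=vlan40-guest out-interface-list=WAN
# 5. Consumer may initiate to Multimedia (casting, NAS shares); Multimedia never initiates back
add chain=forward action=accept in-interface=vlan30-consumer out-interface=vlan20-multimedia
# 6. traffic inside one VLAN never crosses the router, so Multimedia-to-Multimedia needs no rule;
#    everything else between VLANs, and Guest towards anything local, ends here
add chain=forward action=log log-prefix="vlan-deny " comment="optional: see what the default deny catches"
add chain=forward action=drop comment="default deny between VLANs"
```

Two things this shape gives a defender: the NoT VLAN has no accept rule towards WAN at all, so a device that turns out to phone home shows up in the log line rather than quietly succeeding, and because every cross-VLAN permission is an explicit accept above a final drop, splitting Multimedia into two VLANs later (Question 4) means adding one interface and, at most, one more accept line, not rewriting the policy. Splitting off the Rhasspy server (Question 6) works the same way: whichever VLAN it lands in, the only extra rule it needs is one accept from the satellites to that single address.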

For what it’s worth, I would likely use managed switches. I have several of the RB260 line (now called CSS106-5G-1S). They run SwitchOS which I find far easier for switch functionality than RouterOS. Nice to be able to see what’s going on or if needed turn off a port - which you can’t do with a dumb switch. I have three CSS326-24G-2S+RM switches at my house along with several RB260s (OK, I’m weird), and I prefer to do anything possible with a wired connection rather than WiFi.

Did I miss the diagram? I don’t see one.

What will you be using for switches?

What is the physical topology (how things are physically connected) and logical topology (each vlan separate and how they connect)?

There are many inexpensive vlan-aware switches. 8 port “smart” switches are ok for a home environment, although they usually don’t have very many ways to secure their management interface (a password is it).

But if you are in the USA, you can get these for under 30 dollars for an 8 port Gb switch that is vlan aware.

See post 8. A link to an image on Google Drive.

The RB260 (aka CSS106-5G-1S) mentioned by @k6ccc is very flexible. It is my “wireshark” tap of choice, because it is possible to configure it so you can monitor both WAN and LAN side traffic, and can see how the traffic is being modified by NAT translation, and what traffic is being blocked by a firewall. It’s higher in price, guessing > $45 shipped. And has fewer ports, but does have one SFP cage if that is important for your use case.

I don’t need managed switches. I bought the dumb ones.
If I’ll need managed later, I’ll exchange them with hAPs.
Right now, I don’t see a reason to use them, since each of those switches will be in a single VLAN (1 for Multimedia, 1 for Consumer).

As for the physical diagram, I posted it in one of the previous posts.
https://drive.google.com/file/d/1HM8sGMzK5mh-qOsWJD3TIGTt_Hp2AjbQ/view?usp=sharing
See this post for more details: http://forum.mikrotik.com/t/vlans-and-unmanaged-switches/164661/15

My question now is does this VLAN setup make sense, or does someone have a better suggestion?
The managed vs unmanaged switch debate has been solved for now. I went with the unmanaged ones.