I set out a target for myself this year to segregate my network into VLANs. This was partly out of necessity as I have a Philips Hue hub that was going EOL this year (obsolescence is a whole other area of tech that gets me fairly annoyed, particularly when it comes down to manufacturers simply not supporting their products). That said, it was also inspired by my latest IoT device - a Roomba vacuum cleaner! I felt that getting more IoT devices necessitates a network that is safe to have these devices on. However, I also set out to set up Home Assistant, and any devices on an IoT-only network need to be accessible to that.
I’ll be honest…it has been a total mission to get things working. I have learned that I find networking hard.
I was a bit worried as I have an Edgerouter for my router and DHCP server, a Linksys managed switch and a Unifi access point. Many of the guides online are good at dealing with a single manufacturer…but I have a mish-mash of components!
In the end I found several videos and walkthroughs and eventually muddled my way through. My basic process was the following:
- Create a VLAN in the Edgerouter Dashboard. I did this on the switch0 interface, so the VLANs are labelled switch0.XX, where XX is the number assigned to the VLAN. As far as I can tell the number is arbitrary, as long as it’s not 1 or 10.
- Create a DHCP server to match the subnet assigned in the last stage.
- Configure the switch to carry VLAN traffic.
This is where I started getting fairly confused - the terms are not particularly helpful! Trunk/access ports, tagged and untagged traffic etc. As far as I can tell the following is how to configure things:
  - Make any ethernet port that will carry multiple VLANs a trunk port. For me this includes the ethernet port the switch is connected to the router on, the port that is connected to my hypervisor and the port my access point is connected to.
  - Make any ethernet port that will be dedicated to a particular VLAN an access port. In my case, my Hue light hub is wired and is configured on an access port on the switch. I then ensured the access ports were configured as untagged for the VLAN they are a part of (unless the device is VLAN aware - my Hue hub, for example, is not!), and excluded from the other VLANs.
  - I tagged the ports that would be carrying VLAN traffic, but not necessarily interacting with it - in this case it was the trunked ports.
  - I excluded any port from a VLAN that would not be carried on that port.
  - I think that PVIDs are like the default VLAN - for me this was “1”. I left the PVID as “1” on all ports, except the access ports for specific VLANs, in which case I set their PVIDs to the VLAN value.
I’m still learning about VLANs, and I’m almost certain I have something not quite configured correctly. That said, it’s all working at the moment…
- Lastly, I created a new SSID on my Unifi access point. The access point will support up to four different SSIDs, so I guess after that you need extra access points! The SSID will purely be for IoT devices. I set a strong password and gave it the VLAN numerical value for the IoT VLAN.
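The trunk/access, tagged/untagged and PVID terms above are easier to reason about once you see what the switch does with a single frame. The following is an added example (not code from the post, and not from any of the vendors mentioned): a small Python model of 802.1Q port handling with a constructed port table that mirrors the setup described, a trunk to the router and an access port for the VLAN-unaware Hue hub. VLAN 20 as the IoT VLAN and the port names are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed port table modelling the post's switch: VLAN 1 is the default,
# VLAN 20 is assumed to be the IoT VLAN. Names and ids are example values.
@dataclass
class Port:
    name: str
    pvid: int                                   # VLAN given to untagged frames arriving here
    untagged: set = field(default_factory=set)  # VLANs sent out of this port without a tag
    tagged: set = field(default_factory=set)    # VLANs sent out of this port with an 802.1Q tag

    def members(self) -> set:
        """VLANs this port is a member of; anything else is 'excluded'."""
        return self.untagged | self.tagged


@dataclass
class Frame:
    vlan_tag: Optional[int] = None  # None means the frame arrived untagged


def ingress(port: Port, frame: Frame) -> Optional[int]:
    """Classify an arriving frame into a VLAN, or return None if the switch drops it.
    Untagged frames take the port's PVID (this is what makes an access port work for a
    VLAN-unaware device); tagged frames keep their tag only if the port is a member."""
    if frame.vlan_tag is None:
        return port.pvid
    return frame.vlan_tag if frame.vlan_tag in port.members() else None


def egress(port: Port, vlan: int) -> Optional[str]:
    """How a port sends a given VLAN out: 'untagged', 'tagged', or None if excluded."""
    if vlan in port.untagged:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return None


def forward(src: Port, frame: Frame, dst: Port) -> Optional[str]:
    """One hop through the switch: classify on the ingress port, then look up how
    (or whether) the egress port carries that VLAN."""
    vlan = ingress(src, frame)
    if vlan is None:
        return None
    return egress(dst, vlan)


PORTS = {
    # trunk to the router: PVID 1 left alone, VLAN 1 untagged, IoT VLAN tagged
    "router_trunk": Port("router_trunk", pvid=1, untagged={1}, tagged={20}),
    # access port for the Hue hub: PVID set to 20, untagged for 20, excluded from 1
    "hue_access": Port("hue_access", pvid=20, untagged={20}),
    # an ordinary access port on the default VLAN, excluded from 20
    "pc_access": Port("pc_access", pvid=1, untagged={1}),
}

if __name__ == "__main__":
    hue, trunk, pc = PORTS["hue_access"], PORTS["router_trunk"], PORTS["pc_access"]
    print(forward(hue, Frame(), trunk))    # Hue's untagged frame leaves the trunk tagged 20
    print(forward(trunk, Frame(20), hue))  # router's tagged 20 frame reaches Hue untagged
    print(forward(trunk, Frame(20), pc))   # pc port is excluded from 20: not forwarded
    print(forward(pc, Frame(20), trunk))   # a tagged 20 frame on the pc port is dropped
```

The last two cases are the point of the "exclude" step: a device on the default VLAN cannot receive IoT traffic, and cannot inject a frame tagged with the IoT VLAN, because its port is simply not a member of that VLAN.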
After all of that I connected a device to the IoT VLAN and was very relieved to see it being given an IP in the new IoT VLAN range! I also connected the wired devices to the access ports dedicated to the IoT VLAN on my switch…and again breathed a sigh of relief that they were given an IP by the Edgerouter in the IoT VLAN address range.
Optionally it might be worth reserving static IPs for devices on the IoT network. Partly this will make it easier to add them to something like Home Assistant later (my next project after the network is organised), but it will also make it easier to implement firewall rules for specific devices or groups of devices.
VLAN Aware setting
It took a while, but I found out that the Edgerouter POE device I have is subtly different from the seemingly more common Edgerouter X line. If ports are configured on the Edgerouter POE as a switch interface, it is unnecessary to make them “VLAN aware.” (This is possible with eth2 - eth4; eth0 is the WAN interface, and enabling eth1 as part of the switch incurs a performance hit because it is beyond the capabilities of the dedicated hardware and is instead done in software.) The setting is actually present in the firmware, but does not do anything when enabled.
Once I got VLANs working I realised I still had a long way to go! There’s not much point in having a dedicated IoT network if any device on that subnet can still access devices on the other subnets in the network. This is where firewall rules come in. I wanted my main VLAN to be able to access devices on the IoT VLAN, but definitely not the other way around. Eventually I also want to cut internet access to devices on the IoT VLAN and be able to control them from Home Assistant exclusively.
I initially struggled to understand the different interfaces on a router when configuring firewall rules. The directions for rules threw me a bit until a YouTube guide spelled it out. As far as I understand it the following is the case:
- IN - traffic coming OUT the VLAN and IN to the router
- OUT - traffic going OUT the router and IN to the VLAN
- LOCAL - Traffic ON THE VLAN itself (broadcasts and interVLAN communication)
The rules assigned to the IoT VLAN are (the order of the rules matters!):
- Accept Established/Related, all protocols, Destination other network ranges
- Drop all traffic, all protocols, Destination other network ranges
- Drop all traffic, all protocols, Source IoT VLAN interface (this is optional and will block all outbound requests from the IoT network from reaching the internet)
- Accept TCP and UDP, Destination DHCP server for the IoT VLAN, Port 53 (this is so DNS requests can be made)
- Accept UDP, Destination port 67 (this is so an IP address can be received from the DHCP server)
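Why the order matters is easiest to see with a first-match evaluator. The following is an added example, not code from the post or from the Edgerouter: a Python model of the ruleset above, evaluated the way a router ruleset is, top to bottom, first matching rule wins. The addresses (192.168.1.0/24 as the main LAN, 192.168.20.0/24 as the IoT VLAN, 192.168.20.1 as the router's IoT-side address and DHCP/DNS server) and the assumption that the ruleset's default action is accept are constructed for the example; the optional "drop everything from IoT" rule is modelled separately so it can be switched in.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the example (not the post's real ranges).
MAIN_LAN = ip_network("192.168.1.0/24")
IOT_VLAN = ip_network("192.168.20.0/24")
OTHER_NETWORKS = [MAIN_LAN]      # "other network ranges" as seen from the IoT VLAN
IOT_ROUTER = "192.168.20.1"      # router's IoT-side address: DHCP and DNS for that VLAN


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    state: str = "new"          # "new", "established" or "related"


@dataclass
class Rule:
    name: str
    action: str                            # "accept" or "drop"
    protocols: Optional[set] = None        # None = all protocols
    states: Optional[set] = None           # None = any connection state
    dst_networks: Optional[list] = None    # None = any destination network
    dst_addr: Optional[str] = None         # exact destination host, if any
    dport: Optional[int] = None            # destination port, if any

    def matches(self, p: Packet) -> bool:
        """A rule matches only if every condition it sets is met; unset conditions
        match anything, so a rule with no conditions is a catch-all."""
        if self.protocols is not None and p.proto not in self.protocols:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.dst_networks is not None and not any(
            ip_address(p.dst) in net for net in self.dst_networks
        ):
            return False
        if self.dst_addr is not None and ip_address(p.dst) != ip_address(self.dst_addr):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def evaluate(rules: list, p: Packet, default: str = "accept") -> str:
    """First-match evaluation: the first rule that matches decides; nothing below it
    is ever consulted for that packet. The default applies when no rule matches
    (assumed 'accept' here, which is why the optional rule is needed to block the
    internet)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# The post's ruleset in the post's order, minus the optional rule.
IOT_IN = [
    Rule("established-related", "accept",
         states={"established", "related"}, dst_networks=OTHER_NETWORKS),
    Rule("drop-to-other-lans", "drop", dst_networks=OTHER_NETWORKS),
    Rule("dns-to-router", "accept", protocols={"tcp", "udp"}, dst_addr=IOT_ROUTER, dport=53),
    Rule("dhcp", "accept", protocols={"udp"}, dport=67),
]
# The optional rule: source is the IoT interface, which is every packet in this ruleset.
BLOCK_INTERNET = Rule("drop-all-from-iot", "drop")


def with_internet_blocked(rules: list) -> list:
    """Insert the optional catch-all drop as the third rule, where the post lists it."""
    return rules[:2] + [BLOCK_INTERNET] + rules[2:]


if __name__ == "__main__":
    new_to_lan = Packet("192.168.20.50", "192.168.1.10", "tcp", 443)
    reply_to_lan = Packet("192.168.20.50", "192.168.1.10", "tcp", 51000, state="established")
    dns = Packet("192.168.20.50", IOT_ROUTER, "udp", 53)
    internet = Packet("192.168.20.50", "1.1.1.1", "udp", 53)
    print(evaluate(IOT_IN, new_to_lan), evaluate(IOT_IN, reply_to_lan),
          evaluate(IOT_IN, dns), evaluate(IOT_IN, internet))
    print(evaluate(with_internet_blocked(IOT_IN), internet))
```

The check worth running is the reordered one in the test below: if the drop rule is moved above the Established/Related accept, replies from an IoT device to a connection the main LAN opened are dropped, and main-to-IoT access stops working, even though the rule list contains exactly the same rules.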
mDNS repeater
Enabling the mDNS repeater allows broadcast discovery data to be relayed between different VLANs. This then makes certain devices on the IoT network discoverable to the private LAN, even if firewall rules prevent access from the IoT network to the private network.
There was no direct GUI option for this in the Edgerouter so I had to use the config tree (although it’s also possible to enable it using the command line). The breadcrumb trail on my Edgerouter POE was:
Service → mdns → repeater → add interface (switch0 and the IoT VLAN interface)
And that’s about it! There are a few little tweaks around to get things like DNS forwarded on the Edgerouter to VLAN interfaces, but the video linked below goes through that.
I’m glad I spent the time doing all of this as I was almost considering ditching the Edgerouter and Linksys switch in favour of going for an all-Unifi setup. I’m glad I spent the extra time learning. I have to say, when I first got the Edgerouter it took me a while just to get an internet connection going - it’s quite an intimidating device!
I would hugely recommend, however, making a backup of configurations before changing them. This saved me! I disabled and re-enabled a DHCP server somewhere in the process to renew the DHCP lease and get the static IP address I’d assigned to a device…and the router completely locked up! It wasn’t doing anything. Luckily, I had made a backup of the configuration the day before and dumped it into a Nextcloud folder. I had to reset the router, plug a cable from my laptop into the router and try to restore it. It was a pretty nerve-racking experience! ALWAYS take a backup first!
Resources I found super-useful during this weekend project:
- This blog post was really useful and enabled me to understand a little more what VLANs actually were!
- This YouTube video was, in the end, the most helpful guide. Even though it’s pretty long, it breaks down the steps super helpfully.
Next project - installing Home Assistant and beginning the process of automating my IoT devices!