February 2021

The next step in setting up my network was adding additional “LANS” to my network. So while before I was happy with two networks 192168.1.1/24 and 10.10.10.1/24. I really wanted more isolation from my IoT network, Security Camera Network, my Raspberry PI and Smart-Home network and the computers and devices we use all the time.

Here’s a list of my networks:

• Home Private Network
• Semi-Private Network & Private WiFi
• Raspberry Pi Network & WiFi
• Security Camera Network & WiFi
• IoT & Media Network & WiFi
• Guest Network

To do this I needed a router and firewall (EdgeRouter-X) and I needed a few managed switches because I didn’t want to run new cable.

Starting with the router I set-up the following:

The interesting thing I needed to learn here is the PVID is a “tagged” VLAN. I made this correspond to the network 192.168.4.1/24. This means anything that connects to this port “unmanaged” will get an IP from the 192.168.4.1/24 DHCP server. But if there’s a managed switch connected to this network, it will be able to route traffic for the VLANs 10,20,30, and 40.

The second thing I needed to do was configure my managed switch. DLink DGS-1100-08V2.

The tagged VLAN port here is eth1. This is tagged with VID = 4. This is the same PVID leaving the router. I have 2 untagged ports eth6 and eth7 for this VLAN. This means they will get IP addresses from the 192.168.4.1/24 DHCP server just like it was connected to eth4 from my EdgeRouter-X.

I connected my Access Point and my other managed switch to eth6 and eth7.

I have eth2 mapped to 10, so now anything connected there will get 192.168.10.1/24 addresses. I have eth3 mapped to 20, so now anything connected there will get 192.168.20.1/24 addresses. I have eth4 mapped to 30, so now anything connected there will get 192.168.30.1/24 addresses. I have eth5 mapped to 40, so now anything connected there will get 192.168.40.1/24 addresses.

Notice the PVID up on the top row as well. 4, 10, 20, 30, 40, 4, 4, 1.

The last setting was configuring my access point. This is an EnGenius EAP1300.

I’ve been having network problems of late and also because of security I wanted to better isolate my network from IoT devices from Google, Amazon, Hue, Etc.

I basically had a few ASUS routers (which have been great) and I’ve been using a Double NAT (Network Address Translation) with my more secure stuff behind another router. It’s worked fine for about 15 years but I wanted more security and more isolation.

First I tried to replace my Asus RT-AC86U and its DUAL WAN capabilities with an EdgeRouter-X by Ubiquity. No luck with the DUAL WAN and multiple LANs. As soon as I unplugged one of the WANS things worked and if I only had one LAN with DUAL WANS it would have worked. In hindsight, I could have just used a managed switch on the other side but I also didn’t want to spend another $300+ on access points.

So I decided to keep my Asus network and its AI Mesh routers for IoT and Media Streaming. My new purchases included:

• Ubiquity EdgeRouter X ($65 Micro Center)
• (2) D-Link DGS-1100-08p managed switches ($35 each Micro Center) 
• 1 EnGenius EAP1300 Access Point ($89 Micro Center)

Total cost $224 plus tax.

With these purchases, I get a VLAN capable Router with a firewall. A few managed switches with simple stand-alone management and web interface. A VLAN capable Multi-SSID Access Point also with stand-alone management.