How To Setup VLANs Pt1

  • Published 15 Oct 2024

COMMENTS • 40

  • @richardminasian983 9 months ago +1

    A very thorough and simple to understand explanation of VLANS. The Fog has lifted.

  • @julian.morgan 9 months ago +3

    Is it a fair summary to say that all devices with a direct wired connection to a managed switch should be connected via ports set to 'Untagged' except for other managed switches and the router, which should be Tagged?
    If I've got that right, presumably ports that connect to other managed switches and the router would also be trunk ports?
    I'm a bit overwhelmed with the number of different types of VLANs (subnet based, MAC based, protocol based etc.) but am I right in thinking that the first critical step is to figure out which ports on the switch(es) need to be set to tagged or untagged? And that the type of VLAN is the next step?
    Happy Christmas by the way :)

    • @TechTutorialsDavidMcKone 9 months ago +1

      I prefer to keep things simple so I don't bother with features like mac based, protocol based, etc.
      These are dynamic ways to put certain types of traffic into different VLANs and I think they just overcomplicate things
      As for port configurations...
      Most end devices like PCs and laptops should be connected to a port which is untagged. They don't need access to more than one VLAN so the switch port will be configured to put that traffic into a VLAN of choice
      Devices like other switches, hypervisors and firewalls will need access to multiple VLANs and so their port will need to be a tagged port
      I am curious about the router though because if it doesn't support some form of firewalling there isn't much gain in using VLANs, assuming it will be the default gateway for the VLANs
      Without rules to restrict traffic between VLANs, any computer can talk to any other, which is the same as everything being in the same VLAN
      Some routers do have firewall capabilities, but a dedicated firewall is better suited to the task
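The untagged and tagged port behaviour described in the reply above, modelled at the frame level. This is an added example, not from the video or any commenter; the port names, VLAN IDs 10 and 50, and the sample frame are assumptions, and the switch floods a broadcast rather than learning MAC addresses.

```python
import struct

TPID = b"\x81\x00"  # EtherType 0x8100 marks an 802.1Q tag

def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    return frame[:12] + TPID + struct.pack("!H", vid) + frame[12:]

def split_tag(frame: bytes):
    """Return (VLAN ID or None, frame with any 802.1Q tag removed)."""
    if len(frame) >= 16 and frame[12:14] == TPID:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

class Port:
    def __init__(self, name, untagged=None, tagged=()):
        self.name, self.untagged, self.tagged = name, untagged, set(tagged)

    def ingress(self, frame):
        """Classify an arriving frame into a VLAN; a VLAN of None means drop."""
        vid, inner = split_tag(frame)
        if vid is None:
            return self.untagged, inner   # untagged traffic joins the port's VLAN
        return (vid if vid in self.tagged else None), inner

    def egress(self, vid, inner):
        """Return the bytes sent out of this port, or None if not a member."""
        if vid == self.untagged:
            return inner                  # end devices never see a tag
        return add_tag(inner, vid) if vid in self.tagged else None

def flood(ports, src, frame):
    """Deliver a broadcast arriving on src to the other ports in its VLAN."""
    vid, inner = src.ingress(frame)
    if vid is None:
        return {}
    out = {p.name: p.egress(vid, inner) for p in ports if p is not src}
    return {name: data for name, data in out.items() if data is not None}

# Constructed sample: broadcast frame, EtherType 0x0800, dummy payload.
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"
PC, IOT = Port("pc", untagged=10), Port("iot", untagged=50)
UPLINK = Port("uplink", tagged={10, 50})  # to the firewall or another switch
PORTS = [PC, IOT, UPLINK]
```

Calling `flood(PORTS, PC, SAMPLE)` shows the PC's broadcast leaving only the uplink, tagged with VLAN 10, and never reaching the port in VLAN 50.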

    • @julian.morgan 9 months ago

      @TechTutorialsDavidMcKone Thanks David. I'm running a Fujitsu S920 low power pc with pfsense installed on it as my router. It has a four port Intel NIC installed in its single PCIe slot. Currently I'm just using two ports - WAN and LAN, but was thinking about doing a LAGG on the remaining ports to my switch and using this as the parent interface for the VLANs. The tricky thing is experimenting and learning from mistakes without getting an earful from my wife and kids when the internet goes down!

    • @julian.morgan 9 months ago

      As I'm sure you know perfectly well, but for others reading this, pfsense is the router, the firewall and the DHCP server for each VLAN.

    • @TechTutorialsDavidMcKone 9 months ago +1

      @julian.morgan Understood; IT is so much easier without users

  • @GutsyGibbon 2 years ago +1

    This was VERY helpful. I configured a VLAN on my router and all was working fine from any LAN port on the router. But I could not access the new VLAN through the switch (tp-link TL-SG108E 1.0). I kept searching through the menus of the switch config software looking for a way to "list VLANs for a port". But I had it backward. This video inspired me to dig in again. The menus are still hard to follow, but the way it is done on this switch, as you said, is to "create" VLANs on the switch and then assign ports to that VLAN. All ports were already assigned to VLAN1 the default, I "created" my new VLAN 50, and also assigned all 8 ports to that VLAN as well. Now the switch forwards (tagged) traffic on any port, for either the default network or the added VLAN. Thanks for pointing me in the right direction. TP-Link docs were not good at explaining this.

    • @TechTutorialsDavidMcKone 2 years ago

      Thanks very much for sharing this as it could certainly help other folks with a problem for that type of switch or similar
      I must admit, vendors don't make it easy to configure switches

  • @TheKingofparis148 3 months ago +1

    great video, gained a sub! The speed that you explained Vlan in was perfect for me to understand.

  • @KenPryor 2 years ago +3

    I really appreciate your videos. Your explanations are always so good. I'm learning a lot from you. Thank you!

  • @saednyarko4208 3 years ago +3

    Great insights David. I'm honored to be learning from you.

    • @TechTutorialsDavidMcKone 3 years ago

      I really appreciate your feedback. And I'm glad to hear you found the video useful

  • @Zambiziify 1 year ago +1

    nice intro overview.. I'm stuck doing exactly what you said at the end on my netgear switch, assigning it to static IP and to a VLANX other than VLAN1 without locking myself out. Great content very helpful. keep up the good work.
    Trying to config my pve 4x2.5G nics pfsense on proxmox to my netgear MS510TXPP all this VLAN segmentation is hard to wrap head around whilst not locking yourself out after moving from DHCP Assigned ip to static. Fun and games, thanks for this part 2 hands on demo I'm looking forward to watching. best way to learn is hands on imho.

  • @Kinoti9 2 years ago +1

    Sir you are such a good teacher. Thank you for the videos

  • @TechTutorialsDavidMcKone 3 years ago +1

    VLANs are a very useful security feature for networks, including the home, especially as we add more smart home devices
    If you are interested in buying any of the managed network switches shown, check out the links below
    I am an Amazon Associate and will earn commission from qualifying Amazon purchases. However, this is at no extra cost to you :)
    Netgear GS110TPv3
    US amzn.to/3vO0fRX
    UK amzn.to/3nTRX8A
    MikroTik CSS326-24G-2S+RM
    US amzn.to/3nUZ9kT
    UK amzn.to/3esEi59

  • @GHagar2024 10 months ago +2

    How does one setup a VLAN for wireless devices? Thank you!

    • @TechTutorialsDavidMcKone 10 months ago +1

      It depends on what's supported
      Most Wi-Fi routers and access points sold to retail or provided by ISPs don't support VLANs
      There are access points sold by Ubiquiti and TP-Link for instance that do, but they are higher priced
      They do VLAN tagging so you can associate an SSID with a VLAN tag but the switch port they're plugged into has to support VLAN tagging as well, so it needs to be a managed switch
      If you have a spare router or access point you could connect it to a switch port and assign that to a VLAN
      It's not as good, but at least it puts those Wi-Fi devices into a specific VLAN

    • @GHagar2024 10 months ago

      Thank you for responding, it is much appreciated!

  • @coltendean3498 2 years ago +1

    Great info and well presented! Thanks

  • @TheLateral18 1 year ago +1

    On an 8 port switch, is it a good idea to make a vlan for a ps5, pc and firestick or have one vlan for all 3 of them?

    • @TechTutorialsDavidMcKone 1 year ago +2

      I separate devices out depending on their need so it depends on what you do with yours
      If a device only needs access to the Internet for instance it goes into a guest vlan which only has access to the Internet via a firewall
      A PC though typically needs access to internal things like a printer, nas and so on so I'd have a vlan that allows that internal access plus access to the Internet

    • @TheLateral18 1 year ago

      @TechTutorialsDavidMcKone thank you for taking the time to answer.. Gave me a better perspective

  • @microsoftsarker 1 year ago +1

    Thanks for the info

  • @eastwest1970 1 year ago +1

    Thank you

  • @greenbeginner9221 2 years ago +1

    Why would using an unmanaged switch cause a security issue? I'm the only one using my components, not my next door neighbor. What am I missing?

    • @TechTutorialsDavidMcKone 2 years ago +1

      Because vendors are selling us devices which connect to the Internet and security isn't being given the high priority it should be
      This poses a risk because if one of your devices gets hacked through a vendor's cloud portal for instance, then that person could reach your device over the Internet and might be able to use it to try and hack other devices in your home network
      Even with a firewall between you and the Internet, the problem is that the device will have started a connection to a server on the Internet from behind your firewall and thereafter can be instructed by that server on the Internet
      As an aside, this is how botnets work and why scammers want you to install software on your computer. They can't initiate a connection to your computer from the Internet and need your computer to connect out to a computer on the Internet which can then control it
      Now by using a managed switch and configuring it to place devices into different VLANs you can reduce the impact if something like this ever happened
      E.g. if your NAS is in a trusted VLAN, but a smart home device gets hacked. With that smart device in another VLAN, a firewall will be set up to block access between your VLANs and so the hacked device can't be used to hack into your NAS
      Similarly it would stop someone using a smart home device to try and hack into the computer you use to connect to your bank account and so on
      Now I use smart home devices as an example but anything that connects to a cloud portal could be seen as a risk
      Customers of a well known NAS vendor for instance were victims of a ransomware attack because the NAS connected to the Internet portal and a hacker took advantage of software vulnerabilities including a built-in account with admin rights
      Vendors provide these cloud portals for remote access to your home network but the risk as demonstrated here isn't worth it
      And some will have this as the default setting and most folks will be unaware of the risk
      Some smart home devices I've been using are connecting to cloud portals just to register and get them up and running because it has to be done in an App
      But segregation at least helps to reduce the impact if something ever goes wrong
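The segmentation argument in the reply above, and the guest VLAN described in the earlier reply about the PS5 and PC, expressed as a default-deny policy with connection tracking. This is an added example, not from the video or any commenter; the zone names, subnets and addresses are assumptions, and flows are tracked by address pair only, without ports or protocols.

```python
import ipaddress

# Assumed layout for illustration; VLAN subnets are not from the page.
ZONES = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),  # PCs, NAS
    "iot": ipaddress.ip_network("192.168.50.0/24"),      # smart home devices
}
# (source zone, destination zone) pairs allowed to open NEW connections.
ALLOW_NEW = {("trusted", "iot"), ("trusted", "internet"), ("iot", "internet")}

def zone_of(addr: str) -> str:
    """Map an address to its VLAN zone; anything else is the Internet."""
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "internet")

class Firewall:
    """Default-deny firewall routing between VLANs, with connection tracking."""
    def __init__(self):
        self.established = set()

    def handle(self, src: str, dst: str) -> str:
        # Traffic belonging to a flow that was already permitted is let through
        # in both directions, which is why an outbound connection can carry
        # instructions back in.
        if (src, dst) in self.established or (dst, src) in self.established:
            return "allow (established)"
        if (zone_of(src), zone_of(dst)) in ALLOW_NEW:
            self.established.add((src, dst))
            return "allow (new)"
        return "block"

def scenario():
    """Constructed traffic: a smart device, a NAS and a cloud server."""
    fw = Firewall()
    device, nas, cloud = "192.168.50.20", "192.168.10.5", "203.0.113.7"
    return [
        fw.handle(cloud, device),  # unsolicited inbound from the Internet
        fw.handle(device, cloud),  # device connects out to its cloud portal
        fw.handle(cloud, device),  # server answers over the established flow
        fw.handle(device, nas),    # compromised device tries to reach the NAS
        fw.handle(nas, device),    # trusted VLAN may still reach the device
    ]
```

On a flat network the fourth flow never crosses the firewall at all, so there is nothing in the path to block it.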

    • @greenbeginner9221 2 years ago

      @TechTutorialsDavidMcKone Wow! I'm glad I've never bought a "smart" device. No Siri, no "hey Google", no fancy light bulbs. Now, when they learn how to hack my 20 year old vacuum cleaner, I might have to give some attention to security 🙄.

  • @erikmjelde4428 2 years ago +1

    Finally a video that explains VLAN concepts clearly! On to Pt2!

    • @TechTutorialsDavidMcKone 2 years ago

      Thanks for the feedback, I really do appreciate it
      Good to hear you found that part useful as I wanted to let folks know more about VLANs before configuring them

  • @samimisaif 2 years ago +2

    you have talked a lot instead you could have done some configurations

    • @TechTutorialsDavidMcKone 2 years ago +5

      Thanks for the feedback. It's appreciated
      Personally I don't like videos without some detailed explanation as to why things are being done the way they are
      They will be longer as a result, but they help me to learn about how things work