Not sure if you will get a chance to answer this, but I’ll throw it out there. I run a VPN through DD-WRT on a Netgear R7000. I am looking to make a VLAN so only my work devices get routed through the VPN, but all other devices are routed straight through to another DHCP. If you could shed some light on VPNs and VLANs, it would be greatly appreciated. Thanks for the insight!
OMG...the party analogy and then the comment about us all being a bunch of introverts made me choke on my coffee and almost spit it out. Was not prepared for that level of humor. 😂🤣😂
Great video. Far from the first VLAN video I have sought out and watched, but by far the best! I am confused by some of the settings you showed us regarding untagged LAN packets - confused just enough to risk exposing my ignorance and poor reasoning skills with a question. 11 months behind, I know, but there's always a chance... Why do ALL of the smart switch's ports have to be specifically set up to listen for untagged packets? For example the "not intuitive" part at 14:52, where you specifically assign all 5 ports on your small NETGEAR managed switch to listen for untagged packets. I understand why ports 3 and 5 need to be set up to listen for untagged packets, since they are also assigned to tagged packets for VLAN 3, and you want them to handle both. However, if the VLAN Membership settings for ports 1, 2, and 4 were left blank, would they not simply function as ports on a "dumb" switch would -- receiving and forwarding any untagged data packets? Doesn't all untagged data automatically default to the LAN and pass through all ports not already assigned to a VLAN? I have almost no experience with VLANs or managed switches, so I could very well be missing something. I'm presuming that the ports of a smart switch function the same as those of a "dumb" switch in regards to untagged data, and that it will do so unless configured otherwise, as opposed to having to be configured to do so. Yet, I don't really know. Will a smart switch block all data which is not tagged (or untagged) to match its configuration? If so, is that true of all managed switches or does it depend on the brand and/or model? Also if so, I am deeply sorry for the embarrassingly dumb question. Thanks again for the great video.
VLAN 1 by default is an untagged VLAN meaning that all untagged packets are assumed to be in 1. Feel free to join the Discord if you want to learn more, we have plenty of folks over there willing to help out :)
Router/modem running to 3 switches (Netgear GS108E) with CAT 6a S/FTP. Every switch is responsible for its own VLAN: (Router Port 1) living room, (Router Port 2) home office and (Router Port 3) son's bedroom. Separate VLAN for each Deco M9 mesh WiFi (this is a 2.5Ghz blind SSID for IoT devices, and a 5Ghz for phones and tablets). The game server rig runs with an SSH tunnel, and the NAS can be reached by all but the 2.5Ghz WiFi and is password protected.
Yo. The money shot for me is @ 6:55. I was caught in limbo until now because I was unaware of what I was trying to accomplish. I need mf'n trunk ports, kid.
I ended up putting together a little NAS with a 10 GB switch. I have set everything up flawlessly other than VLANs. I am getting an issue where the Adobe server will not access the web. I was trying to configure VLANs but I was having issues. Now I'm not sure what to do because the switch manufacturer is saying it is probably my router or DNS settings.
Just to say thank you for your video. My network is quite similar to yours and I have a Cisco RV340 small business router plugged into 4 switches (one switch on each port). None of the switches were smart, so via tagging in the router I was using one switch per VLAN and just moving cables to different switches within my rack. I've now replaced one of the switches with a 48 port TP-Link smart switch and I've been trying for days to get the VLANs working within the switch without success until I came across your video. The step I'd missed out was that my router is connected to port 48 on the switch and I'd not configured that port to allow the VLANs through, so no matter what I tried to get port 19 to be VLAN 100 rather than 1 when my CCTV NVR is plugged into it, it just didn't work; it was either getting the default 192.168.0.xxx address or nothing. Now it's getting a 10 address from VLAN 100 and I'm a happy chap!
Awesome explanation, question: I have an IoT VLAN. I can access it from VLAN 1. Some devices don't show up when resolving from their iOS app, like my Onkyo receiver. Do I need to create another VLAN for IoT that has port level access to my VLAN 1 on the app/protocol level to make that work? I butchered my Unifi to get more grip on my VLAN understanding. 🙏 thanks
Great video but I don't understand why you need to set up rules to isolate device traffic on different VLANs. Isn't that the default behaviour of VLANs, that devices are separated and cannot exchange traffic?
Great video (your whole series is great actually!) - Quick question - I have a Qnap switch as well (QSW-2108-2C) - but I noticed there are no PVID settings (unlike other switches like Netgear - I have a few GS308Ts as well) - so how are PVIDs handled by Qnap? Thx again and keep it up 👍
How would this play into something like, hosting a home NAS for storage or a camera system? Is there a way to allow the different VLANs to communicate with the normal LAN like usual? Like to make an exception just for those devices to act like it's one network?
From your setup my takeaway is (at 1:20) that for a basic setup I don't need any smart switch if pfSense has a quad NIC available to it. It can set one port for guest and one for main with a dumb switch or AP connected to it. Is my understanding flawed? Is it a must to have a smart switch in between?
Correct, you can run different VLANs from different physical ports on your pfSense box. You only need the smart switch if you are trying to push your VLAN traffic through to a lot more devices and want more routing.
@@RaidOwl please elaborate on what you mean by the last comment, "trying to push your vlan traffic through more devices". Won't pfSense do the listening and controlling of the traffic?
I meant physically. Like if you have 10 devices downstream you want to assign different VLANs to, it could get tricky. That's why I like my smart switch since it has plenty of ports to work with. However, you can send VLAN packets untagged to a dumb switch and have multiple devices connected to that (pretty much what I'm doing with my access point in the video). It just depends on your setup, really.
Hi Raid Owl. I really appreciate all your videos. GREAT learning experience for me. With my "small business" growing so rapidly, I am needing to have an inventory system that I can scan things in/out of a "warehouse". I would REALLY prefer to keep it on a server within my network. I do NOT want to continue to pay subscriptions on some "cloud". Would you have any recommendations of how to build (mysql, etc), what software to use to run this database on the server (docker, windows, VM, linux, etc)? I'm not a "complete noob", but not far from it. Thanks again for all the great videos! Ps. running dream machine pro, unifi switch, NAS, etc...
I’d say to start by finding a software that will fit your needs and is open source. I don’t have any experience with that type of software but I’m sure there is something out there. If you’re lucky enough there will be a Docker image for it and then it’ll be super easy. But it all depends on the software stack you go with.
If all devices in your network were going to be assigned a static IP, then what would you give them as gateway and DNS? The static IP of the pfSense? (assuming you don't have any other device for DNS like a Raspberry Pi with Pi-hole)
@@RaidOwl ... so the final question would be ..... can the router be the gateway at multiple IPs for devices in different VLANs? (In your case, to be the gateway for both 20.1.1.1 and, let's say, a different VLAN with a 30.1.1.0 segment, so a gateway at 30.1.1.1)
Yes, that physical router will handle the VLAN traffic. For example, I would have DNS 10.0.0.1, 20.1.1.1, 50.0.0.1, etc. all be different virtual gateways for each VLAN, but they would all physically route through my pfSense router.
It depends on your network. You can usually create different SSIDs (Wi-Fi networks) for different VLANs. In more advanced and capable networks, I believe you can perform some extra configuration so that you have a single SSID but your devices are tunneled to the appropriate VLAN based on your configuration. This does get more complicated to understand and set up, as you need some sort of server that performs this - like RADIUS.
I am looking for a solution to set up an IPv6 VLAN within my router, which has IPv4 from my ISP. Is it possible to set up an IPv6 network while my ISP only gives the router, and so my devices, an IPv4 address?
SO! If I want a 2nd VLAN (or VLAN setup) for my house, say for my cameras and IoT, I can't just use my Netgear router I bought and am using connected to my ISP modem?
Which solution is better: computer connection to router or switch? Where will I get lower ping? Will I see all devices connected to the switch after logging into the router?
You won’t see any real difference between a router vs a switch. Yes, assuming your switch is on the same subnet as the router and you’re not using multiple VLANs then all devices will see each other.
I'm curious as to what device on your network actually does the routing to your other VLANs from your computer? I've been struggling to use a Layer 3 Netgear switch for inter-VLAN routing.
What is your port speed on the GS305E managed switch? Go to your managed switch - System - Port and change the port speed from Auto to one of the available options. Do you have 10M Full/Half and 100M Full/Half? Does 1000M Full/Half show up on yours? Thanks. You will see that the link speed is 1000M, but the gigabit Ethernet switch is limited on port speed as a managed device.
How is this for home networking? That switch you mentioned is $500. I came expecting to spend well less than $500 for the entire setup, not $500 for one device...
@RaidOwl I'm new to this. I purchased my first pro managed switch. Trying to figure all this out. Set up a mesh with WAPs throughout the house. Ethernet drops everywhere that makes sense, feeding back to the managed switch.
Hey, quick question for you. I installed pfsense via virtualbox on my windows 10 laptop and changed my lan and wan IP address but I’m unable to access the web interface using my lan or my wan IP addresses. Really need help with this.
You will need at least 2 Ethernet ports: 1 for WAN (wide area network, better known as the internet, which receives an IP via DHCP) and 1 for LAN, which has a static IP. In other words, you need to connect the WAN port directly to the internet so that your ISP can give you your public IP, or to a router which has DHCP enabled, or you need to virtualise the Ethernet port and set up DHCP for it. To fix this, you need to give your laptop an IP which is in the same network as your LAN interface (for example, if LAN is 192.168.1.1 in subnet 255.255.255.0, then give your laptop the IP 192.168.1.20 with subnet 255.255.255.0). The other way to fix it (if you can) is to connect 1 Ethernet port directly to the internet or a router with DHCP enabled and, from the console, select automatic IP assignment and follow the instructions to the letter. Without 2 Ethernet ports or a NIC which supports Ethernet virtualisation, you won't be able to host pfSense as a virtual machine (pfSense lacks WiFi support, or at least it isn't that optimal and even a $10 AP gives you better performance; that is why you need to connect a wireless router or AP to it to get WiFi connections to work.)
Also avoid the use of virtual machines unless you have an actual dedicated server or PC lying around, or your current computer has more than enough storage and RAM etc. to host virtual machines. Laptops and gaming PCs aren't actually a good choice, since all the RAM, CPU and storage you assign to virtual machines are shared. For example, if you have 32GB RAM and you assign 16 GB to a virtual machine, as long as it is up and running you have 16GB minus whatever the OS and background tasks use on the host machine, even when the virtual machine is using less than 500MB RAM, so you will quickly run out of RAM if you are hosting it on a PC which you use to play games and surf the web. The ideal thing would be buying a cheap PC (like something close to a Pentium CPU with 4GB of RAM and 2 1Gb NICs) for testing purposes. pfSense isn't heavy, but virtualisation and networking stuff isn't exactly cheap, nor do they walk hand in hand; they do lower total upkeep costs, but you do have to invest some cash in the hardware itself. For example, hosting 2 dedicated servers with Ryzen 5 3600 CPUs with 128GB RAM and 2TB storage could cost you about $3,000; buying a server with Threadripper, quad port Ethernet, 256 RAM and 8TB storage might cost $3,500, but with it you can host 200+ virtual machines and it also lowers power consumption, which lowers power costs. I know virtualisation is something everyone wants, but you do need some serious hardware for it to make it worthwhile.
I have the IoT VLAN - and one of my SSIDs goes to that VLAN - I just need to figure out my rules so they can't talk. I locked myself out of my router once or twice in the past.
I still don't understand what tagged and untagged means. I've watched several different videos and no one has explained it in a way that makes sense to me.
Is it dumb to try to set up a VLAN, one for the PS5, one for the PC and another for the Firestick? Or is there another way? All of them are connected with a cable.
For people at home, just create a guest WiFi for, you know, your guests lol. Guest = a VLAN. Or just get a gaming router LoL. Don't bother with Ring/lights or any other WiFi device that works on 2.4G WiFi, it can be jammed. Ring doorbells can be jammed, then stolen, and the address changed and resold.
Still doesn't make sense. Networking is hard. So does the router block traffic between vlans? If so why do you have to tag at all, why not just make firewall rules for each device?
*Aren't you taking your VLAN configuration ad absurdum because you've configured all the switches so that the default VLAN has access to all ports?* *This means that a hacker can connect to any switch port and see all the devices on the network, even if they are supposed to be isolated in their own VLAN.*
If you wanna talk home lab, networking, pc builds, or any tech stuff then feel free to come hang out in the Raid Owl Discord server! discord.gg/CUzhMSS7qd
I am a 20-year retired disabled Veteran. My job title was Air Force Network Eng. After retiring I worked for Lockheed Martin as a Network Eng. I have never been able to grasp the VLAN concept fully, other than written step by step instructions on how to create a VLAN, until now. It is very important to be able to grasp the basics, and you have done a wonderful job of presenting the foundation for the understanding of VLANs, which is professional education level, and you were humorous enough for beginners to geeks. I am looking forward to learning more from you and supporting your channel. I need to mention that I am now 61 years old and I started as a Computer Maintenance Tech in the 80s. Now I just do it for fun at home. You can break it down for those that can't grasp it from the others. Again thank you.
Hi there! Well said. I’m glad you found the video informative and if you have any questions on other videos don’t hesitate to ask. I try to read every single comment 👍🏼
As a retired IT guy, I commend you on your excellent explanation of what a VLAN is. My head still hurts at the thought of my many, many, many past attempts at describing networking processes.
Thank you, I wanted to explain it in a way that I wish someone had explained it to me a long time ago haha.
It can be confusing, to borrow...
"Some switches allow a port to be a member of multiple VLANs (port-based) and to optionally apply VLAN tags to one or more VLANs on that port. Some switches call these ports "general" ports.
Some switches are 802.1q switches where 802.1q access ports can only be members of one VLAN, and no tag is applied on that port. An 802.1q trunk port can be a member of multiple VLANs and applies a VLAN tag to all VLANs except the native VLAN (PVID). Other switches have port-based (no-tagging) VLAN capabilities. "
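The access/trunk/PVID behaviour quoted here, and the earlier question about why every port had to be given an untagged VLAN 1 membership, modelled as an added example (not code from the video or any switch vendor). The 5-port layout and VLAN numbers are constructed to mirror the comments; the ingress-filtering rule (a frame in a VLAN the port is not a member of is dropped) is an assumption about how membership-enforcing switches behave.

```python
"""Model of 802.1Q port behaviour on a small managed switch (added example).

Constructed scenario, not a vendor configuration: a 5-port switch where every
port is an untagged member of VLAN 1 (PVID 1) and ports 3 and 5 are also
tagged members of VLAN 3. Ports 1, 2 and 4 therefore behave as access ports,
while ports 3 and 5 carry VLAN 1 untagged plus VLAN 3 tagged (trunk-like).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int                                      # VLAN given to untagged ingress frames
    tagged: Set[int] = field(default_factory=set)  # VLANs carried with an 802.1Q tag
    untagged_member: bool = True                   # is the port a member of its PVID VLAN?

    def members(self) -> Set[int]:
        """All VLANs this port belongs to, tagged or untagged."""
        vlans = set(self.tagged)
        if self.untagged_member:
            vlans.add(self.pvid)
        return vlans


@dataclass
class Frame:
    vlan: Optional[int]   # None: the frame carries no 802.1Q tag


def ingress(port: Port, frame: Frame) -> Optional[int]:
    """Classify an incoming frame; return its VLAN id, or None if it is dropped."""
    if frame.vlan is None:
        vlan = port.pvid                # untagged traffic is assumed to be in the PVID VLAN
    else:
        vlan = frame.vlan
        if vlan not in port.tagged:     # tagged frames need a tagged membership on this port
            return None
    # Ingress filtering (assumed here, as on switches that enforce membership):
    # a frame in a VLAN the port is not a member of is dropped, so leaving a
    # port out of VLAN 1 does not make it behave like a dumb-switch port.
    if vlan not in port.members():
        return None
    return vlan


def forward(switch: Dict[str, Port], in_port: str, frame: Frame) -> Dict[str, Frame]:
    """Flood a frame out of every other port that is a member of its VLAN.

    Returns {port_name: frame_as_sent}. On egress the frame is tagged unless the
    VLAN is the port's untagged (PVID) VLAN, which is what "a trunk tags every
    VLAN except the native VLAN" means in practice.
    """
    vlan = ingress(switch[in_port], frame)
    if vlan is None:
        return {}
    sent = {}
    for name, port in switch.items():
        if name == in_port or vlan not in port.members():
            continue
        sent[name] = Frame(vlan if vlan in port.tagged else None)
    return sent


def build_switch() -> Dict[str, Port]:
    """The constructed 5-port layout described in the module docstring."""
    ports = {f"port{n}": Port(pvid=1) for n in range(1, 6)}
    ports["port3"].tagged.add(3)
    ports["port5"].tagged.add(3)
    return ports


if __name__ == "__main__":
    sw = build_switch()
    print("untagged in on port1 ->", forward(sw, "port1", Frame(None)))
    print("VLAN 3 tagged in on port3 ->", forward(sw, "port3", Frame(3)))
    print("VLAN 3 tagged in on port1 ->", forward(sw, "port1", Frame(3)))
    sw["port2"].untagged_member = False        # remove port2 from VLAN 1 membership
    print("untagged in on port2 after removal ->", forward(sw, "port2", Frame(None)))
```

Running it shows the untagged frame from port 1 reaching every other port untagged, the VLAN 3 frame from port 3 leaving only port 5 (tagged), a tagged frame on an access port being dropped, and a port that was removed from VLAN 1 no longer passing untagged traffic at all.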
Makes perfect sense :) 😀@@brodriguez11000
VLANs are so irritatingly hard to understand because everyone's puzzle pieces are different, and also because the terminology used by Cisco and non-Cisco environments does not help AT ALL lol. I use a TP-Link that splits the 802.1Q settings across 2 pages and gives the appearance that you can break VLAN rules, when functionally it works the same as the QNAP switch used in this example. I must've watched this video 100 times now and I've gradually come around to understanding precisely how the traffic is routed. This video really is the best explanation for it and the best example, I just had to take it real slow and pay very close attention to what he was saying lol
A simple comment to bump the YouTube algorithm. I have to admit, I have a crush on the way you teach/explain things. Great videos, thanks for sharing
Thank you, I appreciate that!
Thank you for creating this video, I'm trying to understand VLANs better. Nice how you visualize the flow of (un)tagged traffic! I feel more confident now to start using VLANs in my homelab.
Great setup. I'm running Unifi at the moment and I have several VLANs using an Edge switch for my client devices, IoT and virtual media server. I always seem to get too confused regarding the function of untagged vs. tagged and trunk. I understand the concept of VLANs and the 4096 VLANs available, but configuring it for a scenario is always throwing my head into different directions
Gosh, this is such a brilliant explanation. My core skillset is not networking, so thank you for sharing what you know. I've had trouble having 50+ devices on my network. Never thought it'd get that high, but by the time you do consoles, PCs, phones, Google Echos, Amazon Alexa, etc., the number of devices quickly gets up there. So, this is something that I've got to do -- over time.
I'm a senior network engineer and this is the first time I hear of VLANs
Need to be demoted
Great vid! Had networking classes 25 yrs ago and I don't even remember learning about these. Times have changed and I really needed to ratchet up security due to IoT and guest connections. Heading to the rest of your vids for more hardware specific info. Thanks!!!
Exactly the video I needed. Most videos assume people setting up network security and VLANs know the whys. Thanks a ton.
Now that's what I call simplicity at its finest. I immediately subscribed.
Learned a couple of things:
1. I'm fucking weird
2. I only throw imaginary parties
3. I'm the sketchy dude at my own party. 😂
4. This video really explains VLANs and I've been searching for a while. Thank you.
It's a great idea, and for sure at least a guest network. But splitting your main network into VLANs can be inconvenient in the end. When you have home automation you want things to be found and to communicate for the best experience. So you end up with a big VLAN section that makes it also less secure. So just some lights apart from your phone VLAN does not work well. I think just buy good hardware that is maximally safe. Still, you can have some IoT devices apart from the main VLAN.
I'm Brazilian. In Portuguese when you say, "a VLAN" it sounds exactly like "hazelnut" (avelã).
I was in a technical presentation once, and the presenter kept saying "hazelnut" all the time. I turned to a coworker next to me and asked him, "why does he keep saying 'hazelnut' all the time?"
I just really like hazelnuts
Such a good explanation while still having funny jokes and clips thrown in here and there. Definitely my favorite channel when it comes to networking videos.
Just found the channel recently while looking into a nas setup. Love the content!
This guy is advancing rather quickly, finding the most efficient/user-friendly/up to date software. He knows how to do research and learn. He's a great one to watch. Has no problem admitting that he doesn't know something either.
Excellent presentation. The diagrams make it so much easier to follow. I've watched Tom from Lawrence Systems when I did mine. His business is actually just north of me in SE Michigan. I've got one VLAN. pfSense running on a small PC. It generates the VLAN tag and subnet address for devices that may not be secure, such as a Ring doorbell and an Echo Show on the tagged subnet. The main network is not accessible from the VLAN for IoT devices via a firewall rule. A new Netgate managed switch connects our wired desktops and Unifi AP.
Have a backup Unifi Edge Router X configured for only one subnet at the moment. Haven't quite figured out how to duplicate the pfSense configuration so that nothing changes if it gets swapped out in an emergency. Not sure it's worth the trouble since in my use case just the doorbell and Echo would lose their connection until I have another pfSense box built.
Using a combo of pfSense as my firewall and Omada switches and access points. I VLAN everything I can. Then I run static mappings based on MAC address in pfSense. It makes it really easy to know what devices are always on the network and which ones come and go.
Edit: by VLAN everything I mean that I segment based on use case. Not that every device gets its own VLAN, that would be ridiculous.
Lol one VLAN for each device...that reminds me of a video I saw where a guy found individually wrapped bananas in a Japanese supermarket.
@@RaidOwl 😆
Great explanation, watched 3 other videos on VLANs and you made it easier to understand. One thing no one explains for us newbies is the "why": why is this necessary? You explained it helps with cross traffic and such, but why does that matter to the average home network? What is device cross traffic?
For most home networks, it doesn't really make sense to set up VLANs. The only use case I can think of, IF you're willing to put in the work, is to isolate IoT devices or devices you don't want on your main network. A lot of IoT devices, especially cheap ones, tend to have poor security and may not receive updates. If they get hacked, they could be used as a vector to potentially attack other devices. With VLANs and the appropriate firewall rules, you can isolate the main network and IoT network traffic. So if your "smart" thermostat gets hacked, for instance, it would be very difficult for anyone to get outside of that isolated network.
Great video. Thank you so much for taking the time to curate it in a simple, clear and easy to understand way. You clearly know what you are talking about and I look forward to watching more vids....
Running pfsense and have 6 vlans setup... Trusted vlan, IoT vlan, work vlan, and 3 server only vlans, two of which are dedicated to vm servers. And planning to add one more vlan to properly segment out IoT from trusted wireless. Oh, and firewall rules to manage all of them.
I might be a power user.......
Man 6 VLANs...I'll get there one day lol
Man you make the best videos. So clear. I look forward to you posting them and this is one area that I really want to understand.
I am confused though. At 18:31 you have a rule that states that the virtual network cannot get to the Private Network, but above it you have a rule that states that the Virtual network can get to everything. Shouldn't the block rule be placed above the allow-all rule?
Good catch! Yeah this has been cleaned up since, but you're right. Rules propagate from top to bottom, so that first allow was used to test different gateways I was using at the time and must have snuck its way into the video.
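The first-match behaviour behind this exchange, as an added example that is not part of the original thread and not pfSense's own code: a rule list walked top to bottom, with the first matching rule deciding the packet's fate, so a "pass any" placed above a "block private network" rule shadows it completely. Addresses are constructed to mirror the thread (10.0.0.0/24 standing in for the private LAN, 20.1.1.0/24 for the VLAN the rules sit on); the "any" keyword, the tuple shape and the shadow check are assumptions of this example, not a pfSense feature.

```python
"""First-match evaluation of an ordered interface rule list.

Added example, not pfSense code. Networks below are constructed:
10.0.0.0/24 plays the private LAN, 20.1.1.0/24 the VLAN being filtered.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# A rule is (action, source network, destination network); "any" matches everything.
Rule = Tuple[str, str, str]


def matches(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def decide(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; the first rule whose source and destination
    both match wins. If nothing matches, the default is block (rule index None),
    which is how a default-deny firewall behaves."""
    for i, (action, s, d) in enumerate(rules):
        if matches(s, src) and matches(d, dst):
            return action, i
    return "block", None


def covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def unreachable_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule matches a
    superset of their traffic. Catches the misordering discussed above."""
    dead = []
    for i, (_, s, d) in enumerate(rules):
        for j in range(i):
            _, ps, pd = rules[j]
            if covers(ps, s) and covers(pd, d):
                dead.append(i)
                break
    return dead


# As in the video at 18:31: pass-any sits above the block, so the block is dead.
WRONG_ORDER: List[Rule] = [
    ("pass", "20.1.1.0/24", "any"),
    ("block", "20.1.1.0/24", "10.0.0.0/24"),
]

# Specific block first, general pass second.
FIXED_ORDER: List[Rule] = [
    ("block", "20.1.1.0/24", "10.0.0.0/24"),
    ("pass", "20.1.1.0/24", "any"),
]

if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_ORDER), ("fixed", FIXED_ORDER)):
        print(name, "VLAN host -> private LAN:", decide(rules, "20.1.1.15", "10.0.0.5"))
        print(name, "VLAN host -> internet:   ", decide(rules, "20.1.1.15", "8.8.8.8"))
        print(name, "shadowed rules:", unreachable_rules(rules))
```

Running `unreachable_rules` over a rule list before applying it is the check worth keeping: any index it returns is a rule the firewall will never evaluate, whatever its intent.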
With TP-Link Omada, make sure you get an Omada managed switch. A regular smart unmanaged switch may not work for port assignment, as smart switches don't show up on the network map.
Really appreciate the video. Very informative.
The only thing I don't understand is how to make a device, say a laptop for example, belong to a particular VLAN. It would be great if you could expand on that.
Thanks
16:55 is the best hahaha. Thanks for the video, it's really awesome the way you explain hard things in an easy way.
I'm running an Aruba S2500 layer 3 managed switch. I got it on eBay for $100. (I don't know squat about layer 3 managed switches yet.) I'm going to put my Blue Iris server and all my cameras on their own VLAN. My daily driver computer, my media server and my smart TV will go on their own VLAN. Finally my wireless stuff will be on its own VLAN. I have much to learn but that's what home labs are for.
This video makes me want to get my layer 3 switch back out and tinker with vlans.
Thanks! Been contemplating a VLAN for the home network.
Hi Raid Owl, I'm two minutes deep into this video, and your sense of humour just got you a like & sub :D
Excellent graphical representation.
My imaginary parties are the best.
And I'm sure you leave your imaginary doors unlocked. Why not!
Gaming PC, Fileserver with VM's (Virtual DC and Deployment server) PS4, TV, Laptop, tablet, phone, Hue Bridge. All on the same VLAN of course
Thank you for the explanation. I am putting my NVR and cams on their own VLAN. I'm using that same Netgear 5 port...
Not sure if you will get a chance to answer this, but I’ll throw it out there. I run a VPN through DD-WRT on a Netgear R7000. I am looking to make a VLAN so only my work devices get routed through the VPN, but all other devices are routed straight through to another DHCP. If you could shed some light on VPNs and VLANs, it would be greatly appreciated. Thanks for the insight!
Fantastic video. Best description of vlans I've come across. Thanks for the effort.
OMG...the party analogy and then the comment about us all being a bunch of introverts made me choke on my coffee and almost spit it out. Was not prepared for that level of humor. 😂🤣😂
Cool. Now I just have to look for a video to find out what tagged and untagged means
Tagged means it's associated with a VLAN and untagged means it's not.
Great Video. Far from the first VLAN video I have sought out and watched, but by far the best! I am confused by some of the settings you showed us regarding untagged LAN packets - confused just enough to risk exposing my ignorance and poor reasoning skills with a question. 11 months behind, I know, but there's always a chance...
Why do ALL of the smart switch's ports have to be specifically set up to listen for untagged packets? For example the "not intuitive" part at 14:52, where you specifically assign all 5 ports on your small NETGEAR managed router to listen for untagged packets. I understand why ports 3 and 5 need to be set up to listen for untagged packets, since they are also assigned to tagged packets for VLAN 3, and you want them to handle both. However, if the VLAN Membership settings for ports 1, 2, and 4 were left blank, would they not simply function as ports on a "dumb" switch would, receiving and forwarding any untagged data packets? Doesn't all untagged data automatically default to the LAN and pass through all ports not already assigned to a VLAN?
I have almost no experience with VLANs or managed switches, so I could very well be missing something. I'm presuming that the ports of a smart switch function the same as those of a "dumb" switch in regards to untagged data; and that it will do so unless configured otherwise, as opposed to having to be configured to do so. Yet, I don't really know. Will a smart switch block all data which is not tagged (or untagged) to match its configuration? If so, is that true of all managed switches or does it depend on the brand and/or model? Also if so, I am deeply sorry for the embarrassingly dumb question.
Thanks again for the great video.
VLAN 1 by default is an untagged VLAN meaning that all untagged packets are assumed to be in 1. Feel free to join the Discord if you want to learn more, we have plenty of folks over there willing to help out :)
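A small model of what a managed switch actually does with tagged and untagged frames, added here as an example that is not code from the video or from any switch vendor. It answers the question above (why every port needs an explicit untagged membership in VLAN 1 for untagged traffic to flow, and what the PVID does), the tagged-versus-untagged confusion raised several times in this thread, and the objection later in the thread that a port left untagged in the default VLAN drops whatever is plugged into it straight onto that VLAN. The five-port table is constructed to mirror the Netgear setup discussed here: every port untagged in VLAN 1 with PVID 1, ports 3 and 5 additionally tagged for VLAN 3; `make_access_port` is this example's own helper for the fix the thread keeps arriving at.

```python
"""Toy 802.1Q port model: PVID, tagged and untagged membership.

Added example; not the video's or a vendor's code. Port table constructed to
match the five-port switch discussed above.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    """One switch port. Membership sets hold VLAN ids."""
    pvid: int                                         # VLAN given to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)   # VLANs sent out with the tag stripped
    tagged: Set[int] = field(default_factory=set)     # VLANs sent out with an 802.1Q tag

    def members(self) -> Set[int]:
        return self.untagged | self.tagged


@dataclass
class Frame:
    src_port: int
    vlan: Optional[int]   # None means the frame arrived with no 802.1Q tag


def ingress_vlan(port: Port, frame: Frame) -> Optional[int]:
    """Classify an arriving frame. Untagged frames take the port's PVID; tagged
    frames are accepted only if the port is a member of that VLAN, else dropped."""
    if frame.vlan is None:
        return port.pvid
    return frame.vlan if frame.vlan in port.members() else None


def forward(ports: Dict[int, Port], frame: Frame) -> Dict[int, Optional[int]]:
    """Flood the frame inside its VLAN. Returns {out_port: tag}, where tag is the
    VLAN id if the frame leaves tagged and None if it leaves untagged. Ports that
    are not members of the VLAN never receive the frame: that is the isolation."""
    vlan = ingress_vlan(ports[frame.src_port], frame)
    if vlan is None:
        return {}
    out: Dict[int, Optional[int]] = {}
    for num, p in ports.items():
        if num == frame.src_port:
            continue
        if vlan in p.tagged:
            out[num] = vlan
        elif vlan in p.untagged:
            out[num] = None
    return out


def netgear_example() -> Dict[int, Port]:
    """Constructed 5-port table: all ports untagged in VLAN 1, 3 and 5 also tagged for VLAN 3."""
    ports = {n: Port(pvid=1, untagged={1}) for n in range(1, 6)}
    for n in (3, 5):
        ports[n].tagged.add(3)
    return ports


def make_access_port(ports: Dict[int, Port], num: int, vlan: int) -> None:
    """Turn a port into an access port for one VLAN: PVID = vlan, untagged only in
    that VLAN, and no longer a member of VLAN 1. A camera plugged in here lands in
    `vlan` with no cooperation from the camera."""
    ports[num] = Port(pvid=vlan, untagged={vlan})


if __name__ == "__main__":
    sw = netgear_example()
    print(forward(sw, Frame(src_port=1, vlan=None)))   # VLAN 1 flood, untagged, to ports 2..5
    print(forward(sw, Frame(src_port=3, vlan=3)))      # VLAN 3 from the router, tagged, port 5 only
    print(forward(sw, Frame(src_port=1, vlan=3)))      # tagged frame on a non-member port: dropped
    make_access_port(sw, 2, 3)
    print(forward(sw, Frame(src_port=2, vlan=None)))   # untagged camera traffic now rides VLAN 3
```

Two things fall out of the model. A blank membership is not "dumb switch" behaviour: a port with no VLAN memberships egresses nothing, which is why the video has to list every port as untagged in VLAN 1 for plain traffic to pass. And because every port in the default table is untagged in VLAN 1, anything plugged into any port joins VLAN 1; the isolation only exists for ports that have been moved, as `make_access_port` does, to a PVID and membership of their own.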
Router/modem running to 3 switches (Netgear GS108E) with CAT 6a S/FTP; every switch is responsible for its own VLAN: (router port 1) living room, (router port 2) home office, and son's bedroom (router port 3). Separate VLAN for each Deco M9 mesh WiFi (this is a 2.5GHz blind SSID for IoT devices, and 5GHz for phones and tablets). The game server rig runs with an SSH tunnel, and the NAS can be reached by all but the 2.5GHz WiFi and is password protected.
Wtf? Past few weeks I've been watching some videos of yours. Just now I realize you only have 7k subs? I assumed like a few million.
Man I wish! Haha
Love this haha liked and subbed!!! 🎉
Lol I have a Family Hub Sammy fridge...it's sketchy, I think it ate my olives , it's getting on a VLAN. 😅
Good stuff, great video, I'm happy I found your channel, subscribing today!
Thanks for this video, it was extremely helpful.
I'm looking for the cheapest VLAN capable device possible. Any suggestions?
www.amazon.com/TP-LINK-TL-SG105E-5-Port-Gigabit-Version/dp/B00N0OHEMA
That's a good cheap managed switch to get you started.
Yo. The money shot for me is @ 6:55. I was caught in limbo until now because I was unaware of what I was trying to accomplish. I need mf'n trunk ports, kid.
I ended up putting together a little NAS with a 10 GB switch. I have set everything up flawlessly other than VLANs. I am getting an issue where the Adobe server will not access the web. I was trying to configure VLANs but I was having issues. Now I'm not sure what to do because the switch manufacturer is saying it is probably my router or DNS settings.
Just to say thank you for your video. My network is quite similar to yours and I have a Cisco RV340 small business router plugged into 4 switches (one switch on each port), and none of the switches were smart, so via tagging in the router I was using one switch per VLAN and just moving cables to different switches within my rack. I've now replaced one of the switches with a 48 port TP-Link smart switch and I'd been trying for days to get the VLANs working within the switch without success until I came across your video. The step I'd missed was that my router is connected to port 48 on the switch and I'd not configured that port to allow the VLANs through, so no matter what I tried to get port 19 to be VLAN 100 rather than 1 when my CCTV NVR is plugged into it, it just didn't work; it was either getting the default 192.168.0.xxx address or nothing. Now it's getting a 10 address from VLAN 100 and I'm a happy chap!
Awesome explanation. Question: I have an IoT VLAN. I can access it from VLAN 1. Some devices don't show up when resolving from their iOS app, like my Onkyo receiver. Do I need to create another VLAN for IoT that has port-level access to my VLAN 1 on the app/protocol level to make that work? I butcher my UniFi to get more grip on my VLAN understanding. 🙏 thnx
8:25..
OpenWrt on some devices refers to port "0" ("zero") as the "virtual CPU port".
There is probably something similar on pfSense.
Yeah that's def what it is...just not super intuitive. It's not a big deal, though, I still love pfSense lol.
Thank you for the segment. Very helpful. 👍
great analogy.. although I wouldn't wanna to stay in the kitchen too often either
Great video but I don't understand why you need to set up rules to isolate device traffic on different VLANs. Isn't that the default behaviour of VLANs, that devices are separated and cannot exchange traffic?
Depends on the brand. Some do, some don’t.
Great video (your whole series is great actually!). Quick question: I have a QNAP switch as well (QSW-2108-2C), but I noticed there are no PVID settings (unlike other switches like Netgear; I have a few GS308Ts as well), so how are PVIDs handled on QNAP? Thx again and keep it up 👍
How would this play into something like, hosting a home NAS for storage or a camera system? Is there a way to allow the different VLANs to communicate with the normal LAN like usual? Like to make an exception just for those devices to act like it's one network?
From your setup my takeaway is (at 1:20) that for a basic setup I don't need any smart switch if pfSense has a quad NIC available to it. It can set one port for guest and one for main, with a dumb switch or AP connected to it. Is my understanding flawed? Is it a must to have a smart switch in between?
Correct, you can run different VLANs from different physical ports on your pfSense box. You only need the smart switch if you are trying to push your VLAN traffic through to a lot more devices and want more routing.
@RaidOwl please elaborate on what you mean by the last comment, "trying to push your VLAN traffic through more devices". Won't pfSense do the listening and controlling of the traffic?
I meant physically. Like if you have 10 devices downstream you want to assign different VLANs to, it could get tricky. That's why I like my smart switch, since it has plenty of ports to work with. However, you can send VLAN packets untagged to a dumb switch and have multiple devices connected to that (pretty much what I'm doing with my access point in the video). It just depends on your setup, really.
Hi Raid Owl. I really appreciate all your videos. GREAT learning experience for me. With my "small business" growing so rapidly, I am needing to have an inventory system that I can scan things in/out of a "warehouse". I would REALLY prefer to keep it on a server within my network. I do NOT want to continue to pay subscriptions on some "cloud". Would you have any recommendations of how to build (mysql, etc), what software to use to run this database on the server (docker, windows, VM, linux, etc)? I'm not a "complete noob", but not far from it. Thanks again for all the great videos! Ps. running dream machine pro, unifi switch, NAS, etc...
I’d say to start by finding a software that will fit your needs and is open source. I don’t have any experience with that type of software but I’m sure there is something out there. If you’re lucky enough there will be a Docker image for it and then it’ll be super easy. But it all depends on the software stack you go with.
If all devices in your network were going to be assigned a static IP, then what would you give them as gateway and DNS? The static IP of the pfSense? (Assuming you don't have any other device for DNS like a Raspberry Pi with Pi-hole.)
Your dns would be the routing ip of the VLAN. So if I assign a static IP (20.1.1.15) to a device in my guest VLAN then the DNS would be 20.1.1.1.
@RaidOwl ... so the final question would be: can the router be the gateway on multiple IPs for devices in different VLANs? (In your case, to be the gateway for both 20.1.1.1 and, let's say, a different VLAN with a 30.1.1.0 segment, so gateway at 30.1.1.1.)
Yes, that physical router will handle the VLAN traffic. For example, I would have DNS 10.0.0.1, 20.1.1.1, 50.0.0.1, etc all be different virtual Gateways for each VLAN, but they would all physically route through my pfSense router.
Gotta say the WTF hook left me cold. Why do you have to swing for the gutter?
4:37 Imagine this in black and white in 1939 O.o
Very informative. Thank you. 😊
Would each VLAN become a different wi-fi network? Or is it still only one wi-fi and the differentiation occurs in the access point?
It depends on your network. You can usually create different SSIDs (Wi-Fi networks) for different VLANs. In more advanced and capable networks, I believe you can perform some extra configurations so that you have a single SSID but your devices can be tunneled to the appropriate VLAN based on your configurations. This does get more complicated to understand and setup as you need some sort of server that performs this - like RADIUS.
Isn't "virtual VLAN" redundant? How does it differ from a regular VLAN?
Great video!!! Very informative.
I am looking for a solution to set up an IPv6 VLAN within my router, which gets IPv4 from my ISP.
Is it possible to set up an IPv6 network while my ISP only gives the router, and so my devices, an IPv4 address?
SO! If I want a 2nd VLAN (or VLAN setup) for my house, say for my cameras and IoT, can't I just use the Netgear router I bought and am using, connected to my ISP modem?
Yeah you can assuming it supports vlans
Great video thanks. Any recommendations for a smart switch where the management software or web client works with Linux?
Now use vlans as an analogy for rooms to critique studio apartments.
Which solution is better: computer connected to router or switch? Where will I get lower ping? Will I see all devices connected to the switch after logging into the router?
You won't see any real difference between a router vs a switch. Yes, assuming your switch is on the same subnet as the router and you're not using multiple VLANs, then all devices will see each other.
Introverts represent!
I'm curious what device on your network actually does the routing to your other VLANs from your computer. I've been struggling to use a layer 3 Netgear switch for inter-VLAN routing.
I use a Netgate SG4100 as my main router/firewall, then a UniFi Enterprise 24 as my main switch.
it really helped, thanks so much.
What is your port speed on the GS305E managed switch? Go to your managed switch, System, Port, and change the port speed from Auto to one from the available list. Do you have 10M Full/Half and 100M Full/Half? Does 1000M Full/Half show up on yours? Thanks. You will see that the link speed is 1000M but the gigabit ethernet switch is limited on port speed as a managed device.
Are your notes on the ceiling?
Nah, just a picture of a naked Brad Pitt
If I use a different vlan for my IoT devices, can my phone still access them without any problems?
If you want them to be able to, yeah. You can set that with firewall rules
such a solid video man! Thank you! :)
Great video! Thanks!
How is this for home networking? That switch you mentioned is $500. I came expecting to spend well less than $500 for the entire setup, not $500 for one device...
So this only works on wired connections? Are you creating VLANs through your WAPs connected to your switch?
VLANs are done at the router level and through managed switches. Some APs can handle VLANs, but you'll basically be passing them from the source.
@RaidOwl I'm new to this. I purchased my first pro managed switch. Trying to figure all this out. Set up a mesh with WAPs throughout the house. Ethernet drops everywhere that makes sense, feeding back to the managed switch.
Awesome video...
3:00 "I know you're a bunch of introverts and you don't actually have parties".
Dude knows his audience. 😬
What's the cheapest router that can do VLANs with two separate DHCP scopes (obviously)?
Any router that OpenWRT supports.
@gustavrsh I bought a cheap TRENDnet or TP-Link, I forget. I then used my existing ASUS router as an AP. Works good and was 75 bucks or so.
Hey, quick question for you. I installed pfSense via VirtualBox on my Windows 10 laptop and changed my LAN and WAN IP addresses, but I'm unable to access the web interface using my LAN or my WAN IP addresses. Really need help with this.
You will need at least 2 ethernet ports: 1 for WAN (wide area network, better known as the internet, which receives an IP via DHCP) and 1 for LAN, which has a static IP.
In other words, you need to connect the WAN port directly to the internet, so that your ISP can give you your public IP, or to a router which has DHCP enabled, or you need to virtualise the ethernet port and set up DHCP for it.
To fix this, you need to give your laptop an IP which is in the same network as your LAN interface (for example, if LAN is 192.168.1.1 in subnet 255.255.255.0, then give your laptop the IP 192.168.1.20 with subnet 255.255.255.0). The other way to fix it (if you can) is to connect 1 ethernet port directly to the internet or to a router with DHCP enabled and, from the console, select automatic IP assignment and follow the instructions to the letter.
Without 2 ethernet ports or a NIC which supports ethernet virtualisation, you won't be able to host pfSense as a virtual machine. (pfSense lacks WiFi support, or at least it isn't optimal, and even a $10 AP gives you better performance; that is why you need to connect a wireless router or AP to it to get WiFi connections to work.)
Also avoid use of virtual machines unless you have an actual dedicated server or PC lying around, or your current computer has more than enough storage and RAM etc. to host virtual machines. Laptops and gaming PCs aren't actually a good choice, since all the RAM, CPU and storage you assign to virtual machines are shared.
For example, if you have 32GB RAM and you assign 16GB to a virtual machine, as long as it is up and running you have 16GB minus whatever the OS and background tasks use on the host machine, even when the virtual machine is using less than 500MB RAM, so you will quickly run out of RAM if you are hosting it on a PC which you use to play games and surf the web.
The ideal thing would be buying a cheap PC (something close to a Pentium CPU with 4GB of RAM and 2 1Gb NICs) for testing purposes. pfSense isn't heavy, but virtualisation and networking stuff isn't exactly cheap, nor do they walk hand in hand; they do lower total upkeep costs, but you do have to invest some cash in the hardware itself.
For example, hosting 2 dedicated servers with a Ryzen 5 3600 CPU, 128GB RAM and 2TB storage could cost you about $3,000; buying a server with a Threadripper, quad-port ethernet, 256GB RAM and 8TB storage might cost $3,500, but with it you can host 200+ virtual machines, and it also lowers power consumption, which lowers power costs.
I know virtualisation is something everyone wants, but you do need some serious hardware to make it worthwhile.
I have the IoT VLAN, and one of my SSIDs goes to that VLAN. I just need to figure out my rules so they can't talk. I locked myself out of my router once or twice in the past.
haha yeah I've done that...
Great vid thank you
I have a TP-Link AX1800 and a Netgear GS108PEv3. Are these devices VLAN capable?
I don't believe so. The best way is to check your router configuration GUI for anything VLAN related, or check the vendor's product page.
I still don't understand what tagged and untagged means. I've watched several different videos and no one has explained it in a way that makes sense to me.
Is it dumb to try to set up VLANs, one for the PS5, one for the PC and another for the Fire Stick? Or is there another way?
All of them are connected with a cable.
Isn't that what Guest Wi-Fi network is for?
What about wired VLANs? Is that a thing?
Yep!
For people at home, just create a guest WiFi for, you know, your guests lol. Guest = a VLAN. Or just get a gaming router LoL. Don't bother with Ring/lights or any other WiFi device that works on 2.4G WiFi; it can be jammed. Ring doorbells can be jammed, then stolen, and the address changed and resold.
Hello bro, how long have you been making videos like this?
Still doesn't make sense. Networking is hard.
So does the router block traffic between VLANs? If so, why do you have to tag at all? Why not just make firewall rules for each device?
*Aren't you taking your VLAN configuration ad absurdum because you've configured all the switches so that the default VLAN has access to all ports?*
*This means that a hacker can connect to any switch port and see all the devices on the network, even if they are supposed to be isolated in their own VLAN.*
I feel personally attacked calling me an introvert... look pal... I want to have parties... I just.... lol :|
Yeah I like parties…just not the people
Gotta up your game - should at least be a base set shadowless charizard
Eh...My dog 🐕and my cat🐈 are NOT connected to my network.
At least I think they're not!😁
I only have 3 things connected to my network.
5:40 I feel targeted... but that's why I'm here, to learn more...
I came here because of tagged and untagged; I have confusion between these two.
All I could focus on was the LTT shirt.
I have so many lol