VLANs on Edgerouter
Вставка
- Опубліковано 17 бер 2019
- In this video, I go over how to configure VLANs with an Edgerouter. This is a VERY lengthy video so I've included timestamps to the various sections below. I start by going over some theory and basics if you aren't so familiar with the concept of VLANs. Then I actually dive into the configurations. If you already know what VLANs are all about then just skip to the configuration section.
I'm pairing the Edgerouter with a Cisco 3750E so if you came here to see configurations for a Ubiquiti Switch you will be disappointed. However, the concepts are still the same.
There are a ton of different ways to implement VLANs and make them work for you. It's impossible to cover every scenario you might deploy these for so I try to cover the fundamentals first and foremost. If you understand the basics then you can figure out how you can best implement them to meet your needs.
1:03 : VLAN Basics and topology
11:09 : Configuration (Cisco Switch)
16:55 : Configuration (Edgerouter) and Verification
28:05 : Recap / Summary
This video is incredibly comprehensive, and quite useful, 3 years later. Thanks Toasty.
I concur
This is an EXCELLENT introduction VLANs all by itself, to say nothing about the configuration advice for the EdgeRouter-X. Must-see TV.
I broke my access t the EdgeRouter prior to watching your video. Thanks for showing the switch config as well. Works on my Cisco 3560X
Coming from the future , thank you for making everything easy and clear, i really enjoyed it
Best thing since sliced bread. Your channel has helped me so much and I spent 40 years in IT on the software/coding side and never learned networking. Now it is my hobby to learn as much as I can in my home lab. Toasty is my go to source!
@Koa Stefan I find it funny, we used to call you a script kiddie because you use other peoples software without truly understanding the consequences. Who knows how much exposure you just opened yourself up to by running that program on your pc...do you? Even going to their website can open you up. Hopefully it was in done in a sandbox.
Thank you very much, really helpful video. I was able to get my VLANs running up in no time!
Thanks dude, this was super helpful. I managed to configure a VLAN just how I wanted.
My switch is a TP-Link but I was able to set things up on the ER-X with the help of this video and another one specific to the switch (and TP Link EAP). Now works like a charm and I also used your other video to setup my firewall rules. Thanks so much, your videos helped me a lot!
Thanks for the guide. Easy to follow, even for me with an HP switch.
this was very helpful thank you very much. Watching it after the other one on creating vlans (except I don't have a cisco switch) was just what I needed. After setting the vlans up, I was really confused that I could ping across vlans. I thought I was done, and you weren't supposed to be able to do that, and I just hadn't done something right! Then I watched this video, implemented the rules that are right for my vlans, and I think I'm good now. 🤞
Learnt networking during the LAN days.. with increase use of IoT devices, I realise my home network has a risk. Opening up a whole new level of networking I didn't knew exist. Thanks for the help and lesson.
Thanks a lot....very instructional video...This is exactly that I needed....
Thank you for making this video. This is one of the best video on this topic :)
Best Regards,
Didier
Very nice video, thanks for sharing this information ! 👍🏽
great work. i am actually working on the same setup with Cisco switch. I saw a video that was saying putting the vlan on eth1 and i was having major network issues. i think your video will solve my problem. i will do an update tomorrow after testing
So, did it work ?
Yes it did. Great work.
are you using thw switch for your home network? whats the difference between it and any (new) netgear managed switch?
This is great help, thank you!
The most common problem encountered in VLAN setup on the EdgeRouter is getting locked out from the device when the switch0 interface IP is set as VLAN1, which you also mentioned in the video. It would be helpful to provide a workaround for users who find themselves locked out. Nonetheless, your playlist is excellent, covering everything necessary to set up an ER-X and secure your home SOHO network.
Really like it. Thanks for sharing!
Please note if you are having DHCP issues on your VLANs, but if you set your machines IP statically and you can reach the router try rebooting the router or the DHCP service to give out IPs to your hosts. I spent an hour trying to figure out why my clients weren't getting IPs on the VLANs they were assigned when all I had to do is reboot the router.
Great demo
Thanks for this and very nice. I want to go one step further. As you know, we are more likely to restart the router after an update, or to change / upgrade our router. To that end, I want to configure SVI's on cisco switch as the gateway instead of on the router. This way traffic on the network can still be routed via switched layer 3 configuration. The only thing that will be down will be access to internet. Thanks.
Wow i was hoping to set up 2 VLANS on my home network for a tenant to access a separate network but now I’m way confused 😳
Same here great tutorial nicely explained and laid out, Thank you for this. I was wondering if I could contact you I have a few questions. And I do own a cisco switch however it's an older one which only gets 10/100 so I had to buy 2 new ones.
Thank you! Yes, you can contact me with questions. www.toastyanswers.com has a contact form which sends me an e-mail.
mmmmh, so good and tasty :PPPP Thx, exactly what I needed:D
Nice video, helped me a lot since I have the same setup, so basically at 15:18, the trunk port to the Edge Router has the native vlan by default set to 1, so I don't need to add on that port the command Switchport trunk native vlan 1, right?
No, as long as it is a cisco device. VLAN 1 is the native VLAN by default when we're talking Cisco.
Great video. Learned a lot and got my vlans up and running. However, I have two switches on the same vlan...a cisco connected to one laptop, and a netgear connected to a second laptop. I can ping the cisco switch from the second laptop (the one connected to the netgear switch), but cannot ping the netgear switch from the first laptop (the one connected to the cisco switch). However, I can ping the laptop connected to the netgear switch from the laptop connected to the cisco switch. Any idea why I can ping a device connected to switch and not the switch itself? It makes it cumbersome to manage the netgear switch...I would have to utilize the second laptop every time I want to do so. Thanks
Thanks for this great video. Just ordered a EdgeRouterX and EdgeRouter 10x for my home network just because of your video's. Ubiquiti should pay you for these posts.
One questions about VLAN's, I understand the concept of VLAN's and that they can be assigned to the ports on the router. But how can make sure that a device (e.g. a Windows 10 machine) is assigned to a specific VLAN? I want to make sure that all of my office devices are assigned to one VLAN while my IOT devices (cabled and wireless) get assigned to another. Can I perform such assignment based on (e.g.) MAC address?
First time setting up VLANS. So do I have to setup a WAP into each tagged port grouping on the switch in order to enable WIFI for each VLAN? Not sure how that works. EDIT: I'm guessing I will need to upgrade my WAP and repeater with hardware that its VLAN and multi-SSID capable.
thanks a lot, I ALWAYS forget to change the settings in switch0
I managed to setup VLAN's just as you show @31.09 (Router - SW1 - SW2). Everything worked as a charm. Thank you for a very good tutorial and a fantastic channel! I do have a question though: what about the switches: how do they obtain an IP address and in which sub net? I didn't setup (forgot) PVID/native VLAN 1 on the trunk ports on SW1/SW2. Is that how they get their IP address? In that case, how do I get them in, let's say .10 sub net?
Good question. I didn't really go over this in the video since the switches don't necessarily "need" an IP address in order to function. However, this is needed for management purposes.
Getting an IP on the switch depends on which network you want it to be a part of. You can place the switch in any subnet you wish, but you have to configure the "Interface VLAN" (Basically, the same as the virtual interface on the router) for the VLAN you want it to be a part of.
For example. If you want the switch to have an IP in the .10 network as seen in the video (VLAN 10) then you would use "Interface VLAN 10" to configure your IP information. This is assuming you are using a Cisco switch and the exact way this is configured will vary from switch to switch.
If your management interface is a part of VLAN 1, then you will have to allow that VLAN on the uplink in order for the communication to take place.
Very helpful. If I wanted to simplify cabling. Could I run everything into the edgerouter via 1 cable through eth0 and have the WAN fed in as a tagged VLAN?
Technically, yes. Although, it is still best practice to at least split the WAN and LAN connections.
Great work thanks, But how to use Hairpin NAT between VLANs ?
Hi I have a edge router X I am trying to use the basic wizard set up one LAN Internet connection on Vlan . How do I get the Internet just one one of my port with the Vlan?
I have see others also add a Listening Interface in the DNS Forwarding section of the Service tab on the Router for all the VLANs created. Is this also necessary? I don't think it was mentioned in this tutorial. Newbie here, just seeking clarification. Thanks in advance.
I've seen that configuration before, and I've used the forwarding commands myself. They are not necessary, unless you are using your Router as a DNS forwarder.... let me explain.
By default, when you setup the ER-X using the basic setup wizard, the router configures DHCP to use the IP of the router as the DNS server. This means the router has to be configured to forward DNS requests, and that is what the DNS forwarding commands you've seen do. They enable forwarding on the "new" interfaces you are creating for the VLANs.
If you are not using the router as a forwarder (a lot of people don't) then you can ignore these commands completely. You don't need to enable that service if your router isn't also acting as your DNS server.
If you're unsure of this, check your DHCP configuration (DHCP -> LAN -> View Details). If DNS 1 or 2's address is the same as your router's, then you probably want to use the forwarding commands. If they are set to ANYTHING else, you can ignore them.
Mr Toasty, I got way in over my head. I followed your VLAN video mostly to the T, my ERx has 2 VLANS configured on eth 1 and 2 I tried plugging in a tp link ac1900 wifi router to eth3 that had no PVID or vlan configured to it (unchecked) it was set to access point mode with DHCP disabled before hand.
My mobile devices connected but prompted me for no internet access/ no ip obtained. Saved me a headache and took out of eth3 and ported it to an open port on an unmanaged switch, that was connected to a managed switch that had no PVID or vlan assigned to port 8. That did the trick and got my devices connected.
Other issue was, I got my NVR connected to ETH2 on the ERx, all cams pull up fine and stream well. But my Remote viewing app only works on wifi, it won't work on a cellular data connection (used to work before I switched equipment) is that a firewall setting issue?
TIA
It's a little weird that using an unmanaged switch between your wifi and Edgerouter made the devices function. You should have a PVID assigned to eth3 which corresponds to which VLAN you want the WIFI assigned to, or at least an IP configured on the port if it isn't going to be a part of the switch operation. Leaving the port blank and unchecked from VLAN participation should designate it as a "routed" port requiring it's own IP and network. Again, if it works it works, but I'm unsure how.
The NVR definitely needs port-forwarding and firewall rules to be accessed beyond your local network. Under the Firewall/NAT tab, you shouls see the port-forwarding section. Check with your NVR documentation to see which ports need to be open in order for it to function, and create the rules to forward those ports to your NVR. Also, make sure the "Automatically create firewall rule" is checked when you do this, or else you will have to manually specifiy an exception along with your port-forward rules.
Your old router may have had something like UPnP which did this for you, but the edgerouter doesn't support dynamic port-forwarding. You have to do it all manually.
@@ToastyAnswers I'll definitely configure firewall rules for the NVR And VLANS. For eth3, I wasn't sure if I should assign a PVID or VID, Since the TP link router doesn't support any kind of VLAN routing.
Also, is there an alternative to port forwarding, the IP cam talk community says, port forwarding is a no no, when it comes to ip cam security. Thanks again for your input.
I would assign a PVID to the port and make sure it is checked for VLAN use under the main "switch" interface. Also, make sure you have a DHCP scope setup for whichever VLAN you are assigning it to. The PVID essentially tells the Edgerouter to put anything off that port in the VLAN specified as the PVID. The TP Link doesn't need to support anything VLAN related. As far as it is concerned, it's just on a regular network and only the router knows that eth3 is a part of a specific VLAN. All traffic for the VLAN you set as the PVID will be sent and accepted without a VLAN tag.
The VID option, on the other hand, will tell your router to accept and forward traffic for other VLANs and include a tag (or expect a tag included) with the traffic. This is the option that won't work with the TP Link, since it doesn't understand VLAN tags. Just leave this section blank for the TP Link port. Keep in mind you can only have one PVID per port.
There really isn't an alternative, unless the software you are using has some sort of cloud access which doesn't require forwarding ports. However, you should already be able to access them remotely if this is the case (as long as you didn't block internet access for that VLAN). Without knowing which NVR you are using, I can't say exactly what the proper set up would be, but typically you would have to forward at least a couple ports for access on the public internet. I agree with the community though, IP camera systems are normally a closed network with very limited access from the outside. I understand that certain ones have the ability for you to monitor the system while you are away, but these usually have some additional security built in that doesn't require opening your NVR to the public.
I have a Cisco 2960-x 24 port switch that I would like to setup in my lab.Could you post the tagging and commands for the 2960 switch?
The commands for Cisco equipment are a bit different , but these are the basics to get you going. I've made some videos in the past that cover Cisco VLAN setup and I plan on making some more in the future.
Switch(config-int)# switchport mode access (hard sets port for single VLAN use)
Switch(config-int)# switchport access vlan XX (designates which VLAN the port is a part of; PVID)
Switch(config-int)# switchport mode trunk (sets port for tagging multiple vlans)
Switch(config-int)# switchport trunk native vlan XX (sets PVID; designates un-tagged vlan)
Switch(config-int)# switchport trunk allow vlan XX,XX,XX (OPTIONAL; designates which vlans are allowed to traverse the link)
Good video. I know it's a couple years old. On suggestion though is you are doing vlan routing here. To really make it complete you should show that you can ping from one computer of one vlan to another computer on another vlan. You may also want to mention that you can prevent these two from talking back and forth as well.
Hope this helps.
It's been awhile, but you are correct. I should have mentioned this if it wasn't in the video. It must have slipped my mind.
@@ToastyAnswers One other thing I think I heard was you mentioned you were going to do some configs in the CLI of the EdgerouterX. I don't recall seeing that? Did I miss hear? Enjoyed the video very much.
Also, when you went back and added switch0.1, 192.168.2.1... If I understand correctly, you added that so you wouldn't get kicked out while doing the video, but it's not really necessary? Would you leave switch0.1 up after everything is set up for use as the management VLAN, or just use the switch0.10?
In this situation I would just get rid of that interface. The main reason I made it was to have a port in VLAN 1 if for some reason I messed up the configurations on the other VLANs. It wasn't really necessary, but I like having that fallback. You could keep it around as the management network (a lot of people like a separate network for device management) but I personally just use my home network as management.
So in order to for a trunk port to work properly, it has to have an untagged/native vlan, right? If so, when we create a subnet for the native vlan, do we have to enable DHCP as well?
By default, on a Cisco device, the "native" VLAN is set to 1. You will always have a "native" or "untagged" VLAN for a port, but you don't' have to make it a functioning network if you don't want to.
Hi, I like this alot. But I may have missed something. I thought I saw you created a video where you allowed Home to access Guest and IOT, but not the other way around, but can't find it?
Of course, this is the Edgerouter Firewall video you are looking for. I may have just replied to a comment of yours on there as well.
Does the Edgerouter support ACLs? If not how would you prevent inter-vlan router on the Edgerouter without ACLs?
The Edgerouter has a built-in firewall which can be used in the same manner as an ACL. To prevent inter-vlan routing you would apply firewall rules to the interfaces (I have a follow-up video where I go over how to do this).
I have eth2.100 eth2.999 eth2.200 -
When I am on VLAN100 I can ping the gateway IP in VLAN 999 and 200 which exist on the edge router.
Do you know how I can limit that in the firewall rules?
I have limited what can talk to 999 through firewall rules, which work, but every device on every VLAN can ping the IP addresses on the local interfaces on edgerouter, which I don't want.
I have tried to apply a firewall rule for eth2.999 local with a default policy of deny and that does not seem to stop traffic to the local interface if it comes from the same trunked port?
Hi Toasty,
I have an ER-X 2.0.8, Port 0~4 is in the switch0
port 0: pppoe
port 1: for IPTV
(no pppoe
)
port 2: Connect to the second Swtich
for PC and IPTV.
How can I set up Vlan and PVID/VID?
You have to make switch0 vlan-aware. If you go to configure switch0, there should be a check-box for this. Then, you can type in the PVID/VID assignments per-port.
So I think I got the ERX figured out, but I'm having trouble with configuring the 24-port switch (TP-SG1024DE). It has VLAN 802.1q capability, but maybe I just don't fully understand how it works. Basically, I would like to assign port 2-12 VLAN 10, port 13-14 VLAN 20, port 15-20 VLAN 30, and port 21-24 unused or native VLAN. I've tried to find examples on how to set it up, but I'm not sure what should be tagged/untagged and PVID assignments.
The way I was trying to do it is, port 1 tagged on all VLANS and the remaining ports untagged, with PVID assignments being 2-12: 10, 13-14: 20, and 15-20: 30. Ports 1, 21-24: 1. I really don't know what I'm doing. LOL
I haven't actually worked with the Unifi switches yet, but I know you have to create separate networks and then assign the networks to a "profile" which you assign to each port. This is what designates which VLAN each port is on. So, you'd make your three (or four) networks and profiles and then assign the profiles to the port groups you mentioned. The only exception would be port 1 which would be assigned to the profile "all" which would make it a tagged port.
For the unused ports I would either assign them a VLAN that goes nowhere (not included on port 1's "all" list) or just leave them off.
I need to get my hands on a Unifi switch so I can make some videos on it. The concepts are the same, but the Unifi devices go about configuring it a bit differently.
@@ToastyAnswers I think this is what's been holding me up. I haven't found much instruction how to use the Edgerouter with a managed Unifi switch. I'm setting up about 15 clients on 4 different VLANs. The PVID, PID, Native VLAN logic is completely lost on me. I've only managed to segregate some through trial and error but I don't know if it's set up properly. Even Unifi chat support said they couldn't help. "We'll email you back soon." I would really appreciate a further explanation on PVID, PID, NATIVE, tagged and untagged.
Hi Toasty, I have been using the ER-X for quite some time(of course following your guide) and very happy with it. My ISP has now offered me TV service and it will give me 3 TV Android boxes that I would like to separate from my regular network.
At the moment I have three devices connected directly to the ER-X so I of course need a switch but I'm confused which setup is correct from these two:
Setup #1:
- eth0: ISP router configured in Bridge mode
- eth1: Device #1 (VLAN #1)
- eth2: Device #2 (VLAN #1)
- eth3: Device #3 (VLAN #1)
- eth4(trunk/tag): 5-port switch to which my three TV boxes are connected (VLAN #2)
Setup #2:
- eth0: ISP router configured in Bridge mode
- eth1(trunk/tag): 8-port switch to which all my devices are connected (I understand this is what you showed in the video)
Either configuration would work. The main consideration is if you want any further room for expansion or need other ports on your planned 5-port switch to be on a different VLAN than the TV boxes.
Setup #1:
- eth4: You could get away with setting this port to VLAN #2 (PVID) instead of a trunk/tagged port. This would mean that all devices plugged into your switch would be on VLAN #2, but it also means you can get away with an unmanaged switch and not have to configure it.
Setup #2:
If you want/need to expand your wired network beyond these three TV boxes then this is probably the route to go. You can configure the Edgerouter with a trunk/tagged port and do all your vlan configuration on the switch. This means you will need a "managed" switch to take care of the VLANs. It's a little bit more configuration, but gives you more room to grow in the future.
Hope this helps.
@@ToastyAnswersThanks a lot! In the end I decided to follow your advice, to use a switch configured as trunk/tag but I'm afraid I still need help to configure a WIFI Access Point - is it possible to contact you by e-mail please?
Greate tutorial , question : l have broadband DSL connection on my house , l want to get edgerouter and if l create VLAN , does this VLANs be accessible from outside ?
No, the VLANs are internal to your network and the default firewall rules apply. It is up to you to "port forward" to your VLANs if you want inside devices to be accessible from the internet.
my iperf3 runs suggest that the device can push or pull 930Mbps of plain traffic, however, I wonder about bidirectional traffic since the test was only testing one direction at a time.
I've actually done the bi-directional tests for a video that is coming soon.
Spoiler alert! It doesn't do too hot... you won't be getting 1GB/s bi-directional throughput on one of these.
Can I setup VLANs using only the Edge Router and a TP Link EAP 225 with no switch in between? I would like to have multiple SSIDs each assigned to a different VLAN - One for IoT, one for Guest, and one for everything else. As of right now I don't have many wired devices, but the ones I do have are wired directly to the ER-X and would be on the "everything else" VLAN.
If it's possible, how (in what order) would I need to configure the ER-X so that I don't lose access? If I had my AP connected to eth1, and configured VLANs 10, 20, and 30, then made the ER-X VLAN aware and set eth1 up as you did and eth2 also with a pvid of 1, would I still be able to connect my laptop directly to eth2 (with a manually confirgured IP if need be) and have access to the ER-X even if my VLANs and DHCP pools are messed up and not allowing/assigning wireless traffic?
Thanks for making this video btw! VLANs were impossible for me to wrap my head around before this.
Shouldn't be an issue since the TP-Link supports VLAN tagging. I would create your additional SSIDs assigned to different VLANs on the WAP, but leave your existing network alone. Then, configure your VLANs on the Edgerouter and assign one of them (or an extra one) an IP in the same existing subnet and make that VLAN the PVID of the AP's port. This way, if your additional VLANs are jacked up, you should still have access just like you used to.
Creating an additional VLAN just to make sure you don't get locked out isn't really necessary. I know I do this in the video, but I could just as easily locked myself out of that one as well. Before you do anything, be sure to make a backup so in the event things go sideways, you can quickly restore the ERX. If you configure another port for access, just throw an existing PVID on it and make note of the corresponding network in case you have to statically configure your IP address.
@@ToastyAnswers Thank you, I think I understand what you're saying for the most part, but can you please confirm if these steps are correct?
1. Create 3 more SSIDs on the EAP - Wireless-Home (Tagged with VLAN 10), Wireless-IoT (Tagged with VLAN 20), and Wirelss-Guest (Tagged with VLAN 30).
2. Create the 3 VLANs on the ER-X (192.168.10.1/24, 192.168.20.1/24, and 192.168.30.1/24).
3. Set up the DCHP pools for each.
4. Create an additional VLAN in the existing subnet (192.168.1.101/24 - VLAN ID 101) in case things go sideways - This part I am unsure of, my existsing network on switch0 is 192.168.1.1/24 so I'm not sure if thats what you meant.
5. Configure switch0 to be VLAN aware and set the vid of eth1 (AP Port) to 10, 20, 30 and the pvid to 101.
6. (Optional) Set the pvid of eth2 (unused) to 10 and remember it's network is set up as 192.168.10.1 in case I need to assign a static IP.
Thanks again, I think I'm finally ready to tackle this!
*Edit* eth1 not eth0 for AP port
I am a neophyte on home network issues. I managed to configure my Edgerouter X and it is working great. I would like to be able to setup VLANs to enable separation of IOT and Home, but I have questions. I am using the ethernet ports and an unmanaged TP-Link switch to connect all my computers and audio equipment to the internet. Can I still set up VLANs in this situation? All my IOT connect via Wifi which uses a source point connected to the router.
Yes, you can still setup VLANs in this situation. The only caveat is that you cannot have multiple VLANs on your unmanaged switch. The VLAN you assign to the port servicing your unmanaged switch will be the VLAN all the devices connected to it will be on. You cannot split up multiple devices on the same switch without it supporting VLAN tagging.
Also, since you mention your IoT devices being mostly wireless, your wireless APs will need to support VLANs as well for them to be on their own network.
@@ToastyAnswers Thank you for that additional information. My AP is a TP-Link Omada EAP245. I believe it supports VLANs but I will need to explore further to confirm. I will layout my network on paper and have you comment on my proposed configuration before I try implementing it. Thanks again for your comment and help.
Hey toasty, i would like to set up one ethernet port as a vlan, and just use the rest as normal. The vlan port will have an unmanaged switch which will connect 3 iot devices. I want to then isolate that vlan from the rest of the network using firewall rules, for example by blocking the inbound traffic from the vlan subnet i assign and only allow outbound. Am i able to just use the GUI to accomplish this method? or is this a little tougher than i thought it was?
You can accomplish this in the GUI no problem. It is pretty much the same configuration as shown in this video, but you only need to apply a PVID to the single port and create the virtual-interface for the IoT VLAN. The rest of the switch will function like normal on the "Native" VLAN and use Switch0's default interface.
Check out the video I made after this one on how to setup firewall rules between the VLANs. The firewall rules are how you will isolate the new VLAN from the rest of the network.
@@ToastyAnswers Thank you so much!! I love your tuts for this router man, this is going to save me so much research. Its a really robust little box for the price, only problem is that i wish i had found it sooner instead of the standard consumer router. I ordered this thing, knowing i might not be able to set it up properly but i took the gamble. Thanks for sharing your knowledge of networks with the world.. and taking the time to reply. Top notch content.
How would you implement a management vlan for the edgerouter. I have defined it within it. And I have my access points on that vlan my case vlan 100. How would you add the edgerouter to that vlan?
To really add the Edgerouter to the management VLAN, you would need to set the listen-address to the IP address which resides on the management VLAN. This way, the GUI is not accessible from any other network.
Secondly, you would need to lock down both the management network as well as the management network interface using firewall rules.
Awesome! Thank you very much for taking your time to explain this so clearly! However I'm noticing some strange behaviour of my Edgerouter. When I make it VLAN aware, it seems to lose all connectivity (as you explained in your video), but I don't get an IP address of neither of the VLANs. So via my direct backup line on port eth2 I could disable VLAN awareness. After a restart it suddenly started working... I have setup 3 SSID's on my Linksys AP which is connected to my managed Zyxel switch which is connected to the Edgerouter where the VLANs are configured. Each SSID corresponds to a VLAN. When I now connect to a SSID, I get the corresponding IP address. So to me it seems that the VLAN setup is working correctly although the VLAN awareness is turned off on switch0. Even after a restart off the Edgerouter it keeps working... How is this possible? I'm reluctant in turning the VLAN awareness back on, as I fear that it might break things up again.
This is pretty vexing to me. What model Edgerouter are you running?
@@ToastyAnswers I have EdgeRouter X with firmware v2.0.9-hotfix.4. I'll try to enable VLAN awareness later today to see if it reacts the same way.
Thanks for the video. You are furthering my urge to use VLANS. May I have some advice?
I don't know what happened by my pasted text did not come through. Ugh! Is there anyway that I can get the text to you without having to retype my last post?
Go ahead and send it to toastyanswers@gmail.com
Is it necessary to make a "Home" vlan? Can't you just use the switch.0 as your home network? Would that be fine as well?
It is not necessary to make a VLAN for "Home". You can just use switch.0 as your main network. This is actually what I do.
Do I attach my EAP225 to the EdgeRouter or the switch?
You can do either if you have the Edgerouter ports setup as switch ports (it is like this by default on the X and X SFP). It's really just preference.
Hey Toasty if I’m only using the ER X and want to configure vlans 10(home), 20(guest), 30(IOT) how do I set up the ports with PVID and VID? Say eth2 has my smart tv PVID would be vlan10 and vid would be vlan30? And eth3 is my UAP AC It would be PVID vlan 10 and VID 20?
For the ports themselves, (assuming you are connecting your smart TV directly to the Edgerouter) you will want to set the PVID to whichever VLAN you want the device to be a part of.
For Example, eth2 would have a PVID of 30 and a blank value for VID. This way, the port is on the IoT VLAN and is not set to tag for any other network (the TV cannot create or accept any tags so anything in the VID field will not work anyways).
For eth3 (UAP-AC) you would want a PVID of 10 and a VID of 20. The UAP is able to create and accept tags so the VID is needed for the guest VLAN to function.
@@ToastyAnswers thank you very much.
Seems like every guide for setting up VLANs pertains to the Edgerouter being paired with a switch. I only need a few VLANs, and want them to be contained within the Edgerouter itself. Example:
Port 0: management interface. Other VLANs cannot access any device connected to this port.
Port 1: WAN/internet
Port 2: VLAN 2 dedicated to attached wifi router which has NAT configured on its own internal interfaces. Unable to access other VLANs.
Ports 3 and 4: VLAN 3 dedicated to servers. Should be accessible to VLAN 4 and from the WAN via port forwarding.
Port 5: VLAN 4 dedicated to users. This should have access to WAN/internet, VLAN3, and possibly VLAN2 if that's doable.
Is this something that's reasonably possible? Or am I mistaken?
This is totally doable, but it mostly falls in the realm of Firewall rules and security. I'd check out my video on Edgerouter Firewall configuration for VLANs to see how you would apply these rules.
VLANs are a way to segregate different networks and create a boundary where you can apply the necessary rules to separate them. As is, the VLANs aren't going to provide any type of security, but simply a hard boundary where you can apply filtering.
Also, the best approach to this is going to depend on the model of Edgerouter you are talking about. I see you mention six total ports, so you're either talking about the ER-X SFP (using the SFP port) or something like an ER-6. Both operate a bit differently (mainly the ER-X having a switch chip which the ER-6 doesn't). On the ER-X you would want to use VLANs, (like in the video) but on an ER-6 you would simply assign different networks to each port. Each approach has pros and cons.
The reason there is always a switch involved is that VLANs and switching go hand-in-hand (VLANs are a layer-2 technology). You really don't use VLANs with routers, you simply use different network interfaces. The real meat of VLAN configuration is on a switch separate from the router. In this case, you are telling the router how to recognize the VLAN tags coming from the switch and since the ER-X uses a switch chip... you are technically configuring a switch.
Hi! How do I get Chromecast working? I had some googling and have read about mdns, but can't get it to work. Whare I'm I doing it wrong?
If I remember correctly, Chromecast communicates using Multi-cast. If your chromecast is on a different network than the devices trying to use it, you will need to forward multicast between the two networks. This is not something I've done on an Edgerouter yet so I don't have the complete details.
Thanks. The only part that's not clear to me is how the switch knew which VLANs each VM should be on, and how you connected them to the switch. Is it a virtual switch?
So, I didn't explain this part as it was just meant to represent the concept of different VLANs. The actual setup varies depending on what is being used for device hosting, but the concepts remain the same.
In this video, my VMs were running on an UnRAID server. The UnRAID server does have a "virtual switch" built in. The server itself had multiple "bridge" interfaces which corresponded to a specific VLAN tag.
For example, the VM on VLAN 55 in the video was configured with a network interface named "bridge0.55" in UnRAID. This means traffic from this specific VM is going to be "tagged" with VLAN 55.
The UnRAID server is uplinked to the switch you can see me configure in the video. There is a single cable running between the server and switch, so each VLAN is separated by VLAN tag only. Since the port connected to the server was configured as a trunk (and allowed those specific VLANs) the switch could see the VLAN tag 55 and know to forward it out the appropriate ports (eventually ending up at the Edgerouter where the VLAN 55 "Gateway" resides.
Hopefully this made some sense... I'm a bit sleep deprived.
I've tried to creat VLANs using this method and cant get it to work. i tag the vlans on eth4 which connects to a managed switch where I have also created vlan30 and tagged the port which connects to the ERX. untagged the port which I want the work PC to connect to. removed the port from the native vlan and I get nothing but apipa. if I add vlan1 to the VPID then I bricks the connection to the switch and nothing can talk back to the ERX... not sure what I'm doing wrong. ERX is vlan aware. Switch0 consists of eth1-4. eth0 is my wan connection. tried using a tplink and a zyxel switch and both are not having it :( any suggestions?
Without seeing the full configuration, the best I can offer is to just make sure all the VLAN numbers are matching.
If you create an interface Switch0.40, then make sure the VLAN tag is for VLAN 40. Also, make sure the subnet of the virtual interface matches the DHCP scope. For example, if Switch0.40 is assigned 192.168.40.1... then make sure the DHCP pool is for 192.168.40.0/24.
There are many other variables and places this could go wrong, but those are where I see it go sideways the most.
Can I still do this setup without using.a switch? All I am trying to configure is my NVR and one AP. I am using the EgdeRouter5 POE
Yes, you can set this up without a switch. The downstream VLAN tagging will just not be present without a managed switch.
Doesn't the MTU has to be changed since you adding bytes to the packets? Or does ubiquiti do calculate it in by itself?
Very good question. I had to do a bit of research to make sure Ubiquiti behaves in the same way as other equipment. Personally, I have never had to change the MTU because of VLANs and I have never had an issue with this.
The reasoning is that (at least on other equipment... couldn't find anything specific to Ubiquiti on this) the MTU size refers to the L3 payload and does not take into account the L2 headers/trailers. The VLAN tag sits in the Ethernet header and is not taken into account when calculating the MTU.
Also, the VLAN tags are only locally significant and are not being passed over the WAN (unless you have an ISP that requires a VLAN tag). So the traffic should not be fragmented by the router anyways.
The MTU will come into play if you are dealing with Q-in-Q (encapsulating a VLAN within a VLAN) or a VPN of some sort. However, there is no need to worry about the MTU when enabling VLANs in this way.
@@ToastyAnswers Thank's a lot for this detailed answer! :)
My mom says that guests are like God, so I am going to let them access my network. 😎
As if!
I would like to see a video or a blog post on that "VLAN 188 / Internet_SPAN" thing you got going on.
Haha, I had to look through the video to see what you were talking about.
I could probably do a video or something on that. That is for my Security Onion setup which is mirroring all traffic between my modem and router. I don't have it set up this way anymore, but my connection actually passed through my switch twice in order for me to monitor the "external" traffic. Below is what the general flow looked like.
Modem > Switch (VLAN 188 mirrored to Security Onion > Router > Switch (VLAN XX to whatever devices).
@@ToastyAnswers Roger that. Just FYI- there wasn't an option for "sarcasm font..."
But I'd wondered about that setup and how it would play out a few times. Brave, if nothing else.
When creating DHCP, on the first one you did 10.0, then on the rest you put .55.0/24 and .100.0/24. I have an ER X coming in, and I'm literally taking notes off this video, so all this stuff is new to me. Sorry if it's a dumb question.
Yep, I created a pool corresponding to each network we created an interface for.
Let me know if you'd like any assistance. If I have time (very busy) I'll try to help out.
Have you had any chance to do this using a Mikrotik Switch?
I haven't worked with the Mikrotik switches before, but I've been looking into getting one to mess around with.
would the 3750e still be safe to use in a home network environment?
I would say so, but it depends on what you are looking for. I still use the 3750E in one location... but there are a few things that have to be accepted.
1. The PoE version is not current (If you are using PoE, you will only be able to power legacy devices since it does not support the latest standard)
2. You are limited to 1Gbps ports unless you have 10Gbps GBICs (which are harder to come by now days since this switch doesn't use standard SFP or SFP+ for the 10Gbps capability)
3. You are ok with a switch sucking more power than "newer" alternatives (Nowadays there are quite a few switches that can match performance for a lower power consumption)
As long as you are fine with these potential drawbacks, then I'd say it's perfectly fine to use in a home network.
@@ToastyAnswers thanks. i went for the usw 16 poe because the legacy poe is a dealbreaker
Hi Toasty, I'm looking to get rid of my Xfinity cable modem because I cannot customize my network because of it. I have a ubiquiti Edge router X because I wanted to separate my regular network (Which has DHCP) and my test network (Which has DHCP), the two DHCP servers keep assigning both prod network and my test network PC's at random, meaning my computers keep switching environments.Do I want to make sure I purchase a cable modem that can read Vlan tags when I replace my Xfinity cable modem/router?
I have a tp-link wireless router as well (Not hooked up as of now) But can I just get a standard cable modem, setup ports (Vlan) on my ubiquiti, one for prod, one for my test env and then have one port (Vlan'ed) for my wireless tp-link.
In the end i guess I wanted to describe what I'm trying to do:
1. Have a DHCP server in both Prod env and Test env -- communication is separate so DHCP request / Ack's don't cross barriers( I don't believe subnets will do the trick but Vlans will)
2.get rid of my xfinity cable modem and just purchase a motorlola mb7220 cable modem
3. My biggest question. I'm getting rid of xfinity modem to save money, does my new modem need Vlan capabilities?
To reply to my posting, cause im a newb like that. One more thing
I don't "Need" a switch right for my small network? I can allow the Edge Router to do the switching? I mean i have four ports? It can do the Vlan'ing , the switching, and send any outbound traffic to my gateway / cable modem?
Hello Ryan, I'll try to answer this as best as possible and try to break some things down by section.
As long as your new modem is supported by your ISP, it will work just fine. It doesn't need to have anything special, (like VLAN support) but your ISP has to give it the stamp of approval and you'll probably have to "activate" it over the phone. VLAN tags shouldn't be on the link with the modem anyways, (unless your ISP connection requires a VLAN tag) but in any case, your modem will simply forward the traffic to/from the ISP. It doesn't really care what kind of traffic is going through it.
It sounds like you have network overlap somewhere if you are getting random DHCP assignments. Both DHCP servers are on the same LAN segment, which is a problem. It's complete luck which addresses your hosts grab since it's whichever server happens to respond first. Since I'm not completely sure how you've got all of this setup, I'd say scrub your configurations to see where and why both networks are on the same LAN.
You can certainly connect your TP-link router and have wireless which is segregated. The only "gotcha" about this, is that everything connecting to the TP-Link will be on the same network (VLAN). Since the TP-Link (most likely) doesn't understand VLAN tags, you have to assign the entire device to a VLAN at the router... you won't be able to split it up further.
You don't necessarily need a switch, but that all depends on how many devices you want to have directly connected. The standard Edgerouter-X has five ports (Eth0-4). I only count two devices from your post (Modem, and TP-Link) which means you should have three ports open for other devices. If you need more than three, you might want to invest in a switch.
I'll just directly reply to your questions as a TL;DR.
1: VLANs are what you want, but the subnets will ALSO be different.
2: This will work just fine as long as it's compatible with your ISP.
3: No, your new modem doesn't need VLAN capability.
@@ToastyAnswers Hi Toasty,
Yes toasty they were all on the same network, I had in my test env a windows server dhcp server for my test sccm clients. The only way to prevent my prod env comps from sometimes connecting to my windows server dhcp was to explicitly deny their MAC address on windows server dhcp. Any way I see you have many more videos on the edge router so perhaps I will come across one that shows what i want to do.
Apologizes that my questions / examples of my network are confusing , im not a network guru so I am probably not stating clearly what i need and/or what i currently have
You did say "VLANs are what you want, but the subnets will ALSO be different" So if I want Vlans, I have to have those Vlans on separate subnets?
Do you have any videos showing setting up subnets on the edge router? Perhaps subnets and Vlans (Especially if this is what i need)? Perhaps without an external switch of any kind.... My environment is small, roku, two desktop computers (one main / prod computer; other computer is running hyper-v with my whole test environment on it) and a laptop.
What I think I want / need:
-One port subnetted / vlan for hard wired desktop (My regular computer / prod env)
-one port Subnetted / Vlan'ed to my test computer with hyper-v , no dhcp would be needed by edge router cause windows server's on hyper-v would provide this.
-One port one port Subnetted / Vlan'ed to put my tp-link on, to broadcast wifi - tp-link would do its own dhcp ( If possible)
I appreciate your response and hope I am more clear on my environment. If I'm still not clear, this is a learning thing for me lol and I can only get better at my communication regarding my network wants, needs, and current setup
Thank you ,
FYI I was trying to setup gns3 so i could try all of my options on "paper" so to speak before actually physically doing anything / breaking my current setup. I found that they don't use Ubiquiti in their models and/or dont have any currently that have been developed. They do have Cisco , but that gets into legal stuff when your not a cisco owner and have access to their IOS. I think I said all that correct. Hope you see what I was trying to do with GNS3 as well
Ah, I see, so the DHCP issue is kind of "unintentional" in a way. I was reading that a different way. I think I understand what you are trying to do with this. I do have a few other videos on Edgerouter, but I think this one is the closest to what you are trying to accomplish. The rest of my videos are either tests or basic setup.
Don't worry, it wasn't really confusing. I think I just read a couple parts wrong and assumed a few things.
"VLANs are what you want, but the subnets will ALSO be different". So, this statement is a little complicated and is both a yes and a no. Assuming you can (or want) your test environment separated from your production environment, but still able to access it or the internet, you will need to have them in separate subnets. VLANs themselves, technically, don't have to be on different subnets, but you can't have two "Routed" (layer 3) ports in the same subnet on your Edgerouter. If they're going to be on the same subnet and be able to between production/test you can't really put them in different VLANs since that would isolate them to different layer 2 networks. Since the router can't route between like-subnets, you won't have communication between them.
Now, there are some "creative" ways to allow both "production" and "test" to be on the same subnet, but be "kind of" separated and stop DHCP from leaking out. You've found one of the workarounds by blocking the MACs of PCs you don't want getting addresses. However, VLANs are easier and the proper way to do the separation. Also, just going by your requirements, I think it is what you are looking for. I probably just went long-winded for no reason and might have confused you a bit more... sorry.
I believe I set up subnets in this video as well as DHCP. When I make the VLAN interfaces (switch0.10, etc.) I assign an IP which is the "gateway" address for a new subnet. All I do after that is set up a DHCP with the corresponding subnet information. Each interface I create in this video for each VLAN is a separate subnet. There is also a video I do on OpenVPN where I create subnets in the CLI, (I'll mention this video again below) but it's in a different manner which isn't exactly what you'd be looking for.
Your environment seems straightforward and much the same as my own. Here is just some input on your want/needs and a couple recommendations. Also, I apologize if things aren't clear. I'm not so much explaining how to do these as I am outlining how it could be done.
- "Port subnetted/vlan for hard wired desktop."
You can pretty much follow this video for this. You'd create the VLAN interface and assign it an IP. Then, assign a port a PVID which corresponds to the VLAN interface you just created.
- "Port subnetted/vlan to test computer."
The exact same steps can be taken for this port. Just assign a different VLAN number and a different subnet. Now, if you want your server to provide DHCP for everything you will need to configure a DHCP relay on the Edgerouter so devices in the production network know where to get their IPs. This would be on the virtual-interface (VLAN interface) and point to the IP address of your DHCP server.
- "Port subnetted/VLAN for TP-link."
Again, same process. You need a different VLAN ID and yet another subnet for the wifi traffic (unless you want wifi to share the same network as "production". If so, you could just assign the PVID for "production"' VLAN to the wifi port. Up to you.). If you're going to use the TP-Link in standard "Router" mode you don't really need to do anything super special, but nothing on the other networks are going to be able to access anything Wifi directly. I don't know if that matters or not, but if it does I would try to put the router in "Access-point" mode or similar, and configure a DHCP relay for this port as well. Personally, I try to keep DHCP centralized and have oversight over everything, but I understand that sometimes wifi is just wifi and isn't really used for anything other than convenience.
I think you've done a good job of communicating what you need. I probably haven't done a good job of communicating the solution. If you are trying to learn this stuff I like to throw a lot at you so you understand there are a hundred different ways to accomplish a single task. The problem is that it usually just causes confusion because there are a lot of pros/cons of each approach.
I definitely see what you were trying to do in GNS3 and it is entirely possible to lab this up, but it won't be EXACTLY how you'd do it on your equipment. If you check out my OpenVPN on Edgerouter video series, you can see me using a VyOS image in Eve-ng (GNS3-like program) to emulate an Edgerouter. The Edgemax software is a slightly modified version of VyOS so the commands are nearly identical (with slight variation sometimes), however, you won't have a GUI and you won't be able to create virtual (VLAN) SWITCH interface. You can still do essentially the same thing, but you'd have to go about it differently than I show in this video.
If you were to use a Cisco Switch image, you could nail the CONCEPT exactly as it would be in your environment, but the configuration would be ENTIRELY different... so, wouldn't be much use...
Just let me know if you have any more questions or if my answers were about as clear as ink.
@@vande012 Also, I meant to throw in the possibility of making your "test" (hyper-v PC) port an actual "tagged" port which could be useful. This way, you can use Hyper-v's virtual network adapter to directly assign VLANs to VMs and have them be a part of any VLAN directly. This way, you could have VMs directly on the "Production" LAN or any other LAN you feel like creating. Just a thought.
6:58 which sw is it you are drawing on?
Windows Ink. It’s just the built in drawing app that comes with windows 10. I use a Boogie Board Sync as a drawing tablet. Works pretty well over Bluetooth.
@@ToastyAnswers thy works pretty good, I might have a look into that one
how to create vlan with ipv6 (example with the following structure)
eth0 with wan
vlan switch0.100
Let's say I have the following vlans 10, 20 and 30. I want vlan 10 to be able to communicate with devices on both 20 and 30 but I do not want devices on vlan 20 and 30 to communicate with devices on 10. 20 and 30 shouldn't be able to communicate with each other at all. 10 and 20 should have outside internet access and 30 not. Is this possible with the ER-X?
Yes, this is entirely possible on the Edgerouter and I have a very similar setup at home. I actually did a video on VLAN Firewall rules which accomplish this here ua-cam.com/video/fQJe4RCWoaQ/v-deo.html
The only difference is you would have an additional rule blocking all access to the internet for VLAN 30.
@@ToastyAnswers That looks like its pretty much exactly what I need. Only problem I still have is that my DHCP servers for my vlans don't seem to work. Assigning a manual ip works just fine. DHCP servers are enabled haha
edit: It appears I'm blind and made a typo in the subnet of the DHCP servers
I thought vlan1 is the native/default vlan on Edgerouter, why can't we assign vlan1 to 192.168.1.1/24 to make a the management vlan?
In my experience, VLAN1 isn't really a "native" vlan on the Edgerouter. I'd have to do some research again to confirm this, but the switch0 interface is the default for all "untagged" traffic. You could make switch0 the management vlan if you wish, but any VIF you create is automatically expecting "tagged" traffic unless you specify it as the PVID for a specific port.
@@ToastyAnswers So in the scenario of your video, switch0 with 192.168.1.1/24 is not the default/native vlan1? Is that why you had to create switch0.1 with 192.168.2.1/24 to make it the default/native vlan1? I'm trying to set eth1, eth2 and eth3 on my ER-X to be trunk ports...
I really shouldn't have created that extra interface. I just did it to give myself a safety net. Technically, switch0 is the default/native interface for all untagged traffic, but once we specify a PVID for the ports the PVID becomes the native VLAN ID (For example, I assigned Eth1 a PVID of 1. This means that all untagged traffic on Eth1 will be a part of switch0.1 and fall in network 192.168.2.0.). I could have simply left Eth1 out of the VLAN awareness or left the PVID blank and it would have fallen under switch0 (192.168.1.0) for untagged traffic. I kind of took the more confusing route for reasons I can't explain.
For Eth2, I assigned a PVID of 10. So, the untagged traffic on Eth2 would fall under switch0.10 (192.168.10.0).
Whichever VLAN you assign as the PVID will be the "native" VLAN of the port and the traffic will fall under the corresponding switch0.X interface.
how to create vlan with ipv6 (example with the following structure)
eth0 with wan
vlan switch0.100 delivering ipv6 on vlan switch0.100
I've been loving these videos. But I can't for the life of me figure out why on a Cisco SG300 you need to have the native vlan tagged on each port that requires internet.
That shouldn't be the case... there may be something else going on.
@@ToastyAnswers I have an Edgerouter-4 with two vlans (3 & 10). Cisco switch trunk/uplink port untagged for vlan1 (native) tagged for 3 and 10.
Port 7 for my PC, untagged for vlan3 and tagged for 10. I can do all the pings and connections and have zero outside (internet) connections unless my port 7 is also 'tagged' with the native/default vlan1. ~17 hours logged trying to figure this out....and many of those hours watching your videos because of your specific hardware. 🎉
Was hoping for a simple easy to follow guide to setting up my edgerouter x for home use. No additional switches just Access Points for wireless equipment. This wasn't it. I am walking away more confused then when I started.
GO here @16:50 to get to what the title says.
EdgeRouter v2.0.8 (EdgeMax)
How can I configure VLAN on a specific port in this router?
For example, I did this:
Add Interface -> Add VLAN.
VLAN ID: 255
Interfaces: eth7
As a result of this, I got the interface: eth7.255
Why can't this interface work with VLAN?
Why is it necessary to create a switch port and assign a VLAN to it?
For example, in the same Mikrotik, you do not need to create any switch ports. Everything works in exactly the same way as I wrote above. But for some reason, such a scheme does not work on EdgeRouter. I want to register VLAN for guests on the UniFi AP AC PRO access point so that they only go to the Internet and do not see the local network and other clients that are connected to the guest WLAN network.
Set interfaces bridge br0 command - Creates a bridge interface, but you cannot hang VLAN settings on it like on a switch port.
If you try to create a switch port, you get an error:
ubnt@ubnt # set interfaces switch switch0 vif 10 address 10.0.10.1/24
interface switch switch0: does not exist
Value validation failed
Set failed
[edit]
ubnt@ubnt#
Which model of Edgerouter are you using? The configurations are a bit different depending on if the model contains a "switch-chip" or not. Since VLANs are a layer-2 technology, and routers are layer-3, you don't always have the full configuration available. I'm just assuming you have one without the chip since you are getting the error "switch0: does not exist".
When you create the "VLAN" using the GUI (add interface -> vlan -> ID: 255 -> interface: eth7) you are creating a virtual sub-interface under Eth7 which will only respond to traffic tagged for VLAN 255. This is typically how routers are configured to understand VLANs without a switch-chip. You are splitting the physical interface into multiple sub-interfaces and the VLAN tag from incoming traffic is what determines which sub-interface will respond.
Since router rules state you can't have two interfaces in the same subnet, you typically can't extend a VLAN through a router without a dedicated switch-chip. That is where the bridge interfaces come in. A bridge interface will allow you to bridge layer-2 traffic through the router, but typically you can't do much in the way of customization on them (such as assign VLAN tagging).
For your scenario, you can assign a VLAN to the AP-AC-PRO for guests which will be tagged as VLAN 255. If your AP-AC-PRO is connected to Eth7 of the router, then it will function just fine as the router will see the traffic with a tag of 255 and the sub-interface eth7.255 will respond to this traffic as the gateway. However, you will have to use firewall rules to lock it down from the rest of the network and ensure it only has access to the internet. By default, the router will do its job (it will route..) between all the connected networks.
The routers with a switch-chip (i.e. the Edgerouter-X used in this video) technically accomplish the same thing, but they go about it differently by using a virtual-interface under Switch0 since they have a dedicated switch-chip. Instead of the virtual-interfaces being per-physical-interface, all physical interfaces are tied to a switch interface where the vifs are configured and able to be accessed on any interfaced designated to use the switch chip. You also get the added benefit of being able to extend VLANs through the router by simply assigning VLANs to ports without creating a vif. This benefit comes from the fact that a physical switch-chip is present (not something most routers have built-in).
Edit: I'm glad I don't have to pay for every mention of "switch-chip".... I'd be broke.
How to change mtu? Ppoe
Try the following. I go them from a Ubiquiti Community Post.
configure
set interfaces ethernet ethX pppoe X mtu 1458
set firewall options mss-clamp mss 1418
set firewall options mss-clamp interface-type all
commit;save
Why do the switch ports configured have IP addresses? Anyone?
The IP addresses are a part of a "virtual interface" and not the actual switchports themselves.
Wow, and I thought networking was easy....Thanks for making networking the same as tax code.
No firewall rules?
Firewall rules are in the next video
if I make so, i can only use 192.168.2.x
No, you can use any "valid" network for your VLANs. The ones I give in the video are just examples.