New hardware VLAN questions

[pjp]

I need to replace my wifi switch / router.

What I'd like to do is use another downstream switch with two VLANs. 1 general use, and 1 for tftp booting or similar.

I've never used a "plug-and-play network extender" switch, but I presume they would only be able to do what the upstream wifi router told that specific port to do. I'm also guessing 1 port can handle only one VLAN?

To clarify RTR1 (wifi) provides a VLAN on port 1 to which RTR2 (PNP net extender) is connected.

What kind of switch would RTR2 need to be to handle at least 2 VLANs. I presume it could not be one of the "network extender" varieties, but I don't know what to look for.

The TP-Link BE3600 lists "Tag VLAN", but I'm anticipating that it is RTR2 which should handle the VLANs.


On the wifi side, how useful are the 6 & 5GHz bands? The BE9300 has both, and there seems to be a natural emphasis on "total" bandwidth, but it believe I've read of at least 5GHz not being that reliable.

The BE series probably aren't worth it as I have no immediate need for 2.5Gbps ports, but they're on the upper end of what I'd consider for low-end broadband internet. Aside from a One-Device-To-Rule-Them-All solution that wasn't enterprise priced.

[Ralphred]

What I'd like to do is use another downstream switch with two VLANs. 1 general use, and 1 for tftp booting or similar.
I've never used a "plug-and-play network extender" switch, but I presume they would only be able to do what the upstream wifi router told that specific port to do. I'm also guessing 1 port can handle only one VLAN

When you get into the realm of VLAN aware switches it's not "what the upstream wifi router told that specific port to do" but what you configured that port to do.

What kind of switch would RTR2 need to be to handle at least 2 VLANs. I presume it could not be one of the "network extender" varieties, but I don't know what to look for.

Just a "managed" switch, sometimes referred to as "layer 3", but not necessarily.

The TP-Link BE3600 lists "Tag VLAN", but I'm anticipating that it is RTR2 which should handle the VLANs.

In this use case, possibly, it depends how many LAN ports you need, if it's more than 4 in total then you are better off just getting a managed switch downstream of your router.

The problem is that it's become ubiquitous amongst the average user to think of a router as something that is a modem-router-WAP-switch all rolled into one, and the use of VLAN's is generally an SME level solution, meaning you are buying SME level equipment for all 4 components when you go "all in one", in your case you'd only justify the use of an SME level switch. When it comes to specifying switches I use d-link for cheap domestic, draytek for decent domestic, HP for cheap commercial, Cisco for decent commercial, but if you anticipate wanting a 2.5G switch within 2 years then TP-link will do, 4 years and you'll get away with netgear.

NAT type routing ("masquerading" or "overload") and firewalling happens in software, so personally I've always just stuck a second nic* in my "server" and done it there - seems a waste of time, energy, space and cash to have a little box do what can be done by pppd the kernel and iptables. This also leaves you free to buy a PoE powered WAP and stick it somewhere sensible with a single cable, or get a normally powered one and still not drag your switch/modem and it's associated cabling with it.

If I were you, I'd get a second hand one gig managed ProCurve or Cisco switch with enough ports to serve your whole network, and consider it the the first step in unrolling the modem-router-WAP-switch bundle.

*though, with a managed Gbit switch you could do it virtually on one nic for most "broadband" set-ups.

[Hu]

VLANs are a software construct, so how much or little you can do with them depends heavily on the quality of the software involved. A quality switch can allow multiple VLANs on the same port, and restrict which VLANs that port is allowed to send on.

[GDH-gentoo]

What kind of switch would RTR2 need to be to handle at least 2 VLANs. I presume it could not be one of the "network extender" varieties, but I don't know what to look for.

Just a "managed" switch, sometimes referred to as "layer 3", but not necessarily.

To clarify, you'd need a "VLAN-aware switch", that is, one that supports IEEE standard 802.1Q. I believe most "managed switches" —i. e. those that provide a user interface for configuring the switch— sold these days should be VLAN-aware.

VLAN-aware switches can be just "layer 2 switches" (only capable of "bridging", i. e. MAC layer forwarding), or "layer 3 switches" (capable of both bridging and IP forwarding). Depending on how you plan to "handle 2 VLANs", you might not need the "layer 3" functionality.

I'm also guessing 1 port can handle only one VLAN?

A single port can handle multiple VLANs, as Hu said, provided the device supports transmission and reception of VLAN-tagged Ethernet frames, which any VLAN-aware switch should do.

[pjp]

When you get into the realm of VLAN aware switches it's not "what the upstream wifi router told that specific port to do" but what you configured that port to do.

Thanks for clarifying, but that is what I meant. I have sufficient experience to know I should ask questions (my CCNA was from the mid 00s, and I never held a role where it was my primary responsibility). I also thought a port could handle more than one VLAN, but doubted my vague recollection.

Part of the issue is that I've read of some Netgear hardware not handling VLANs well, and these being those labeled for business use. As well, some models being labeled with a "E" and/or "Ev3" may support VLANs. So it isn't at all clear to me at the consumer level that any of this stuff works.

Just a "managed" switch, sometimes referred to as "layer 3", but not necessarily.

I'll have to revisit what I've seen available, given what I've read about what Netgear hardware supports.

In this use case, possibly, it depends how many LAN ports you need, if it's more than 4 in total then you are better off just getting a managed switch downstream of your router.

That's what I'm leaning towards. 4 probably isn't sufficient.

The problem is that it's become ubiquitous amongst the average user to think of a router as something that is a modem-router-WAP-switch all rolled into one, and the use of VLAN's is generally an SME level solution, meaning you are buying SME level equipment for all 4 components when you go "all in one", in your case you'd only justify the use of an SME level switch.

I've tried to identify the distinct components, but it seems impractical. I'd still have to identify the switch (which I should have called SW1 instead of RTR2... I hastily tried to be more clear using fewer words). Then I need a WAP. The modem-router is currently provided by the ISP.

I was trying to avoid Ubiquiti because they seem to have tried making their product line as complicated as possible, with a push toward cloud and other special devices to manage their equipment. Cloud Key / Gateway and I forget what else.

When it comes to specifying switches I use d-link for cheap domestic, draytek for decent domestic, HP for cheap commercial, Cisco for decent commercial, but if you anticipate wanting a 2.5G switch within 2 years then TP-link will do, 4 years and you'll get away with netgear.

I probably don't need 2.5G, but it is available without too much additional cost. Residential fibre is supposedly on it's way, but no specific schedule. I've seen ISP related vehicles in the area and have heard it's close by, so who knows. As a hedge, the port could be used to connect to SW1, and eithe rof those TP-Link BE models I think should be able to replace my ISP's modem/router device, though I'd have to verify.

My dying all-in-one is a D-Link, but they seem to have abandoned physical retail, at least locally. I've never heard of Draytek. My only interest in TP-Link is they seem to get decent reviews, and I can get them locally. I would have preferred Netgear, but having read of questionable performance vs. claims, I'm leery of them. My original thought was a decent Netgear switch and WAP. That seemed easy until I tried to identify capabilities.

NAT type routing ("masquerading" or "overload") and firewalling happens in software, so personally I've always just stuck a second nic* in my "server" and done it there - seems a waste of time, energy, space and cash to have a little box do what can be done by pppd the kernel and iptables. This also leaves you free to buy a PoE powered WAP and stick it somewhere sensible with a single cable, or get a normally powered one and still not drag your switch/modem and it's associated cabling with it.

Well, the device seems much more convenient with less power draw. I'd like to use WoL to shut most of the hardware down when not in use. I've looked for low power devices to take on that role, but few have enough ports or capacity to do much of anything else. On the plus side, the first result for a 4 port NIC was only ~$70.

If I were you, I'd get a second hand one gig managed ProCurve or Cisco switch with enough ports to serve your whole network, and consider it the the first step in unrolling the modem-router-WAP-switch bundle.

I'm not familiar with HP, but Cisco tend to be very loud due to the small screaming fans. Then there's availability and cost. I don't use e-bay, and most companies idea of support is to not provide it. In particular I'm thinking of getting used hardware that has problems.

*though, with a managed Gbit switch you could do it virtually on one nic for most "broadband" set-ups.

In theory a good switch should make it easier. I once configured a PC to act as a router, and also used TUN/TAP for VMs on a system. But for 8 or 16 ports, the dedicated solution seems easier. Except for the lack of ssh acccess. All web interfaces are heinous and only exis to make life difficult (in my experience).

I'll try looking again. Maybe I'll see something I overlooked. Thanks!

[pjp]

VLANs are a software construct, so how much or little you can do with them depends heavily on the quality of the software involved. A quality switch can allow multiple VLANs on the same port, and restrict which VLANs that port is allowed to send on.

I didn't realize how bad consumer grade equipment was, even when target at business use. I doubted my memory on the multiple VLANs/port thing. If I recall, it may have been (then) recommended against for performance considerations.

To clarify, you'd need a "VLAN-aware switch", that is, one that supports IEEE standard 802.1Q. I believe most "managed switches" —i. e. those that provide a user interface for configuring the switch— sold these days should be VLAN-aware.

VLAN-aware switches can be just "layer 2 switches" (only capable of "bridging", i. e. MAC layer forwarding), or "layer 3 switches" (capable of both bridging and IP forwarding). Depending on how you plan to "handle 2 VLANs", you might not need the "layer 3" functionality.

Managed seems to be the minimum, which I presumed to be the case. The more difficult challenge finding one of sufficient quality to claims made ratio.

And I naturally remember why I didn't do this any of the previous times I looked into it.



I'll try to see what I can find as there isn't much can left to kick.

Thanks everyone!

[pjp]

It's not looking good so far for anything better than an all-in-one but not enterprise $.

TP-Link JetStream TL-SG3428 (24port) and TL-SG3210 V3 (8port) both list Omada centralized management. At least for some devices it requires a separate "on premises" device to not manage it from the cloud. I'm not sure which ones if it is limited.

HPE Networking Instant On 1930 8-Port
configure using web-based or mobile app
Cloud-hosted web interface management

ZyXEL GS1900-8HP 8-Port
ZyXEL One Network, Intuitive Wizard, designed to relieve users

TRENDnet EdgeSmart TPE-TG82ES 8-Port
intuitive web-based interface
(I don't know if it means cloud.)

Hah! Ubiquiti's is a subscription service. Although anything cloud likely is.

Even the sub $100 NETGEAR ProSAFE GS108Tv3 8-port is "w/ Cloud Management"

Without checking I presume most will work without cloud management.

For used ProCurve, Amazon lists something like "Amazon Renewed". I stopped using Amazon because I can't trust them to sell me the product I ordered from the seller I chose, so I certainly can trust their renewal process (one review included a picture with a poorly retouched rusty chassis fan exhaust area).

[pingtoo]

May be consider OpenWrt supported devices. This way you will have full control, no more "cloud management"

[pjp]

Oh my. It's worse than I thought, at least for one of the "improved" v3 Netgear models (GS108T v3):

The switch will prompt you to create a Netgear cloud account to manage the device and offer you 'limited access' to the device until you do so. According to the Netgear knowledge base, however, this 'limited access mode' should still allow you to update the firmware.

There are two ways to work around this:

Block access to 8.8.8.8 from the device in your router's firewall.
Connect the switch to a computer without internet access.

This method sometimes fails. Be prepared to open the device and solder a pin header for serial console. The holes are filled with solder, so having desoldering tools is also highly recommended!

That pretty much guarantees I won't buy Netgear.

[Ralphred]

I'm still gonna advocate for a local used re-seller: I borrowed a dumb-switch from a mate to power some extra cameras, and he needs it back, so I picked up a JG926A for under £30 this afternoon.
I'd offer to ship you the freshly redundant JG921A, but the shipping would probably cost more than it's worth...

It seems the smaller SME level stuff nowadays is trying to bypass local network admins entirely, not a great "security feature" IMHO.

[pjp]

Hah, yeah, shipping. I once paid "too much" for a friend to send me an old Pentium. It was an interesting experiment, but it locked up while compiling one day, presumably due to the CPU fan having died.

I'll see if I can find any resellers. If I recall, Cisco used to be bad about allowing any updates without a contract. I don't know about any other enterprise gear. Noise is still my concern with those.

OpenWRT seems like a great idea, but I can never find anything on the site that's available, and it generally seems to focus on the all-in-one devices. Which makes sense.

[pingtoo]

OpenWRT seems like a great idea, but I can never find anything on the site that's available, and it generally seems to focus on the all-in-one devices. Which makes sense.

Try this link switches.

I tried with ZyXEL GS1900-16, I was able to find it on Amazon and few other places.

[pjp]

Amazon is the only place I see with which I'm familiar. I can find the 8-port on some other sites, as well as the 24 and 24E models.
Oh, the 16 is unmanaged. I still can tell what version though. I'd buy it without hesitation if I thought I could just use simply use it.

Unfortunately openwrt doesn't list a page for those, only the 8 and 10. I'm also unable to determine versions of those available.

[pingtoo]

Amazon is the only place I see with which I'm familiar. I can find the 8-port on some other sites, as well as the 24 and 24E models.
Oh, the 16 is unmanaged. I still can tell what version though. I'd buy it without hesitation if I thought I could just use simply use it.

Unfortunately openwrt doesn't list a page for those, only the 8 and 10. I'm also unable to determine versions of those available.

This is same problem everywhere. There is no way to easy identify exact product. You can't even do this in a store because the packaging. And Marketing usually intentionally made it unclear for lesser liability.

May be you can get into the real online store (Not Amazon) and ask for tech support for detail information. I see the 24 port version can do vlan. So OpenWrt just a good to have.

[Banana]

I can recommend https://mikrotik.com/products. I do only have two small ones, but their router OS is very powerfull, even if you do not buy the permium stuff. I even think it is always the same and only limited by the hardware.

[pjp]

@pingtoo@,

Yeah, I know. It just makes it difficult given that I have no idea how usable it would otherwise be.


@Banana,

I forgot about them. Interestingly, I don't think I noticed the name while searching.

The CSS610-8G-2S+IN seemed promising...

Cloud Smart Switch ... comes with the lightweight SwOS which is easy to configure from your web browser. It gives you all the basic functionality for a managed switch, and more:

I don't expect to not have to use a web browser, but I wonder if any of those really mean Chrome. Then there's the issue as with Netgear and whether they force you to create an account to manage it. What if it isn't internet connected?

I'll have to think about it. I'm leaning toward giving up and seeing what one of the sub $100 TP-Link all-in-one devices does. If I can get it setup to replace the existing device, I can probably ignore it for at least 5 years.

[Banana]

With mikrotik you do have multiple configuration options available:

MAC-based access for initial configuration
WinBox – standalone Windows GUI configuration tool
Webfig - advanced web-based configuration interface
MikroTik - Android and iOS-based configuration tool
Powerful command-line configuration interface with integrated scripting capabilities, accessible via local terminal, serial console, telnet and ssh
API - the way to create your own configuration and monitoring applications

[pjp]

That could make it a lot easier.

I was still going to see about resellers (low expectations) and possibly contact a manufacturer or two for clarification, but if mikrotik includes command line, then that's a strong case for not trying to make it difficult to use. As long as local web interface doesn't require Chrome, I'd probably use that most of the time, but sometimes it's nice to get a quick response.

I'll give their hardware another look this weekend. Thanks for finding that!

[szatox]

but if mikrotik includes command line, then that's a strong case for not trying to make it difficult to use.

Haven't worked with them myself, but a few of those were used in a company I worked for;
AFAIR network guys had one laptop with windows stashed somewhere, solely for the purpose of doing the initial configuration via serial console (and using winbox, I think) before they could switch to ssh.
They were doing config backups for all switches in the whole building too, including those few microtics, but never tried injecting initial configuration this way (while I was there). Knowing them, there must have been a reason for doing it in such a roundabout way, so better double check that part.

[AJM]

That could make it a lot easier.
I was still going to see about resellers (low expectations) and possibly contact a manufacturer or two for clarification, but if mikrotik includes command line, then that's a strong case for not trying to make it difficult to use. As long as local web interface doesn't require Chrome, I'd probably use that most of the time, but sometimes it's nice to get a quick response.
I'll give their hardware another look this weekend. Thanks for finding that!

I can confirm that Mikrotik's web UI doesn't require Chrome. While they have their faults, they're not that kind of company... their "Winbox" software has worked fine under Wine for years but they have recently released a (beta) version which runs on Linux / Mac natively as well. (Maybe I shouldn't admit here that my Mikrotik router is actually currently running OpenWRT!)

One point regarding Ubiquiti - once configured, their Unifi APs / switches do not require the controller to be running in order to work; it's possible (easy) to self-host the controller software in a VM and only run it when you want to (re)configure something or add new hardware. I look after a fair number of UniFi wifi deployments and their system is pretty easy to manage, far easier than Mikrotik at scale; far less flexible than Mikrotik at small scale though.

[saellaven]

It's not looking good so far for anything better than an all-in-one but not enterprise $.

TP-Link JetStream TL-SG3428 (24port) and TL-SG3210 V3 (8port) both list Omada centralized management. At least for some devices it requires a separate "on premises" device to not manage it from the cloud. I'm not sure which ones if it is limited.

I'm running an Omada network both at home and at work. The switches are all pretty decent and the APs are good from my experience. Routers can be a little lacking compared to more comprehensive solutions.

The Omada controller can be done from the cloud, a hardware controller, or a software controller.

You don't absolutely need a controller and can configure it all standalone, but the controller gives you some extra benefits like fast roaming on your APs.

[pjp]

I can confirm that Mikrotik's web UI doesn't require Chrome. While they have their faults, they're not that kind of company... their "Winbox" software has worked fine under Wine for years but they have recently released a (beta) version which runs on Linux / Mac natively as well. (Maybe I shouldn't admit here that my Mikrotik router is actually currently running OpenWRT!)

I presume "Chrome required" is an effective result rather than a goal. But it's good to know there stuff isn't. They have an AP that references a management tool that can be run from some of their devices. Maybe that's fine, but it seems obnoxiously complicated. On the plus side, many of their devices have console ports. Rhetorically, can I configure the AP from the router directly? I suspect not, and that the special software has to do it. If I go that route, those are some of the questions I'll have to ask them. I'm leaning toward not at this time though. The total price of ~$300 is more than I'd set out to spend. I'll keep it in mind though if fibre arrives anytime soon. Which is another reason to put off buying expensive equipment that I won't use.

One point regarding Ubiquiti - once configured, their Unifi APs / switches do not require the controller to be running in order to work; it's possible (easy) to self-host the controller software in a VM and only run it when you want to (re)configure something or add new hardware. I look after a fair number of UniFi wifi deployments and their system is pretty easy to manage, far easier than Mikrotik at scale; far less flexible than Mikrotik at small scale though.

Thanks. I really don't want to have to use a VM to manage anything. It's simply not required for small office / home setups in my opinion. That does somewhat confirm my concerns about their move away from easily configurable devices. (And no, a VM or the cloud does not make it "easy.")

[pjp]

I'm running an Omada network both at home and at work. The switches are all pretty decent and the APs are good from my experience. Routers can be a little lacking compared to more comprehensive solutions.

The Omada controller can be done from the cloud, a hardware controller, or a software controller.

You don't absolutely need a controller and can configure it all standalone, but the controller gives you some extra benefits like fast roaming on your APs.

Thank you. I don't recall if I noticed price much for their devices. Now that you mention it, I do recall the "software controller", but it very much seems geared toward large deployments.

https://www.tp-link.com/us/business-net ... ontroller/

"Up to 1,500 Omada access points, JetStream switches, and Omada routers."

That's all good and well, but I'm going to have 1 or maybe 2. They do list supporting some Linux OSes, so that's nice. I may see if I can download it and get it working, or if I need the device first (it says it is freely downloadable).

"Ubuntu 14.04/16.04/18.04, CentOS 6.x/7.x, Fedora 20 (or above) and Debian 8/9"

[saellaven]

I'm running an Omada network both at home and at work. The switches are all pretty decent and the APs are good from my experience. Routers can be a little lacking compared to more comprehensive solutions.

The Omada controller can be done from the cloud, a hardware controller, or a software controller.

You don't absolutely need a controller and can configure it all standalone, but the controller gives you some extra benefits like fast roaming on your APs.

Thank you. I don't recall if I noticed price much for their devices. Now that you mention it, I do recall the "software controller", but it very much seems geared toward large deployments.

https://www.tp-link.com/us/business-net ... ontroller/

"Up to 1,500 Omada access points, JetStream switches, and Omada routers."

That's all good and well, but I'm going to have 1 or maybe 2. They do list supporting some Linux OSes, so that's nice. I may see if I can download it and get it working, or if I need the device first (it says it is freely downloadable).

"Ubuntu 14.04/16.04/18.04, CentOS 6.x/7.x, Fedora 20 (or above) and Debian 8/9"

My home consists of 2 switches and 4 APs (soon to be 6 to extend things outside) and my business 3 switches and 4 APs.

I'm using a hardware controller (note the OC200 is too underpowered to do DPI and such, so it's going to start losing feature parity), but there's a docker container with the software controller out there. It's all the same software and it's just as easy to configure as Ubiquiti (in fact, some people accuse it of being a Ubiquity knockoff). The controller (hardware or software) allows things like fast roaming and easy configuration/migration when you replace components, but isn't necessary.

I'm using the ER7206 router in both locations.

Hardware is relatively cheap, but more expensive than an All-in-one home router.

Current Amazon prices:
ER7206: $140
SG3248: $200
SG2428P: $280 (if you want POE)
SG2010P: $115 (what I'm using in the secondary offices at work)
APs range from $70 and up depending on the features you want

The nice part is being able to swap out and upgrade components as needed. Everything is running linux under the hood (you can ssh into the devices if you want).

You can use 2 APs to bridge the networks together too. My (very non-tech related) office consists of 3 suites and it isn't possible to run ethernet between them, so the two secondary suites have an AP connected to a POE switch that serves that respective suite.

There is a demo of the controller software on the TPLink Omada site too, if you want to see what configuration is like.

[AJM]

They have an AP that references a management tool that can be run from some of their devices. Maybe that's fine, but it seems obnoxiously complicated. On the plus side, many of their devices have console ports. Rhetorically, can I configure the AP from the router directly? I suspect not, and that the special software has to do it.

You can configure and use any Mikrotik AP directly (built in web ui, mobile app, ssh etc) without any other Mikrotik device or software involved. They also have an optional managed wifi controlled feature (like UniFi/Omada) for which the controller (called CAPSMAN) can be run on any device running Mikrotik RouterOS (so you could run it on an AP to manage other APs for example, or run it on a MT router).

Frankly in its current state CAPSMAN not worth the bother IMHO - I've done it and it does make configuring additional APs trivial (hold down the button on the AP and release when the LED flashes sort of thing), but it's nothing like as good as UniFi from a UI point of view. If you just want a couple of APs it's much easier just to configure them directly. To me Mikrotik's biggest strength AND weakness is the flexibility and number of features RouterOS offers; it's trivially easy to do simple stuff but you can easily get bamboozled figuring out their way of configuring more complex networking scenarios.