Understanding Unifi and VLANs for IoT devices
Discussion
I currently have 3x Ubiquiti UAP-AC WiFi access points and a controller running on a Synology Docker.
Since creating a Home Assistant environment, the amount of WiFi IoT devices I have has prompted me to think about VLANs and getting these chatty devices into their own IoT network.
Although I can create a new VLAN in Unifi, it falls apart pretty quickly because I think I need a layer 3 switch or router to handle the new Gateways these new VLANs will use?
I bought a Unifi Flex Mini switch, but that is Layer 2 - so I'm guess that's no use here?
My router is a fairly dumb jobbie provided by Gigaclear, and it isn't VLAN aware.
So my question is, in order to set up VLANs, will I need a layer 3 switch between my Router and the rest of my network which will act as a Gateway for the various VLANs I'll probably end up creating?
Since creating a Home Assistant environment, the amount of WiFi IoT devices I have has prompted me to think about VLANs and getting these chatty devices into their own IoT network.
Although I can create a new VLAN in Unifi, it falls apart pretty quickly because I think I need a layer 3 switch or router to handle the new Gateways these new VLANs will use?
I bought a Unifi Flex Mini switch, but that is Layer 2 - so I'm guess that's no use here?
My router is a fairly dumb jobbie provided by Gigaclear, and it isn't VLAN aware.
So my question is, in order to set up VLANs, will I need a layer 3 switch between my Router and the rest of my network which will act as a Gateway for the various VLANs I'll probably end up creating?
A VLAN is a layer 2 concept, so you are quite right, you will need something to connect your VLANs together at layer 3.
I also have a Unifi WiFi network that I'm using to do Home Assistant stuff. I use a Unifi Edgerouter-X which is a cheap way of getting some quite good enterprise-level features including VLANs. I've got the ER-X firewall set up so that the IOT VLAN can't initiate a connection to anything else internal, it only has internet access (apart from mDNS, see below)
You might find you can bin your ISP router and replace it with the ER-X, it depends on which ISP you use.
Whatever router you pick, you'll probably need to enable mDNS Relay between your Home Assistant VLAN and your IOT VLAN, as quite a bit of IOT stuff seems to depend on that.
Timothy Bucktu said:
Interesting...thanks. I Googled the ER-X, but that appears to be Layer 2? Can that box have multiple Gateways?
From https://dl.ubnt.com/datasheets/edgemax/EdgeRouter_..."VLAN interfaces for network segmentation
• Static routes and support of routing protocols: OSPF, RIP, and BGP"
wondering about a couple of these and running BGP between upstairs and downstairs...:-)
Somebody said:
Bookmarked.
I have IP cameras which I access remotely via allocated ports against each camera's internal IP. When using VLAN, does it mess up port forwarding?
TIA
No, not at all. You'd just forward the traffic to whatever IP address the camera has, same as you do now. With VLANs, this would be on a different subnet to your "main" network. You also need to get the firewall rules correct for what you want to allow/deny.I have IP cameras which I access remotely via allocated ports against each camera's internal IP. When using VLAN, does it mess up port forwarding?
TIA
The ER-X is cheap partly because it's nowhere near line rate 1GB/s performance, and if you're using it to terminate a VPN as well it'll be even slower. That said it should be perfectly fine for pretty much any home network scenario.
The ER-4 is another option which is higher performance, although at least 2x the cost.
Timothy Bucktu said:
Interesting...thanks. I Googled the ER-X, but that appears to be Layer 2? Can that box have multiple Gateways?
Yes, as xeny confirms. It's a proper router that supports multiple interfaces, which can be native ethernet, VLAN ("vif") , PPPoE, GRE, VPN Tunnels, etc. The latter is quite useful if you want a secure way of connecting in to your home from outside without having to open firewall ports, you can set up the router to be a VPN server (L2TP, OpenVPN etc). That's much safer for accessing Home Assistant from outside than just opening a firewall port for your HA instance.
Timothy Bucktu said:
OK thanks...I'll get qn ER-X and try it out. Nice to have everything managed in the Unifi controller as well.
I have a VPN running on my NAS already.
Given the choice, I'd rather risk my router being compromised (as a VPN server is inevitably externally exposed) than the device with all my files on it.....I have a VPN running on my NAS already.
Timothy Bucktu said:
OK thanks...I'll get qn ER-X and try it out. Nice to have everything managed in the Unifi controller as well.
I have a VPN running on my NAS already.
The Unifi controller app won't manage the Edgerouters, they're managed directly from a web interface or CLI (or a phone app to do some basic stuff only).I have a VPN running on my NAS already.
The USG router is more integrated with the Unifi Wifi controller app, and it also does VLANs so is an alternative choice if you don't need all the enterprise routing stuff that the Edgerouters can do.
outnumbered said:
Timothy Bucktu said:
OK thanks...I'll get qn ER-X and try it out. Nice to have everything managed in the Unifi controller as well.
I have a VPN running on my NAS already.
The Unifi controller app won't manage the Edgerouters, they're managed directly from a web interface or CLI (or a phone app to do some basic stuff only).I have a VPN running on my NAS already.
The USG router is more integrated with the Unifi Wifi controller app, and it also does VLANs so is an alternative choice if you don't need all the enterprise routing stuff that the Edgerouters can do.
Timothy Bucktu said:
outnumbered said:
Timothy Bucktu said:
OK thanks...I'll get qn ER-X and try it out. Nice to have everything managed in the Unifi controller as well.
I have a VPN running on my NAS already.
The Unifi controller app won't manage the Edgerouters, they're managed directly from a web interface or CLI (or a phone app to do some basic stuff only).I have a VPN running on my NAS already.
The USG router is more integrated with the Unifi Wifi controller app, and it also does VLANs so is an alternative choice if you don't need all the enterprise routing stuff that the Edgerouters can do.
https://uk.store.ui.com/uk/en/collections/cloud-ga...
Gassing Station | Computers, Gadgets & Stuff | Top of Page | What's New | My Stuff