I am seeking some help with a network setup that I keep breaking and my wife has just about had it with me constantly breaking things, especially as it interrupts the other thing I am trying to play with - Home Automation. So I am here for some more help please.
My setup is Synology based with a TP-Link smart switch (TL-SG1024DE). My main router is a WRX560. I also have 2 X MR2200ac units and an RT2600ac. A bit of overkill but right price and I am trying to get a super stable Wi-Fi network for my home automation stuff in a difficult environment. I have an ethernet backbone to support where these access points are located.
What I want to achieve.
VLAN ID 1: Default/Primary Network (Only used by householders - All equipment known and given reserved IP addresses). This network should be able to access all the other VLANs except VLAN ID 222. Wired & wireless devices
VLAN ID 1733: Guest Wifi Network - default synology
VLAN ID 21: Internet of things network. Should not have access to VLAN IDs 1 & 1733 but limited access to VLAN ID 31. Wired and wireless. Our printer will be on this network so we want to have access to this VLAN from the VLAN 1 & 1733
VLAN ID 222: Internet network - ethernet only. No access to any other local network. So our kids friends can plug their stuff into the wall and our local stuff is secure. Air gapped when not in use. Comes off the WRX560 to switch so not mentioned in the TP-Link Switch
VLAN ID 31: Security Cameras. No access to other local networks. Ethernet only. Do want to be able to access it from VLAN ID 1 & 21
Hardware.
WRX560 Port 2 connected to TP-Link router, Port 21. This port is a Trunk port. Port 4 allocated to VLAN ID 222 (Internet Only) and connected to a dumb switch so easy to air-gap by removing 1 cable. This leaves 2 unused ports both marked as Trunk.
To complete the WiFi/Router setup I have the other 3 Synology routers attached to Ports 19, 20 & 22 of the switch. The main router recognises them and they are working as expected. Only one of the Access Points has anything attached to the extra ethernet ports and that equipment is part of the Primary/Default VLAN ID 1 (All those extra ports show up in SRM as being attached to VLAN ID 1 with no current option to assign them like you can on the main router.)
I also have a 4 port NAS. Ports bonded for Balanced SLB. NAS ports 1 & 2 go into ports 17 & 18 of the switch and they get allocated an IP address for VLAN 1. NAS ports 3 & 4 go to ports 13 & 14 of the switch and it also gets allocated an IP address by the router in relation to VLAN ID 21 (IoT). Relevant services of home and the IoT stuff are run on the NAS in Docker and Virtual Machines. Allocated networks according to which side of the fence I want them to sit.
So the switch configuration will look like this: -
Ports 1 - 14 being used for VLAN ID 21 equipment
Ports 15 - 18 being used for VLAN ID 1 equipment
Ports 19, 20 & 22 being used for Wi-Fi Points
Port 21 connected to Router
Ports 23 & 24 being used for VLAN ID 31 equipment
So now comes to where I seem to be stuffing things up.
This is my configuration on the router:
I have not designated VLAN ID 222 on the switch as I thought it would never get past the router and it was therefore not necessary.
Setup like this I am having some issues with services in the background dropping out. Netflix, Home Assistant, Cameras. I can't ping anything across the VLANs either. Home Assistant is only working because I have it on both VLANs 1 & 21 at the moment. I have disabled all my firewalls on the router to see if that was the issue but it is still ongoing.
So back to a simple (for some) question.
Is this setup I have described, so far, fit for purpose before I go on any further?
Thanks. Any advice appreciated.
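The access requirements in the post are directional: VLAN 1 may reach the cameras, but the cameras may never open a connection back, and that only works when the router firewall is stateful (reply packets allowed by connection tracking, new connections allowed per direction only). The following is an added example, not code from the original post or from Synology; it models the post's five VLANs and stated intents as initiator-to-target rules, checks the rule set against those intents, and renders an ordered default-deny rule list whose wording is assumed rather than any vendor's syntax.

```python
"""Directional inter-VLAN policy model for the segmentation described above.

Added example, not from the original post. Only the VLAN IDs and the stated
access intents come from the post; the rule wording is an assumption.
Reachability is modelled per *initiated* connection: if A may open
connections to B, B's replies pass via firewall state, but B may not open
its own connections to A unless a separate (B, A) rule exists.
"""

VLANS = {1: "primary", 1733: "guest", 21: "iot", 222: "internet-only", 31: "cameras"}

# (initiator VLAN, target VLAN) pairs that may open new connections.
ALLOW = {
    (1, 1733), (1, 21), (1, 31),  # primary reaches every local VLAN except 222
    (1733, 21),                   # guest may reach the printer on the IoT VLAN
    (21, 31),                     # IoT has (limited) access to the camera VLAN
}


def can_initiate(src, dst):
    """True if hosts in VLAN src may open a connection to VLAN dst."""
    return src == dst or (src, dst) in ALLOW


def one_way_pairs():
    """Pairs reachable in exactly one direction; these rely on a stateful firewall."""
    return sorted((a, b) for a in VLANS for b in VLANS
                  if a != b and can_initiate(a, b) and not can_initiate(b, a))


def check_requirements():
    """Compare the rule set with the intents stated in the post; return violations."""
    problems = []
    for v in VLANS:
        if v != 222 and (can_initiate(222, v) or can_initiate(v, 222)):
            problems.append(f"VLAN 222 must be isolated but talks to {v}")
        if v != 31 and can_initiate(31, v):
            problems.append(f"cameras (31) must not initiate to {v}")
    for v in (1, 1733):
        if can_initiate(21, v):
            problems.append(f"IoT (21) must not reach {v}")
    for v in (1, 21):
        if not can_initiate(v, 31):
            problems.append(f"{v} should be able to reach cameras (31)")
    return problems


def render_rules():
    """Ordered default-deny rule list for a stateful router firewall (wording assumed)."""
    rules = ["allow established,related"]
    rules += [f"allow new from vlan{a} to vlan{b}" for a, b in sorted(ALLOW)]
    rules.append("deny all inter-vlan")
    return rules
```

If pinging across VLANs fails even with the firewall off, the rule model is not the cause; the trunk and port VLAN membership on the switch side is the next thing to check, since untagged frames on a port whose PVID does not match the intended VLAN never reach the router's VLAN interface at all.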