What is VLAN, why and how
-
I use a Netgate 2100 device as a firewall to protect my home network. I am generally happy with it. I have a good understanding of IPv4 networks for home management, but little of IPv6.
Unfortunately, I found that with IPv6 I cannot control device access to the WAN and started to think about how I could manage that. At some point people mentioned the use of VLANs for this purpose.
I would like to try, but I really don't understand what to expect and what level of problems I can run into.
For example, I could have a VLAN per kid, but will they be able to play games that use a LAN connection? How about access to a home server with Windows shares?
What do I risk? Do I manage a firewall for each VLAN? Perhaps I need some links to good introductory materials.
Thank you
-
@Sergei-0 To me, a VLAN is like a pipe within a pipe (only logical, not physical). Group some small pipes within a larger one and you can run water, oil, chemicals, whatever through the same plumbing without mixing. VLANs are helpful in larger networks where departments, printers, etc., can be isolated for security and management purposes. I don't personally run them in my home environment, but there are many that do. One of the most common is to split off guest wifi access so they just go to the Internet and have no access to other network computers. Or to isolate IoT devices so if they are hacked they cannot be used to attack other systems. A small complication is that they require "smart" (VLAN-aware) managed switches that can say "OK, ports 1-4 are VLAN 10 and 5-8 are VLAN 20". That's how the VLAN traffic remains isolated.
Whether it's worth the complexity and expense is up to you. Anyway, that's my 20 cents (which is 2 cents in 1950 dollars).
Much more confusion awaits using any search engine! HTH :)
-
@Sergei-0 said in What is VLAN, why and how:
IPv6 I cannot control device access to WAN and started to think how I could manage that
You want a simple solution? Turn it off. Can you name one resource on the internet that you cannot get to with IPv4?
If you are not ready to manage IPv6 the way you want to, then just turn it off. Unless you can name a resource you need to get to that you cannot reach without IPv6, there is no reason to even enable it if you are not yet able to manage it the way you want.
There are many ISPs that don't even offer it; my ISP doesn't. I need to run an HE tunnel to be able to use IPv6, which is only for play and learning. I only have it enabled on the devices on my network I want to use it with. My wifi networks do not have it enabled, for example.
-
@Sergei-0 said in What is VLAN, why and how:
What do I risk? Do I manage firewall to each VLAN? Perhaps I need some links to good introduction materials.
Like all other things, you may misconfigure it.
If you have enough LAN ports you may connect devices to them directly; if not, you may connect a switch to one or more ports. But when it comes to something like WiFi, let us say, you may be able to set up multiple SSIDs, each in its own VLAN, so they all run over one LAN port but are separated from each other. I would say if enough ports are there you should go with routing and firewall rules; if not, or when it comes to WiFi with several SSIDs, you should use VLANs for it.
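The two mechanisms the replies describe, a managed switch that puts "ports 1-4 in VLAN 10 and 5-8 in VLAN 20", and several SSIDs riding one LAN port as tagged traffic, both come down to the 802.1Q tag and how a VLAN-aware switch classifies frames by it. The following is an added example, not code from the thread or from Netgate/pfSense: a minimal model of tag insertion and parsing plus a port-based switch with access and trunk ports. Port numbers, MAC addresses, VLAN IDs and the sample frames are made up for illustration.

```python
"""Added example (not from the forum thread): 802.1Q tagging and a minimal
VLAN-aware switch model. All ports, MACs, VLAN IDs and frames are constructed."""
import struct
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; if vid is given, a 4-byte 802.1Q tag follows the source MAC."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vid            # PCP(3 bits) | DEI(1 bit)=0 | VID(12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid (None when untagged), the real EtherType and the payload."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    etype = struct.unpack("!H", frame[12:14])[0]
    vid, off = None, 14
    if etype == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        etype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": etype, "payload": frame[off:]}


class VlanSwitch:
    """Access ports carry exactly one VLAN untagged; trunk ports carry tagged
    frames for a set of VLANs (this is how several SSIDs share one cable)."""

    def __init__(self) -> None:
        self.access: Dict[int, int] = {}       # port -> VLAN ID
        self.trunk: Dict[int, Set[int]] = {}   # port -> allowed VLAN IDs

    def add_access_port(self, port: int, vid: int) -> None:
        self.access[port] = vid

    def add_trunk_port(self, port: int, vids: Set[int]) -> None:
        self.trunk[port] = set(vids)

    def classify(self, in_port: int, frame: bytes) -> Optional[int]:
        """VLAN an ingress frame belongs to, or None if the switch drops it."""
        vid = parse_frame(frame)["vid"]
        if in_port in self.access:
            # A host on an access port does not get to pick its VLAN by sending a tag.
            return self.access[in_port] if vid is None else None
        if in_port in self.trunk:
            return vid if vid in self.trunk[in_port] else None
        return None

    def forward(self, in_port: int, frame: bytes) -> Dict[int, bytes]:
        """Flood to every other port in the same VLAN; returns {port: frame as sent}."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return {}
        p = parse_frame(frame)
        out: Dict[int, bytes] = {}
        for port, pvid in self.access.items():       # access ports get it untagged
            if port != in_port and pvid == vid:
                out[port] = build_frame(p["dst"], p["src"], p["ethertype"], p["payload"])
        for port, vids in self.trunk.items():        # trunk ports get it tagged
            if port != in_port and vid in vids:
                out[port] = build_frame(p["dst"], p["src"], p["ethertype"], p["payload"], vid=vid)
        return out


def home_switch() -> VlanSwitch:
    """Constructed layout: ports 1-4 VLAN 10 (kids), 5-8 VLAN 20 (IoT), port 9 trunk to the AP."""
    sw = VlanSwitch()
    for port in (1, 2, 3, 4):
        sw.add_access_port(port, 10)
    for port in (5, 6, 7, 8):
        sw.add_access_port(port, 20)
    sw.add_trunk_port(9, {10, 20, 30})
    return sw


BROADCAST = "ff:ff:ff:ff:ff:ff"


def demo_broadcast_from_kid_pc() -> Dict[int, bytes]:
    """Untagged ARP broadcast in on port 1: reaches ports 2-4 untagged and the trunk tagged 10."""
    return home_switch().forward(1, build_frame(BROADCAST, "02:00:00:00:00:01", 0x0806, b"arp"))


def demo_tag_injected_on_access_port() -> Dict[int, bytes]:
    """IoT box on port 5 sends a frame tagged VLAN 10 trying to reach the kids: dropped."""
    return home_switch().forward(5, build_frame(BROADCAST, "02:00:00:00:00:05", 0x0806, b"arp", vid=10))


def demo_tagged_from_trunk(vid: int) -> Dict[int, bytes]:
    """Tagged frame arriving from the AP on the trunk: delivered only to that VLAN's access ports."""
    return home_switch().forward(9, build_frame(BROADCAST, "02:00:00:00:00:09", 0x0806, b"arp", vid=vid))


if __name__ == "__main__":
    print(sorted(demo_broadcast_from_kid_pc()))        # [2, 3, 4, 9]
    print(demo_tag_injected_on_access_port())          # {}
    print(sorted(demo_tagged_from_trunk(20)))          # [5, 6, 7, 8]
```

The switch model is what gives the "pipe within a pipe" its walls: a frame from a VLAN 10 access port never appears on a VLAN 20 port, and a tag a host injects on an access port is simply ignored. Crossing between VLANs therefore only happens at a router or firewall attached to the trunk, which is where the per-VLAN firewall rules the original question asks about would live.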