SG-1100 with AX6000 physical setup

TechSnazzy

Hello, I'm new here and have a question and hoping someone here can point me in the right direction:

I have a typical AT&T modem (dhcp) and a TP-Link AX6000 router.
My devices connect to the AX6000 with both wired and wireless connections.

I recently purchased the SG-1100 for a couple reasons:

1. Because I just want to learn more about how this works and...
2. Since I've been working from home, I want to separate my work devices from my home devices using VLANs.

Only problem is, I can't figure out the physical setup.

Is this right?
Internet <--> Modem <--> SG-1100 <--> AX6000 (router) <--> devices

Or this?
Internet <--> Modem <--> SG-1100 <--> Switch <--> AX6000 (access point) <--> devices

Any comments on this are greatly appreciated. Thanks!

johnpoz

@techsnazzy said in SG-1100 with AX6000 physical setup:

I want to separate my work devices from my home devices using VLANs.

Well unless your running 3rd party firmware on that AX6000, I find it hard to believe it supports vlans.

Also what switch are you using - does it support vlans?

What you could do with such hardware is connect your ax6000 as AP to one of the sg1100 ports. And anything on wifi or wired to the ax6000 would be on vlan X... And then connect your dumb switch to other port of sg1100 and that could be your LAN network.

This would isolate stuff on wifi, and wired to AX6000 to their own network, while stuff connected to your other switch would be on different network/vlan to isolate. But without a AP that supports vlans its not really possible to create SSIDX vlanX, SSIDY vlan Y, SSIDZ vlan Z..

If your goal is vlans and segmentation of your network.. You really need a AP that supports them and switch that supports them. Then you can put any wireless device on any vlan you want based upon what SSID they connect to, and any wired device on any vlan you wan just be configuring the port they connect to on the switch to be in that vlan.

TechSnazzy

Well the VLANs would be configured on the SG-1100 I believe.

johnpoz

Yeah but if your switch and AP do not support them - that doesn't get you much.. Since there will be no tags coming into pfsense for its vlan settings to do anything with.

The only way that could work is every single device on your network would have to tag its traffic - and then you would have be sure your AP or switch do not strip them. And highly unlikely IOT devices support tags.

To do vlans correctly your AP needs to support them, and your switching infrastructure needs to support them - not just your router.

With support of vlans on AP and switch you might as well just running different L3 networks on the same L2.. And there is no actual isolation of networks.

If you want to do vlans correctly - you need the correct hardware to support them.. It might be possible for your ax6000 to support them with 3rd party firmware like ddwrt or openwrt? Not sure if that hardware is supported by those firmwares?

You can not do vlans with most soho/consumer hardware - you need prosumer stuff, ie small business entry level at a min. A smart switch that can do vlans can be hand for like 35-40$ for 8 port gig.. So its not like you need a huge budget. Currently the cheapest AX AP that I am aware of that can do it would be the new unifi
https://store.ui.com/collections/unifi-network-access-points/products/unifi-ap-6-lite

at $99 but its only 2x2 mimo

TechSnazzy

@johnpoz Oh interesting. Thanks for the info. Sounds like I have some research to do and some other hardware to get first.

TechSnazzy

I think I'm starting to understand what I need to do.

I was just reading the product page on this SG-1100.
Here: https://www.netgate.com/solutions/pfsense/sg-1100.html

It says, "Get up to 500 Mbps of throughput when used as a firewall, and up to 1 Gbps when used as a router."

So basically I think this device would replace my AX6000 as my network router.

Then I can create VLAN's with the SG-1100.

As for the AX6000, I can put change it from router mode to AP mode and use it as a wireless AP.

johnpoz

You can use any wifi router as just an AP.. be it they support a mode or not.

To turn any wifi router, I mean ANY.. all that you have to do is set its lan IP to be on the network your going to connect it to, turn off its dhcp server and connect it to network via one of its lan ports, not the wan.. There you go instant AP..

But that device isn't going to support vlans.. At best a guest mode network.. But that not going to do anything for you.. That is only a way to isolate wifi devices from wired devices when the thing is used as your router.

I would look to see if that device is supported by 3rd party firmware if you want any hope of using it with vlans.

TechSnazzy

Thanks for your help. I appreciate it.

TechSnazzy

Update: To do what I wanted to do just required a 5-port, TP-LINK Easy Smart Switch. I was able to create my VLANs and now my work computer is separate from the rest of my network. So great! And a lot easier than I realized.

Next will be to replace the AX6000 with the SG-1100 as my router.

Once that is done, I'll then change the AX6000 from a "router" to an "AP" and use it for wireless.

johnpoz

That AX6000 supports vlan tags... I find that really really unlikely..

It might support vlans on the internet connection - but if supported 802.1q for ssids or ports I would be dumb founded..

TechSnazzy

@johnpoz Actually, I don't care about VLANs on the AX6000. But the SG-1100 supports the tags.

By the way, tags are the next thing I need to learn more about. Trying to figure out the difference between tagged and untagged now.

johnpoz

yeah if all you want is to put some devices on different vlans switch would work, and AP where all wireless on same vlan would be fine.. Its if you want to put different wireless devices on different vlans when you need an AP that supports vlans.

But if all you want is to isolate ssid from wired, then you wouldn't even need a smart switch. Plug dumb switch into lan on sg1100, and then AP into opt.. on sg1100

TechSnazzy

@johnpoz Exactly what I'm thinking. :)