Balance 20 - Vlan questions

I’ll start with this: my VLAN knowledge is limited; almost all of my networking experience is with unmanaged switch-based networks, etc.

I have a situation where a business is moving to a cloud-based POS system that ships with a managed Meraki router, a managed switch and Ubiquiti APs that are also managed. For PCI compliance (they own the payment stack for their system as well) they basically don’t want any other devices on the network with theirs. If any other device gets added you get notifications, etc. The business has other hardware that they use that will be on a separate network using the current hardware.

Here is what the current idea is, using a Balance 20 that hasn’t been purchased yet.

  • Balance 20 so they can use the two ISP connections they have in WAN failover mode
  • make one VLAN for the POS system
  • make another VLAN for the other office hardware (PCs, security cams, etc.)

Can the VLAN for the Meraki be set up so there is no NAT on the Balance 20 for it, but still retain NAT for the separate VLAN for office PCs, etc.? I set up this same POS system at another business that had syncing issues. The POS vendor basically had no answers; they originally said it was fine to put the Meraki router behind the ISP router and that being double NAT’d wouldn’t affect anything. After continued issues I enabled IP passthrough on the ISP router for the Meraki and the issue seems to have gone away. Ideally I could replicate that with the Balance.

Last question (not Balance related): can I use their existing unmanaged switches with a VLAN configured on the router port?

Thanks in advance.

This page should get you up to speed on VLANs

As to this question, I did not understand it:
Can the VLAN for the meraki be setup so there is no NAT on balance 20 for it? But s

As to the unmanaged switch, Peplink does give you full control over which VLANs can communicate on each LAN port. The Peplink Balance manual is available here.

Management of the ports for the Meraki and the separate VLAN for office PCs will need to be controlled by the Balance 20X so they don’t collide. I.e., if the Meraki uses external port NN, then you don’t want NAT for the office PCs to also map to external port NN. So disabling NAT translation for the Meraki but not the office PCs really isn’t feasible. Maybe you can determine what ports are needed for the Meraki system and see if they can be port forwarded through the Balance 20X in conjunction with setting up a static IP address for the Meraki router (outside of the DHCP range for the VLAN).

Two VLANs will work fine. You will want to set up the Balance 20X ports in “Access” mode, not “Trunk” mode. Access mode means VLAN tagging is only inside the Balance 20X, not in the communications between the Balance 20X and LAN devices. Your unmanaged switches will work fine then.

Mark,

Thanks for the info. I do have a list of ports the service uses via the meraki so I’ll add that to the list of possibilities come setup time.

Re: the VLAN tagging you mentioned. If the Meraki is on its own VLAN and the vendor-supplied switch is also managed, would there be any impact from them being on a VLAN with tagging via the Balance?

I wouldn’t expect the Meraki router WAN port to use tagging. The Meraki might be using tagging on its LAN ports to the switch and Ubiquiti APs, but that is immaterial to the communications between a Balance 20X and the Meraki.

It does bring up one other item to check. Right now I believe that the Meraki is set up to talk with your ISP. Setup for most ISPs is to use DHCP. However, there are a number of other options that sometimes involve tagging. When hooking up to the LAN port of the Balance 20X, you want to make sure that the Meraki is configured to use DHCP. If the Meraki isn’t configured to use DHCP and can’t be (unlikely), then you are going to have to figure out what it needs. That could be setting up a VLAN that matches a fixed IP address that the Meraki wants to communicate to. It could be tagging the VLAN with a specific tag, which would require setting the Balance 20X port to “trunk” mode.
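The advice in Mark's two replies boils down to a handful of consistency rules for the segmentation plan: the Meraki's static address must sit inside its VLAN subnet but outside the DHCP pool, each external port can be forwarded to only one internal host, the two VLAN subnets must not overlap, access ports carry exactly one VLAN, and a device that insists on a tagged uplink needs a trunk port carrying its VLAN. The script below is an added example written for this page (not Peplink's or Cisco Meraki's code, and not a Balance configuration format); it encodes those rules as a validator and runs it over a constructed plan that mirrors the thread (VLAN 10 for the POS kit, VLAN 20 for the office) and over a copy with three mistakes. All addresses are constructed, and the forwarded ports are placeholders because the vendor's real port list is not on the page.

```python
"""Consistency checks for a two-VLAN plan (hypothetical example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Vlan:
    name: str
    vid: int
    subnet: IPv4Network
    dhcp_start: IPv4Address
    dhcp_end: IPv4Address


@dataclass(frozen=True)
class LanPort:
    number: int
    mode: str      # "access" (untagged, one VLAN) or "trunk" (802.1Q tagged)
    vids: tuple    # VLAN ids carried on this port


@dataclass(frozen=True)
class Reservation:
    host: str
    vid: int
    ip: IPv4Address
    wants_tagged_uplink: bool   # True if the device's WAN side expects an 802.1Q tag


@dataclass(frozen=True)
class PortForward:
    proto: str
    external_port: int
    internal_ip: IPv4Address
    internal_port: int


def validate(vlans, ports, reservations, forwards):
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    by_vid = {v.vid: v for v in vlans}

    # VLAN subnets must not overlap, and each DHCP pool must lie inside its subnet.
    for i, a in enumerate(vlans):
        if not (a.dhcp_start in a.subnet and a.dhcp_end in a.subnet and a.dhcp_start <= a.dhcp_end):
            problems.append(f"{a.name}: DHCP range not inside {a.subnet}")
        for b in vlans[i + 1:]:
            if a.subnet.overlaps(b.subnet):
                problems.append(f"{a.name} and {b.name}: overlapping subnets")

    # Access ports carry exactly one VLAN; trunk ports may carry several.
    for p in ports:
        if p.mode == "access" and len(p.vids) != 1:
            problems.append(f"port {p.number}: access mode needs exactly one VLAN")
        for vid in p.vids:
            if vid not in by_vid:
                problems.append(f"port {p.number}: unknown VLAN {vid}")

    # A static reservation must be inside its VLAN subnet but outside the DHCP pool,
    # and a device that expects a tagged uplink needs a trunk port carrying its VLAN.
    static_ips = set()
    for r in reservations:
        v = by_vid.get(r.vid)
        if v is None:
            problems.append(f"{r.host}: unknown VLAN {r.vid}")
            continue
        if r.ip not in v.subnet:
            problems.append(f"{r.host}: {r.ip} not in {v.name} subnet {v.subnet}")
        elif v.dhcp_start <= r.ip <= v.dhcp_end:
            problems.append(f"{r.host}: {r.ip} collides with {v.name} DHCP pool")
        static_ips.add(r.ip)
        if r.wants_tagged_uplink and not any(p.mode == "trunk" and r.vid in p.vids for p in ports):
            problems.append(f"{r.host}: expects a tagged uplink but no trunk port carries VLAN {r.vid}")

    # Each (protocol, external port) pair has one owner, and targets must be static addresses.
    seen = {}
    for f in forwards:
        key = (f.proto, f.external_port)
        if key in seen:
            problems.append(f"{f.proto}/{f.external_port}: forwarded to both {seen[key]} and {f.internal_ip}")
        seen[key] = f.internal_ip
        if f.internal_ip not in static_ips:
            problems.append(f"{f.proto}/{f.external_port}: target {f.internal_ip} is not a static reservation")
    return problems


def plan_from_thread():
    """Constructed plan mirroring the thread: VLAN 10 for the POS kit, VLAN 20 for the office."""
    pos = Vlan("POS", 10, IPv4Network("192.168.10.0/24"), IPv4Address("192.168.10.100"), IPv4Address("192.168.10.200"))
    office = Vlan("Office", 20, IPv4Network("192.168.20.0/24"), IPv4Address("192.168.20.100"), IPv4Address("192.168.20.200"))
    ports = [LanPort(1, "access", (10,)), LanPort(2, "access", (20,))]
    meraki = Reservation("meraki-wan", 10, IPv4Address("192.168.10.10"), wants_tagged_uplink=False)
    # Placeholder external ports; the vendor's real port list is not on the page.
    forwards = [PortForward("tcp", 5000, meraki.ip, 5000), PortForward("udp", 5001, meraki.ip, 5001)]
    return [pos, office], ports, [meraki], forwards


def plan_with_mistakes():
    """Same plan with three mistakes the thread warns about: static IP inside the DHCP pool,
    an office device grabbing the same external port, and a tagged uplink on an access port."""
    vlans, ports, _, _ = plan_from_thread()
    bad_static = Reservation("meraki-wan", 10, IPv4Address("192.168.10.150"), wants_tagged_uplink=True)
    cam = Reservation("office-cam", 20, IPv4Address("192.168.20.10"), wants_tagged_uplink=False)
    forwards = [PortForward("tcp", 5000, bad_static.ip, 5000), PortForward("tcp", 5000, cam.ip, 8000)]
    return vlans, ports, [bad_static, cam], forwards


if __name__ == "__main__":
    for name, plan in (("thread plan", plan_from_thread()), ("flawed plan", plan_with_mistakes())):
        print(name, validate(*plan) or "OK")
```

Running the script reports the thread plan as OK and lists three findings for the flawed copy: the Meraki address colliding with the POS DHCP pool, a tagged uplink with no trunk port, and tcp/5000 claimed by two hosts. The same checks apply to any number of VLANs and forwards, not just the two in the thread, which is why the validator takes lists rather than fixed fields.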