Help with Subnets and Network Layout

Before I go messing around too much with my Peplink, I’d like to get some input on what I’m proposing to do since this is new territory for me.

Problems

  1. I’m running out of IP addresses. I mostly use DHCP Reservation on my network for my Macs, Printers, iPads, VoIP phones, network scanners, IP Cams. I also have several WAPs that provide a private network and a guest network. I’m hovering around 200 devices now and expect that in the next year I will go above 255. So, my single subnet is going to run out of addresses.
  2. With the growing number of devices, I’d like to make sure I’m doing what I can to optimize network performance.

Hardware

  1. Peplink 305
  2. A Netgear 48 port switch - GS748T
  3. A Netgear 24 port POE switch - FS728TP
  4. 2 TP link 8 port POE switches that I also have just sitting around

My strategy

  1. I’m planning to put all my computers, printers, scanners, and NAS onto the 48 port switch and have them on 1 subnet.
  2. My VOIP phones are all POE and I’d plan to put them onto the POE. The phones do not need to communicate at all with anything else on the network and their traffic should be given high priority.
  3. The IPCams and WAP’s that I use for the guest wifi network are all POE, but I’d like to plug them into a separate POE switch that is not on UPS power backup. The 2 switches above and the Peplink are on UPS. I would like to deny the guest wifi users access to any other part of the network. I also want to do everything I can to prevent a guest bandwidth hog from affecting my phones and network in general.

     The IPCams, however, are controlled by the NAS on switch 1 which also acts as an NVR. Notably, the NAS does have 2 ethernet ports and it may be possible to connect 1 port to switch 1 and the other port to switch 3 instead of requiring the video traffic to be routed across the switches.
  4. Next, I have 5 Peplink WAPs for my private network that need to be kept as low latency as possible, support numerous high bandwidth iPads at a time, and be connected to backup power. I figure they could be on the other TP link switch.
  5. Finally, I have about 15 Sonos speakers. They are just plain taking up a lot of IP addresses. Not sure where to connect them. The computers and iPads need to be able to connect to them to change music.

Setting up multiple subnets will give me the IP address space that I need, but am I otherwise making this more complicated than need be? Will segmenting things among the switches and subnets lead to any significant performance gains?

I’m very open to suggestions here.

Separate VLANs for separate functions will keep you sane, give you the address spaces you need and allow you to segregate traffic and apply firewall rules between devices / subnets. So all good.

You’ll unlikely see performance gains unless you have multiple WANs that you can manage.

We’ll frequently allocate a dedicated WAN for important traffic and keep the rest of the traffic going out on secondary WANs. That way if there is a guest wifi user hammering the internet they are locked to a specific WAN and do not affect important traffic on the other WANs.

Your NAS subnet configuration can either be done by plugging both ethernet connections into both VLANs or you could use a single ethernet connection (my preference) and firewall rules to block all communication between the subnet the NAS is on and the one the IP CAMs are on apart from traffic to and from the NAS on the required ports (http for ONVIF and RTSP ports most likely).

1 Like

Sounds like you are considering using all your switches. You may want to consider having a spare switch to serve as a cold standby. Anything can break. If nothing else, it can be helpful for debugging.

As for keeping guest users isolated, that entails putting them in their own VLAN that does not allow communication with other VLANs and turning on Layer 2 isolation. For more, see Using VLANs for Network Isolation - RouterSecurity.org

1 Like

Ok, so I’m trying to set this up. Starting slow.

I have two Pepwave minis that provide guest wifi. I’d like to have them be their own VLAN. They are controlled by my Peplink 305.

On the 305 I created a new LAN called Guest with VLAN ID of 10. Gave it an IP address of 192.168.13.1 / 255.255.255.0

Enabled DHCP server with range of 192.168.2 - 255

Went to AP and SSID settings for my guest network, gave it VLAN of 10.

Not working.

I can associate with the guest wifi, but cannot get an IP address. What am I missing?

We had a similar challenge. Went with a 255.255.254.0 / 23 subnet which gives you 500 addresses instead of 250. Problem solved. Did not need to create a vlan or any other managed switch programming.

We do have a guest SSID but in the Peplink AP setup you can block LAN access using the guest protect feature. The guest devices still get a LAN IP on the same subnet as everyone else, but they can’t talk to any of the LAN devices. You can also block PepVPN access on the guest SSID.

2 Likes
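As an added example (not from any of the posts above), the script below uses Python's standard `ipaddress` module to sanity-check a VLAN's DHCP pool against the interface subnet that is supposed to serve it, and to compare the /24 and /23 sizing discussed in the thread. The interface 192.168.13.1/24 comes from the thread; the pool endpoints are constructed test values, including one pool that spills onto the broadcast address and one typed into the wrong third octet.

```python
import ipaddress


def usable_hosts(cidr):
    """Assignable host addresses in an IPv4 network (network and broadcast excluded)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses - 2


def supernet_for(interface_cidr, new_prefix):
    """The larger block that would contain an existing interface subnet if it were widened.
    Useful to see which second /24 a /23 would pull in next to the current one."""
    return ipaddress.ip_interface(interface_cidr).network.supernet(new_prefix=new_prefix)


def check_dhcp_pool(interface_cidr, pool_start, pool_end):
    """Return a list of problems with a DHCP pool relative to the VLAN interface it serves.
    An empty list means a client on that VLAN can be handed an address that is actually
    routable through the gateway; any entry explains why leases would fail or collide."""
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []
    if start > end:
        problems.append("pool start is after pool end")
    # Both ends must fall inside the subnet the VLAN interface announces as gateway.
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside interface subnet {net}")
    # The gateway itself must never be leased out.
    if start <= iface.ip <= end:
        problems.append(f"pool includes the gateway address {iface.ip}")
    # .0 and .255 of a /24 are not host addresses.
    if start == net.network_address:
        problems.append(f"pool starts on the network address {start}")
    if end == net.broadcast_address:
        problems.append(f"pool ends on the broadcast address {end}")
    return problems


if __name__ == "__main__":
    print(usable_hosts("192.168.13.0/24"), usable_hosts("192.168.12.0/23"))
    print(supernet_for("192.168.13.1/24", 23))
    # Constructed pools: one correct, one reaching .255, one in the wrong /24.
    for pool in (("192.168.13.2", "192.168.13.254"),
                 ("192.168.13.2", "192.168.13.255"),
                 ("192.168.2.2", "192.168.2.255")):
        print(pool, check_dhcp_pool("192.168.13.1/24", *pool) or "ok")
```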