Need some hand-holding to create separate LAN

I have a Peplink Balance 20 with (currently) one WAN connection and one big happy LAN. I need to create a separate LAN to host a network for my neighbor (long story), and I want to keep that LAN completely separated from my LAN. I’d be grateful for some step-by-step help in getting this setup. I’m assuming that VLANs are what I need to set up, but I’ve not done this before, so I’m unsure of what needs to be done. (I.e., do I need to do something to my current unnamed/untagged LAN before I create a named/tagged VLAN)?

Here’s a basic network diagram of what I have:

  [current LAN switch] -------- LAN Port 0 [Balance 20] WAN 0 -------- [cable modem] --- ( ISP )
    |
  (( my LAN clients ))

And here’s the change I want to make:

                         (( my neighbor's LAN clients ))
                                  |
                                LAN Port 1
  [current LAN switch] -------- LAN Port 0 [Balance 20] WAN 0 -------- [cable modem] --- ( ISP )
    |
  (( my LAN clients ))

Is it as simple as turning off Inter-VLAN routing on my existing LAN, and creating a second (tagged) VLAN that also has Inter-VLAN routing turned off?

When a new device appears on my network, and asks for a DHCP-assigned address, what determines which VLAN’s DHCP server will respond?

Thanks!

Is it as simple as turning off Inter-VLAN routing on my existing LAN, and creating a second (tagged) VLAN that also has Inter-VLAN routing turned off?

Yes, this is basically step 1; just make sure you assign a new IP address and DHCP range for the 2nd VLAN. Example: 192.168.2.1

When a new device appears on my network, and asks for a DHCP-assigned address, what determines which VLAN’s DHCP server will respond?

You either need to set an Ethernet port up as an access port for that new VLAN, and all devices connecting via this port will be in the new VLAN - or - you can create a new SSID that is tagged with this new VLAN and all clients on this SSID will be in the new VLAN.

You need to create your first VLAN and disable inter-VLAN routing for both your network (untagged LAN) and the new VLAN. I have step-by-step instructions for the Surf SOHO, but it's a good starting point for the Balance 20x too.

What is not clear to me is that your diagram omits Wi-Fi. Are you neighbors connecting to you via Ethernet or WiFi or both?

Wow. Excellent write-up, @Michael234! Thank you!

Re: neighbor-net use of WiFi – that’s TBD. Neighbor hasn’t provided the hardware yet, so I don’t know for sure whether it will be hardwired ethernet or WiFi or a mix of both. Does it matter? Based on the helpful reply from @Travis, it seems if I tag the new LAN, I can create a corresponding SSID with that tag, and that will serve the purpose. Is that correct to the best of your knowledge?

So, @Michael234, I’m glad you asked about WiFi. Turns out, I will need to set up a separate WiFi SSID. Here’s a better drawing of my current network config:

                 +-------+
                 | Cable |
          +------+ Modem +-----> (ISP)
          |      +-------+
          |
+---------+--+
|  Peplink   |
| Balance 20 |
+---------+--+
          |      +----------------+
          +------+ Gigabit Switch |      +-----------+
                 +-+-+-+--------+-+      | Ubiquiti  |
                   | | |        |        |  UniFi    |
                   | | |        +--------+ AP AC PRO |
             +---+ | | | +---+           +-----------+
   My LAN    | X +-+ | +-+ Z |             XXXXXXX  SSID=MyNet
   Devices   +---+   |   +---+              ^  ^
                   +-+-+            +---+   |  |  +---+
                   | Y |            | A +---+  +--+ B |
                   +---+            +---+         +---+

And here’s what I expect I need to do – create a new SSID named “NeighborNet” and set it to use VLAN 2, as defined on the Balance 20. This should work, shouldn’t it?

                 +-------+
                 | Cable |
          +------+ Modem +-----> (ISP)
          |      +-------+
          |
+---------+--+                                     +---+
|  Peplink   |                              +------+ P | Neighbor's
| Balance 20 |                              |      +---+ WiFi Device
+---------+--+                              V
          |      +----------------+        XXXXXXX  SSID=NeighborNet
          +------+ Gigabit Switch |      +-----------+   [VLAN=2]
                 +-+-+-+--------+-+      | Ubiquiti  |
                   | | |        |        |  UniFi    |
                   | | |        +--------+ AP AC PRO |
             +---+ | | | +---+           +-----------+
   My LAN    | X +-+ | +-+ Z |             XXXXXXX  SSID=MyNet
   Devices   +---+   |   +---+              ^  ^
                   +-+-+            +---+   |  |  +---+
                   | Y |            | A +---+  +--+ B |
                   +---+            +---+         +---+

I expect that I would not follow your recommendation to lock ports on the Balance 20 to different VLANs in this case, since all VLANs will mingle on the same physical connection from the WiFi access point, through the switch, and to the router. Otherwise, I think I can follow your instructions exactly, right?

I would not use the term “tag a new LAN”. You are creating a new VLAN. That VLANs add tags to each packet is really beside the point for your purposes. You can assign an SSID to a VLAN, yes, it's pretty simple. VLANs get a name and a number and a new subnet. Peplink does not document the rules for VLAN numbers, but start with 2 and go up by 1.
And to be clear, you have a Balance 20, not a 20x?
Why are you only using one LAN port on your Balance router?

As to your main question, the answer is no, I do not think this will do what you want. First off, part of the question is for Ubiquiti, not Peplink. And, you don’t say who made the switch or what type of switch (smart or dumb).

If I were you I would get a 2nd Wifi thingy, plug that directly into the Balance into a LAN port that is an isolated VLAN. Simple is always better. Much better.

2 Likes

Gotcha – thank you for the correction.

Correct - mine is a Balance 20, not a 20x. Most of my network is plugged into the switch because I have more than just the one UniFi AP, and they all need PoE, and once I had a few things wired to the switch, it was just easier to wire everything that way. I also thought that part of the point of having a switch was to help isolate traffic – my understanding is that switches build a map of MAC addresses to ports, and when an incoming packet is addressed to a known MAC, the packet is only re-transmitted on the corresponding port. Is this untrue? Have I made a mistake by doing this?

True. The Ubiquiti APs can do VLAN tagging for any given SSID (and they can support a substantial number of SSIDs simultaneously on the same APs). What more do we need to be concerned about?

Can you help me understand why the topology I’ve described would not work? This is (obviously!) not an area I have much experience with, so I’d be grateful for enough details to help me understand why I’m wrong. Only way I’ll learn!

The switch is a TP-Link 24 Port gigabit PoE+ “Smart Managed” switch, specifically the T1600-28PS (T1600G-28PS | JetStream 24-Port Gigabit Smart PoE+ Switch with 4 SFP Slots | TP-Link). I have honestly never accessed the switch’s configuration interface since it was installed. Mainly have the switch because of the PoE budget and rack-mountable chassis; until now, I had no compelling reason to farkle with the settings…

That’s certainly true – and undoubtedly that would work. However, I’m trying to minimize cost, and I also need the range of my existing WiFi network which covers the area where the guest equipment will be operating, and that’s on the opposite side of the home from where my network equipment (Balance 20) is located. So, to make that solution work at all, I’d need the cheap WiFi AP, and a long (~80 ft) home-run of CAT5e through my attic, which is not something I’m really excited about tackling… :wink: Also, is there risk of increased interference when multiple WiFi APs are located in close proximity, and would that impede performance of both nets?

Most of my network is plugged into the switch because I have more than just the one UniFi AP, and they all need PoE,

Understood

and once I had a few things wired to the switch, it was just easier to wire everything that way.

The flip side of this is that the LAN port on the Balance 20 is now a single point of failure. Off-topic however.

I also thought that part of the point of having a switch was to help isolate traffic – my understanding is that switches build a map of MAC addresses to ports, and when an incoming packet is addressed to a known MAC, the packet is only re-transmitted on the corresponding port. Is this untrue? Have I made a mistake by doing this?

This is my understanding as well. However, unless you are copying huge files between one LAN device and another LAN device, it's not an important issue.

The Ubiquiti APs can do VLAN tagging for any given SSID … What more do we need to be concerned about?

You need to separate your traffic from your neighbor's traffic in the AP, in the switch and in the router. Doing it in the switch is possible, because it's a smart switch, but error prone. Doing it in the router is probably not possible as you are sharing a single LAN port. I say probably because I am not sure. Since it is a smart switch, maybe it can send your neighbor's traffic out one and only one port and you can connect that port to a different LAN port in the Balance 20. But, again, I am over my head here.

The switch is a TP-Link 24 Port gigabit PoE+ “Smart Managed” switch, specifically the T1600-28PS. I have honestly never accessed the switch’s configuration interface since it was installed.

Then it's now acting as a dumb switch. To do what you want you will need to learn the “smart” aspects of the switch.

How does your WiFi get from one end of your home to the other now? Are the UniFi APs forming a mesh?

If you had a dedicated WiFi AP for the neighbors it could use different channels from the ones you use in your home, so no interference at all.

Off topic, but great point. I’ll consider that going forward.

Ah. This helps to crystallize things for me. Maybe not completely clear yet, but much more so. I wonder if I might do this:

  1. Create VLAN “2” on Balance 20, named NeighborNet (or such). Use a different IP subnet for that new VLAN, and run DHCP server on Balance 20 for the VLAN (alongside the DHCP server that’s already running for the primary untagged LAN already in use).
  2. Tie VLAN “2” to port LAN Port 2 on my Balance 20. (Primary untagged VLAN is still on Port 1)
  3. Connect LAN Port 2 to the switch (so two connections from Balance 20 to the switch)
  4. Create 2nd WiFi net on Ubiquiti APs, and tie it to VLAN 2.

By itself, this doesn’t fully isolate the nets – obviously, anything plugged into an ethernet port will be on the primary LAN, and anything hardwired can see traffic from both VLANs if it's promiscuous. Some changes to the switch settings could prevent VLAN 2 from going anywhere but WiFi – and maybe that’s enough for my purposes… Do you think that would work?

The long story I alluded to in my original post is that neighbor’s home is under construction and isn’t occupied. The equipment that he’s asked me to host is a set of security cameras, which would be mounted close enough to my property that they are in range of my WiFi. Neighbor is not asking me to host a router or extend my WiFi to cover his property. But likely, he’ll add his cell phone and tablet to my WiFi for when he’s onsite.

This is at my technical limits. The hard part I suspect will be configuring the switch. It has to know that VLAN 2 is coming from the Ubiquiti AP. Then, it also has to send the VLAN 2 data packets and only these packets out the Ethernet port that is connected to the Balance LAN port 2. And the Balance router has to be told whether to expect VLAN tags on data packets or not. If you get this last part wrong, just change it.

Have fun with TP-Link.

One more thing. You need to limit the broadcast domain within the switch, so that packets on VLAN 2 do not get broadcast to any of the other ports, only to the VLAN 2 port, i.e., the ports for the B20 port 2 and the Ubiquiti. And vice versa - packets on your untagged VLAN (VLAN 1 on the switch) should not be broadcast to the VLAN 2 ports.

Check page 177 and onwards of your switch user manual:

Assume that your B20 port 2 and the Ubiquiti devices are connected to ports 3 and 4 on the switch. For those two ports (only) on the switch, set
PVID = 2
Ingress checking = true (the default)

That will refuse packets from other VLANs on these ports, and broadcast packets tagged as VLAN 2 only to these two ports. Additionally, packets on VLAN 1 (i.e., corresponding to being untagged in the default set-up) will not be broadcast on switch ports 2 and 3.

You have effectively isolated your neighbor’s traffic from your own.

Good luck.

S

1 Like
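A small model of the port rules in the reply above (PVID 2 plus ingress checking on switch ports 3 and 4), written as an added example for this thread rather than anything from Peplink, TP-Link or the posters; the switch port numbers, port labels and MAC addresses are assumed. It shows which ports a VLAN 2 broadcast (such as a DHCP Discover from NeighborNet) can reach, which ports an untagged MyNet broadcast can reach, and that a frame tagged for the wrong VLAN is refused at ingress, which also answers the earlier question of which VLAN's DHCP server can hear a new client.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Port:
    name: str
    pvid: int                      # VLAN assigned to frames that arrive untagged
    members: Set[int]              # VLANs this port is allowed to carry
    ingress_check: bool = True     # refuse frames whose VLAN is not in members

@dataclass
class Frame:
    src_port: int
    vlan: Optional[int] = None     # None = arrived untagged on the wire
    src_mac: Optional[str] = None
    dst_mac: str = "ff:ff:ff:ff:ff:ff"   # broadcast, e.g. a DHCP Discover

class Switch:
    """Port-based VLAN forwarding: classify on ingress, learn and flood per VLAN."""
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports
        self.mac_table: Dict[tuple, int] = {}   # (vlan, mac) -> port, learned

    def classify(self, frame: Frame) -> Optional[int]:
        port = self.ports[frame.src_port]
        vlan = frame.vlan if frame.vlan is not None else port.pvid
        if port.ingress_check and vlan not in port.members:
            return None                          # dropped by ingress checking
        return vlan

    def forward(self, frame: Frame) -> List[int]:
        """Return the egress ports for this frame (empty list = dropped)."""
        vlan = self.classify(frame)
        if vlan is None:
            return []
        if frame.src_mac:
            self.mac_table[(vlan, frame.src_mac)] = frame.src_port
        learned = self.mac_table.get((vlan, frame.dst_mac))
        if learned is not None:
            return [] if learned == frame.src_port else [learned]
        # Unknown unicast or broadcast: flood, but only to members of this VLAN.
        return sorted(p for p, cfg in self.ports.items()
                      if p != frame.src_port and vlan in cfg.members)

def build_switch() -> Switch:
    """Constructed layout: first 8 ports of the switch, per the reply above."""
    ports = {n: Port(f"MyLAN port {n}", pvid=1, members={1}) for n in range(1, 9)}
    ports[1] = Port("uplink to B20 LAN port 1 (untagged)", pvid=1, members={1})
    ports[3] = Port("uplink to B20 LAN port 2", pvid=2, members={2})   # PVID = 2
    ports[4] = Port("UniFi AP (NeighborNet)", pvid=2, members={2})       # PVID = 2
    return Switch(ports)
```

The model puts ports 3 and 4 in VLAN 2 only, exactly as the reply states; an AP port that must also carry MyNet over the same cable would need membership in both VLANs (VLAN 2 tagged, VLAN 1 untagged), which is the part left to the switch manual.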

Thanks @zegor_mjol and @Michael234 for all the helpful advice! I will post a follow-up here when I get the equipment set up, to confirm this all works. Really appreciate it!

I don’t know who to give credit to for the [Solution], but I suppose @Michael234 offered the most guidance in getting to this place, so I’ll credit him accordingly.