New Home Office Setup with SOHO MK3 - HowTo: Doc added

I am setting up my new home office and part of that was purchasing the new Soho MK3 Router. Since my office is in my home I am sharing the internet connection with the rest of the home. To prevent others in the house from getting into my work computers I want to create four separate “virtual” networks that cannot be seen by each other.

  1. Office Computers/Devices
  2. Home Computers/Devices (Trusted)
  3. Phones/Cameras/TVs/(Non Trusted devices)
  4. Guest (Non Trusted)

I have been reading up on Subnets and virtual networks and I am trying to figure out where to start. Do I

  1. Create 4 Virtual Networks with different subnet masks (see below)

  2. Others?

Also, what do I do with the Untagged LAN line in the Networks Screen below?

Below is what I currently have. I have the Network Screen and the Office Virtual Screen. Is this correct to begin with? The next step will be configuring the ports and the wireless to use these correctly. (FYI, I have just connected the MK3 to a downstream port of my existing ASUS router to get this configured correctly before switching the house over)

Network Setup

Office Setup (Others are the same, just different IP Addresses)

First, what other gear do you have that can support VLAN tagging? You can assign individual ports to a specific VLAN, but the packets coming in should be tagged by a device downstream or they will get dropped.

Do you have any other wireless access points that can tag traffic on a per-SSID basis? That is how I implement my VLANs since I have no managed switches. There is an AP in the SOHO, so you have at least one.

The untagged LAN is the network where any untagged packets go. Basically a VLAN is a virtualized LAN. The hardware does this by putting values in the IP packets as they come into an interface. You can do the tagging on a per-port basis on the Peplink, but then every packet that comes in that port will be assigned to the corresponding VLAN.

Example - you assign LAN port 2 to VLAN1 (Office1). You plug a 16-port switch into LAN port 2. Any device you plug into that switch will be part of the Office1 network. Next, you assign LAN port 3 to VLAN3 for phones. You connect a switch to it and start running cables from all of the phones to it.

If all your devices are wireless, you will be good, assuming that you set up your SSIDs and put them on the correct VLANs. When you start adding wired devices to specific VLANs, it gets a bit trickier. That is where managed switches start to be required.


Right now I have no other routers other than the cheap 4-port ones that you buy at Office Max… I just have standard stuff you have in a home. 2/3 of my equipment is wireless so I could put that on different SSIDs. That would leave my office port off the router. I would want to make just that port go to my office and be independent of the other 3 ports. This port has my 2 office computers, NAS and printer. What is the proper method to “isolate” this port from the other three ports on the MK3?

Why are you using public IPs for your private network address space? You should probably move those subnets back into RFC1918 space. I’d suggest keeping it simple and using a 192.168.x.0/24 subnet per VLAN where the 3rd octet matches your VLAN number. Using your VLANs:

Office (VLAN 1) 192.168.1.0/24
Office (VLAN 2) 192.168.2.0/24
Phones (VLAN 3) 192.168.3.0/24
Guest (VLAN 4) 192.168.4.0/24

If you make the above changes, don’t forget to change your DHCP scope to fall inside the defined scope of each network: personally I prefer a large scope such as 192.168.x.51 to 192.168.x.250. I believe the web interface will prompt you to make this change before you can successfully save the configuration.

If none of your other network gear is VLAN aware, you are going to be limited to cascading a single VLAN off each of the ports on the SOHO and VLANs on your SSIDs. Each port can be a different VLAN, but you won’t be able to trunk more than 1 VLAN on a port since you need to set each port to Access.

To “isolate” your office, navigate to Network > LAN > Port Settings and change the LAN port, to which your office equipment is connected (for example Port 3), to one of your office VLANs (for example VLAN 2). Change the port type to Access. Save and Apply Changes. You will need to reboot your devices for them to pull down a new IP address via your updated DHCP scope.

Next, set up a Guest SSID – if you haven’t already – and change the VLAN to VLAN 4. Save. Back in Network > LAN > Network Settings > Guest, disable (uncheck) Inter-VLAN routing. Save and Apply Changes. Disabling Inter-VLAN routing prevents anyone on your guest network from seeing the other VLANs. If you also want to prevent anyone on your guest network from seeing others on the Guest network, enable Layer 2 Isolation in AP > Wireless SSID > Guest.


Thanks, I will give this a try when I get back home tonight.

Ken


Excellent input from the community, thanks guys!

I would only add that if you want to “isolate” networks (VLANs) from one another so that devices on those networks cannot “see” each other the inter-VLAN routing option (not checked) is all that is needed. Think of it as a “bridge” leading from one island to the next. If the option is not enabled on both networks (VLANs) then the bridge does not connect the islands.

Any VLAN without the inter-VLAN routing option enabled will not have a way to reach any other network (VLAN). I hope that helps a little more. Be sure to follow up with any other questions you may have as you move forward.


@louisbohn good stuff man! Thanks for helping someone understand the network they are creating. You don’t see this kind of thoughtful response on other forums. Kudos


Ok, I tested it out and everything works great so far with just one computer. However, now another question before I go any further because of security concerns.

On the MK3, what type of internet-facing firewall is enabled by default? I have NAT enabled. How do this firewall’s default settings compare to a consumer-grade router like my ASUS RT-AC66U that I am currently using? The reason I am asking is that since this router is a more advanced router, they may allow the default settings to be less “idiot proof” than consumer-grade default settings. I looked at the new manual they just posted, but the default settings are somewhat ambiguous at my skill level.

FYI, I am adding all of this information to a configuration document that I can refer back to in 6 months when I forget everything and I will be posting it here as well.

Ken


IIRC the default configuration of the SOHO does not expose any open ports. All ports/traffic would need to be configured in Advanced > Advanced > Port Forwarding and/or Advanced > Firewall > Access Rules. You can check for open ports using Steve Gibson’s ShieldsUP! web app. Visit grc.com and click Services > ShieldsUP! > Proceed > All Service Ports. Steve’s website has lots of good info regarding network security.

Solicited traffic – that is, requests originating from your network – and responses will pass through the firewall as you would expect. This allows clients on your network to make requests to external servers on the internet (web, email, Xbox, Spotify, Netflix, Philips Hue, etc.) without any further configuration.

Unsolicited traffic – that is, requests originating from external networks – will be dropped at the WAN interface of the SOHO since there are no open ports configured in the default configuration.

You can use the firewall rules to fine-tune the behavior on/between your VLANs and/or the internet. You could – for instance – create a firewall rule to drop/deny all outbound internet traffic on VLAN 3. As a result any device on VLAN 3 would no longer be able to connect to the internet, while devices on VLAN 1, 2 and 4 could connect to the internet normally. Another example – you could create a firewall rule allowing 631/TCP to pass between VLAN 4 (Guest Network) and VLAN 2 (Office). Your guest network would be able to surf the internet and also print to printers on your Office network using IPP. Nothing else on your Office Network would be exposed to VLAN 4.

You could manage / restrict external requests for resources on your network using firewall rules & port forwarding. For instance, you could create two firewall rules to provide access while you are at your main downtown office. The first allows one external IP address – the IP address of your office – to pass through the firewall on ports 25/TCP (SMTP) and 445/TCP (SMB). A second rule would drop requests on those ports from all other IPs. Configure two port forwarding rules, one pointing to your self-hosted email server at 192.168.2.55 and one to your NAS at 192.168.3.60. Now you will be able to send emails using your self-hosted server and browse your NAS while at the office. However if you visited a branch office or hotel, you would not be able to use the email server and NAS on your home network because your firewall rule only allows requests from your main downtown office.

It should be noted the above are examples and may not be best practice. For accessing resources on your network while outside of your network, it’s recommended to setup VPN remote access rather than opening ports on the firewall.
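To make the rule examples above concrete, here is an added illustrative model of how first-match firewall rules combine with the per-VLAN inter-VLAN routing checkbox; it is not the SOHO MK3's actual rule engine, and the downtown-office IP, rule layout and default behaviours are assumptions based only on this thread.

```python
# Illustrative model (not Peplink code). Assumptions: rules are checked in
# order, first match wins; anything unmatched falls back to the thread's
# defaults: LAN-originated outbound allowed, unsolicited WAN traffic dropped,
# inter-VLAN traffic allowed only when BOTH VLANs have inter-VLAN routing on.
# Inbound rules use the destination after port forwarding has been applied.
from ipaddress import ip_address, ip_network

WAN = "wan"
# Constructed topology: VLAN id -> (subnet, inter-VLAN routing enabled)
VLANS = {
    1: (ip_network("192.168.1.0/24"), True),
    2: (ip_network("192.168.2.0/24"), True),
    3: (ip_network("192.168.3.0/24"), True),
    4: (ip_network("192.168.4.0/24"), False),   # Guest: routing unchecked
}
OFFICE_IP = ip_network("203.0.113.10/32")       # placeholder downtown-office IP

def zone(ip):
    """VLAN id whose subnet contains ip, or WAN for any other address."""
    for vid, (net, _) in VLANS.items():
        if ip_address(ip) in net:
            return vid
    return WAN

# Constructed rules: (action, src_zone, src_net, dst_zone, proto, port); None = any
RULES = [
    ("allow", WAN, OFFICE_IP, None, "tcp", 25),   # SMTP only from main office
    ("allow", WAN, OFFICE_IP, None, "tcp", 445),  # SMB only from main office
    ("deny",  WAN, None, None, "tcp", 25),        # everyone else on 25: drop
    ("deny",  WAN, None, None, "tcp", 445),       # everyone else on 445: drop
    ("deny",  3, None, WAN, None, None),          # VLAN 3 gets no internet
    ("allow", 4, None, 2, "tcp", 631),            # Guest may print via IPP
]

def _matches(rule, s, src, d, proto, port):
    _, rs, rnet, rd, rproto, rport = rule
    return ((rs is None or rs == s) and (rnet is None or ip_address(src) in rnet)
            and (rd is None or rd == d) and (rproto is None or rproto == proto)
            and (rport is None or rport == port))

def decide(src, dst, proto, port):
    """Return 'allow' or 'deny' for one flow described by its endpoints."""
    s, d = zone(src), zone(dst)
    for rule in RULES:
        if _matches(rule, s, src, d, proto, port):
            return rule[0]
    if s == WAN:                      # unsolicited inbound, no open ports
        return "deny"
    if d == WAN or s == d:            # outbound, or same VLAN
        return "allow"
    return "allow" if VLANS[s][1] and VLANS[d][1] else "deny"
```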


Thank you for the detailed and quick response. This helps with my knowledge gap. I will check out the app above and then start adding computers to this setup. An act that will provoke lots of questions from my family on why they cannot connect to the wireless or the printer in the coming days as I fix these issues. I will also add this information to my HowTo: document.

Ken


Thanks for the grc.com website. Looks like the MK3’s default is to enable “reply to ICMP Ping”, so people could see my computer, since this is connected to a cable modem. I have now disabled this.


Okay, I was able to get my system up and running and most of the key components are done. I thought I would write up my notes tonight before I forget them and I am uploading them here if anyone else wants to see what I did to configure my MK3 to work in my home office and home. If you see mistakes that need fixing, let me know.

I just found out I can’t upload this. Here is a link. Enjoy…


I read through your document and had one comment. When you disabled inter-VLAN routing, you basically said that no traffic can go from 192.168.1.0/24 to 192.168.2.0/24. Likewise, you can’t get from 192.168.1.0/24 to 192.168.3.0/24 (or 192.168.4.0/24). Basically, none of the different LANs can see or communicate with each other. It is like having 4 separate physical routers and no cables connecting them. So, when you are on your office VLAN (vlan1), you can only see the router IP for that LAN (192.168.1.1). Likewise, if you are on VLAN2, you would only be able to get to the router config through 192.168.2.1.

You can specify which VLANs are “allowed” to manage the router. I would suggest locking it down to just vlan1 since all of those devices must be plugged in.

Hope this helps


Thanks, yes it does. I think I found where I need to change this access and will update the docs tonight when I get home. Hopefully other SOHO newbies will find this doc useful. I found a $40-$50 5-port Netgear managed switch and I am going to buy one. I’m so far into this project I will just go all of the way.

Ken


Ok, my Netgear switch came late tonight. I’ve tried to configure it and failed in various ways. Here is what I want to do.

Port 3 of MK3 → Port 5 of SmartSwitch ----> Port 4 --> XBOX VLAN 3
                                       ----> Port 3 --> Misc VLAN 3
                                       ----> Port 2 --> HTPC VLAN 1
                                       ----> Port 1 --> Misc VLAN 1

So for the MK3 portion of the setup, what should I set the Port Settings → Port Type and Port Settings → VLAN to?

Then on the ProsafePlus Switch, should I make Port 5 be any and then set ports 1-4 to the above settings?

In one of the attempts tonight I got a warning from the NetGear SmartSwitch SW that said the Subnet between the upstream and down stream ports was different.

My network settings are below.

Since you will have multiple VLANs coming in to the SOHO router on LAN interface 3 (L3), that port would be a trunk that includes all the potential VLANs that need access to the internet – make it a trunk and include VLAN1 and VLAN3.

I don’t know about that SmartSwitch, but I would think that it should not be set to tag traffic since all inbound traffic would be tagged by the incoming port. I would make port 5 a trunk with all VLANs (including untagged). It may be called an Access port instead of “all inclusive trunk”.

Hope this helps. I never had much luck with VLANs for wired devices, but I have always had a router and not a switch. It only knew how to route to the WAN interface and only had one LAN gateway. It was a simplistic approach that really only worked if it was managing the internet connection. I am curious how it works out for you.

Keep me posted!


Ahh, I see my issue now. I didn’t see the “Custom” under the network ports. I can now see how I can send more than one VLAN down the port. Will test it out when I get home tonight. Thanks!


You can trim the VLANs on your trunk, or you can leave trunk set to ANY. ANY allows the SOHO to traverse all 802.1Q VLAN traffic across your trunk. This is typically a good thing.

Using your example above, if you change port 1 on the NetGear switch to VLAN 2 and connect a computer to it, that computer will not have any internet access. That computer would not be able to connect to the router to pull down a DHCP allocated IP address or the DNS configuration. The trunk linking the NetGear switch and SOHO has been pruned to just VLANs 1 and 3. You would need to add VLAN 2 to both sides of the trunk (that is, in both the SOHO and the NetGear web interface) to have VLAN 2 traverse the trunk.

Alternatively, if you leave SOHO set to TRUNK and ANY, you would only need to add VLAN 2 to the NetGear side of the trunk.

I skimmed the user manual for NetGear ProSAFE Gigabit Web Managed (Plus) Switches, and I recommend using the 802.1Q-Based VLANs in Advanced Configuration. The Port-Based VLAN setup limits you to VLANs 1-5 (the maximum is the number of ports on the switch). The 802.1Q Basic Configuration does not provide for defining Access (untagged) or Trunk (tagged) ports.

You should set port 5 (your trunk link to the SOHO) to carry, at a minimum, VLANs 1 and 3. Next configure ports 3 and 4 to carry VLAN 3; ports 1 and 2 to carry VLAN 1.

Next you will need to configure tagging using VLAN Membership. For VLAN 1, set ports 1 and 2 to untagged and port 5 to tagged. For VLAN 3, set ports 3 and 4 to untagged and port 5 to tagged. If you add additional VLANs to the trunk on the SOHO side (or set to ANY), you will need to add those VLANs as tagged on port 5. Ports that connect to computers, Xbox, etc. will almost always be access ports and have a single untagged VLAN. Trunks will always be tagged with one, more or all VLANs.

Your last step will be to set the PVID for your access ports. The PVID adds an 802.1Q VLAN tag to ethernet frames entering the port; this will almost always be the same VLAN as the untagged VLAN on the port. Trunk ports don’t need a PVID. Set the PVID to 1 for ports 1 & 2. For ports 3 & 4, set the PVID to 3. You shouldn’t need to set a PVID for port 5, since it’s your trunk. However I’m not familiar with NetGear switches, so it might complain. If it does, set PVID to 1.
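Here is an added simulation of the membership/PVID table described above (ports 1-4 as access ports, port 5 as the tagged trunk to SOHO port 3), written for this thread rather than taken from NetGear or Peplink; the port table and the helper functions are assumed, and it also walks through the pruned-trunk failure case from a few posts up where a VLAN 2 access port has no path to the router.

```python
# Illustrative 802.1Q switch model (not vendor code). Constructed config:
# members: VLAN -> "tagged" | "untagged"; pvid: VLAN given to untagged ingress.
PORTS = {
    1: {"pvid": 1, "members": {1: "untagged"}},              # Misc, VLAN 1
    2: {"pvid": 1, "members": {1: "untagged"}},              # HTPC, VLAN 1
    3: {"pvid": 3, "members": {3: "untagged"}},              # Misc, VLAN 3
    4: {"pvid": 3, "members": {3: "untagged"}},              # Xbox, VLAN 3
    5: {"pvid": 1, "members": {1: "tagged", 3: "tagged"}},   # trunk to SOHO port 3
}

def ingress(port, vlan_tag=None):
    """Classify a frame arriving on `port`.
    An untagged frame (vlan_tag=None) is placed in the port's PVID.
    A tagged frame is accepted only if the port is a member of that VLAN.
    Returns the VLAN id, or None if the frame is dropped."""
    cfg = PORTS[port]
    if vlan_tag is None:
        return cfg["pvid"]
    return vlan_tag if vlan_tag in cfg["members"] else None

def egress_ports(vlan, in_port):
    """Ports (other than in_port) that carry `vlan`, with how the frame leaves:
    'tagged' keeps the 802.1Q header (trunk), 'untagged' strips it so the
    end device on an access port never sees a VLAN tag."""
    return {p: cfg["members"][vlan] for p, cfg in PORTS.items()
            if p != in_port and vlan in cfg["members"]}

def forward(in_port, vlan_tag=None):
    """(vlan, {egress_port: 'tagged'|'untagged'}) for one frame; a frame that
    is classified but has no egress port is effectively black-holed."""
    vlan = ingress(in_port, vlan_tag)
    return (vlan, egress_ports(vlan, in_port)) if vlan is not None else (None, {})

def set_access_port(port, vlan):
    """Reconfigure `port` as an access port: single untagged VLAN plus PVID."""
    PORTS[port] = {"pvid": vlan, "members": {vlan: "untagged"}}

def add_to_trunk(port, vlan):
    """Add `vlan` as tagged on a trunk port (must be done on the SOHO side too)."""
    PORTS[port]["members"][vlan] = "tagged"
```

forward(5, 2) returns (None, {}) because VLAN 2 is pruned from the trunk, and after set_access_port(1, 2) a frame from port 1 lands in VLAN 2 with no egress until add_to_trunk(5, 2) is applied.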


Wow! Now I am starting to understand why we have a large staff of people at my main job to take care of all of this. There are a lot of details here to address and solve. Plus planning and note taking here is very important. This is starting to make sense once you understand all of the pieces and have a couple good examples to go through.

Thanks for taking the time to help me out here.

Ken
