Tivo and Tivo mini on separate LAN on SOHO Surf

Hi, I have set up a few routers and digital DVRs but am trying to get more secure and set up multiple LANs on the SOHO Surf. I have set up my SURF with several VLANs. My intention is to keep the home computers using ethernet separated from our DVR system and the TV network. I also set up 2 wireless LANs for home and guest use, keeping things isolated on different VLANs but keeping devices that need to communicate on the same VLAN.

I can’t get the Tivo and Tivo Mini both to be assigned IP addresses. I’m not really sure how to get each LAN to properly assign the devices as I wish. So I only enabled the Tivo LAN’s DHCP server and turned the others off, figuring the Tivos would get assigned IPs on the proper LAN. Only one will get an IP assignment for some reason. The last one to be connected shows up in the Client List, but the previous one disappears for some reason - even though they are both still connected. I tried switching the port for the Tivo plugged directly into the SURF from Trunk to Access and back again with no luck.

The other Tivo (Mini) is connected to the Surf via an 8 port switch via a port set to Untagged and Trunk. Should I change the SURF port going to the switch to see all my wired networks? I had it set to Untagged (House) + TV. If so, Trunk or Access - and most importantly, if I link the switch port on the Surf to all my wired LANs, is that bad security - defeating the reason for separating all the LANs in the first place? Can anyone shed any light? Thanks!!!

P

  • Make separate VLANs for everything you want isolated.

  • Turn on DHCP for each VLAN (it’s on by default). If a client needs a fixed address then go to the “client list” and click the luggage tag on the right to give it a fixed IP. Always keep a window with the client list open so you can keep an eye on things. The SURF allows 2 windows open.

  • A port’s default setting is “trunk” which allows all traffic / any VLAN to broadcast to it. To isolate the ports set them to “access” - this allows only 1 VLAN to use it - and then assign the VLAN. Turn “inter-VLAN routing” off if you want it isolated (it’s on by default).

  • Keep all the home computers on the “untagged LAN”. Turn “inter-VLAN routing” off if you want it isolated.

  • If wireless devices don’t need to communicate with any other devices on the home network then you can assign them separate VLANs too. Set layer 2 isolation (under SSID advanced settings / blue ? mark) if you want wireless clients isolated from each other.

  • Switch all wireless clients to 5GHz 802.11ac exclusively if possible.

  • Stick the TIVOs on a wired connection (if you can) to free up the radios.

  • Make a configuration save so you can reload it just in case you run into problems during configuration/testing.

  • The SURF is nice because you can make most of these changes without disconnecting or otherwise disturbing network clients. Changing WiFi settings will interrupt WiFi clients so try to keep that to a minimum.

  • This is literally how I set up my home network with the SURF.

2 Likes

Thanks so much, Happy!

It’s a little strange. The Tivos see each other via the switch. The Roamio is plugged directly into the Surf and the Mini is plugged into a switch that goes to another port in the Surf. I can only get DHCP assignments from the untagged LAN. They will not get an assignment from the Tivo VLAN for some odd reason.

To try and force them onto the VLAN (one of the main reasons I am going through all this is to isolate all the IoT stuff from our computer systems, per Michael H), I set both Tivos with fixed IPs on the Tivo VLAN subnet and listed that VLAN’s server IP as the gateway in the Tivo network menus. I then entered the MAC addresses into the Surf’s Tivo VLAN and gave them the fixed IPs. Still, they don’t show as connected to the network in the Client List. I am going to try and force them by plugging them into a port set to ACCESS and the Tivo VLAN and get the IPs handed down from the Surf and then reserve them. I don’t know what else to try after that.

If I am successful, I was surprised to see settings for DNS in the Tivo itself. What are these settings supposed to be? Do they go to regular DNS or should they have some setting that is Tivo server specific? If you know…

Another question, if that’s OK? You kinda answered above but I’m not 100% sure. When you set a port to Trunk and share it with the untagged LAN and a VLAN, does that defeat the isolation or do the tags keep them from seeing each other? Assuming you have inter-VLAN set to off.

Thanks again for your reply. Very much appreciated!!

P

1 Like

If the “untagged LAN” port is set to “trunk” then it can see all traffic = it’s not isolated from the other VLANs. The easiest way to isolate it would be to deselect “inter-VLAN routing” under Network>Network Settings>untagged LAN.

If you want the TIVOs isolated on their own VLAN then assign that VLAN to them under the SSID settings if it’s wireless, or under “Network Settings” if it’s plugged in by network cable. For now keep all the ports set to “trunk” and “untagged LAN” except for the two ports your TIVOs are on.

If your TIVOs were plugged into ports 2 and 3 then you would set the page like this…

Check your Network>Network Settings>TIVO VLAN IP range/subnet settings. Use the untagged LAN IP address settings as a template to study from. It should look something like this:

ex.1
TIVO VLAN
IP address: 192.168.51.1
IP range: 192.168.51.10 - 192.168.51.250
DHCP server: enable
DNS servers: enable
inter-VLAN routing: unchecked

Turn the TIVOs off and unplug them, wait for 1 min then plug them back in. Do they pop up in the client list? Do the network settings in the TIVO match your TIVO VLAN? Just work on one TIVO for now - once you get it working, do the same thing for the other one.

If the TIVOs still don’t connect then try resetting their network settings by either a hard or soft reset, as their default settings should “just connect” if hardwired, or you may have to enter the IP addresses into them from the TIVO VLAN. Bear in mind that with a hard reset you will lose all your settings and data on them - make sure it’s written down or screenshot it.

1 Like

Happy, Thanks Again!

I am still a little unsure of what you’re saying. If you have inter-VLAN off, can sharing the LAN and VLAN on a port be insecure or are they isolated from each other??

My VLAN settings are pretty much as you describe. I think I understand this part of all the moving parts the best … there are a lot of moving parts (settings) I don’t get! However I did use Michael H’s suggestion and go with a 10.xxx.xxx.x scheme. Would that mess up the Tivos??

1 Like

If “inter-VLAN routing” is not selected on the TIVO VLAN then it can’t see any other VLANs or the untagged LAN, but should connect to the internet. That would be “most secure” as you don’t want the TIVOs being able to see your untagged LAN or any other.

If “inter-VLAN routing” is not selected on all networks then none of them can see each other, but can still connect to the internet. That’s even more secure!

If “inter-VLAN routing” is selected on all networks then all of them can see each other and still connect to the internet. Nothing is isolated.

If it worked before then it should be okay.

If the other TIVO is on a managed switch that is shared with other computers on it, then I believe you would set the SURF port to “trunk” so all traffic can go there and use a custom VLAN rule which allows you to assign multiple VLANs to it as necessary - but that only works properly on a managed switch.

If it’s an unmanaged switch then every client on it will see everything you send to it and all the clients on it will be able to see each other. It sounds like you need to upgrade that to a managed switch, or it might just be easier to unplug the TIVO from the unmanaged switch and run a cable to it so it can sit on its own TIVO VLAN. Or you could unplug the TIVO from that switch and assign it to a wireless network using the TIVO VLAN in the meantime.

1 Like

Can’t thank you enough. Going out for some fresh air and will try again tonight. Can’t believe how much time I’ve got invested in this! Yesterday I bricked my Surf like 6 times when I changed the port access such that I restricted access to the router firmware to - No One - not even me … so walk downstairs, reset to factory and then upload my config without my dumb error - reboot twice to get back to where I was… I’m just checking and unchecking stuff, feeling my way in the dark. But making headway I think. Hopefully my Tivos will be able to see the net. Right now I think they are just communicating through the unmanaged switch and can’t connect to the outside world.
Take good care! I’ll post an update on my progress later.

1 Like

During testing and configuration you can avoid getting locked out by setting this to “any”…

System>Admin Security

anytime

Change it back when you’re done (to “Allow this network only” and select the “untagged LAN” on 192.168.50.1).

2 Likes

Thanks, that’s a great idea. I am trying to lock down as many settings as possible but you’re right, that would have saved me a bunch of headaches yesterday.

My Tivo saga continues. Everything else is working fine. Really happy. All our mobiles are on one VLAN, the Chromecast is working on my TV VLAN. Network printer is up… But the Tivos are making me crazy. I have tried a million configurations on the ports and I am not getting it. I am trying to keep them both on their own TV VLAN. They are set with static IPs that work perfectly when all the equipment is in the same room and directly connected to the Surf with ethernet cables. I found that the Roamio needs to be set to TRUNK to connect to the Mini. Can’t be on ACCESS. When I put the Mini in the MBR and it connects via an ethernet switch, it connects to the Surf with another IP that is on my main LAN and ISN’T listed on the Mini’s IP screen. How is this happening? It attaches with DHCP on a completely different subnet even though it’s set to a static IP that previously worked and was reserved on the Surf?? It seems like anytime either Tivo is exposed to the primary LAN they somehow bind to it - instead of the reserved IP assigned on the VLAN?

I guess I can open the ports on the Surf to be wide open but doesn’t that defeat the purpose of having all these separate VLANs? I have been trying to negotiate the 2 ports that need to communicate with various combinations of Trunk and permissions to connect the TV VLAN to the untagged LAN. Apologies for dragging you into my mess.

1 Like

You’re close - you almost got it.

Solution 1:

I would just run an ethernet cable to the mini. Then configure the port and VLAN accordingly.

The roamio is already configured like this. Both should have the same port settings: “access” and TIVO VLAN assigned.

Plug them both into the SURF directly.

Solution 2:

If you can’t run a cable to the mini use WiFi instead. Create a wireless network for the mini and assign the TIVO VLAN to it.

That’s the easiest solution.

Solution 3:

The “better”(?) solution is to leave the mini plugged into the managed switch.

If it’s an unmanaged switch this won’t work and you will have to get one or go with solution 1 or 2.

Then configure the SURF port the switch is plugged into as “trunk” with a “custom” VLAN assignment.

For this example I will assume the switch is plugged into port 4 on the SURF. Set the port type to “trunk” and the VLAN is already set to “untagged LAN”. Click custom and add TIVO VLAN to it. Click save and then “apply changes”.

Enter the appropriate reserved IP address into the mini for the TIVO VLAN.

Now the mini should be able to see the TIVO VLAN. Verify this in the “client list”.

Step 4:

Yay it works! :partying_face:

1 Like
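The port behaviour discussed in this thread, as an added example that is not part of any post and is not Peplink code: a generic IEEE 802.1Q model of where a plain host's untagged frames land on an "access" port, on a "trunk" port reached through an unmanaged switch, and on the same trunk through a managed switch. The VLAN ids, names and the pass-through behaviour of the unmanaged switch are assumptions made for illustration.

```python
# Generic IEEE 802.1Q port model (assumption: not SURF firmware; ids constructed).
from dataclasses import dataclass

UNTAGGED_LAN, TIVO_VLAN = 0, 51   # 0 stands in for the router's untagged LAN

@dataclass(frozen=True)
class Port:
    mode: str                       # "access" or "trunk"
    native: int                     # VLAN given to frames that arrive untagged
    tagged: frozenset = frozenset() # VLANs carried with a tag (trunk only)

def classify(port, frame_tag):
    """VLAN an arriving frame is placed in, or None if the port drops it."""
    if frame_tag is None:           # end hosts send untagged frames
        return port.native
    if port.mode == "trunk" and frame_tag in port.tagged:
        return frame_tag
    return None

def vlans_on_wire(port):
    """VLANs whose broadcasts leave this port (native untagged, the rest tagged)."""
    extra = port.tagged if port.mode == "trunk" else frozenset()
    return {port.native} | set(extra)

def host_vlan(router_port, switch_access_vlan=None):
    """VLAN of a plain host behind router_port.

    switch_access_vlan=None models a direct cable or an unmanaged switch, which
    is assumed to pass frames through unchanged. Otherwise it is the VLAN of the
    managed switch's access port facing the host; the switch tags on its uplink.
    """
    if switch_access_vlan is None or switch_access_vlan == router_port.native:
        return classify(router_port, None)
    return classify(router_port, switch_access_vlan)

# Constructed port configurations matching the two setups discussed above.
access_tivo = Port("access", native=TIVO_VLAN)
trunk_custom = Port("trunk", native=UNTAGGED_LAN, tagged=frozenset({TIVO_VLAN}))

if __name__ == "__main__":
    print("direct on access port:", host_vlan(access_tivo))
    print("unmanaged switch on trunk:", host_vlan(trunk_custom))
    print("managed switch on trunk:", host_vlan(trunk_custom, TIVO_VLAN))
    print("VLANs reaching the switch:", sorted(vlans_on_wire(trunk_custom)))
```

In this model the host behind the unmanaged switch is classified into the untagged LAN even though the trunk also carries the TIVO VLAN, and both VLANs' frames reach every port of that switch.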

Happy, Thanks once again for your time and help. I feel like I’m adrift out to sea in a raft and a ship is steaming my way.

Without pulling new wire, I can’t figure a way to run ethernet from the Mini to the Roamio. I only have one Cat5 wire near the main Tivo and it serves the Modem/Surf Router connection to the rest of the house. For the record our house was built in 2000. They didn’t have a single ethernet outlet in the whole house when we moved in 5 yrs ago. But luckily! they ran Cat5 for the entire phone system - which was substantial - outlets all over the place. I converted them all to an ethernet system. They all converge in the basement, where I need a switch to form the network.

Moving on - So the older Tivo Mini we have will not do WiFi! I was looking at the MoCA setting / connection but our Roamio will not do MoCA without an adapter, and looking at the adapter I am not sure how it would then connect to the internet - since the ethernet port is used to support the MoCA adapter - which has no provision to connect to another ethernet cable - leaving the main Tivo using WiFi I guess? Whew! Sorry, figured I would share.

So either I allow the TIVOs onto the untagged LAN like it was with our old Netgear router or as you suggest, I go with a managed switch that has POE for our IP cameras (which I hope will NOT be a whole other ordeal to set up…) don’t worry not doing that right now.

So more questions (sorry!):

Does the managed switch need a lot of configuration? Is it like the router with its own firmware that gets accessed with a password to enter its firmware / menus?? Or does it just take the streams from the router and keep them properly sorted on its own? If so I totally get how to configure the ports so that I can let VLANs communicate. (I’ve spent countless hours looking at that NETWORK / PORTS configuration screen the past few days :slight_smile:)

Why do the Tivos grab onto the untagged LAN even though they are set to STATIC IP with IP subnets that are not even close to the untagged LAN’s subnet? Curious as to how this is possible? If you know or have a clue.

1 Like

Hi Paul4

Sorry I couldn’t help you - I suggest you contact a Peplink licensed solution provider in your area and link them to this thread to help them get a better understanding of your home networking situation.

:bulb:
In the meantime the main thing is it’s all working. You might also consider the possibility of contacting your point of sale for the security camera stuff, managed switches and TIVOs. Ask about their technical support services or upgrade options? Maybe it’s cheaper to just get a new TIVO with wireless capabilities?

Here’s some handy links:

Got a spare gaming system sitting around?

https://foldingathome.org/

1 Like

You helped immensely! I am nearly there as you say and understand some of the settings much more than I would without your help. Be Well and thanks again!

1 Like