
Network Segregation: Implementing VLANs for 5 Computers, IP Camera, and Printer - How To?

EjMaciejus 5070 11
  • #1 16628902
    EjMaciejus
    Level 2  
    Posts: 4
    I want to separate the computers on the network from each other.

    There are 5 computers in the network (3 connected via cable, 2 via Wi-Fi), one printer (via cable) and several Wi-Fi phones. Additionally, an IP camera (Wi-Fi) is connected to the network. Internet is from UPC.

    I want three computers to "see" each other and have access to the printer; the next two computers should be completely separated, i.e. they cannot see any devices on the network (good if they can see the printer, but that's not a condition); phones should not see any devices either (possibly they can see each other). The IP camera should be visible from the outside.

    I do not know much about networks, I started reading a bit about it recently and I read about virtual lan networks (VLANs) and this will probably be the solution to the topic. However, before I invest in hardware that will do the job, I have a few questions:

    1) Is it really true that if a computer is assigned to a virtual subnet, it cannot discover devices in another subnet? Of course, I am considering the situation when the VLANs are properly configured.
    2) The second question relates to the printer - will it be able to belong to several VLANs or do you have to implement it somehow to make it visible to all computers? If there is no workaround, it will only be visible for the first three computers.
    3) How is a device assigned to the appropriate network? By MAC address or otherwise? If a new device logs in over Wi-Fi, which network will it be assigned to?

    4) What equipment do you recommend to make it relatively easy? I found Mikrotik routers, eg RB2011UiAS-2HnD-IN but maybe something cheaper is enough.

    It would also be nice if the router had the option to save logs for devices logged into the network - a connection log for individual devices.
  • #2 16629148
    bogiebog
    Level 43  
    Posts: 24793
    Help: 2569
    Rate: 1528
    EjMaciejus wrote:
    How is the device assigned to the appropriate network?

    Usually by physical port.

    EjMaciejus wrote:
    If a new device logs in over Wi-Fi, which network will it be assigned to?

    The one to which the physical port connected to the AP is assigned.
  • Helpful post
    #3 16629633
    Heinzek
    Network and Internet specialist
    Posts: 3732
    Help: 554
    Rate: 493
    EjMaciejus wrote:
    1) Is it really true that if a computer is assigned to a virtual subnet, it cannot discover devices in another subnet? Of course, I am considering the situation when the VLANs are properly configured.

    The computer will only see what you allow it in the VLAN configuration.
    EjMaciejus wrote:
    2) The second question relates to the printer - will it be able to belong to several VLANs or do you have to implement it somehow to make it visible to all computers? If there is no workaround, it will only be visible for the first three computers.

    The printer can be in a separate VLAN and you can configure which VLANs will access it.
    EjMaciejus wrote:
    3) How is a device assigned to the appropriate network? By MAC address or otherwise? If a new device logs in over Wi-Fi, which network will it be assigned to?

    VLANs will be assigned to ports. You can also set several VLANs for one port, but an AP must be connected to this port that will tag these VLANs, and it will send several SSIDs (e.g. company / home / guests), and each SSID will be connected to a different VLAN.
    EjMaciejus wrote:
    4) What equipment do you recommend to make it relatively easy?

    It will never be easy; once you embrace it, you will think less about it. You can easily do it on routers with OpenWRT / LEDE, even in the graphical interface.
    If you do not need crazy speed, the ordinary TP-Link WR1043ND is enough for you.
  • #4 16630219
    hermes-80
    Level 43  
    Posts: 12013
    Help: 1177
    Rate: 740
    Managed switch - cheapest TP-L TL-SG2008 + router with alternative FW + packet management on the switch - ebtables.
  • #5 16630514
    EjMaciejus
    Level 2  
    Posts: 4
    Heinzek wrote:
    VLANs will be assigned to ports. You can also set several VLANs for one port, but an AP must be connected to this port that will tag these VLANs, and it will send several SSIDs (e.g. company / home / guests), and each SSID will be connected to a different VLAN.


    If I set up several VLANs for the port with the printer, then this printer will be available to all those networks that have the port with the printer added - do I understand that correctly?
  • Helpful post
    #6 16630532
    Heinzek
    Network and Internet specialist
    Posts: 3732
    Help: 554
    Rate: 493
    I would:
    WAN in VLAN1
    computers in VLAN2
    printer in VLAN3
    Wi-Fi in VLAN4

    then rules where VLAN2 has access to 1 and 3
    VLAN3 has no access to any VLAN
    VLAN4 only has access to VLAN1
  • #9 16683488
    EjMaciejus
    Level 2  
    Posts: 4
    Back to the topic. I have decided that I will probably buy a router for OpenWRT but I have some doubts.

    http://eko.one.pl/?p=openwrt-vlan#obsugavlanw

    On the above page I read that the router requires a proper chip to handle VLANs.

    Does anyone know whether the following devices have the chip mentioned above and whether they will work properly in a VLAN-based configuration?

    TP-Link Archer C2600
    Linksys WRT1200AC


    If not these, maybe someone knows others (it's important that they handle VLANs correctly).
  • #11 16683525
    EjMaciejus
    Level 2  
    Posts: 4
    Well, I just wrote to him on the forum, but unfortunately he does not answer this question.

Topic summary

✨ The discussion revolves around implementing VLANs to segregate a network consisting of 5 computers, an IP camera, a printer, and several Wi-Fi phones. The user seeks to configure the network such that three computers can communicate with each other and access the printer, while the other two computers remain isolated from all devices, with potential limited access to the printer. The Wi-Fi phones should not see any devices, although they may communicate with each other. The IP camera needs to be accessible externally. Participants suggest using managed switches and routers with VLAN capabilities, such as TP-Link and OpenWRT-compatible devices. Specific VLAN configurations are proposed, including separating devices into different VLANs and setting access rules accordingly. Recommendations for hardware include the TP-Link WR1043ND and TP-Link Archer C2600, with emphasis on ensuring the router has the necessary chip for VLAN support.
Generated by the language model.

FAQ

TL;DR: Use 4 VLANs to isolate 5 PCs, a printer, phones, and an IP camera; “WAN in VLAN1, computers in VLAN2, printer in VLAN3, Wi‑Fi in VLAN4.” [Elektroda, Heinzek, post #16630532]

Why it matters: This setup stops device snooping while keeping shared resources (like the printer) reachable where needed, which suits small offices or homes wanting simple, low-cost segmentation.

What’s the simplest VLAN layout for 5 PCs, a printer, Wi‑Fi phones, and an IP camera?

Follow the 4‑VLAN plan: VLAN1=Internet/WAN, VLAN2=PCs, VLAN3=Printer, VLAN4=Wi‑Fi. Permit VLAN2 to reach VLAN1 and VLAN3; block VLAN3 from others; allow VLAN4 only to VLAN1. This keeps three PCs and the printer together, while isolating guests and cameras as needed. It’s a clean starter design that fits small networks without complex rules. [Elektroda, Heinzek, post #16630532]

Will devices in one VLAN discover devices in another VLAN?

No. Discovery stays inside each VLAN unless you explicitly permit cross‑VLAN access. As one expert put it, “The computer will only see what you allow it.” Enforce rules on the router or L3 switch to control any exceptions (for example, printers or updates). [Elektroda, Heinzek, post #16629633]

How do I share one printer with selected VLANs?

Place the printer in its own VLAN. Then add firewall rules so only chosen VLANs (for example, the PC VLAN) can reach the printer’s IP and ports. Do not multi‑home the printer to several VLANs; route to it instead. This keeps the print device isolated while still usable. [Elektroda, Heinzek, post #16629633]

How are devices assigned to a VLAN: MAC, port, or Wi‑Fi SSID?

Use port‑based VLANs on the switch for wired gear. For Wi‑Fi, map each SSID to a VLAN on the AP’s tagged uplink. New wireless devices join the VLAN of the SSID they select, while wired devices join the VLAN configured on their switch port. [Elektroda, bogiebog, post #16629148]

Can one access point serve multiple VLANs?

Yes. Trunk multiple VLANs to the AP and broadcast multiple SSIDs, each bound to a VLAN. Edge case: if the AP cannot tag VLANs, clients will not be separated even if the switch is configured. Choose an AP that supports 802.1Q tagging and multiple SSIDs. [Elektroda, Heinzek, post #16629633]

What gear is recommended for an easy, low‑cost setup?

Use a budget managed switch like TP‑Link TL‑SG2008 for VLANs and ACLs. Pair it with a router that supports VLANs and firewalling; OpenWRT on devices such as TP‑Link WR1043ND gives a friendly GUI and flexibility without high cost. [Elektroda, hermes-80, post #16630219]

How do I keep guest phones off my LAN but online?

Put guest Wi‑Fi on its own VLAN and allow only Internet (WAN) access. Block access to the PC and printer VLANs. This mirrors the proposed rules: Wi‑Fi VLAN allowed to VLAN1 only, preventing lateral movement while preserving browsing. [Elektroda, Heinzek, post #16630532]

Can I make the IP camera visible from the Internet but isolated locally?

Yes. Place the camera on the Wi‑Fi VLAN (or a dedicated VLAN) and restrict local LAN access. Allow only necessary outbound or port‑forwarded traffic from WAN to the camera. Keep it separate from PCs and printers to reduce risk. [Elektroda, Heinzek, post #16630532]

What’s a VLAN in plain English?

A VLAN is a virtual network inside your switch that isolates traffic like separate physical networks. You assign switch ports or Wi‑Fi SSIDs to VLANs, then route between them only where needed (e.g., to reach a printer or the Internet). [Elektroda, Heinzek, post #16629633]

How do I assign a new wired device to the right VLAN?

Plug it into a switch port configured for that VLAN. Port‑based assignment is straightforward and avoids relying on device MACs or software agents. Update your switch’s VLAN membership and PVID for that port. [Elektroda, bogiebog, post #16629148]

Is there a 3‑step how‑to for the initial configuration?

  1. Create VLANs for WAN, PCs, Printer, and Wi‑Fi on your switch/router.
  2. Tag the AP uplink; map SSIDs to VLANs; set PC/printer ports untagged in their VLANs.
  3. Add firewall rules: PCs→WAN+Printer allowed; Wi‑Fi→WAN only; block others. [Elektroda, Heinzek, post #16630532]
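
The rules from step 3, written as a default-deny policy and rendered into OpenWrt firewall sections. This is an added example, not code from the thread or from the OpenWrt project; the zone names (`wan`, `pcs`, `printer`, `wifi`) and the matching interface names in `/etc/config/network` are assumptions.

```python
"""Render the thread's 4-VLAN policy as OpenWrt firewall sections (added example)."""

# Zone names are assumptions; the thread only numbers the VLANs.
ZONES = {"wan": 1, "pcs": 2, "printer": 3, "wifi": 4}

# Who may initiate connections to whom (post #6 / FAQ step 3).
# Anything not listed is rejected.
POLICY = {"pcs": {"wan", "printer"}, "printer": set(), "wifi": {"wan"}, "wan": set()}


def validate(policy, zones):
    """Catch typos: unknown zone names or a zone forwarding to itself."""
    for src, dests in policy.items():
        for name in {src, *dests}:
            if name not in zones:
                raise ValueError(f"unknown zone {name!r}")
        if src in dests:
            raise ValueError(f"{src!r} forwards to itself")


def may_initiate(policy, src, dest):
    """True if src may open a connection to dest. Replies to an allowed
    connection pass via connection tracking, so this is one-directional."""
    return dest in policy.get(src, set())


def render(policy, zones):
    """Return zone and forwarding sections for /etc/config/firewall.
    Input/output policy toward the router itself (DHCP, DNS) is not generated."""
    validate(policy, zones)
    out = ["config defaults", "\toption forward 'REJECT'", ""]
    for name, vid in zones.items():
        out += [f"# VLAN {vid}", "config zone", f"\toption name '{name}'",
                f"\tlist network '{name}'",  # assumes an interface of this name
                "\toption forward 'REJECT'"]
        if name == "wan":
            out.append("\toption masq '1'")  # NAT towards the ISP
        out.append("")
    for src in sorted(policy):
        for dest in sorted(policy[src]):
            out += ["config forwarding", f"\toption src '{src}'",
                    f"\toption dest '{dest}'", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(POLICY, ZONES))
```

Because the printer zone has no forwarding of its own, it can answer print jobs from the PC zone but cannot open connections to any other VLAN.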

Which low-cost firmware supports VLANs with a GUI?

OpenWRT/LEDE supports VLAN configuration via its web interface on compatible hardware. It’s flexible and well‑documented, making small multi‑VLAN designs manageable without enterprise gear. [Elektroda, Heinzek, post #16629633]

Do I need ACLs in addition to VLANs?

For fine‑grained control between VLANs, ACLs help. On switches like TL‑SG2008, ACLs can block or permit specific protocols or IPs between segments, reinforcing the router’s firewall. [Elektroda, hermes-80, post #16630640]

What if my router doesn’t support VLANs natively?

Consider hardware that runs OpenWRT or similar. Community guidance highlights models like TP‑Link WR1043ND that handle VLANs well once flashed, offering a low‑budget path to segmentation. [Elektroda, Heinzek, post #16629633]

How many devices are we segmenting in this scenario?

The thread covers 5 computers (3 wired, 2 Wi‑Fi), 1 wired printer, several Wi‑Fi phones, and 1 Wi‑Fi IP camera. Plan VLANs and firewall rules around these roles to balance access and isolation. [Elektroda, EjMaciejus, post #16628902]

Can a printer be in several VLANs at once?

Avoid multi‑homing the printer. Place it in one VLAN and route to it from authorized VLANs. This preserves isolation and simplifies management and logging. [Elektroda, Heinzek, post #16629633]
Generated by the language model.