this post was submitted on 21 May 2024
homelab


I would like to create a VLAN that can access the internet but cannot access the rest of my network, with one exception. It should still be able to connect to my HomeAssistant server which isn't on the VLAN.

I have never set up a VLAN before so I am a bit lost. Does anybody have any good guides on how to set up something like this on a GL.iNet router? I am able to access the OpenWRT settings including interfaces, devices, etc. from LuCI.

[–] litchralee@sh.itjust.works 7 points 6 months ago

To lay some foundation, a VLAN is akin to a separate network with separate Ethernet cables. That provides isolation between machines on different VLANs, but it also means each VLAN must be provisioned with routing, so as to reach destinations outside the VLAN.

Routers like OpenWRT often treat VLANs as if they were distinct NICs, so you can specify routing rules such that traffic to/from a VLAN can only be routed to WAN and nowhere else.

At a minimum, for an isolated VLAN that requires internet access, you would have to

  • define an IP subnet for your VLAN (i.e. a /24 for IPv4 and a /64 for IPv6)
  • advertise that subnet (DHCP for IPv4 and SLAAC for IPv6)
  • route the subnets to your WAN (NAT for IPv4; ideally no NAT66 for IPv6)
  • and finally enable firewalling

As a reminder, NAT and NAT66 are not firewalls.
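The four steps above, written out for OpenWRT's UCI on a DSA-based router (21.02 or later) as an added example; this is not the commenter's code or anything from the thread. Everything concrete in it is an assumption for illustration: VLAN id 20 on switch port lan4, subnet 192.168.20.0/24, existing zones named `lan` and `wan`, and the Home Assistant host at 192.168.1.10 reached on 8123 (Home Assistant's default port). The script only prints the UCI batch unless you call the apply function on the router itself.

```shell
#!/bin/sh
# Added example (not from the thread): an isolated "iot" VLAN on OpenWRT that reaches
# the internet and exactly one LAN host (Home Assistant), nothing else on the LAN.
# All addresses, ports and names below are constructed assumptions; adjust to your network.

HA_IP="${HA_IP:-192.168.1.10}"      # constructed: Home Assistant's LAN address
HA_PORT="${HA_PORT:-8123}"          # assumption: Home Assistant's default TCP port
IOT_PORT="${IOT_PORT:-lan4}"        # constructed: switch port that carries the VLAN untagged
VLAN_ID="${VLAN_ID:-20}"            # constructed: 802.1Q VLAN id

# Print the UCI batch for: (1) subnet, (2) DHCP/SLAAC, (3) routing to WAN, (4) firewall.
iot_vlan_uci_batch() {
  cat <<EOF
# 1a. Layer 2: VLAN ${VLAN_ID} on br-lan, untagged + PVID on ${IOT_PORT}
set network.br_lan_vlan${VLAN_ID}=bridge-vlan
set network.br_lan_vlan${VLAN_ID}.device='br-lan'
set network.br_lan_vlan${VLAN_ID}.vlan='${VLAN_ID}'
add_list network.br_lan_vlan${VLAN_ID}.ports='${IOT_PORT}:u*'
# 1b. Layer 3: IPv4 /24 plus a /64 taken from the WAN-delegated prefix (routed, no NAT66)
set network.iot=interface
set network.iot.proto='static'
set network.iot.device='br-lan.${VLAN_ID}'
set network.iot.ipaddr='192.168.${VLAN_ID}.1'
set network.iot.netmask='255.255.255.0'
set network.iot.ip6assign='64'
# 2. Advertise it: DHCPv4 pool, router advertisements (SLAAC) and DHCPv6
set dhcp.iot=dhcp
set dhcp.iot.interface='iot'
set dhcp.iot.start='100'
set dhcp.iot.limit='150'
set dhcp.iot.leasetime='12h'
set dhcp.iot.ra='server'
set dhcp.iot.dhcpv6='server'
# 3+4. Zone with reject-by-default; the only forwarding is to wan (IPv4 NAT comes from wan's masq)
set firewall.iot=zone
set firewall.iot.name='iot'
add_list firewall.iot.network='iot'
set firewall.iot.input='REJECT'
set firewall.iot.output='ACCEPT'
set firewall.iot.forward='REJECT'
set firewall.iot_wan=forwarding
set firewall.iot_wan.src='iot'
set firewall.iot_wan.dest='wan'
# Router services the VLAN still needs (input is REJECT): DHCPv4/v6, DNS, ICMP for ND/RS
set firewall.iot_dhcp=rule
set firewall.iot_dhcp.name='Allow-IoT-DHCP'
set firewall.iot_dhcp.src='iot'
set firewall.iot_dhcp.proto='udp'
set firewall.iot_dhcp.dest_port='67 68 546 547'
set firewall.iot_dhcp.target='ACCEPT'
set firewall.iot_dns=rule
set firewall.iot_dns.name='Allow-IoT-DNS'
set firewall.iot_dns.src='iot'
add_list firewall.iot_dns.proto='tcp'
add_list firewall.iot_dns.proto='udp'
set firewall.iot_dns.dest_port='53'
set firewall.iot_dns.target='ACCEPT'
set firewall.iot_icmp=rule
set firewall.iot_icmp.name='Allow-IoT-ICMP'
set firewall.iot_icmp.src='iot'
set firewall.iot_icmp.proto='icmp'
set firewall.iot_icmp.target='ACCEPT'
# The one exception: iot -> lan stays rejected except this host and port (rules beat zone policy)
set firewall.iot_to_ha=rule
set firewall.iot_to_ha.name='Allow-IoT-to-HomeAssistant'
set firewall.iot_to_ha.src='iot'
set firewall.iot_to_ha.dest='lan'
set firewall.iot_to_ha.dest_ip='${HA_IP}'
set firewall.iot_to_ha.proto='tcp'
set firewall.iot_to_ha.dest_port='${HA_PORT}'
set firewall.iot_to_ha.target='ACCEPT'
EOF
}

# Apply on the router: strip comments/blank lines (uci batch wants bare commands), commit, reload.
# Refuses to run anywhere uci is not installed, so the script is safe to source elsewhere.
apply_iot_vlan() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found; run this on the OpenWRT router" >&2; return 1; }
  iot_vlan_uci_batch | sed '/^#/d;/^$/d' | uci batch \
    && uci commit network && uci commit dhcp && uci commit firewall \
    && /etc/init.d/network reload && /etc/init.d/dnsmasq restart && /etc/init.d/firewall reload
}

# Quick self-check on the generated policy: exactly one forwarding, and it is iot -> wan, never -> lan.
iot_vlan_policy_ok() {
  batch=$(iot_vlan_uci_batch)
  [ "$(printf '%s\n' "$batch" | grep -c '=forwarding$')" = 1 ] \
    && printf '%s\n' "$batch" | grep -q "iot_wan.dest='wan'" \
    && ! printf '%s\n' "$batch" | grep -q "=forwarding" | grep -q "dest='lan'"
}

[ "${1:-}" = "--apply" ] && apply_iot_vlan || iot_vlan_uci_batch
```

Two caveats before running `--apply`. First, adding a `bridge-vlan` section turns on VLAN filtering for `br-lan`, so the existing `lan` interface must also be moved onto `br-lan.1` with its own `bridge-vlan` (vlan 1, the remaining ports as `:u*`), or the LAN side goes dark; do this from a console or with a revert timer. Second, the zone policy is one-directional: established replies flow back automatically, but if Home Assistant has to initiate connections to devices on the VLAN (polling integrations), that needs a separate `lan -> iot` rule, which this example deliberately does not add.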

[–] Crack0n7uesday@lemmy.world 5 points 6 months ago

People that downvoted you don't know how to network engineer...

[–] jet@hackertalks.com 3 points 6 months ago
[–] Crack0n7uesday@lemmy.world 0 points 6 months ago* (last edited 6 months ago)

VLANs are layer 2; they don't really need things like a router to work, should be set up at the switch/layer 2 level, and are not routable across the internet. Based on the specifications you've stated, you want to make a DMZ, which is a lot different and will require knowledge of IP subnets, access control lists, and wildcard masks. It's not much harder to do, but it is different from what you're doing; you wouldn't use a hammer for a screw.