subnets or vlans - is this possible?

Started by JoshNelson, November 05, 2017, 11:35:17 PM


JoshNelson

I'll probably post this in wireless too....but figure this might be the better forum.  Anyway....here goes:

I have a number of devices on my network and would like to isolate them by type....and I'm not quite sure how to go about it or if it's even possible. Most of the devices connect via wireless (netgear orbi RBR50 - router and 1 satellite) though a couple connect via wired connection (on a port on the main orbi router).

So - I have a few groups of various types of equipment connecting to my network. They are:

1. office equipment (work pcs, printer, etc)
2. entertainment (ps4, firetv, etc)
3. IoT devices (canary security cameras, random raspberry pi homebrew projects)
4. Guest devices (phones, tablets, etc)

All of these groups need internet access but none of them really need to access devices in the other groups. What I was trying (and failing) to do is create vlans for each group, and have separate dhcp scopes/subnets for each group (office being 192.168.1.xxx, entertainment being 192.168.2.xxx, etc).

I have the following equipment available to me:

1. netgear orbi rbr50 (router and 1 satellite) latest firmware 2.0.0.74 (btw - when is this going to be patched to address the wpa2 issues?)
2. a couple netgear N600 WNDR3700 routers (though I would not want to use the wireless radios on these and would want everything to use the orbi). One of these I have installed open-wrt on, the other is running the regular netgear firmware.
3. TP-Link TL-SG108E managed switch

So - my question is can I accomplish separate subnets and network isolation (vlans?) for each of these groups using the equipment that I have taking into consideration that 98% of them will connect wirelessly via the netgear orbi.

deanwebb

As with the wireless one, this is more a SOHO issue, but I'll leave it here so we can talk about the different VLANs and such.

If the switch allows it, you can set it up to offer multiple VLANs and then also act as a DHCP server for those VLANs. Check with your switch documentation. If it's not in the documentation, you can't do it.

Now, this specifies that the devices are statically connected to their ports. You plug into Gi0/0, you get VLAN 10. Gi0/1? That's VLAN 20, and so on. If you want *dynamic* VLAN assignment based upon device type, then you need to get a switch from a major vendor and then start posting about dynamic VLAN assignment in the *Security* part of the forum, because that's where my specialty is - network access control, or NAC.

And NAC is not cheap...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
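As an added example (written for this edit, not posted by anyone in the thread), here is what the "one VLAN per switch port, one subnet and DHCP scope per VLAN" setup deanwebb describes looks like on the OpenWrt WNDR3700 the OP already has, expressed as `uci batch` commands. Everything about the numbers is an assumption on my part: VLAN IDs 10/20/30/40, subnets 192.168.1-4.0/24, a swconfig-style `switch0` whose CPU port is port 0 and shows up as `eth0`, and LAN ports 1-4 as the four access ports. Check the real port map with `swconfig dev switch0 show` before applying it.

```bash
#!/bin/sh
# Added example, not from any post in this thread: OpenWrt (UCI) config for
# one VLAN per switch port, each VLAN with its own /24, DHCP scope and firewall
# zone that is only allowed to forward to WAN.
#
# Assumptions (mine, not the thread's): swconfig switch "switch0", CPU port 0
# reaching the kernel as eth0, LAN ports 1-4, VLAN IDs 10/20/30/40, subnets
# 192.168.1-4.0/24, and this box is the only DHCP server on each segment.

# name          vlan port gateway-ip   (constructed sample table)
SEGMENTS='
office        10 1 192.168.1.1
entertainment 20 2 192.168.2.1
iot           30 3 192.168.3.1
guest         40 4 192.168.4.1
'
CPU_PORT=0

# Emit `uci batch` commands for every segment. Nothing is applied here;
# apply_segments below pipes this into uci on the router.
gen_segments() {
  printf '%s\n' "$SEGMENTS" | while read -r name vid port gw; do
    [ -n "$name" ] || continue
    # switch: untagged on its access port, tagged towards the CPU port
    echo "set network.vlan${vid}=switch_vlan"
    echo "set network.vlan${vid}.device=switch0"
    echo "set network.vlan${vid}.vlan=${vid}"
    echo "set network.vlan${vid}.ports='${port} ${CPU_PORT}t'"
    # L3 interface on the VLAN sub-interface with its own /24
    echo "set network.${name}=interface"
    echo "set network.${name}.ifname=eth0.${vid}"
    echo "set network.${name}.proto=static"
    echo "set network.${name}.ipaddr=${gw}"
    echo "set network.${name}.netmask=255.255.255.0"
    # dnsmasq DHCP scope bound to that interface
    echo "set dhcp.${name}=dhcp"
    echo "set dhcp.${name}.interface=${name}"
    echo "set dhcp.${name}.start=100"
    echo "set dhcp.${name}.limit=150"
    echo "set dhcp.${name}.leasetime=12h"
    # firewall zone: internet only. There is deliberately no forwarding
    # entry towards any other segment, so office/iot/guest cannot see each other.
    echo "set firewall.${name}_zone=zone"
    echo "set firewall.${name}_zone.name=${name}"
    echo "add_list firewall.${name}_zone.network=${name}"
    echo "set firewall.${name}_zone.input=REJECT"
    echo "set firewall.${name}_zone.output=ACCEPT"
    echo "set firewall.${name}_zone.forward=REJECT"
    echo "set firewall.${name}_fwd=forwarding"
    echo "set firewall.${name}_fwd.src=${name}"
    echo "set firewall.${name}_fwd.dest=wan"
    # input=REJECT would also block DHCP and DNS to the router itself,
    # so punch exactly those two holes per zone.
    echo "set firewall.${name}_svc=rule"
    echo "set firewall.${name}_svc.name='Allow-DHCP-DNS-${name}'"
    echo "set firewall.${name}_svc.src=${name}"
    echo "set firewall.${name}_svc.proto=tcpudp"
    echo "set firewall.${name}_svc.dest_port='53 67'"
    echo "set firewall.${name}_svc.target=ACCEPT"
  done
  echo "commit network"
  echo "commit dhcp"
  echo "commit firewall"
}

# Sanity checks on the generated batch so a typo in SEGMENTS is caught before
# it reaches the router: four VLANs, four scopes, zero segment-to-segment forwards.
count_vlans()      { gen_segments | grep -c '=switch_vlan'; }
count_scopes()     { gen_segments | grep -c '^set dhcp\.[a-z]*=dhcp$'; }
count_cross_fwds() { gen_segments | awk '/_fwd\.dest=/ && !/dest=wan/ {n++} END {print n+0}'; }

# Only touches the router when explicitly asked and uci is present.
apply_segments() {
  command -v uci >/dev/null 2>&1 || { echo "uci not found; not running on OpenWrt?" >&2; return 1; }
  gen_segments | uci batch \
    && /etc/init.d/network restart \
    && /etc/init.d/dnsmasq restart \
    && /etc/init.d/firewall restart
}

if [ "${1:-}" = "apply" ]; then
  apply_segments
fi
```

Run it with no arguments to just print the batch and eyeball it; `sh segments.sh apply` on the router applies it. Because the assignment is per physical port, the Orbi plugged into one of those ports puts every wireless client behind it into that single port's VLAN, which is exactly the static-versus-dynamic distinction deanwebb draws above.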

Dieselboy

Hi OP, the requirement which you have described has a solution with a technology called 'Private VLAN'. Private VLAN (or PVLAN) allows devices to be on the same subnet / network but prevents them from communicating with each other. But you need fancy hardware to get this feature. I don't know if this feature can work for wifi though.

I have an older Cisco WLAN controller and recall seeing an option to prevent wifi clients from communicating with each other, but I'm having one of those moments and can't find it. If I do later, I'll post back.

Cisco Meraki allow you to stop wifi clients from speaking with each other: https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/NAT_Mode_with_Meraki_DHCP
But their equipment isn't cheap. Actually, there's a webinar going around somewhere that if you attend, they will send you a free wifi AP. Bear in mind that after the 3-year license runs out, you will need to re-purchase a 1- or 3-year license (which covers hardware support and software upgrades, which is good). You don't have to re-purchase, but if you don't then the wifi AP becomes a paperweight until you do.