Regular Member
Posts: 334
Registered: ‎07-17-2013
Kudos: 52
Solutions: 6

VLANs to separate WAN from LAN

I am looking at a potential temporary residential installation with a very small structured wiring panel. The issue is the temp equipment is too large for the panel (ER8). The desired location for most equipment is the garage whereas the panel is on the 3rd floor. There is a single existing Cat6a drop to the garage. It would require substantial sheetrock refinishing to pull a second drop ($$$).

Are VLANs secure enough to use the single drop for both WAN and LAN traffic? The thought is to use a small smart+ switch that supports VLANs in the panel and another switch that supports VLANs in the garage. The ER8 will use eth0 for WAN and be on VLAN 100, and eth1 will be for non-VLAN traffic for the LAN. VLAN 100 would be configured on both switches for the ports for the Cable Modem and ER8 eth0, with the ports between the two switches trunked.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: VLANs to separate WAN from LAN

VLANs are as secure as putting the networks on completely separate equipment which does not connect with each other. In other words, there is no communication between VLANs without using a router (or other layer 3 device) to route the traffic. Period.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: VLANs to separate WAN from LAN

I could put all of these interfaces on one port (including the WAN from eth0) and the only difference in operation would be total speed as they would all be on a single gig port.

interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description "DMZ SUBNETS"
        duplex auto
        speed auto
        vif 130 {
            address 10.112.130.1/24
            description Public_Servers
            mtu 1500
        }
        vif 160 {
            address 10.112.160.1/24
            description BCF_Guest
            mtu 1500
        }
    }
    ethernet eth2 {
        description "LAN SUBNETS"
        duplex auto
        speed auto
        vif 20 {
            address 10.10.20.1/24
            description BCF_Home
            mtu 1500
        }
        vif 30 {
            address 10.10.30.1/24
            description BCF_Servers
            mtu 1500
        }
        vif 40 {
            address 10.10.40.1/24
            description BCF_VOIP
            mtu 1500
        }
        vif 50 {
            address 10.10.50.1/24
            description BCF_CCTV
            mtu 1500
        }
        vif 60 {
            address 10.10.60.1/24
            description BCF_Wrls
            mtu 1500
        }
        vif 99 {
            address 10.10.99.1/24
            description BCF_Mgmt
            mtu 1500
        }
    }
    loopback lo {
    }
}

In my network, eth1 & eth2 go to the same switch (see pic below). VLAN130 is my DMZ and has limited access to my LAN networks, and VLAN160 is my GUEST network which has no LAN access whatsoever. That is the power of VLANs: common shared equipment which keeps networks safely separated. Without my ERL, none of these networks would be able to talk with one another even though they are all on the same switch.

Switch Ports.png
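
Added example, not part of any post in this thread: the isolation discussed above depends on VLAN 100 being a member only of the modem port, the ER8 eth0 port and the trunk, so this Python sketch audits a two-switch port plan for that. The switch and port names, the device placement, and LAN traffic riding untagged on VLAN 1 are assumptions; only VLAN 100 comes from the thread.

```python
"""Added example: audit a switch port plan for WAN/LAN sharing one trunk."""
WAN_VLAN = 100  # from the thread; every other value below is an assumption

# Constructed plan. pvid = VLAN assigned to untagged frames on the port,
# tagged = VLANs carried with 802.1Q tags. LAN is assumed to be VLAN 1.
PLAN = {
    "panel-sw": {
        "p1": {"role": "modem", "pvid": 100, "tagged": set()},
        "p2": {"role": "lan", "pvid": 1, "tagged": set()},
        "p8": {"role": "trunk", "pvid": 1, "tagged": {100}},
    },
    "garage-sw": {
        "p1": {"role": "router-wan", "pvid": 100, "tagged": set()},  # ER8 eth0
        "p2": {"role": "router-lan", "pvid": 1, "tagged": set()},    # ER8 eth1
        "p8": {"role": "trunk", "pvid": 1, "tagged": {100}},
    },
}
WAN_EDGE = {"modem", "router-wan"}

def audit(plan, wan_vlan=WAN_VLAN):
    """Return a list of findings; an empty list means the plan keeps
    the WAN VLAN on the WAN edge ports and the trunk only."""
    findings = []
    for sw, ports in plan.items():
        for name, p in ports.items():
            where = f"{sw}/{name} ({p['role']})"
            in_wan = p["pvid"] == wan_vlan or wan_vlan in p["tagged"]
            if p["role"] in WAN_EDGE:
                # Edge ports carry WAN untagged and nothing else.
                if p["pvid"] != wan_vlan or p["tagged"]:
                    findings.append(f"{where}: must be untagged in VLAN {wan_vlan} only")
            elif p["role"] == "trunk":
                if wan_vlan not in p["tagged"]:
                    findings.append(f"{where}: VLAN {wan_vlan} not tagged on trunk")
                if p["pvid"] == wan_vlan:
                    findings.append(f"{where}: VLAN {wan_vlan} is the untagged VLAN")
            elif in_wan:
                # Any other port in the WAN VLAN sits directly on the modem side.
                findings.append(f"{where}: LAN-side port is a member of VLAN {wan_vlan}")
    return findings

if __name__ == "__main__":
    for line in audit(PLAN) or ["plan OK"]:
        print(line)
```

An empty result means no port outside the WAN path is a member of VLAN 100; any finding names the port to fix before the modem is plugged in.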