VLANs - Configuring Three Ethernet Switches (VLANs, Part 2)

indeed!

And managed to configure several LANs on my TP link switch, trunked from a UDM. Thank you

Because each VLAN is a separate network, any one of them that needs Internet access also needs a way to get out to the internet, which means having a router on that network.
Consumer routers do not (as far as I have been able to determine) provide Internet access for multiple networks. But that doesn't mean that hope is lost. There are two paths you can take:
If your AT&T modem actually has a NAT router in it, you can use it to provide Internet for three additional routers for your 3 VLANs. Each router would be plugged into the AT&T modem on its WAN port, then a LAN port would then connect to a VLAN to provide Internet for that VLAN. That involves double NATting, but that isn't much of a problem these days. And in this configuration it might make sense to disable WiFi on the routers where you don't need wireless access for that network.
Alternately you could switch to a router which does support multiple networks (or VLANs). I use the Ubiquiti Edge Router X, but it's far from the only one that does. The trouble with it, and generally anything else that has this capability, is that they aren't very easy to setup to support this. The device is very capable of doing what you need, but it's not going to happen through the GUI -- it involves dropping down into the command line to setup the multiple networks, NAT, and a DHCP and DNS server for each. If you want it to natively support VLANs it can, but that, again means more command-line commands.
The GL.iNET routers I've talked about on this channel are technically capable of supporting VLANs as well, but it, again, involves dropping into a command-line interface to set it up. And most of the guides I've found online stop short of providing step-by-step instructions for doing so.

its super easy if you know pfsense. its an open source firewall and router that you can install on any pc hardware. czcams.com/video/rHE6MCL4Gz8/video.html

Ubiquiti Edge Router X

I'll summarize what is happening so this makes sense. Here are the scenarios that can happen with VLANs...
Incoming (ingress) packets:
- Untagged packet enters a switch port with PVID set to 3 -> packet is tagged as belonging to vlan 3 and is forwarded to applicable ports assigned to VLAN 3
- A packet is already tagged with VLAN ID 5 when it enters a switch port set to accept traffic for VLAN 5, the tag is preserved and packet treated like any other packets tagged as VLAN 5 and forwarded to any ports assigned to 5.
Outgoing (egress) packets: (All packets inside of a managed switch are tagged, even if you haven't configured the VLAN feature, usually defaulting to VLAN 1)
* The packet is tagged internallly as VLAN 5 -> packet is routed to all applicable ports assigned to VLAN 5, where...
- If the egress port is set to Untagged for VLAN 5, the tag is removed and the packet leaves the switch with the VLAN tag removed
- If the egress port is set to Tagged for VLAN 5, the tag is preserved and the packet leaves the switch with the tag in place
There is a difference between tagged and untagged packets. Tagging a packet with a VLAN ID of 1 is not the same as not being tagged; they actually have additional data and are structured slightly differently. In fact, most devices don't even recognize tagged packets at all and will just ignore them, even if that ID is 1. So when you connect a computer or printer or whatever, you have to make sure that the port it is connecting to is set to Untagged or it won't see any incoming data.
Now to your question... if both the sending switch and receiving switch are managed switches, you can either leave the tag in place (set to Tagged on egress and ingress), or set it as Untagged on one switch and set the PVID on the other and it will have the same net effect. In one case the tag is removed at one end (Untag assigment) and re-added at the other (PVID), in the other (Tagged on both ends) the tag is left in place so it neither has to be removed nor added.
These days, in most cases when connecting managed switches I will set the primary VLAN ID for that port as Untagged, and all other VLAN IDs on that port as Tagged. That gives two advantages: (1) that port could be used for a computer or other device if needed since it includes Untagged packets that the computer can recognize, ignoring all Tagged packets, and (2) If I need to re-assign to a different VLAN ID in another switch I can do so just by setting the receiving port's PVID value to whatever I'd like.
Most switches come with all ports defaulting to Untagged for VLAN 1, and PVID of 1. So to make configuration easier, it's not at all uncommon to have VLAN 1 be the default for the majority of connected devices since those ports probably won't have to be configured manually.
Does that clear it up?

Wow yes that clears it up for me! thank you so much for your time in responding to my question. your channel has helped me greatly in a lot of areas in A/V. @@djp_video

I'll do a spreadsheet or Word doc indicating which VLAN I want each port to be assigned to. But that's about as complicated as I make it.

Bottom line is without multiple network interface devices on your computer you can't.
If Dante wasn't one of the requirements, you might be able to. Some network interfaces will support multiple VLANs through a command-line utility, but Dante (by design) will not work with a network interface device which has VLAN support turned on.
So what you can do is add a USB network interface specifically for your Dante network. And maybe another for your PTZ cameras. Or possibly look into whether your current NIC supports VLANs.
If you do elect to use a NIC with VLAN support enabled, you'll setup your switch to tag outgoing Ethernet packets with the VLAN tag so the NIC will know which VLAN the traffic comes from. And each one of those VLANs will show up as its own virtual NIC in Windows. I don't recommend this configuration though, as it tends to be fragile and get reset after driver updates and the like.

Great! I’ll just get a couple USB to Ethernet dongles then. Thanks a lot!

T7 didn’t work for me - I hooked one up to a Blackmagic video assist 12g and it would record for a half second. Switched to a Sandisk and it recorded ok. Something fishy with the T7…

If you apply the same principles (setting ports to tagged or untagged, setting the PVID) you can figure it out.

A lot of reasons… some for purposes of organization (e.g. personal devices on one, business on another), but many are focused on security. Both networks have internet access, but are isolated from talking to one another. For example, keeping devices you can’t trust off of your primary network made up of your computers and other devices which potentially contain/process personal or sensitive data (passwords, financial/health information, etc.) Some of those I want to keep off of my LAN might include computers/phones of visiting guests, or devices designed or manufactured in countries or by companies with potentially malicious intent or are apathetic to security. I can’t trust a WiFi lightbulb made by a no-name company in China to take security seriously, or trust that the computers or phones owned by guests haven’t been compromised by malware, and would prefer that the opportunities for those to scan or infect devices on my network be kept as low as possible.

Thank you for the clarification.@@djp_video

I guess the best advice I would give would be to configure the ports on your switches that connect to your crucial devices (computer being used to do the configuration and router, for example) last, leaving them set to their default settings until you know you've configured and tested all of the other ports to make sure they're working as intended first. You can setup new ports for the required functionality and move the critical devices to the new ports temporarily to test them. Once you know everything is working as desired you can complete the configuration by copying settings from the working ports to the last ports.
But I'd advise that you always leave at least one switch port with its original configuration left alone so you can always use it to configure the switch.

@@djp_video Again full of valuable advices. Thanks a lot for your reply. Guess, I'm gonna give it a try this way.

@@CarbonRacer some switches have a feature were they dont fully save changes until you hit save all changes. so you can config and check if everything work if its not you can simply reboot the switch and revert the changes otherwise can press the reset button and start over

As mentioned in my last reply, you either have to have a router which supports routing across multiple VLANs, or use multiple routers -- one for each VLAN/subnet, plus one additional to combine traffic from the various VLANs.
Layer 3 switches can do routing for you as well, but those get expensive quickly.

The phone I mentioned could be anything, but I was thinking of a VoIP phone when I created the video.
I have wireless access points that provide WiFi for the VLANs that need it. And the access points that I use (as many business-grade units do) can provide wireless connectivity for multiple VLANs simultaneously over a single trunk connection -- so each VLAN gets one or multiple SSIDs (network name) and wireless security settings. (VLAN 1 might get a name of Wireless1 where VLAN 2 might be called WiFi2, or whatever you want). Just look for a Wireless Access Point (WAP) with multiple VLAN capability.

I should mention that some routers, like the Edge Router X that I use, can provide your routing needs for multiple VLANs simultaneously. You don’t necessarily have to have a separate physical router for each VLAN if you get a router than knows how to work with multiple VLANs.

@@djp_video Thank you so much. Once again that was very helpful. Have a super day!

I personally don't have any VLANs setup on my routers. Though many models do support it.

@@djp_video Ok, thanks for the reply. Are all devices other than the network ones with static ip's then? Or does the router still give devices on other Vlans ip's as well?

Even with static IPs you still have to have routers to move traffic from one network to another. In the case of getting out to the Internet, this usually means routers with NAT routing, which all consumer routers do. But when you have multiple VLANs which need Internet access and you're using consumer routers, this usually means multiple routers -- one for each VLAN, and all of those behind another router which combines the signals from the others.
There are routers out there which will support multiple VLANs simultaneously, but they are generally more complicated than the consumer routers that you'll find at your local big box store. I use the Ubiquiti Edge Router X in my trailer to accomplish this -- you can set up as many separate networks as you like, each with its own subnet, getting its own unique IP address range, and being able to route traffic between the various networks. But there are many other models that can do this as well... they just tend to be much harder to configure than consumer products.

@@djp_video Ok, so if I understand it correctly if I want to let different Vlans have internet it need's to be configuered in the Router, and if I just want to split up the network like dante I can do it on the switches?
Also could do a video on how you set up the router in your trailer? how does that work if you connect to a venues system that already has a router in it?

Not using just VLANs. Think of VLANs as completely separate networks that can't see one another. So, just like separate physical networks, a router is required to 'route' data between the two networks. Some managed switches provide some basic routing capabilities, but if you're using consumer gear like the GS308 you're unlikely to find routing features built-in. And when I say 'router' I'm not referring to consumer routers -- you need something a little more sophisticated than that.

@@djp_video Any recommendations? Will an Edge Router X work?

Yes, the Edge Router series will do it. You'll separate the ethernet ports into individual VLANs, then give the device an IP address for each VLAN, and then add entries to the routing table to route the required traffic between the VLANs.
If you haven't seen my video on IP networking yet, that's a good start: czcams.com/video/eSaKz1MKsVM/video.html

I think i found the issue, I found a layer two switch between the trunk line between the two layer 3 switches.

Yes, all of the equipment has to support and be configured for the VLANs you're trying to setup. An unmanaged (or unconfigured) switch won't know what to do with the VLAN tags and they usually just ignore those packets altogether.

Well, you'd need additional equipment to do that. Your ISP router almost certainly doesn't support VLANs, either in terms of providing Internet access for them or creating multiple wireless networks.
Almost no "consumer" routers support VLANs natively. You'd need to step up to a router that does, and a separate wireless access point to create your WiFi networks.
In terms of routers, the least expensive option I know of is the Edge Router X from Ubiquiti. But it isn't easy to setup, especially if you want multiple VLANs. Another option is to use an old PC and install pfSense on it. But again, not easy to setup.
Getting multiple wireless networks from multiple VLANs is a little easier. Most dedicate Access Points can do this. You'd set up multiple wireless networks, and tie each one to a separate VLAN.
The closest you're going to get with a single device would be a "Guest network" which separates network data on to its own wireless network, but that's about all you can achieve using consumer equipment.

Thank you, I have purchased Netgear Orbi pro (Multiple SSID and VLANs support )and I think I finally got the missing piece :) @@djp_video

I actually have two routers on my network... the one that is connected directly to my ISP (a Ubiquiti Edge Router X on VLAN 101) and a second (a D-Link something or other) which provides routing for my main LAN (VLAN 3). And yet another router in my trailer, and the LAN side of that is on VLAN 11.
While my Ubiquiti Edge Router X does have VLAN capability, I'm not using it. In my case it isn't even aware that I'm using VLANs on my network. It's plugged into a port which is set as Untagged for VLAN 3 and a PVID of 3.
In this demo my internet connection is on VLAN 101. My main LAN has Internet through my D-Link router on VLAN 3,and my trailer has Internet access through its own router on VLAN 11. The other networks do not have Internet access by design. My audio network (61) doesn't have any kind of router or DHCP server -- I use auto-configured IP addresses, as recommended by Audinate for Dante networks.

@@djp_video The ER-X is very flexible if you use the vlan-aware switch0. But there are some oddities when using vlan-aware, as it won't route between switch0 and the vlan subinterfaces (what EdgeOS refers to a vif e.g. switch0.101). So you need to have all your vlans "tagged" to the internal switch, then you can untag a specific switch-port by specifying the pvid. You can see the vlans that the ER-X reserves for itself using the unsupported /sbin/switch program. For example, sudo switch vlan dump, sudo switch pvid dump and to see the mac address table, sudo switch dump.

In these examples, port 1 on the switches shown connects to the upstream switch, which is then connected to my router. The network created by my ISP router is on my VLAN 101. That's something I setup, not something that came from the provider.
Did you watch part 1 of these videos?

Creating a VLAN doesn't on its own setup DHCP or assign any IP addresses to any devices. You decide on whether you want DHCP or static IP addresses, and have to add your own DHCP server to a VLAN if you want to use DHCP, or manually assign IP addresses to each device if you don't. It doesn't happen automatically.
If you're getting IP address/subnet errors in Dante Controller, you've got a different issue. What that likely means is that you've got a misconfiguration for your VLANs and you're getting network traffic from what you intend to be different VLAN(s) mixed into a single VLAN (for example, you want all Dante traffic on VLAN 20 but it's making it into VLAN 10). The most common cause of this would be assigning multiple VLANs to a single switch port. Go back and make sure that every port is only assigned to one VLAN, and that for each of those ports the PVID assignment matches the intended VLAN ID.

@@djp_video when creating vlan, it is asking to choose between manual ip assignment or dhcp. I have one switch in 192.168.1.1 and second switch in 192.168.10.1. Dhcp set on respective 192.168.1.0 /24 and 192.168.10.0 /24. I am positive i am communicating to correct vlan pvid. It just that vlan2 (for example) in first switch is in 192.168.1.xxx subnet and vlan2 is second switch is in in 192.168.10.xxx subnet.. I did not know what i do wrongly

What device are you using? Are you using the industry standard 802.1Q VLANs? From your description it sounds like something else. What model switch are you using?

The VLAN itself doesn't. Segmenting a network into VLANs means that each one of those VLANs, for all intents and purposes, is a completely separate network, just as if you were using two separate, un-connected switches.
For IP networking to work, you'd need to add that on top of the VLAN, just like you would for any Ethernet network. In most cases that means adding a router with DHCP to provide IP addresses and/or Internet access for that VLAN.

If the Proxmox has VLAN support enabled, you'll want to set the port up the same way as it is in Proxmox... which would likely mean that everything would be Tagged.

@@djp_video Thank you, I was thinking the same way: vlan aware Proxmox vmbr and then ports on switch ( I use multiple as redundancy) as Tagged for all VLANs that are supposed to be visible by VMs/CTs. Thank you again.

As you've probably figured out, each VLAN is completely separate from one another and having internet access on one VLAN does not grant internet access on another VLAN. It is just like having two completely separate networks, and some device needs to provide an Internet connection for each VLAN.
The way to solve this is to use a router for each VLAN. And if you do have multiple VLANs with multiple routers, you may also need another router in front of the VLAN routers to provide Internet access for each of those. Or, if your switch has routing capability and supports NAT, you can have your switch perform that function for you. Or use a router that can support multiple subnets. I use the Edge Router X from Ubiquiti, which can provide Internet access for multiple separate networks.

​@@djp_video Thank you for your prompt response. However, I would like to mention that my scenario differs slightly from what you gathered from my initial comment. Allow me to explain it clearly. I have three Netgear managed switches, each of which has been configured with two VLANs (1 and 30). In SW1, the SFP 25 port is set to T for VLAN 30. In SW2, both the SFP 25 and Gig18 ports are set to T for VLAN 30. In SW3, the Gig18 port is set to T and connected to the Gig18 T port in SW2. These connections are for my internet connection and are functioning without any issues.
VLAN 1 is dedicated to my TV feed, which is encoded by an encoder. I want to transmit this feed over IP using Cat 6 and then transfer it via fiber to another building where it will be decoded. In VLAN 1, the SFP 26 ports in SW1 and SW2 are set to T. However, in SW3 with VLAN 1, I do not have a T port. Whenever I connect the TV feed Out (from the encoder) to the U port in SW3, my internet connection in VLAN 30 gets disconnected, and simultaneously, I am unable to receive the TV feed.

Most are good. But I've had really good luck with the TP-Link models, for example:
8-Port: amzn.to/42ntM6h
8-Port with PoE: amzn.to/3JRb5R6
24-Port: amzn.to/40lWgv9

@@djp_video 🙏 thank you !!!

Just remember that each VLAN is its own separate network, so if you want Internet access, it has to have a router of some kind. And that means DHCP for each VLAN as well.
You can either setup a dedicated DHCP server for each network, or configure a managed switch with DHCP relaying to send those requests to a DHCP server which supports it (hint: consumer routers don't do that). One inexpensive, easy way to provide DHCP to each network is to add a dedicated consumer router to each.
In my case, I use a Ubiquiti Edge Router X, and have it setup to provide Internet connections for up to 4 separate VLANs. (It can do more than that though.) Each of its Ethernet ports can be setup to be on its own network, and those connected into a separate VLAN, or with a little time and patience one or more of its ports can be setup with VLAN support as well, so you can serve DHCP and routing to multiple networks with a single cable. That's starting to get into some complicated configuration, though, so if you aren't up for that the simplest solution is just to pick up a few consumer routers and put one one each VLAN that needs Internet, and then connect the WAN side of those to a single master router which provides Internet for everything.
pfSense can be made to do it too -- you'll either need separate NICs for each network, or to configure a supported NIC for separate VLANs and make sure that packets are tagged properly in both directions. Again, it can be done, but it can be a little tedious to get it all setup and working.

@@djp_video One thing: if I need to physically isolate the networks from each other, it kind of defeats the whole 'virtual' aspect of a VLAN. Physical isolation is easy, I wouldn't need any help with that. I could use a Raspberry Pi to act as a DHCP server on the isolated network, but I thought you could 'virtually' isolated the traffic using VLAN's. Am I wrong to assume that?

You are virtually isolating the LANs. They behave as if they are completely separate and have no connection to one another, unless you explicitly have some kind of router on the networks to relay data between them. Because they are separate networks, even though they are on a single switch, each one needs its own DHCP and routing. The VLANs can't talk to one another without routing between them.
The advantage of VLANs is that you can (1) manage and troubleshoot multiple networks on a single network switch, and (2) combine traffic from multiple VLANs on to a single cable, provided that the devices on both end of that cable know how to handle VLAN tagging. VLANs also limit the size of the broadcast domain, which essentially means that you get a reduction in "broadast" network traffic since broadcasts don't cross VLANs, and the broadcast traffic increases almost in an n^2 relationship with the number of devices on the network. But that's beyond the scope of this discussion.
Let me back up just a little bit to help this make sense.
VLANs are a function of Layer 2 of Ethernet -- basically managing network traffic based on device MAC addresses and the switch ports they are connected to. IP, TCP/IP, etc. are Layer 3 protocols -- they happen above layer 2 -- in other words, on top of, but independent from Ethernet and MAC addresses and the like. (That essentially means that IP can also travel over other types of networks, like WiFi, dial-up, VPNs, etc. and don't require Ethernet to function, and Ethernet is independent of IP). VLANs segment a network and normally devices on different VLANs cannot see or talk to each other without a device configured to route data between them, hence the term 'router.'
Managed switches come in a few varieties... A classic 'Layer 2' Managed switch lets you isolate different networks into VLANs by having the switch 'tag' packets with a VLAN ID. And they have rules internally which tell them how to distribute that traffic. That's what the video you watched is about-- setting the rules for the switches on how they tag incoming packets (PVID), where to send them based on those tags, and whether or not to remove the tags when sending out to a device (Tag/Untag rules). All of that happens in Layer 2, which means that it is unaware of IP, TCP/IP, DHCP, DNS, all of that. So a strictly Layer 2 Managed switch can't help with IP routing. It doesn't even know that IP exists.
Layer 3 managed switches do everything a Layer 2 switch does, but are also aware of IP, and can route traffic based on IP addresses, routing tables, etc. They usually provide some basic services to make that happen, like DHCP, DNS, routing tables, ARP, etc. So if a switch is a Layer 3 switch, it can handle the routing between VLANs if you configure it to do so. Layer 3 switches can be classified as routers. But most routers are not layer 3 switches. But, that said, if a L3 switch doesn't support Network Address Translation, you STILL need another device (router) that does.
So if you have a strictly Layer 2 switch, you have to have something on your network to provide IP-based services. The switch can't do that for you, because it just doesn't have the software to handle things happening at layer 3. DHCP and DNS and everything else related to connecting to the internet are IP-based protocols, so they happen in layer 3... which means that devices which are layer 2-only can't provide services related to those protocols/functions.
Many consumer switches are labeled as "managed" or "smart" provide some subset of the functionality of a full layer 2 managed switch. But usually enough to do the kinds of things we're talking about. They almost never provide any layer 3 services.
There is also a bit of a gray area -- we'll call it Layer 2.5 Managed Swiches for the sake of discussion -- where a Layer 2 switch does have some limited Layer 3 functionality. For example, the TP-Link switches I use in my home, video production trailer, and on location at client venues, can do really basic routing ("Take traffic from the 10.1.1.0 network destined for 10.2.2.0 and send it over to that network") and provide DHCP relay, where a device on one of the VLANs can make a DHCP request and these switches will take it from that particular VLAN and send it to a DHCP server on another VLAN which has been configured to know how to respond to a relayed request, and then send the response back through the switch so devices on that network can get an IP address. That said, most of those types of devices do not support NAT routing, so even in those cases you still need a separate router with NAT functionality if you want Internet access.
In terms of connections to pfSense, it can provide all of the Layer 3 functionality you need and then some -- routing, DNS, etc. if you happen to have a NIC which supports VLAN tagging (not all do), and the driver for that NIC supports VLAN tagging, you can run a single cable from a managed switch to your pfSense router, and set up the connected switch port and PC to preserve the VLAN tags, then you can have pfSense perform any routing between VLANs and/or the Internet as you'd like. (Sharing traffic from multiple VLANs on a single cable is called trunking, FYI). But if your NIC or its driver don't support VLANs, or you'd prefer not to take the time to set that up, you do need to have separate NICs in that computer for each VLAN for them to talk to each other or the Internet. Once pfSense is setup to talk to the VLANs, you can assign unique IP address ranges for each VLAN, then add a DHCP server for each VLAN, and add some routing rules to tell it how to route data between them.
If you'd like a primer on IP and how it works (and how it relates to layer 2), I have a video about that specifically: czcams.com/video/eSaKz1MKsVM/video.html. While I don't explicitly cover the layers of the OSI model, conceptually I do cover a lot of what is happening under the covers and it might clarify some things for you.

For networks that need it, yes, it is provided by my Ubiquiti Edge Router X.
For my Dante network, I don't use DHCP. I let my devices use auto-configured IP addresses unless I"m integrating into a Dante network at a client venue, at which point I use their DHCP.

@@djp_video I used to do all this with Cisco command line. Never liked the GUI. It's been over 10 years now since I last worked tagged and/or trunked VLANS/PORTS. Trying to figure it out how to do this (trunk) on a draytek vigor router. VLANS is the easy part but one trunked link to another switch is doing my head in. Hence I'm watching videos on CZcams lol

Start with a really basic setup... just one VLAN per port. Write down on a sheet of paper what your VLAN IDs are going to be and the purpose/name for each, and then decide which (single) VLAN each port should be a part of. With that written down, in the web interface or app for your switches, assign each port to its designated VLAN ID by setting it as Untagged for that VLAN ID, and remove all other assignments (only that one VLAN ID as Untagged, and none set to Tagged), and set the PVID for each port to its assigned VLAN ID. That includes any links between switches... for the initial setup, use Untagged ports to relay traffic between switches (if you want to get traffic for 3 VLANs from Switch A to Switch B, use 3 separate cables at first); don't attempt Tagged ports or multiple VLANs per port just yet. When that is configured correctly, any devices on each VLAN should be able to talk to other devices on the same VLAN, but nothing else should see each other. That usually means that you won't have Internet access on anything but your primary VLAN, and devices on non-primary VLANs won't even be able to obtain an IP address automatically.
Once you've got that working and are comfortable with that, you can move to the next level -- tagged VLANs. And keep in mind that those should only be used when connected directly to devices which support that feature. Pick which ports need to convey additional VLAN traffic (on top of the assignments you've already made), then add those VLAN IDs as Tagged for those ports (e.g. Add VLANS 10, 20, 30 as Tagged to port 8, which is already assigned as Untagged for VLAN 1). If you connected any cables between switches for VLANs besides your default (e.g. to relay VLAN 10), disconnect those cables between the switches before adding those VLAN IDs as tagged to another connected trunk/relay port.
Depending on the model of switch, you might need to adjust the port/link type/VLAN mode to support some of these configurations. ACCESS is used for ports which will only need to be on one VLAN, GENERAL is for ports that need to be on multiple VLANs but one of them will be untagged, and TRUNK is for any multiple VLAN configuration (though usually all tagged).

@@djp_video I finally figured it out. Thanks for the reply. Might've been helpful two days ago but behind on my email. Well probably still will be helpful.
What I've been doing is taking a strip of masking tape across the top of the switch and laying out what should be what.
Although I've had this layout figured out for a good few years and not had time to work on things, I have actually most of my switch ports labeled with the LabelMaker. I probably have 5x 8 ports and 2x 5 port units at this point.
I have a text document that lists in number order my VLANs and descriptions, bold and large font.
I have 4 to 6 local VLANs and 4 WAN VLANs. ( primary Cable, cellular back up, Cellular hotspot and Test. That's at Home but I also wanted to mirror that onto my smaller unit which I plan to use as a super powerful travel router ). And mostly everything can stay virtual except for one port for each and not everything actually needs to come out. My original goal was that I wanted to be able to enable a VLAN Interface on my laptop and get a public facing IP to test stuff bypassing the router entirely from within my local network. And the other goal was sometimes I need to set some thing up and it would really be nice if I could just plug a switch into My LAN which would break out those 4 WAN connections anywhere I would want them.
I ran into 3 problems. The first one was second-guessing myself and wondering if I was actually setting the right settings in the switch and this video was so helpful. I got so deep down into it I was thinking I have to be doing something wrong. I've watched probably a dozen videos over the last few years, but nothing has been this clear. And covered the same configuration across different vendors.
The second problem is that I'm using a NetGate 3100 hardware box and I think when I originally set it up their documentation was different. It has 3 dedicated interfaces one of them breaks out into a 4 port switch built into the unit. And their documentation said to add the tags to each of the four ports that you wanted them on, easy.
What was neglected to mention I think and the biggest part I was missing the internal 5th port is between the switch and the router and it needed to also be tagged to pass that traffic. so as soon as I did that, boom I'm getting IP addresses on 4 different interfaces.
And the third problem. My management network is untagged zero and I wanted to bridge that within the router out to a VLAN. so devices could either be on the management VLAN or on the untagged LAN and get the same IP, Broadcast domain, visibility.
I Could never quite get this working, then I got to a point where enabling something would break everything.
Finally I got to a point where the switch I was using would tell me that there is a loop condition and what port which really helped me narrow down what was happening and where. Unfortunately I think I'm gonna have to set up another IP address range and forward through routing rules. But at least everything else is functional.
Part of what was tripping me up there's no distinction between general and trunk with the TP Link Smart switches (dumb smart switches).
Very helpful information though I'll be rereading it multiple times as there's always something to learn.
It was a lot of I turn switch on, light should come on, why is light not coming on, check lightbulb, repeat.
At least 4 of my VLANs are pretty much identical with different IP addresses it was a lot of repeat 4 times and everything should be set up and working but wasn't. The 4 WAN VLAN were also pretty much similar just going into the router rather than out. so again just repeat 4 times and that was sort of working, I was getting WAN connections with IP's but they weren't passing through the switch to another switch.
And I had part of this working with my old router so I was trying to rebuild from scratch on the new router over the course of the last four years on and off.
I was Hired by a very manipulative person who hired me to do his event and some computer work. and it turned into a two-story addition working on classic cars cleaning the garage working on tractors and a heavy dose of manipulation whenever I asked for a day off. because apparently I was supposed to be there Monday through Monday 8 to 8 then go set his event up on Friday and get home at 11 (mostly by myself, but he wants TED talk Apple event quality) then be there Saturday morning two hours before he shows up with the guest speaker but he would never say when he was going to get there. Then in November last year he called me a liar said I was off loafing on company time and a month earlier there's no way I could've gotten lost in the nearby state when I took his truck and trailer and other employee to pick a literal 2 tons of wood scrap up at an auction. that's when I said if you're gonna play that card I'm gonna play my card, I'm not your employee, goodbye a week before his event. Which put the bargaining chip back in my realm to say I'm only doing your events. And then of course that follows 3 to 4 months of catching up on 3 years worth of lost sleep before I could be productive again. But I digress.
I do live video streaming, audio, sound mixing, video, small Office IT and computer support etc. so most of my home network configuration can get mirrored to my travel router as well NetGate 1100, although the interfaces on this one are a little bit different which makes setting a lot of this up easier. Which means all my segmentation can pretty much carry over. As I am planning to have hotel Internet on WAN1, 2 Cellular hotspots on WAN2/WAN3 so it just makes sense to have 4 WAN connections available. On the LAN Side primary, secured guest, guest/public/IOT, Test.

@@djp_video TLDR I've only been half shooting myself in the foot part of it was a router problem part of it was a me problem. Finally at a point in my life where it's time to use the knowledge of the VLAN's and actually having a reason to implementing it makes sense and then when I go to implement it for myself it just doesn't seem to work. But then I go over and fix somebody's computer no problem. It's like when did I move to the Bermuda triangle?
I finally got things talking. Most of the problem was an extra step on the router which I think the documentation missed and then the floodgates opened, which helped me narrow down the other problems I was having.

I don’t buy that. For virtually every managed switch out there #1 is the default admin VLAN

What do you mean? It's high quality 4K.

I thought the video and audio quality were great. No problems viewing on my end.

Thank you!