Managed Ethernet Switches: What gets managed?

I know it’s an old(ish) thread but I’m playing catch-up…

A managed switch allows you to segment one or more ports into a separate virtual LAN (VLAN). This enables you to divide the network into sections based on use. For most people, in a home environment, it’s probably overkill. You will also need a VLAN router to route traffic between the VLANs (or prevent traffic through the use of firewall rules).

I have a 24-port TP-Link managed switch at home and I’m running five VLANs currently: virtual (VMs running assorted functions, e.g. AD domain controller, file shares, Docker instance - for Plex and others), physical (anything that is plugged in, so laptops, desktops, NAS), external (PS4, Xbox One, Sky+, Sonos), management (UniFi controller, switch, router, APs), lab (segregated network for testing stuff for my day job).

Handling the routing is a UniFi Security Gateway and WiFi is provided by two UniFi AC APs, one at the front of the house and one at the back - the latter being connected via TP-Link powerline adapters.

I have four WiFi networks/SSIDs, one for each of the physical, external and lab networks, and one for a Guest network. The USG and UniFi controller software manage all these.

Everything pretty much manages itself. Occasionally I’ll fire up the UniFi app on my iPhone to get a status update, check traffic stats or print out some more voucher codes for the Guest network.

If you’re getting powerline adapters, make sure you get ones that do at least 1Gb. In my experience you’ll never get that speed as many factors will affect the throughput, mainly the wiring in your house. I get around 80Mbps which is good enough for the devices at the back of the house to connect to the internet.

I think that just about covers it.

The TL;DR version:

  • basic requirements with a few devices, use the ISP’s router
  • more complex requirements, lots of devices, multiple APs - UniFi gear

It’s reasonably straightforward to be honest. The only incoming port forwarding rule I have is for Plex, which is forwarding to a VM running my Docker containers. The only other incoming connection I have is for VPN, which is handled by the USG natively.

As for VLANs, I have the following:

VLAN 1 (default/management) - the switch, USG and APs are all connected to this VLAN
VLAN 10 (internal) - laptops, desktops, physical devices, VMs running on Hyper-V
VLAN 20 (external) - PS4, Xbox One, Sonos, Sky+, anything that doesn’t need to be on the internal network
VLAN 30 (guest) - guest network provisioned by the UniFi controller software. Routes to internet only. Access granted through one-time use tokens
VLAN 40 (lab) - where I do my R&D for my day job.

I have SSIDs mapped to each of the four VLANs. Internal, external and lab are secured using WPA2, guest is open in order to connect to the portal to enter the voucher code.

I’ve had the TP-Link switch (Layer 2) for about five years. It’s a 24-port and at one time, I think 18-20 ports were in use, back when I had three 1U servers, each using three ports, plus assorted desktops. Now I think I am using around 8-10, including the two APs, one desktop, one server (four ports), a small NAS, plus the USG.

The UniFi gear I have only had since the beginning of this year. Prior to that, routing was handled by a VyOS instance running in a VM. The downside to that was that if the Hyper-V host was down, so was all network routing and internet connectivity, hence the desire to reduce the reliance on virtualisation. It served a purpose years ago when I was running a two-node Hyper-V cluster as most “services” were fault tolerant. When one of the hosts started developing hardware issues, it made me aware that not everything was.

Given nearly all of my Microsoft infrastructure (Active Directory, etc.) is slowly being turned off for “Production” use - I still have the lab environment - I am actually considering whether I keep the Hyper-V install or install unRAID on the host instead.
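The VLAN layout in the post above (VLAN 1 management, 10 internal, 20 external, 30 guest with internet only, 40 lab segregated) is the kind of segmentation a router enforces with ordered firewall rules and a default deny between VLANs. The following is an added example, not the poster's USG configuration: a small policy evaluator that encodes that layout so you can check which inter-VLAN connections would be accepted before committing rules to a device. Only the guest "internet only" and lab "segregated" rules come from the post; the remaining rules (external and guest may not initiate to internal or management, management reachable only from internal, internal may reach external and management) are assumptions.

```python
"""Inter-VLAN policy check for a five-VLAN home layout (added example)."""
from __future__ import annotations
from dataclasses import dataclass

WAN = "wan"  # pseudo-destination for "the internet"
VLANS = {1: "management", 10: "internal", 20: "external", 30: "guest", 40: "lab"}


@dataclass(frozen=True)
class Flow:
    """A new connection attempt: src and dst are VLAN ids or WAN."""
    src: int | str
    dst: int | str


# Ordered rules, first match wins. Anything unmatched is dropped, so the
# posture between VLANs is default deny and each allow is explicit.
# Rules marked "assumption" are not stated in the post.
RULES = [
    ("intra-VLAN traffic is switched, never routed",
     lambda f: f.src == f.dst, "accept"),
    ("guest reaches the internet only",
     lambda f: f.src == 30 and f.dst == WAN, "accept"),
    ("lab is segregated: internet only",
     lambda f: f.src == 40 and f.dst == WAN, "accept"),
    ("only internal may reach management (assumption)",
     lambda f: f.dst == 1 and f.src != 10, "drop"),
    ("internal may reach management, external and the internet (assumption)",
     lambda f: f.src == 10 and f.dst in (1, 20, WAN), "accept"),
    ("external devices get internet only (assumption)",
     lambda f: f.src == 20 and f.dst == WAN, "accept"),
    ("management hosts may fetch updates (assumption)",
     lambda f: f.src == 1 and f.dst == WAN, "accept"),
]


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (action, matching rule description) for a new connection."""
    for desc, pred, action in RULES:
        if pred(flow):
            return action, desc
    return "drop", "default deny between VLANs"


def is_allowed(src: int | str, dst: int | str) -> bool:
    return evaluate(Flow(src, dst))[0] == "accept"


def audit(flows: list[Flow]) -> list[Flow]:
    """Return the subset of flows the policy would accept, for review."""
    return [f for f in flows if is_allowed(f.src, f.dst)]
```

Inbound connections from WAN are deliberately absent from the rule list, so they fall through to the default deny; a port-forward such as the Plex one in the post would be a separate, explicit allow.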