I was hoping that "dumb" switches could be used behind the router and the router itself would take care of the VLAN separation. Is that line of thinking incorrect?
Briefly, a dumb switch may pass data frames without issue; another may not pass the tags; yet another may choke entirely on tagged frames and cause major network issues. You do not want to lose your hair when trying to resolve chaos.
Essentially, VLAN inserts a (VLAN) tag into a data frame on a switch. As a result, a switch needs to understand the 802.1Q protocol that adds a VLAN tag, or removes it, when and if needed.
A router typically has a switch (i.e. multiple LAN ports) built in that tends to blur its routing (IP addressing) function from the MAC addressing of a switch.
Lastly, each switch on each router model is 'wired' internally differently; as a result, it's unwise to treat specific VLAN settings the same for all router models.
Thank you for the explanation, @D.F.Cruizer. You've convinced me it is worth upgrading the PoE switch to a managed one. Luckily, I found a decent deal on a used one on eBay. Thanks again.
While some dumb switches may pass the VLAN header, provided you have the switch connected to a router LAN port with a VLAN assigned to it, the switch will only work with that one VLAN (some can even pass through trunked VLANs, but I have never seen one able to do this, only read about it). However, with that said, many dumb switches also strip out the VLAN headers, leaving you with zero passthrough (i.e. not working). The only way to know for sure is to connect a computer to that switch and see if it gets assigned an IP from the proper VLAN subnet.
EDIT: Oops, I didn't see page two of this thread and this was already answered. My bad!
_________________
Linksys EA8500 (Internet Gateway, AP/VAP) - DD-WRT r53562
Features in use: WDS-AP, Multiple VLANs, Samba, WireGuard, Entware: mqtt, mlocate
Wireless 5 GHz only
Netgear R7800 (WDS-AP, WAP, VAP) - DD-WRT r55779
Features in use: multiple VLANs over single trunk port
Linksys EA8500 WDS Station x2 - DD-WRT r55799
Netgear R6400v2 WAP, VAP 2.4 GHz only w/ VLANs over single trunk port. DD-WRT r55779
OSes: Fedora 38, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '94, never having owned a Windows PC.
There are no tagged VLANs configured, so you don't need a managed switch that supports IEEE 802.1Q.
If you connect the switch exclusively to the VLAN1 port, there is nothing to separate because only VLAN1 is available via the port (same with VLAN4).
Quote:
I intend to connect a switch directly to the VLAN1 port and eventually turn off the wireless radios on the dd-wrt router.
Quote:
I intend to connect an access point and a PoE switch to the two ports assigned to VLAN4 and plan to utilize both the wireless and ethernet connections for devices.
So, the way the switch is configured and the way swampgator352 has described his plans, a managed switch is definitely not needed.
With a managed switch, however, there may be other configuration options.
Simply learn and understand the difference between port-based and tag-based (IEEE 802.1Q) VLANs.
Lastly, each switch on each router model is 'wired' internally differently; as a result, it's unwise to treat specific VLAN settings the same for all router models.
These differences are already taken into account by dd-wrt under the hood in the sysinit.
The GUI settings are all the same for routers with 1 or 2 CPU ports.
Before setting up my custom iptables rules, I did some testing of the "Net Isolation" GUI setting, and it appears that devices on br1 and br2 are able to ping devices on br0 (VLAN1). I did not expect this behavior based on the explanation in the Quick Start Guide.
Is there something I can test to determine why this is happening? Or should I just proceed with the iptables rules listed in the guide?