How to set up VLANs behind ISP router without bridge mode?

I want to separate my home network into different VLANs. The router provided by my ISP has no functionality for this, so I am considering buying a separate router to make this separation possible. Unfortunately, I am not sure if it is even possible with a separate router.

The ISP router supports:

  • in the NAT settings:
    • can be turned on/off
    • there is port mapping
  • in the firewall settings:
    • allows on/off of NAT loopback/hairpin
    • IP address and MAC address filtering
    • DMZ configuration

Overall the admin panel is very limited, even in “Expert Mode”. The ISP explicitly states that they do NOT support bridge mode. My idea would be something like this:

  1. Put a second router (my_router) behind my ISP router
  2. Use the ISP router’s DMZ feature to forward all incoming traffic to my_router
  3. Set up VLANs and firewall rules (although I am not sure what these would look like; the ISP has just a toggle) on my_router
  4. Place:
    • my hosting server on an isolated VLAN
    • my devices on another VLAN

Are there any potential problems with this, and is this a safe thing to do?

To be honest, I am not set on VLANs, I just want to separate devices which I trust (e.g. my phone, laptop, etc.) from devices which I don’t or that could be compromised (e.g. smart devices, RPi that hosts some services over a Cloudflare Tunnel, etc.). If there is a simpler way than a VLAN, that would be perfectly fine as well…

Notes

  • If possible I would like to not introduce problems (is double NAT a bad thing in this context?) or compromise the up/download speed by introducing this second router, i.e. I don’t want to compromise the entire local network just because of this…
  • As a reference, I have read this question, which seems to try to achieve the same thing as I am, although they want to do this with only a managed switch instead of a VLAN-capable router. I also found this answer quite enlightening, although I am not yet sure how to correctly achieve this with subnet masking and routing (although this is a problem once I have cleared this hurdle…).
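As an added example (not from the question or the linked posts), this is what the firewall on a Linux-based my_router could look like for the setup described above: the ISP router's DMZ sends all unsolicited traffic to my_router, which keeps a trusted VLAN and an untrusted/hosting VLAN apart and only lets explicitly DNATed traffic reach the server. Interface names, VLAN IDs, subnets, the server address and the forwarded port are assumptions.

```nft
# Added example nftables ruleset for my_router. Everything below the comments is assumed:
#   eth0     = WAN side, plugged into the ISP router's LAN (my_router sits in its DMZ)
#   eth1.10  = VLAN 10, trusted devices           (192.168.10.0/24)
#   eth1.20  = VLAN 20, untrusted / hosting devices (192.168.20.0/24)
define WAN     = "eth0"
define TRUSTED = "eth1.10"
define UNTRUST = "eth1.20"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Router admin, DHCP and DNS are reachable from the trusted VLAN only
        iifname $TRUSTED accept
        # The untrusted VLAN may use my_router only for DHCP and DNS
        iifname $UNTRUST udp dport { 67, 53 } accept
        iifname $UNTRUST tcp dport 53 accept
        # The DMZ forwards every unsolicited packet here; none of it may hit my_router itself
        iifname $WAN drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Both VLANs reach the Internet through the ISP router (second NAT layer)
        iifname { $TRUSTED, $UNTRUST } oifname $WAN accept
        # Trusted devices may open connections to the untrusted VLAN (e.g. to manage the RPi)
        iifname $TRUSTED oifname $UNTRUST accept
        # Untrusted -> trusted is never allowed: no rule, so the drop policy applies
        # Inbound DMZ traffic reaches the hosting VLAN only if a DNAT rule below matched
        iifname $WAN oifname $UNTRUST ct status dnat accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Optional: expose one service on the hosting server (host and port are assumptions).
        # Not needed at all if the service is only published through the Cloudflare Tunnel.
        iifname $WAN tcp dport 8443 dnat to 192.168.20.10
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Masquerade towards the ISP router; this is the "double NAT" mentioned in the question
        oifname $WAN masquerade
    }
}
```

The ruleset can be syntax-checked without applying it using `nft -c -f <file>`; with this policy a compromised device on VLAN 20 cannot open connections to VLAN 10 or to my_router's admin interface, while the DMZ only ever delivers traffic to the one DNATed service.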