Not sure about VLANs

[bruci3]

Hi guys,

I have the below setup in my home:

https://imgur.com/UhEQYaC


I want to have LAN 1 and LAN 2 separate, so no client or wifi devices from LAN 2 can communicate with LAN 1.

Should I be putting LAN 1 and LAN 2 on different subnets or should I also be putting them on different VLANs too?

Also do I need to have a firewall rules to prevent LAN 1 and LAN 2 to communicate or would the Subnets or VLAN take care of that?

Lastly, how do I prevent clients on LAN 2 from communicating with each other?

As I have some chinese devices that connect to internet on LAN 2, and I prefer it not being able to reach any other devices or computers on LAN 1 or LAN 2.

Any advice? Thanks.

[bartjsmit]

You cannot stop clients on the same broadcast domain from communicating. They can configure any protocol between themselves, independent of the firewall. You create separate broadcast domains through physically different networks, or VLAN's.

In practical terms, this means that you have to put your Chinese (IoT?) on their own network. You can either have a separate NIC on the firewall, or you can create a separate VLAN on a managed switch. In both cases you need to separate the downstream networks, either by VLAN, physical switches, WiFi AP's, or a combination of these.

Bart...

[bruci3]

In practical terms, this means that you have to put your Chinese (IoT?) on their own network. You can either have a separate NIC on the firewall, or you can create a separate VLAN on a managed switch.

Ah...thanks for your help. I understand now and know what I need to do. Thanks 

[bartjsmit]

You are very welcome. I run four internal networks separated by VLAN on Netgear, Ubiquiti, and VMware. Ping back if you get stuck.

Bart...