Cake day: June 13th, 2023

  • Are you learning networking? You’re entering the world of VLANs. In the networking OSI model, Layer 3 is where you’re dipping your toes.

    I’m gonna try to over-simplify this, but each network has a gateway, which is a layer 3 device that helps a local network talk to other networks, either in the house or on the internet. That doesn’t have to be a physical device; it can be a virtual network device on your bigger layer 3 device. Most residential network gear won’t understand this. When you get into VLANs, it’s like having multiple separate networks on the same devices; if you have “VLAN 10” and “VLAN 20”, devices on VLAN 10 cannot see devices on VLAN 20, even if they’re connected to the same switch. This is done by “tagging” ports, which is where you specify what network each port is on. You can also have a port with multiple VLANs on it, which is called a “trunk”, but for this to work the network traffic has to carry a tag specifying what VLAN each packet belongs to (though each trunk also has a “native” VLAN; think of it like a default VLAN if a packet isn’t tagged). The verbiage changes based on the vendor, but that’s the idea.

    In the actual world, here’s how that works. Ports with devices on the other end with multiple devices/networks on them (access points, switches, firewalls) usually are trunks, then end client ports (your computer, a printer) are “access” ports. You would apply a single vlan to access ports, or make it an “untagged” port, whereas you “tag” multiple vlans on trunk ports. The networking devices will make most of that happen.

    So how can you shape the traffic between them? Your firewall/gateway/layer 3 device. The easiest entry point into this is to get a small computer (a 1L PC, which you can get nearly as e-waste; having multiple network ports is good) and install OPNsense on it. It’s free and good for learning, and I use it in prod today. The OPNsense box, let’s say, has 1 physical NIC, then you create a virtual VLAN interface on VLAN 10 and 20. That becomes your “default gateway” on all client devices on the respective networks. All traffic leaving the networks goes through this device (so faster network ports are better), and that is why firewall rules get to allow/block ports, IPs, endpoints, etc. Your port forwards to the internet happen here as well. You can make a firewall rule to say your other network allows passing traffic to the original network on port 53 to the Pi-hole, for example, so DNS servers on a different “LAN” can still be used.

    This is a complicated subject, but getting some gear on eBay (a “managed switch”) is a great way to learn. For example, I have an access point with a management interface on my “mgmt” VLAN (99, number is arbitrary), then I have 2 SSIDs, one for IoT stuff (VLAN 5) and one for my devices (VLAN 4). The port going to the access point on the switch is native VLAN 99 but tagged to allow traffic with packets tagged with VLAN 4 or VLAN 5, and the access point tags the traffic based on which SSID the client connects to; the client doesn’t care.
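The trunk/access tagging and the inter-VLAN DNS rule described in the comment, modelled as a small simulation. This is an added example, not the commenter's setup or OPNsense code; the VLAN numbers (4, 5, 10, 20, 99) and the port-53 rule come from the comment, while the /24 addressing and the Pi-hole address are constructed.

```python
"""Toy model of 802.1Q access/trunk ports and a default-deny inter-VLAN
gateway with one allow rule (DNS to the Pi-hole). Constructed example."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Port:
    mode: str                 # "access" or "trunk"
    native: int               # VLAN given to untagged frames
    allowed: FrozenSet[int] = frozenset()  # tagged VLANs a trunk accepts

def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame lands in on entry; None means the switch drops it."""
    if tag is None:
        return port.native
    if port.mode == "trunk" and tag in port.allowed:
        return tag
    return None  # tagged frame on an access port, or VLAN not allowed on trunk

@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst_ip: str      # "any" or one address
    dst_port: int    # 0 means any port
    action: str      # "pass" or "block"

# Constructed addressing: one /24 per VLAN so the gateway can map IP -> VLAN.
SUBNETS = {4: "10.0.4.0/24", 5: "10.0.5.0/24", 10: "10.0.10.0/24",
           20: "10.0.20.0/24", 99: "10.0.99.0/24"}

def vlan_for_ip(ip: str) -> Optional[int]:
    addr = ipaddress.ip_address(ip)
    return next((v for v, net in SUBNETS.items()
                 if addr in ipaddress.ip_network(net)), None)

def gateway_decision(rules: List[Rule], src_vlan: int, dst_ip: str, dst_port: int) -> str:
    """What the layer 3 gateway does with a packet leaving src_vlan."""
    if vlan_for_ip(dst_ip) == src_vlan:
        return "switched"        # same VLAN: never reaches the gateway
    for r in rules:
        if (r.src_vlan == src_vlan and r.dst_ip in ("any", dst_ip)
                and r.dst_port in (0, dst_port)):
            return r.action       # first match wins
    return "block"               # default deny between VLANs

AP_PORT = Port("trunk", native=99, allowed=frozenset({4, 5}))  # AP uplink from the comment
CLIENT_PORT = Port("access", native=20)                        # a wired client on VLAN 20
PIHOLE = "10.0.10.53"                                          # constructed, lives on VLAN 10
RULES = [Rule(src_vlan=20, dst_ip=PIHOLE, dst_port=53, action="pass")]
```

Anything not matched by the single allow rule falls through to the default block, which is the behaviour the comment relies on to keep the IoT SSID away from the other networks.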