Hi,

I want to set up a simple network to serve 2 factory halls (60-80 workers) + a management building (10 office workers). They are all in the same location.

When I say simple, I won’t have servers or storage devices, as they will be in the cloud (as well as IP phones). Since I won’t have servers to manage, I won’t need an IT guy to look after devices.

I have the knowledge to connect unmanaged switches + access points together to the ISP router and assign DHCP to the ISP router, where all is managed by the router itself. However, I have a feeling that when there are 100 people with devices, a better solution is required. (There may be more than 254 devices logging in at one time.)

I have looked at VLANs, where Factory Hall 1, Hall 2 and the management building can be separated into 3 VLANs and all of these can be connected to the same ISP router for internet connectivity. So I need advice please. Simple, so I can understand it, but at the same time something that will provide some security and resilience. I am not very technical about VLANs at this moment, so if you can kindly guide me in the right direction, I will appreciate it.

2 Spice ups

But what equipment and/or hardware or devices would be served by your “network”?
What is in the cloud, and how are your users and/or devices connected to the cloud?
What would the users and devices be logging into?

So what do you understand about what VLANs are?

1 Spice up

Hi,

Equipment will be switches, access points and 1 router + modem (100/20 MBPS internet) for the internet access. There will be the usual PCs (clients, IP phones etc.). No servers. There will be shared files in the cloud (Google Drive).

I can certainly set this up without any VLANs by maybe changing the subnet so that rather than 254 devices we can serve more. However, I am not sure what bottlenecks I will face; therefore some suggestions were to divide the network into VLANs, and that is why I wanted to ask about it.

If you are going to have more than 254 devices (IP addresses), why not use a /23 (255.255.254.0) for your subnet mask? This will give you 510 usable IP addresses. That’s how we have handled it in our factory: a single flat network, no VLANs needed.

1 Spice up

Can you provide more details? Like domain-joined PCs?
What type of IP phones?
Whose phones? Will the phones need to access company resources?

Hi,
Cisco IP phones; no, they won’t need to access any resources, they need to be connected to the internet, that is all. Even if I somehow use VLANs, factory hall 1 and 2 do not need to see their resources. As I said, all shared resources are in the cloud.

I can definitely do as Chris suggested; the Asus router can handle the DHCP. I can build a flat network, however I have not set up a flat network with this many devices before. Asus routers have basic QoS or bandwidth management. If someone implemented this before and it works with no issues, there is no need for VLANs I suppose. I want to keep it all as simple as possible.

What cloud(s)? Or which cloud(s)?
Are the IP phones auto-homed to a specific provider or web address etc.?

Then are your PCs domain linked?

Also you mentioned 80 + 10 workers…given each using a PC and an IP phone…that’s max 200 devices? But nonetheless you should prepare for a larger subnet like Chris mentioned?

VLANs would not help with the Internet bottleneck if you have 200 devices using a 100 Mbps Internet connection? If all are using it concurrently, you have probably like 0.5 Mbps (or 500 kbps) per device IF your “Asus Router” can handle the load?
BTW is the Asus router a consumer appliance?
Also I think it should be 100 Mbps but seldom 100 MBps (800 Mbps) unless for consumer Internet lines?

QoS does not work when there are way too many concurrent connections vs a small bandwidth, as you need to know the minimum bandwidth needed for each IP phone & thus the max concurrent IP phones that can be used?
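To put numbers on the bandwidth question in the post above, here is an added Python example (not from the thread). It takes the 100/20 Mbps link and ~200 devices mentioned, uses the standard G.711/G.729 payload rates and RTP/UDP/IP/Ethernet header sizes to work out what one call costs on the wire, and then asks how many calls fit in the upstream once other traffic (a made-up figure for PCs syncing files) is subtracted. Voice is symmetric, so the 20 Mbps upstream is the side that binds.

```python
# Added example (not from the thread): capacity arithmetic for the link and
# phones discussed above. Link figures come from the thread; codec payload rates
# and header sizes are standard values; the "other traffic" inputs are made up.
LINK_DOWN_MBPS = 100
LINK_UP_MBPS = 20
DEVICES = 200            # thread estimate: ~100 PCs + ~100 IP phones

# Header overhead per voice packet, in bytes.
RTP_HDR, UDP_HDR, IP_HDR = 12, 8, 20
ETH_HDR_FCS = 18         # 14-byte Ethernet header + 4-byte FCS; preamble/IFG not counted

# Codec payload rate in kbit/s (standard values).
CODEC_KBPS = {"G.711": 64, "G.729": 8}


def per_device_share_kbps(link_mbps=LINK_DOWN_MBPS, devices=DEVICES):
    """Fair share if every device transmits at once (100 Mbps / 200 = 500 kbps)."""
    return link_mbps * 1000 / devices


def voice_call_kbps(codec="G.711", ptime_ms=20):
    """Wire bandwidth of one RTP stream (one direction) on Ethernet.

    G.711 at 20 ms packetization: 160 payload bytes + 58 header bytes = 218 bytes,
    50 packets/s, so 87.2 kbit/s. G.729 with the same headers comes to 31.2 kbit/s.
    """
    payload_bytes = CODEC_KBPS[codec] * ptime_ms / 8     # kbit/s * ms / 8 = bytes
    packet_bytes = payload_bytes + RTP_HDR + UDP_HDR + IP_HDR + ETH_HDR_FCS
    packets_per_s = 1000 / ptime_ms
    return packet_bytes * packets_per_s * 8 / 1000       # kbit/s


def concurrent_calls(link_kbps, codec="G.711", other_traffic_kbps=0, headroom=0.75):
    """Simultaneous calls that fit in what is left of a link after other traffic,
    using only `headroom` of the remainder (a link run at 100% will drop voice)."""
    remaining = max(link_kbps - other_traffic_kbps, 0) * headroom
    return int(remaining // voice_call_kbps(codec))


if __name__ == "__main__":
    up_kbps = LINK_UP_MBPS * 1000
    print(f"per-device share of the downstream: {per_device_share_kbps():.0f} kbps")
    for codec in CODEC_KBPS:
        print(f"{codec}: {voice_call_kbps(codec):.1f} kbps per call, "
              f"{concurrent_calls(up_kbps, codec)} calls on an idle 20 Mbps upstream")
    # Made-up scenario: ten PCs each pushing 1.5 Mbps of file sync upstream.
    busy = 10 * 1500
    print(f"with {busy/1000:.0f} Mbps of sync traffic: "
          f"{concurrent_calls(up_kbps, 'G.711', busy)} G.711 calls")
```

The takeaway matches the post: the phones themselves are cheap (well under 100 kbps each), so the thing that kills calls is not the phone count but unrelated bulk traffic eating the upstream, which is why the later replies talk about QoS on the firewall rather than more VLANs.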

I’d highly recommend a business grade firewall to start. While you can get away with consumer level devices, if this is a business, please give it the 1st layer of protection this LAN deserves. I’d highly recommend creating at least 3 VLANs: one for network equipment (firewall, switches, APs), one for computers, and another for VOIP phones. Having these devices segmented will at least get you the data of what is using up the bandwidth on your network.

If you’re anticipating the employee base getting larger anytime in the near future & you want to run a flat network, then use a /23 or /22 subnet as others have already said.

If it’s available in your area see if there is a plan with your ISP that is larger than the 100/20 Mbps plan. I saw a company’s network upload pipe crippled after a network migration because I think they only had 10 or 20 Mbps upload speed with their ISP. Of course, this was part of everyone’s OneDrive syncing at the same time for 80+ employees. Good luck!

1 Spice up

Thank you this really helps.

In our area 100/20 Mbps is maximum we can get unfortunately.

I am new to VLANs and firewalls; can you kindly recommend equipment which is easy to set up and configure (an easy to use GUI is preferred) to achieve this kind of network architecture?

I am not sure if VLANs are configured by the consumer grade router (if it supports them) or by managed switches?

If VLANs are configured by switches, is this the setup?

Firewall → Modem Router (DHCP) →

Switch 1 (VLAN 1) - PCs  
Switch 2 (VLAN 2) - IP Phones
Switch 3 (VLAN 3) - APs

Or am I completely wrong?

Thanks

Like others said, you need to leverage a firewall for the gateway between all the applicable networks and zones, including public internet.

Segmenting your networks into specific VLANs is more secure. Anytime you can force a network segment to traverse a gateway for IDS/IPS, ACLs, etc, you are making it more secure.

Are you the “tech-support” representation for this factory? Do you have any other resources you can pull in to help you out? Even if you need to engage a 3rd party resource, there’s no shame there. If I were the factory “owner” I wouldn’t want you experimenting or learning as you go on my dime.

2 Spice ups

Most of the modern firewalls have a GUI to click & edit settings as needed. Last one I implemented was a FortiGate firewall. Generally, VLANs are created on the firewall and assigned/untagged on the switches unless you’ve got Layer 3 switches.

Check your router’s admin console or give it a quick google search to see if it supports VLANs. Your firewall could also handle DHCP should you choose that route.

In very simple terms…VLANs are like breaking or splitting a network switch.
Like splitting a 48-port switch into 2x 24 or 3x 18 or any combination you need.

Then most often, for security and ease of routing, different IPs using different subnets are used for each VLAN, thus creating different networks. Very often, routers & firewalls are used between the VLANs to route data between the VLANs and block unwanted traffic.

For your case, I do not think you need VLANs at all as there are only max 300 devices as compared to 5000 devices? Then you may also not want servers and/or appliances like high-end firewalls and/or routers, but an Internet firewall is still always recommended.

I could propose maybe using a 10.x.x.x IP address range with a 255.255.252.0 (/22) mask

  • 10.1.0.1 to 10.1.0.255 used for appliances (if any)
  • 10.1.1.1 to 10.1.1.255 used for IP phones
  • 10.1.2.1 to 10.1.2.255 used for PCs
  • 10.1.3.1 to 10.1.3.255 as standby in case more PCs come in
    We had a case where there were already 200 PCs and we refreshed 50 at a time to laptops (changed PC to laptop), and during the changeover ran out of IPs as suddenly the location had 250 machines (need to power on current and new to transfer user files etc.)

Then you may have DHCP issue IP addresses from 10.1.2.xxx, then later increase to 10.1.2.xxx & 10.1.3.xxx when required.

I would not say you are completely wrong, but the main idea of VLANs is that no data (or very limited data) is transmitted to other VLANs.
That’s why above I said you do not need VLANs.

Then if you do split to using 3 independent switches, where does your Internet solution (ONT or modem & firewall) connect to?

Do note that all my assumptions are that

  1. All the PCs are using MS Entra or are non-domain-joined
  2. All the users are using 100% cloud or SaaS applications like MS365, Exchange Online, Google Workspace, eHR, eERP
  3. The IP phones are directly using cloud SaaS like Google phone or Zoom Phone, which are already programmed to log on to the SaaS
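The /22 plan in the post above is easy to get subtly wrong by hand (where a DHCP pool may start and end inside a flat supernet, and whether a PC refresh like the one described still fits), so here is an added Python example that works it through with the standard library `ipaddress` module. It is not from the thread; the 10.1.0.0/22 range and the role order are taken from the post, the 20-address static reservation per slice and the 200 + 50 refresh figures are assumptions.

```python
import ipaddress

# Added example (not from the thread). Address plan from the post above:
# one flat 10.1.0.0/22 network whose /24 "slices" are a naming convention only.
SUPERNET = ipaddress.ip_network("10.1.0.0/22")
ROLES = ["appliances", "ip_phones", "pcs", "pcs_standby"]   # order from the post
STATIC_RESERVE = 20   # assumption: first 20 addresses of a slice kept for static use


def usable_hosts(network):
    """Usable host addresses in a conventional (/30 or larger) IPv4 network."""
    net = ipaddress.ip_network(network)
    return max(net.num_addresses - 2, 0)


def split_roles(supernet=SUPERNET, roles=ROLES):
    """Give each role one /24 slice of the supernet, in order."""
    blocks = list(supernet.subnets(new_prefix=24))
    if len(roles) > len(blocks):
        raise ValueError("more roles than /24 slices in the supernet")
    return dict(zip(roles, blocks))


def dhcp_pool(supernet, first_block, last_block, static_reserve=STATIC_RESERVE):
    """DHCP range spanning one or more adjacent slices of a flat supernet.

    Because this is ONE network, an address like 10.1.2.255 is an ordinary host
    in a /22; only the supernet's own network and broadcast addresses are off
    limits. Returns (first_address, last_address, pool_size).
    """
    if not (first_block.subnet_of(supernet) and last_block.subnet_of(supernet)):
        raise ValueError("slices must sit inside the supernet")
    start = first_block.network_address + static_reserve
    end = last_block.broadcast_address
    if end == supernet.broadcast_address:
        end = end - 1                      # real broadcast of the /22
    if start == supernet.network_address:
        start = start + 1                  # real network address of the /22
    return start, end, int(end) - int(start) + 1


def peak_devices(existing, refresh_batch):
    """During a staged PC refresh the old and new machines are on at once."""
    return existing + refresh_batch


def fits(device_count, pool_size):
    return device_count <= pool_size


def summarize(existing=200, refresh_batch=50):
    """Compare the post's two DHCP options against the refresh scenario it describes."""
    blocks = split_roles()
    pcs_only = dhcp_pool(SUPERNET, blocks["pcs"], blocks["pcs"])
    pcs_plus_standby = dhcp_pool(SUPERNET, blocks["pcs"], blocks["pcs_standby"])
    peak = peak_devices(existing, refresh_batch)
    return {
        "usable_/24": usable_hosts("10.1.2.0/24"),
        "usable_/23": usable_hosts("10.1.2.0/23"),
        "usable_/22": usable_hosts(SUPERNET),
        "pool_pcs_only": pcs_only,
        "pool_pcs_plus_standby": pcs_plus_standby,
        "peak_devices": peak,
        "peak_fits_pcs_only": fits(peak, pcs_only[2]),
        "peak_fits_pcs_plus_standby": fits(peak, pcs_plus_standby[2]),
    }


if __name__ == "__main__":
    for role, block in split_roles().items():
        print(f"{role:12s} {block}")
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

With the 20-address reservation the single 10.1.2.x slice leaves a pool of 236 leases, which is why 250 machines during a refresh ran out; extending the pool through the standby slice gives 491. The point the post makes in passing is the important one: leave an unused slice next to the pool so that growing it is a one-line DHCP change, not a readdressing exercise.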

If you’re not going to have an IT guy to look after things, I’d probably say just get yourself a firewall, let it handle DHCP, and set the subnet to /23 (255.255.254.0 subnet mask) so you have 500+ IP addresses. I wouldn’t mess with VLANs because then anyone who is changing things up would need to respect/understand them.

For your firewall, I’m partial to OpnSense, which is free if you have your own hardware or they have this €649,00 desktop one: DEC697 – OPNsense® Desktop Security Appliance – OPNsense® Shop
It has a simple web GUI, lots of people talking about & helping each other with it online, it gets regular updates, etc.

Getting a basic business firewall like the above or others will be a big impact because in addition to some upgraded network security, it’ll let you improve your network in the future if you get the appetite to. You could set up a VPN to connect work-at-home people to your company network with one. You could get a second ISP and set it up to fail over to the second one if the first goes out. You can monitor actual bandwidth usage, applications and protocols being used, etc.

Edit: it’d be worth your time to make a plan of how to recover from a ransomware attack that locks up all your machines locally. Some more network configuration (VLANS) and various “IT guy” type stuff could really reduce the pain and impact (and likelihood) of that happening.

A lot of good advice here. One thing I would do is have a cable modem for a guest network. This would help with bandwidth and if your fiber went down something your clients could connect to.

A couple of things to consider:

  1. If there are any kind of controllers on the factory equipment, you should ALWAYS set them up on their own VLAN and subnet. It’s best-practice to help prevent any devices on the user side from interfering with the production environment. If you need a workstation on the production side, dedicated PCs are preferred. You could set up specific restrictions to allow some devices to cross-over from one VLAN/subnet to another, but this is discouraged. The main reason for all of this is to prevent one rogue PC/user from taking down the production network, costing the company hundreds, if not thousands of dollars on lost production. If a hacker manages to get into a user’s PC, they could also control your factory equipment, and that is not a scenario you want to live through.

  2. A dedicated Voice VLAN for the IP phones. VLANs configured for voice traffic help with traffic priority to prevent call drops and glitchy audio. The last thing you want is the boss talking to an important client, and then someone in the office decides to start downloading a bunch of large files, saturating your Inet connection.

Thank you for all the good advice, I now have an idea about what to do.

One question, if I buy the OPNsense firewall, I can also setup VLANs from this device if required?

As I understand, the device will be connected to the modem in bridge mode and it will take care of firewall, DHCP, VPN, 2nd ISP etc…Basically with one firewall device, we can plan all for the future?

Yes, OPNsense can handle and route VLANs as well (VLAN and LAGG Setup — OPNsense documentation). If you’re thinking about using VLANs though, you’ll need managed switches that can understand VLANs as well (edit: “setting up VLANs” is not done on just one device, but on every switch/router in the network path). So if you’re also buying switches, go ahead and get some managed ones. If you already have unmanaged ones and want to keep using them, just note you’ll need to replace those once you want to put things on VLANs.
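The point in the reply above, that a VLAN has to be configured on every switch and router in the path and that an unmanaged switch breaks the chain, is the kind of thing that is easy to check before plugging cables in. Here is an added Python example (not from the thread, and not OPNsense or switch code) that models a small topology like the one sketched earlier (firewall, core switch, edge switch, a phone and a PC) and walks each endpoint's path to the firewall, checking that every hop is a managed port carrying that VLAN. Device and port names, the VLAN numbers 10/20/30 and the deliberately missing VLAN on one trunk are all made up for the illustration.

```python
from dataclasses import dataclass

# Added example (not from the thread): sanity-check that a VLAN is actually
# carried end to end. Topology, names and VLAN IDs are invented to match the
# sketch in the thread (OPNsense routes the VLANs, managed switches carry them).


@dataclass(frozen=True)
class Port:
    mode: str           # "access": one untagged VLAN; "trunk": set of tagged VLANs
    vlans: frozenset


def access(vid):
    return Port("access", frozenset({vid}))


def trunk(*vids):
    return Port("trunk", frozenset(vids))


@dataclass(frozen=True)
class Device:
    name: str
    managed: bool       # unmanaged gear has no VLAN configuration at all
    ports: dict         # port name -> Port; empty for unmanaged devices


VLAN_MGMT, VLAN_PCS, VLAN_VOICE = 10, 20, 30


def build_topology(edge_managed=True, core_g2_vlans=(VLAN_MGMT, VLAN_PCS)):
    """firewall <- core switch <- edge switch <- phone / PC.

    By default the core's downlink g2 omits the voice VLAN: the VLAN exists on
    the firewall and on the edge switch, but not on the trunk between them,
    which is the classic "it's configured, why doesn't it work" mistake.
    """
    fw = Device("opnsense", True, {"lan": trunk(VLAN_MGMT, VLAN_PCS, VLAN_VOICE)})
    core = Device("core-sw", True, {
        "g1": trunk(VLAN_MGMT, VLAN_PCS, VLAN_VOICE),   # uplink to the firewall
        "g2": trunk(*core_g2_vlans),                    # downlink to the edge switch
        "g3": access(VLAN_VOICE),                       # a phone plugged into the core
    })
    edge_ports = {
        "g1": trunk(VLAN_MGMT, VLAN_PCS, VLAN_VOICE),   # uplink to the core
        "g5": access(VLAN_VOICE),                       # phone
        "g6": access(VLAN_PCS),                         # PC
    } if edge_managed else {}
    edge = Device("edge-sw", edge_managed, edge_ports)
    return {d.name: d for d in (fw, core, edge)}


def vlan_reaches(devices, path, vid):
    """Walk (device, port) hops from the endpoint port up to the firewall port.

    Returns (ok, reason). Every hop must be on a managed device and must either
    be an access port for exactly `vid` or a trunk that tags `vid`.
    """
    for dev_name, port_name in path:
        dev = devices[dev_name]
        if not dev.managed:
            return False, f"{dev_name} is unmanaged: it cannot be configured for 802.1Q"
        port = dev.ports[port_name]
        if port.mode == "access" and port.vlans != {vid}:
            return False, (f"{dev_name}:{port_name} is an access port for VLAN "
                           f"{sorted(port.vlans)}, not {vid}")
        if port.mode == "trunk" and vid not in port.vlans:
            return False, f"{dev_name}:{port_name} trunk does not tag VLAN {vid}"
    return True, "ok"


# Hop lists from each endpoint port up to the firewall's LAN port.
PATH_EDGE_PHONE = [("edge-sw", "g5"), ("edge-sw", "g1"), ("core-sw", "g2"),
                   ("core-sw", "g1"), ("opnsense", "lan")]
PATH_EDGE_PC = [("edge-sw", "g6"), ("edge-sw", "g1"), ("core-sw", "g2"),
                ("core-sw", "g1"), ("opnsense", "lan")]
PATH_CORE_PHONE = [("core-sw", "g3"), ("core-sw", "g1"), ("opnsense", "lan")]


def audit(devices):
    """Check every endpoint above; returns {label: (ok, reason)}."""
    return {
        "phone on edge-sw g5": vlan_reaches(devices, PATH_EDGE_PHONE, VLAN_VOICE),
        "pc on edge-sw g6": vlan_reaches(devices, PATH_EDGE_PC, VLAN_PCS),
        "phone on core-sw g3": vlan_reaches(devices, PATH_CORE_PHONE, VLAN_VOICE),
    }


if __name__ == "__main__":
    for label, result in audit(build_topology()).items():
        print(f"{label}: {result}")
    print("unmanaged edge switch:", audit(build_topology(edge_managed=False)))
```

Run as is, the phone on the edge switch fails at `core-sw:g2` while the PC next to it works, which is exactly the symptom people hit when "the VLAN is set up on the firewall" but one trunk in between was never updated. Swapping in an unmanaged edge switch fails at the first hop, which is the replacement advice in the reply above. A real deployment would also want the firewall's inter-VLAN rules checked (phones should not be able to reach the PC VLAN at all, as earlier replies say), but that belongs in the firewall's own rule set, not in this tag check.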