Recommendations For Smart Network Switch

Discussion in 'Networking, Internet, Web Applications & The Cloud' started by Floppyman, Feb 12, 2017.

  1. Floppyman

    Floppyman PCMech Owner Staff Member

    Joined:
    Mar 10, 1999
    Messages:
    7,691
    Location:
    Northeast U.S.A.
    Hi all,

    I'm looking to purchase a 16 - 24 port smart gigabit switch for a home network. Does anyone have any recommendations? Just looking through choices at Newegg I see that prices can vary quite a bit. Is it worth paying the premium for a Cisco smart switch?

    Thanks in advance.
     
  2. reggie14

    reggie14

    Joined:
    Feb 1, 2015
    Messages:
    896
    I've been using TP-Link switches for a couple years now. I have some of each of these models:
    The 8-port model above supports the most features, including things like port mirroring. You can read a review here. But, if all you want is VLANs, the others should do.
     
  3. Floppyman

    Floppyman PCMech Owner Staff Member

    Joined:
    Mar 10, 1999
    Messages:
    7,691
    Location:
    Northeast U.S.A.
    Thanks - can these be rackmounted easily as well?
     
  4. reggie14

    reggie14

    Joined:
    Feb 1, 2015
    Messages:
    896
    The 16 and 24 port versions seem to be. My 16 port ones came with rack mounting brackets. The switch itself isn't very wide, but the mounting brackets are a few inches wide, so I assume it brings it out to the standard rack size.
     
  5. Jbc223456

    Jbc223456

    Joined:
    Oct 23, 2008
    Messages:
    951
    Location:
    Louisville, KY
  6. rjfvillarosa

    rjfvillarosa Moderator Staff Member

    Joined:
    Sep 15, 2004
    Messages:
    7,858
    Location:
    Cardiff, Wales. UK
  7. Floppyman

    Floppyman PCMech Owner Staff Member

    Joined:
    Mar 10, 1999
    Messages:
    7,691
    Location:
    Northeast U.S.A.
    Thanks everyone. Are Cisco smart switches worth the premium or am I just throwing money away? Thanks again.
     
  8. reggie14

    reggie14

    Joined:
    Feb 1, 2015
    Messages:
    896
    If you want something nicer than the TP-Link gear (or the Netgear ProSafe), get a Ubiquiti EdgeSwitch Lite 24. If you need PoE, they have a model that supports that (for about twice as much).

    There's nothing particularly special about the Cisco gear in a comparable price range (like the 200 series). The Ubiquiti, on the other hand, is a Layer 3 switch, not that you'll get much practical use out of that on a small home network.
     
  9. Floppyman

    Floppyman PCMech Owner Staff Member

    Joined:
    Mar 10, 1999
    Messages:
    7,691
    Location:
    Northeast U.S.A.
    Thanks @reggie14 - that Ubiquiti is a very nice switch! What additional features/capabilities does one get for about twice the cost (relative to the TP-Link)?

    Thanks again.
     
  10. reggie14

    reggie14

    Joined:
    Feb 1, 2015
    Messages:
    896
    The main difference is that the Ubiquiti is a Layer 3 switch, meaning it will route packets. Why is that useful? Suppose you have multiple subnets on your home network, perhaps because you've set up VLANs. Consider the case where a computer on one subnet is talking to a computer on another. Regular switches operate at Layer 2 (i.e., ethernet). They can't route packets directly between subnets, so they instead have to forward those packets to the default gateway (i.e., your router).

    That's how my network is set up. If devices on my two different VLANs talk to each other, packets ultimately flow like this:
    Device1 <-> SmartSwitch/VLAN1 <-> pfSenseRouter <-> SmartSwitch/VLAN2 <-> Device2

    The hop back to the router seems a bit silly given that the packet is going right back to the switch.

    A properly configured Layer 3 switch would be able to route those packets without sending them up to the router. The main advantage of this is performance. On a large, busy network (i.e., not yours), your router might struggle to keep up with all the traffic going between subnets. At the most basic level, you can fairly easily see that you can't route packets on your router above the throughput of the two gigabit interfaces. A Layer 3 switch, on the other hand, wouldn't have that constraint, but would be limited by how quickly its microcontrollers can process packets (which likely is in the 10s of gigabits).

    Should that be a source of concern for you? Almost certainly not. If you're using VLANs at home, you're probably doing so to isolate the devices from each other. You might not want devices on different subnets talking to each other. Or, at least, in the cases where you do, you might want that traffic going through your firewall so you can process rules.

    Still, the Ubiquiti is the nicer switch. The additional cost is mostly due to the Layer 3 functionality, but it also includes two SFP+ ports for fiber and a better webGUI. I'm sure there are other differences, but those seem to be the big ones.
     
  11. Floppyman

    Floppyman PCMech Owner Staff Member

    Joined:
    Mar 10, 1999
    Messages:
    7,691
    Location:
    Northeast U.S.A.
    Thanks again - that's very good information to have. I am planning on setting up different VLAN's. I do have one follow up question though: Is there a way to filter traffic between two VLAN's (subnets) if using just the Layer 3 capability of the switch (i.e. only allow some traffic/services)? Or would it have to go through the gateway (firewall) to be able to filter traffic? If traffic does have to go through the firewall, and two VLAN's can essentially freely talk to each other through Layer 3 on the switch (i.e. no limitation of filtering is possible), what would be the point of setting up two VLAN's instead of just one (unless the point was to separate them explicitly and have the gateway/firewall in between)? Thanks in advance for the clarification.
     
  12. Floppyman

    Floppyman PCMech Owner Staff Member

    Joined:
    Mar 10, 1999
    Messages:
    7,691
    Location:
    Northeast U.S.A.
    Hey @reggie14 - I think I have a better idea now of what Layer 3 switching is all about. I'm struggling, though, with how the connection works back to the firewall/router when one is using several VLAN's in their network:

    Let's take a simple example:
    VLAN 1: 192.168.1.0/24
    VLAN 2: 192.168.2.0/24
    VLAN 3: 192.168.3.0/24

    Assuming the routing is done by the firewall/router (e.g. a pfSense box) - how is this physically connected so that all VLAN's have access to the internet? Is the pfSense router plugged into the switch in a separate VLAN that needs to be created for it, or just into a port on the switch that is NOT part of a VLAN? Or, is there a physical connection from the pfSense box to EACH of the VLAN's?

    Now, let's take this example one step further and assume that routing and DHCP is done at the switch level (i.e. Layer 3). So we have:

    VLAN 1: 192.168.1.0/24; Gateway: 192.168.1.254
    VLAN 2: 192.168.2.0/24; Gateway: 192.168.2.254
    VLAN 3: 192.168.3.0/24; Gateway: 192.168.3.254

    Here again I'm curious, how is this connected physically back to the pfSense box? Would the pfSense box need to be connected into a separate VLAN created on the switch, or just a port on the switch that is not part of a VLAN? Also, since now routing and DHCP is done at the switch level, would static routes have to be assigned on the pfSense box to each of the VLAN's? Is there ever any advantage to having multiple physical connections from the pfSense box back to the switch, i.e. one for each VLAN (assuming the pfSense box has multiple LAN interfaces)?

    Thanks again for all your help.
     
  13. reggie14

    reggie14

    Joined:
    Feb 1, 2015
    Messages:
    896
    So, I agree that most home uses for VLANs generally focus on isolating subnets from each other for security reasons. But, there are potentially other uses and advantages of using VLANs in very large networks, including around issues related to performance and network management.

    But, more generally, Layer 3 switches are useful even when VLANs aren't being used. They're useful anytime you have a network with multiple subnets.

    As far as filtering traffic on the switch, yes, you often can do some pretty basic filtering. I'm pretty sure the Ubiquiti supports some basic filtering based on source/destination IP address, ports, etc. In general, though, if you want to isolate things for security reasons, I'd do the filtering on the firewall, not the switch. You get more control and visibility that way.

    One thing I'll initially say is don't overthink what VLANs are. There's a fair bit of complexity involved with setting them up, but what you get in the end is logical isolation and separation of networks. Take a very simple example of a port-based VLAN, where you assign ports 0-3 to VLAN 10, and ports 4-7 to VLAN 20. In that case, you logically end up with two distinct 4-port switches. Devices attached to ports 0-3 will talk to each other, and devices attached to 4-7 can talk to each other, but devices in one set can't talk to devices in the other. From their perspective, they're not on the same network.

    In this very simple example, if you wanted all of your devices to be able to reach out to the Internet, you'd need to connect two ethernet cables to your pfSense box; one of the ports between 0-3, and one of the ports between 4-7. Obviously you'd need to have two physical network interfaces on the pfSense box to do this (in addition to the interface used for the WAN).

    This is where VLAN tagging comes in. The simple example above just had each port part of one, and only one, VLAN. It doesn't need to work that way. You can create trunks that carry traffic from multiple VLANs over a single port. How is traffic on VLAN 10 distinguished from traffic in VLAN 20? It's tagged as such within the header in the ethernet frame.

    So, coming back to my example, suppose you only had one available physical network interface on your pfSense box for both VLANs. In that case, you could tag port 0 on your switch as belonging to VLAN 10 and VLAN 20, and connect the single LAN interface on your pfSense box to that port. Traffic coming in on ports 4-7 would get tagged as VLAN 20 traffic. It would retain that VLAN 20 tag when passed through port 0 on the switch. Upon receiving data on the (physical) LAN interface, pfSense would look at the VLAN tag. And it's going to treat it differently depending on the tag.

    Typically (probably always), you'd create "virtual interfaces" in pfSense based on the VLAN tag. You'd create a virtual interface for VLAN 10 traffic, and a different one for VLAN 20 traffic. In my case, I call one the "LAN" interface, because it's basically my primary home network. And I call the other the "Guest" interface, since it's my isolated guest network. Once you set up these virtual interfaces, you treat them exactly the same way you would treat different physical interfaces.

    I should caveat this with a statement saying I've never set up a Layer 3 switch. But yes, my understanding is that if you want a Layer 3 switch to route between subnets, you need to configure static routes on the switch.

    But, I think you're thinking that a Layer 3 switch does more than it really does. Your pfSense box would still be your NAT router, and your gateway to the Internet. It would still (typically) function as your DHCP server and local DNS server. Basically, the functionality of your pfSense box doesn't change at all. The primary difference is simply that the switch, on its own, is smart enough to route traffic between local subnets without having to pass it back to your pfSense router.

    Is there an advantage to using multiple physical connections back to the pfSense box (instead of VLAN trunking over a single physical connection)? Mostly it's an easier configuration process. Port-based VLANs are easier to set up than VLAN trunks.
     
  14. Floppyman

    Floppyman PCMech Owner Staff Member

    Joined:
    Mar 10, 1999
    Messages:
    7,691
    Location:
    Northeast U.S.A.
    Thanks @reggie14 - that makes a lot more sense! It was the concept of VLAN tagging that was missing in my understanding. Based on what you wrote, I have a couple follow up questions:

    1) Why would you not want the Layer 3 switch to act as DHCP server, leaving just DNS, NAT, and Firewall duties to the pfSense box? If the switch ends up acting as a DHCP server, does one have to set up static routes on the pfSense box or does the NAT take care of that (i.e. mapping the traffic to the respective LAN interface that's connected to one or more VLAN's, depending if it's trunked or not)?
    2) This question is regarding inter-VLAN routing: If the whole idea of VLAN's is to separate network devices into separate subnets and provide some level of isolation, can you give me an example when inter-VLAN routing between those subnets would actually be useful/desired? If strict isolation is not required, why not put all devices on the same VLAN? Or, is this one of those things that really doesn't matter until networks become very large? For example let's say a network had 200 devices - in that case is it better to put 100 in two separate VLAN's and allow routing between them, but still limiting broadcast traffic to inside the respective VLAN? Maybe another way to ask this question is, why would you isolate into separate VLAN's if the reason is NOT for security (in which case you would want traffic to be routed through the firewall)?

    Thanks again for all your help.
     
  15. reggie14

    reggie14

    Joined:
    Feb 1, 2015
    Messages:
    896
    Honestly, I said that thinking that the Ubiquiti wouldn't have a DHCP server. It apparently does, which is interesting. But, I still think that's better suited for the pfSense box, not the switch. You (might) set up firewall and NAT-forwarding rules on the pfSense box that would be based on IP. For that reason, I think it makes sense to handle IP address assignment on the same box that is going to rely on those assignments. Could you do it on the switch and simply align your firewall/NAT rules with the addresses configured on the switch? Sure, but that sounds more error-prone to me.

    The pfSense box shouldn't care from a routing perspective whether you run the DHCP server on the switch or under pfSense. You shouldn't need to set up static routes. If you set up VLANs, you'd presumably create a virtual interface on the pfSense box for each VLAN, assign that interface an IP address on the subnet for the VLAN, and configure that IP address as the default gateway for the devices on that subnet. That should be enough for routing. (Again, I'll caveat that with the statement that I've never set up a Layer 3 switch, but what I described should work. That's what I do on my network, and I don't think the inclusion of the Layer 3 switch changes that.)

    First, even if security is the motivating reason, you might want to allow limited communication between VLANs. For example, I'm running my Sonos system off my main network, but I want to be able to control it from wireless devices attached to my guest network. So, I've set up firewall rules and proxies that allow devices on my guest network to talk to my Sonos components, but nothing else.

    As for non-security reasons, you hit on the big one. Suppose you have hundreds or thousands of devices on your network. You want to create separate broadcast domains for performance reasons. You could do that with careful placement of physical network devices and ethernet cables, but that might be hard to do after-the-fact without pulling new wires or placing new equipment.

    For instance, suppose you need to set up a new subnet for a couple hundred devices on the opposite end of a building from your organization's core routers, but you don't want to have to pull new wires to that area. If you have VLAN trunks running throughout the building (as you probably do, if you planned for this), then you just need to create a new VLAN associated with the new subnet, and use the existing VLAN trunks to connect back to the core routers.
     
  16. Floppyman

    Floppyman PCMech Owner Staff Member

    Joined:
    Mar 10, 1999
    Messages:
    7,691
    Location:
    Northeast U.S.A.
    Thanks @reggie14. I think I understand, but let's walk through an illustrative example:

    Let's assume 3 VLAN's: V1, V2, and V3. For equipment, let's assume a firewall/router (pfSense) and a Layer 3 capable switch.

    If I wanted to allow V1 to talk with V2 with little to no service/traffic limitations, this could happen directly through the switch because of Layer 3 routing support (assuming the route from V1 to V2 has been set up properly).
    However, if I wanted to limit the traffic between V3 and V1/V2 to only specific services, I'd have to set up specific firewall rules (assuming the Layer 3 switch doesn't support any type of filtering), and then traffic would flow through the pfSense box between V3 and V1/V2.

    Traffic flow would then look like this:

    V1 <---> Switch <--> V2
    V1 <--> Switch <--> pfSense Firewall <--> Switch <--> V3
    V2 <--> Switch <--> pfSense Firewall <--> Switch <--> V3

    It seems to me that Layer 3 routing is really beneficial then to split a large network into two or more smaller networks (subnets/VLAN's) to prevent performance degradation from broadcast traffic, but still allow traffic to flow between them without having to go back to the core router each time (potentially overwhelming it, as it now has to route a lot of both LAN and WAN traffic among two or more subnets/VLAN's). In that case one should set up a route between the two (or more) subnets/VLAN's at the switch level, to let the switch handle the LAN routing and the router/firewall worry about WAN routing (i.e. NAT).

    If security or traffic/services limitation is a top concern, then it's important to set up specific firewall rules at the router/firewall level where traffic must pass through first before possibly being forwarded to another subnet/VLAN. In that case, one should not set up a route between the two subnets at the switch level, otherwise I would think that the firewall rules between the two or more subnets/VLAN's would then be bypassed. In this case the router would handle LAN and WAN (NAT) routing, as there are specific firewall rules set up between the VLAN's/subnets.

    To go back to my example above:
    For V1 and V2 LAN traffic, the switch acts as a Layer 3 switch (i.e. uses Layer 3 routing capabilities for LAN traffic and bypasses the pfSense box)
    For V3 and V1/V2 LAN traffic, the switch acts as a Layer 2 switch (i.e. no Layer 3 routing capabilities on the LAN side), passing the routing responsibilities instead to the pfSense box, which will examine traffic against a set of firewall rules and either block or forward it on.

    Does all that make sense to you or am I still missing something? :)
     
  17. Floppyman

    Floppyman PCMech Owner Staff Member

    Joined:
    Mar 10, 1999
    Messages:
    7,691
    Location:
    Northeast U.S.A.
    Actually @reggie14, I have one more quick question, this time when it comes to wireless and guest networks.

    For this example, let's assume the following setup:
    pfSense Box with 1 WAN Port and 2 LAN ports
    4 VLAN's: Let's call them Wired 1, Wired 2, Wireless, and Wireless_G (for guest wireless access).
    24 port network switch (Layer 2 or Layer 3, doesn't matter in this example)

    The way I imagine this could be setup:
    Wired 1 and Wired 2 VLAN's mapped to the LAN 1 port on the pfSense Box
    Wireless and Wireless_G VLAN's mapped to LAN 2 port on the pfSense Box
    Port 1 on switch tagged to Wired 1 and Wired 2 VLAN (pfSense connection from LAN 1)
    Ports 2 - 22 split between Wired 1 and Wired 2 VLAN's
    Port 23 tagged to Wireless and Wireless_G VLAN's (pfSense connection from LAN 2)
    Port 24 goes to Wireless Access Point

    Here's my question: When turning a standard Asus Wireless Router (e.g. say an RT-AC66U or an RT-N66U) into an AP, is it possible to set up a guest network on a completely different subnet? In this case, is it possible to set up regular wireless on the Wireless VLAN and the Wireless Guest network on the Wireless_G VLAN inside the wireless router in AP mode? Do Asus consumer grade routers support this or would one have to look into other equipment?

    Thanks again for all your help.
     
  18. reggie14

    reggie14

    Joined:
    Feb 1, 2015
    Messages:
    896
    Yep, I think you've got it.

    Come back when you set up your firewall rules. The main quirk is that the firewall rules are processed when traffic first hits the pfSense. So, if you want to block a machine on V3 from talking to V1, you need to set a reject/block rule on the V3 interface (oddly, not on the V1 interface, although you'll likely want the blocking going both ways, so then you would). If that doesn't make sense now, it probably will once you see the pfSense GUI.

    First, one thing I'd recommend is to use one NIC on your pfSense box without VLANs. The reason for this is in case your smart switch goes down. If you instead map both of your NICs to virtual interfaces using tagged VLANs, then traffic coming into your pfSense box from your internal network needs to be VLAN tagged. If you're like me, you probably have a handful of dumb gigabit switches laying around. But, those don't work with tagged VLANs.

    Let's say your smart switch dies, and you want to temporarily set up your old gigabit switches as you wait for a replacement. Using your config, you'd have to first hope you can go deep into your PC's NIC settings, and tag the traffic as belonging to, e.g., the Wired-1 VLAN. Then you'd directly connect that machine to the pfSense box just so you can get back into the web interface to disable VLANs until your new switch arrives. It would be a bit of a pain. I think you're better off dedicating one physical port for your "main" network, and use the other port with VLANs. (There is an alternative to this if you don't have spare NICs, but you have to break best practices.)

    Second, let me address your question. I've been a little loose with my terminology. When using VLANs, you mainly configure two things on each port. First is membership. If a port is a member of a given VLAN, traffic that is on that VLAN is allowed to flow into that port (typically from another port within the switch). Second is tagging. If a port is a tagged member of a VLAN, then when the switch sends traffic out from that port to another device (as opposed to forwarding from one port to another within the switch), it will tag the traffic as belonging to that VLAN.

    I glossed over this before, but not all traffic is tagged when you're using VLANs. The main time you need to tag ports is when you have traffic from multiple VLANs going through the same port. This isn't always the case. Looking at your example, Port 1 on the switch would carry traffic from the Wired-1 and Wired-2 VLANs. When it forwards packets to the pfSense LAN1 port, the pfSense box needs to know whether a given packet is part of Wired-1 or Wired-2. So, it has to be tagged, otherwise there would be ambiguity. So, in that case, Port 1 would be a tagged member of Wired-1 and Wired-2.

    You don't have the same problem, in general, with edge devices. Let's say Port 2 on the switch goes to your PC. As described before, different VLANs logically look like different networks. You (likely) only want your PC on a single network (Windows, in general, doesn't play nicely with VLANs and virtual interfaces), which we'll say is Wired-1. All traffic on Port 2 will be on the Wired-1 VLAN. There's no ambiguity. And, depending on your NIC driver, your PC may not be VLAN-aware, meaning it might get confused if it sees VLAN tags. So, in this case, you want Port 2 to be an untagged member of Wired-1. The switch will know that it should only forward Wired-1 traffic to that port, and that any traffic coming into that Port from your PC will become part of Wired-1 (and will get tagged as such when it's sent to pfSense over Port 1).

    So, what does this mean for wireless APs? There are two situations: wireless APs that are VLAN-aware and APs that are VLAN-unaware. Some fancy wireless APs, like most/all Ubiquiti APs, are VLAN-aware and allow you to set up multiple SSIDs tied to different VLANs. Asus APs, however, are not VLAN-aware, as far as I can tell. You can't tell it to put its guest network (or the 2.4/5Ghz networks) on different VLANs. If you're using an Asus router in a VLAN environment, you should use it on an untagged port like I described above. All the traffic from wifi devices attached to that AP would be on the VLAN assigned to the switch port wired to the AP.

    How did I set up my guest wifi network then? I use two different Asus routers.

    I've heard that DD-WRT is VLAN-aware, but I have no direct knowledge of this. I haven't used DD-WRT in over a decade.
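To make reggie14's description of VLAN membership and tagging concrete (the trunk and port-based VLAN explanation in post 13 and the tagged/untagged member rules in post 18), here is a small Python model of a switch that classifies frames on ingress and inserts or strips the 802.1Q tag on egress. It is an added example, not code from the thread or from any switch vendor; the port layout follows Floppyman's plan, and the VLAN ids, MAC addresses and frame payloads are constructed.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100     # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

@dataclass
class Frame:
    dst: bytes            # 6-byte destination MAC
    src: bytes            # 6-byte source MAC
    vlan: int | None      # None = untagged on the wire
    ethertype: int
    payload: bytes

def encode(f: Frame) -> bytes:
    """Serialise to wire format; insert the 4-byte 802.1Q tag only if vlan is set."""
    hdr = f.dst + f.src
    if f.vlan is not None:
        # TPID 0x8100, then TCI = 3-bit PCP | 1-bit DEI | 12-bit VID (PCP/DEI left 0)
        hdr += struct.pack("!HH", TPID_8021Q, f.vlan & 0x0FFF)
    return hdr + struct.pack("!H", f.ethertype) + f.payload

def decode(raw: bytes) -> Frame:
    """Parse wire bytes, recognising a tag when the first EtherType field is 0x8100."""
    ethertype, vlan, off = struct.unpack("!H", raw[12:14])[0], None, 14
    if ethertype == TPID_8021Q:
        vlan = struct.unpack("!H", raw[14:16])[0] & 0x0FFF
        ethertype, off = struct.unpack("!H", raw[16:18])[0], 18
    return Frame(raw[0:6], raw[6:12], vlan, ethertype, raw[off:])

@dataclass
class Port:
    members: set                              # VLANs the port is a member of
    tagged: set = field(default_factory=set)  # members sent out with a tag (trunk)
    pvid: int | None = None                   # VLAN given to untagged ingress frames

class Switch:
    def __init__(self, ports: dict):
        self.ports = ports
        self.mac_table = {}   # (vlan, mac) -> port it was learned on

    def ingress(self, port_no: int, raw: bytes) -> list:
        """Classify a frame into a VLAN, learn its source, forward it.
        Returns (egress_port, wire_bytes) pairs; an empty list means dropped."""
        port, f = self.ports[port_no], decode(raw)
        if f.vlan is None:
            vlan = port.pvid            # untagged member: the switch assigns the VLAN
        elif f.vlan in port.tagged:
            vlan = f.vlan               # tagged trunk: honour the tag
        else:
            vlan = None                 # a tag this port does not carry
        if vlan is None or vlan not in port.members:
            return []                   # drop: frames never cross VLAN boundaries here
        self.mac_table[(vlan, f.src)] = port_no
        known = self.mac_table.get((vlan, f.dst))
        targets = [known] if known is not None else list(self.ports)   # unknown: flood
        out = []
        for p in targets:
            if p == port_no or vlan not in self.ports[p].members:
                continue
            # Egress: keep the tag on tagged members, strip it for untagged members so
            # VLAN-unaware devices (a PC, an Asus AP) receive plain Ethernet frames
            wire_vlan = vlan if vlan in self.ports[p].tagged else None
            out.append((p, encode(Frame(f.dst, f.src, wire_vlan, f.ethertype, f.payload))))
        return out

# Constructed layout after Floppyman's plan, trimmed to three ports: port 1 is the tagged
# trunk to pfSense LAN1, port 2 a PC in Wired-1 (VLAN 10), port 5 a PC in Wired-2 (VLAN 20).
def build_switch() -> Switch:
    return Switch({1: Port(members={10, 20}, tagged={10, 20}),
                   2: Port(members={10}, pvid=10),
                   5: Port(members={20}, pvid=20)})

BCAST = b"\xff" * 6                        # made-up MACs for the example
PC_A = b"\x02\x00\x00\x00\x00\x0a"
PFSENSE = b"\x02\x00\x00\x00\x00\x01"

def vlans_seen(port_no: int, frame: Frame) -> dict:
    """Inject one frame on port_no; return {egress_port: VLAN tag on the wire or None}."""
    sw = build_switch()
    return {p: decode(w).vlan for p, w in sw.ingress(port_no, encode(frame))}

def pc_broadcast_from_port2() -> dict:
    """Untagged broadcast from the Wired-1 PC: leaves the trunk tagged 10, never reaches port 5."""
    return vlans_seen(2, Frame(BCAST, PC_A, None, ETHERTYPE_IPV4, b"arp"))

def pfsense_into_wired2() -> dict:
    """pfSense sends a VLAN-20-tagged frame down the trunk: only port 5 sees it, untagged."""
    return vlans_seen(1, Frame(BCAST, PFSENSE, 20, ETHERTYPE_IPV4, b"dhcp"))
```

Feeding the trunk a tag it is not a member of (say VLAN 30 on port 1), or an untagged frame on a port with no PVID, returns an empty dict: the frame is dropped rather than leaking into a VLAN it was never assigned to.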
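The firewall-rule quirk in the same post (rules are evaluated on the interface where traffic first enters pfSense, so a block for V3-to-V1 belongs on the V3 interface) can be checked with a toy stateful, first-match evaluator. This is an added example in plain Python, not pfSense code; the V1/V2/V3 subnets, interface names, addresses and rules are constructed from Floppyman's example, and the default deny on unmatched traffic is part of the model.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed subnets from Floppyman's example; the interface a packet arrives on is
# derived from its source subnet, as it would be with one VLAN per pfSense interface.
SUBNETS = {"V1": "192.168.1.0/24", "V2": "192.168.2.0/24", "V3": "192.168.3.0/24"}
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    iface: str                 # interface the rule is attached to (ingress only)
    action: str                # "pass" or "block"
    src: str = ANY             # source CIDR
    dst: str = ANY             # destination CIDR
    dport: int | None = None   # None = any destination port

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int

def in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def ingress_iface(pkt: Packet) -> str:
    """Which pfSense (virtual) interface first sees this packet."""
    for name, cidr in SUBNETS.items():
        if in_net(pkt.src_ip, cidr):
            return name
    raise ValueError(f"no interface for {pkt.src_ip}")

def matches(rule: Rule, pkt: Packet) -> bool:
    return (in_net(pkt.src_ip, rule.src) and in_net(pkt.dst_ip, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

class Firewall:
    """Stateful, first-match ruleset with an implicit default deny on every interface."""
    def __init__(self, rules: list):
        self.rules = rules
        self.states = set()    # (src_ip, dst_ip, sport, dport) of flows already passed

    def handle(self, pkt: Packet) -> str:
        flow = (pkt.src_ip, pkt.dst_ip, pkt.sport, pkt.dport)
        reply = (pkt.dst_ip, pkt.src_ip, pkt.dport, pkt.sport)
        if flow in self.states or reply in self.states:
            return "pass"      # state table short-circuits the rules in both directions
        iface = ingress_iface(pkt)
        for r in self.rules:
            if r.iface == iface and matches(r, pkt):   # other interfaces' rules never run
                if r.action == "pass":
                    self.states.add(flow)
                return r.action
        return "block"

V3_TO_V1 = Packet("192.168.3.10", "192.168.1.20", 50000, 445)
V3_TO_V2 = Packet("192.168.3.10", "192.168.2.20", 50001, 80)
V1_TO_V3 = Packet("192.168.1.20", "192.168.3.10", 50002, 22)
V2_REPLY = Packet("192.168.2.20", "192.168.3.10", 80, 50001)   # answer to V3_TO_V2

def block_on_v1_interface() -> str:
    """The intuitive-but-wrong placement: block V3->V1 on the V1 interface. The packet
    enters on V3, where only the pass-any rule applies, so it is passed."""
    fw = Firewall([Rule("V3", "pass"),
                   Rule("V1", "block", src=SUBNETS["V3"], dst=SUBNETS["V1"]),
                   Rule("V1", "pass")])
    return fw.handle(V3_TO_V1)

def block_on_v3_interface() -> dict:
    """Correct placement: the block sits on V3, the interface the traffic first hits.
    V3->V2 still passes; V1->V3 passes too because nothing on V1 blocks it (block both
    ways for full isolation); the V2 reply passes on state despite V2's block rule."""
    fw = Firewall([Rule("V3", "block", src=SUBNETS["V3"], dst=SUBNETS["V1"]),
                   Rule("V3", "pass"),
                   Rule("V1", "pass"),
                   Rule("V2", "block", src=SUBNETS["V2"], dst=SUBNETS["V3"])])
    return {"v3_to_v1": fw.handle(V3_TO_V1), "v3_to_v2": fw.handle(V3_TO_V2),
            "v1_to_v3": fw.handle(V1_TO_V3), "v2_reply": fw.handle(V2_REPLY)}
```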
     
  19. Floppyman

    Floppyman PCMech Owner Staff Member

    Joined:
    Mar 10, 1999
    Messages:
    7,691
    Location:
    Northeast U.S.A.
    Thanks @reggie14 - I really appreciate all your advice.

    You raise a great point about setting up VLAN trunking on all of the pfSense box's ports. That would require the switch to be smart and support VLAN tagging; if it goes down and the only thing available is a non-smart switch, it could be a pain to set things back up again, as the non-smart switch would forward all traffic on to the PC NIC, which then faces the task of splitting it apart (which it may or may not be able to do).

    It seems to me that in an ideal scenario (i.e. the most uncomplicated one), each VLAN on the switch would have a dedicated connection back to the pfSense box. So for example, assuming there are three VLAN's, V1, V2, V3, each of them would connect into a LAN port on the pfSense box (i.e. V1 connects to LAN 1, V2 to LAN 2, and so on). This also requires the pfSense box to have 3 LAN interfaces, however, and takes up 3 ports on the switch dedicated to connecting back to the gateway. In the case where there are more VLAN's desired than physical LAN (gateway) ports available on the pfSense box, one would have to start trunking VLAN connections on one or more pfSense LAN interfaces and VLAN tagging one or more ports on the switch. However, as you mentioned it's important to have at least one untrunked/untagged VLAN connection, just in case the smart switch goes down, so that connectivity can be restored quickly with a non-smart switch. Is my understanding of all that generally correct?

    Now given the above, is there a limit as to how many LAN interfaces pfSense supports? Suppose I have a pfSense firewall with a total of 4+ ethernet ports. One would be dedicated to the WAN, but could the rest be used as LAN (gateway) ports for the VLAN's without any issues?

    Also, I have one more question regarding wireless routers/AP's: If the Asus routers are not VLAN aware, how exactly does their guest network function work then? Is this a feature that only works when the Asus router is in router/firewall mode, but is disabled when it acts in AP mode? If that's the case, then one would probably need to use more than one router (as AP's) to set up separate wireless and wireless guest networks (as you have done). Generally speaking, how much more expensive are Ubiquiti VLAN-aware AP's relative to consumer grade routers/AP's such as the Asus RT-N66U or RT-AC66U?

    Thanks again for all your help.
     
  20. reggie14

    reggie14

    Joined:
    Feb 1, 2015
    Messages:
    896
    Yes, I think you understand the issues.

    If you were setting up a very large, very busy network, you'd probably get different recommendations. As discussed earlier, there are performance advantages to routing on a Layer 3 switch, which you probably wouldn't end up doing if you wired different subnets back to different physical NICs. But, in your case, I think ease-of-use considerations point you in the direction of using one or more untagged ports on the pfSense box.

    Not really. I mean, I'm sure there is a limit, but I'm sure it's higher than you'd run into. It's going to get hard to support more than 4-8 ports, though. It's rare for motherboards to support more than 4 ports, and good quad-port gigabit NIC cards are pretty expensive and require a fast PCIe slot. I think the box you're looking at has 6 ports, which should be plenty.

    Because pfSense isn't as fast as a switch for forwarding traffic that stays internal to your network, you generally shouldn't connect edge devices directly into pfSense. Connect switches to pfSense, and connect your devices to switches. 4-6 ports should be plenty on the pfSense box.

    Remember, VLANs fundamentally are mostly just tags added to the header of ethernet frames that allow you to distinguish packets traveling over the same wire.

    A router doesn't need to use VLANs to distinguish traffic from different interfaces. In the pfSense example above, where you're using different physical NIC ports, you don't need to use VLANs at all. It knows where the traffic is coming from just by looking at the interface that it came in on.

    While wifi routers don't have different "physical" wifi radios for the primary and guest networks, the design treats them as different physical interfaces. When traffic comes in on the guest network, it's easy for the router to see it came in from the guest network, and simply not route traffic to the primary network. No VLANs needed. I think the routing rules are just implemented in iptables.

    You hit on the implication of this: guest networks don't work in AP mode. Consumer-grade wifi routers/APs need to be functioning as routers for guest networks to work. The Asus firmware won't even let you set up a guest network SSID when the router is in AP mode (at least, not on my AC66Us).

    Ubiquiti has some fairly inexpensive wifi APs. In general, their performance and range isn't as good as the Asus routers, in part because the expectation is that you'll set up several.