Geekzone: technology news, blogs, forums


Stildawn

14 posts

Geek


#322662 9-Sep-2025 21:28

Hi All

Just after some advice / recommendations on redoing my home network.

Not sure if I'm describing this right but here goes. We have a house with an attached granny flat.

Our Fibre comes into the house terminating at ONT in a closet in the main house office.

From ONT it goes into router which provides WiFi for half the main house, then ethernet to a switch, then 5 x ethernet lines through the walls.

3 lines go to the main house including one with a router with DHCP disabled providing wifi for the second half of the main house.

2 lines go into the lounge and office of the granny flat.

Originally we had a friend living in the granny flat and I had another router with DHCP disabled providing him WiFi, and he also plugged his PC directly into the granny flat office ethernet line. With this setup he was on our network, could see my file server etc, and we could even see his Google home devices and control them from our phones.

Issue is, he's moved on and we are now going to rent out the granny flat to randoms, so getting to my actual question, we are including internet in the rent, and I can have the router provide wifi as before, but I don't really want their PC devices on my home network (seeing file server etc etc).

From my research what I think I need to do is replace my current main router (HG659) with one that can handle VLANs, then set up two VLANs, one for the main house assigned to LAN1 going to the switch (which then goes to the 3 main house ethernet lines). And another VLAN assigned to LAN2 and LAN3 which I connect to the 2 ethernet lines going to the granny flat.

Am I correct in that this would work?

What router would you recommend?

Hopefully that makes sense, tried to include everything to give a complete picture.

Cheers


coffeebaron
6319 posts

Uber Geek
+1 received by user: 3581

Trusted
Lifetime subscriber

  #3413102 9-Sep-2025 22:39

A Draytek, or a Unifi UCG.









cddt
2050 posts

Uber Geek
+1 received by user: 1982


  #3413176 10-Sep-2025 08:11

There are a lot of options out there.

I have a GWN7003 router (GWN7001 or GWN7002 would also work here) with a couple of GWN7660 APs. VLANs configured on the router, and on the APs there are three SSIDs, each bound to a particular VLAN.

I also have a cheap TP-link PoE switch at one point in my network, the only tricky part I found was understanding which ports you want tagged or untagged.







ShinyChrome
1603 posts

Uber Geek
+1 received by user: 686

ID Verified
Trusted

  #3413275 10-Sep-2025 10:06

To answer the actual question, yes, VLANs would be the best way to handle this level of segregation simply.

This will work perfectly fine for flat VLANs as you described, i.e. 2 VLANs at the router level with untagged traffic inside each VLAN and the 2 shall never meet; but if at any point you want to introduce cross-VLAN routing, it is VLAN capable switches all the way down.

For options, I'd also chuck in Mikrotik; they can be simple (and flexible), or complex (but powerful) if you are not afraid to get your hands dirty. The price of entry isn't too high either and like Grandstream, they are self-managing. Check out Go Wireless NZ

I would advise against buying into eco-systems; once you start, it makes any future growth tough.




richms
29251 posts

Uber Geek
+1 received by user: 10361

Trusted
Lifetime subscriber

  #3413286 10-Sep-2025 10:30

Just remember that you are responsible for what the randoms use the connection for.

I would just be stuffing one of the cables to the shed into the ONT's port 2 and telling them to get their own connection provisioned.





Richard rich.ms

nztim
4069 posts

Uber Geek
+1 received by user: 2782

ID Verified
Trusted
TEAMnetwork
Subscriber

  #3413294 10-Sep-2025 11:03

richms:

Just remember that you are responsible for what the randoms use the connection for.

I would just be stuffing one of the cables to the shed into the ONT's port 2 and telling them to get their own connection provisioned.


Hopefully without churning your connection





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


Stildawn

14 posts

Geek


  #3413782 11-Sep-2025 14:19

cddt:

There are a lot of options out there.

I have a GWN7003 router (GWN7001 or GWN7002 would also work here) with a couple of GWN7660 APs. VLANs configured on the router, and on the APs there are three SSIDs, each bound to a particular VLAN.

I also have a cheap TP-link PoE switch at one point in my network, the only tricky part I found was understanding which ports you want tagged or untagged.


I don't think those have wifi which I need?


Spyware
3826 posts

Uber Geek
+1 received by user: 1374

Lifetime subscriber

  #3413787 11-Sep-2025 14:35

Stildawn:

Would this one work: https://www.pbtech.co.nz/product/NETTTK1001/Teltonika-RUTM10-Gigabit-WiFi-Router-with-M2M-Func?srsltid=AfmBOoq9BFFMJQ2YVeVPaSvUAImXcUMW5RAFikZv9RiRW-rupi0Orgob


If you like an OpenWRT variant with 200 active bugs. Teltonika firmware is a debauchery.





Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.


Stildawn

14 posts

Geek


  #3413792 11-Sep-2025 14:43

Spyware:

Stildawn:

Would this one work: https://www.pbtech.co.nz/product/NETTTK1001/Teltonika-RUTM10-Gigabit-WiFi-Router-with-M2M-Func?srsltid=AfmBOoq9BFFMJQ2YVeVPaSvUAImXcUMW5RAFikZv9RiRW-rupi0Orgob

If you like an OpenWRT variant with 200 active bugs. Teltonika firmware is a debauchery.


Don't know what OpenWRT is but I assume firmware/software of the router.

So what's a similar one I can buy on the weekend? I'm running out of time a bit now to get it all installed.

The ones recommended here so far either didn't have wifi or cost a fortune.


JemS
93 posts

Master Geek
+1 received by user: 46

ID Verified

  #3413822 11-Sep-2025 15:46

The Unifi Express or Dream Router is a good option if you want it with wifi also, but if you want the ethernet ports to also be VLANned, you will need to buy a managed switch as well. Or you could use the unmanaged switch for the main house and run it off one of the ports on the Dream Router and VLAN the remaining ports on the Dream Router for the granny flat.





 


 

 


toejam316
1524 posts

Uber Geek
+1 received by user: 893

Trusted
Lifetime subscriber

  #3413827 11-Sep-2025 15:59

Cheap, Quality, Good, Pick 2.

Your first and in my opinion best option would be to simply do as suggested above, run a Port 2 ONT connection to the room and let them subscribe to their own service provider.

Your second best option, and the way I'd strongly recommend anyone who would be my customer do things if they aren't going to allow their renter the ability to choose their own service provider is to invest a little bit in a couple of Unifi devices, and then you'll have a pretty easily manageable setup. I'd recommend some sort of UCG Gateway, 2 Unifi APs, 2 PoE injectors to power those APs, and maybe a Unifi switch if required. You'll need to learn how to run the Unifi devices but they're sort of the Apple of networking, and a bit of googling should get you there.

Your third and likely most difficult option given your current knowledge would be to buy some cheaper Grandstream or Mikrotik equipment and do a lot of learning on how to configure these devices. Again, similarly, a router, 2 APs and 2 PoE injectors, maybe a switch. Grandstream has a management platform of sorts, Mikrotik is more of a do it yourself per device experience.

Probably the most important recommendation I can make - hire someone to set this up professionally, as your posts indicate you're likely a little out of your depth. Depending on where you live, there's likely someone here who might do it for a box of beer, otherwise if you give us a rough idea we can probably point you towards companies that could help set up a solution.






 

Anything I say is the ramblings of an ill informed, opinionated so-and-so, and not representative of any of my past, present or future employers, and is also probably best disregarded.


 
 
 

Stildawn

14 posts

Geek


  #3413870 11-Sep-2025 18:22

toejam316:

Cheap, Quality, Good, Pick 2.

Your first and in my opinion best option would be to simply do as suggested above, run a Port 2 ONT connection to the room and let them subscribe to their own service provider.

Your second best option, and the way I'd strongly recommend anyone who would be my customer do things if they aren't going to allow their renter the ability to choose their own service provider is to invest a little bit in a couple of Unifi devices, and then you'll have a pretty easily manageable setup. I'd recommend some sort of UCG Gateway, 2 Unifi APs, 2 PoE injectors to power those APs, and maybe a Unifi switch if required. You'll need to learn how to run the Unifi devices but they're sort of the Apple of networking, and a bit of googling should get you there.

Your third and likely most difficult option given your current knowledge would be to buy some cheaper Grandstream or Mikrotik equipment and do a lot of learning on how to configure these devices. Again, similarly, a router, 2 APs and 2 PoE injectors, maybe a switch. Grandstream has a management platform of sorts, Mikrotik is more of a do it yourself per device experience.

Probably the most important recommendation I can make - hire someone to set this up professionally, as your posts indicate you're likely a little out of your depth. Depending on where you live, there's likely someone here who might do it for a box of beer, otherwise if you give us a rough idea we can probably point you towards companies that could help set up a solution.


So you're saying the VLANs way is not the right way? I can't change anything now, contracts are signed and the wiring is already hard wired in the house.

The research I've done on VLANs seems to do exactly what I want, but could be missing stuff as networking is by far my weakest tech.


nzkc
1638 posts

Uber Geek
+1 received by user: 1043


  #3413876 11-Sep-2025 19:06

Yes, VLANs can work.

You seem to want an all in one solution... which could work sure but I think you want to go a bit more "prosumer". I would go a separate router, and separate access points as others have pointed out. I have a Mikrotik router and Grandstream access points myself (and I use VLANs too). Mikrotik requires a bit of effort/learning. But you get maximum flexibility with it. A Grandstream router might be a little more plug/play. The management software mentioned for Grandstream is pretty good and pretty intuitive. I don't have experience of their routers though.

How much flexibility are you giving your renter around the devices they can use? Can they bring their own router/access points and use those too? Or are you supplying all the networking gear they'll be allowed to use?

Assuming you're supplying it all...

I'd tag a port on the router with the granny flat VLAN (let's say it's VLAN100). Plug the network cable that runs to the granny flat into that port. At the other end I'd offer an unmanaged switch. Attach an access point to that switch and set up the SSID. You'll need to configure a DHCP server for that VLAN - use a different IP range to your current one (for a VLAN of 100 I'd make it 192.168.100.0/24).

You're going to need to define firewall and routing rules too - so might need some learning there.

For your network, you can stay completely untagged or you could have a different VLAN. Probably easier to leave untagged.
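
As an added illustration of the firewall rules the post above says are needed (this is not part of the original post and not any vendor's configuration): an nftables ruleset for a Linux-based router that gives the granny flat network (192.168.100.0/24, as suggested above) internet access while blocking it from the main house network and from the router's own admin services. The interface names `wan0`, `lan0` and `flat0` are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interface names:
#   wan0  = uplink to the ONT
#   lan0  = main house network (untagged)
#   flat0 = granny flat network (VLAN 100 sub-interface or a dedicated port)
flush ruleset   # replaces any rules already loaded

define WAN = "wan0"
define LAN = "lan0"
define FLAT = "flat0"
define FLAT_NET = 192.168.100.0/24

table inet filter {
    chain input {
        # Traffic addressed to the router itself
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname $LAN accept
        # The flat may only use DHCP and DNS on the router, plus ping
        iifname $FLAT udp dport { 53, 67 } accept
        iifname $FLAT tcp dport 53 accept
        iifname $FLAT icmp type echo-request accept
        iifname $FLAT icmpv6 type { echo-request, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
        # Admin UI/SSH from the flat, and everything from the WAN, hit policy drop
    }

    chain forward {
        # Traffic routed between networks
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Drop IPv4 packets from the flat with a source outside its own range
        iifname $FLAT ip saddr != $FLAT_NET drop
        iifname $LAN oifname $WAN accept
        iifname $FLAT oifname $WAN accept
        # No flat<->house rule exists, so that traffic hits policy drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```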


Stildawn

14 posts

Geek


  #3413878 11-Sep-2025 19:13

nzkc:

Yes, VLANs can work.

You seem to want an all in one solution... which could work sure but I think you want to go a bit more "prosumer". I would go a separate router, and separate access points as others have pointed out. I have a Mikrotik router and Grandstream access points myself (and I use VLANs too). Mikrotik requires a bit of effort/learning. But you get maximum flexibility with it. A Grandstream router might be a little more plug/play. The management software mentioned for Grandstream is pretty good and pretty intuitive. I don't have experience of their routers though.

How much flexibility are you giving your renter around the devices they can use? Can they bring their own router/access points and use those too? Or are you supplying all the networking gear they'll be allowed to use?

Assuming you're supplying it all...

I'd tag a port on the router with the granny flat VLAN (let's say it's VLAN100). Plug the network cable that runs to the granny flat into that port. At the other end I'd offer an unmanaged switch. Attach an access point to that switch and set up the SSID. You'll need to configure a DHCP server for that VLAN - use a different IP range to your current one (for a VLAN of 100 I'd make it 192.168.100.0/24).

You're going to need to define firewall and routing rules too - so might need some learning there.

For your network, you can stay completely untagged or you could have a different VLAN. Probably easier to leave untagged.


Yes ideally the simpler the better. I literally just want to provide 2 ethernet lines to the flat, that can't access my network in the main house.

On one of those flat lines I'll plug in an old router with DHCP disabled to provide wifi. The other line I assume they'll plug in a PC or just not use.

I THINK VLANs is the way to go from my research but most of the recommendations are like professional type gear from the looks of it.

Maybe what I'm after isn't simple at all haha, it certainly seems like it should be. Sure some other low tech home users have wanted something similar before.


richms
29251 posts

Uber Geek
+1 received by user: 10361

Trusted
Lifetime subscriber

  #3414044 12-Sep-2025 10:28

The reason the recommendations are all professional grade gear is because you are looking for a professional grade solution.

You will still be getting the visit if your guests in the rental start downloading CP or sending threats to people even with all the vlans and blocks with inter-vlan communication.





Richard rich.ms
