My question is if such a setup would work:

A cable modem, several LAN machines as well as the router/server (Linux box, with just 1 port) connect to a cheap smart managed switch such as the TP-Link TL-SG108E. The LAN machines should be able to connect to the Internet through the router.

Can such a switch be configured such that the LAN machines receive untagged traffic, but the router will receive their traffic e.g. with VLAN ID 1, and that the modem will also receive untagged traffic, but the router will receive its traffic e.g. with VLAN ID 2?

Additionally, are there any security or performance considerations*?

*) I am aware that since the router uses just 1 port the bandwidth would split between LAN and WAN traffic. For that I'd do shaping on eth0 in both directions according to my needs.

1 Answer

I found your question because I was researching a VLAN broadcast issue with the specific router you happen to mention (TL-SG108E). Setting that issue aside for the moment, what you are asking should be possible with VLANs on that device or any other VLAN-capable "smart switch".

You would define the port the cable modem plugs into as 'untagged' for a given VLAN and set the PVID to match. In this mode, the switch will automatically insert and remove VLAN headers for all traffic to the port, such that the device has no idea it's on a VLAN, but other devices in the network (other switches, or your router for example) will receive the VLAN tags. And of course, as is their purpose, devices on different VLANs will not see each other's network traffic.

You would do the same for all the other local LAN devices, setting them as untagged on a different VLAN.

Then for the port going to the Linux router, you would define it as a tagged port with both VLANs, which tells the switch to pass the VLAN-tagged packets directly to the device. Linux is capable of setting up VLAN interfaces that will process the VLAN tags and deliver the packets to the appropriate interface.

At that point, you can use iptables to route packets between them as you please using the FORWARD chains, just as if you had two physical interfaces on the Linux box that you wanted to route between.
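The router-side half of the setup described in this answer, written out as an added example (not code from the original question or answer): it creates one 802.1Q sub-interface per VLAN on the router's single NIC, then installs a default-deny FORWARD policy that only lets LAN clients out to the modem's VLAN (plus return traffic) and masquerades on the WAN side. The interface name eth0, the VLAN IDs 10 and 20 and the 192.168.10.0/24 subnet are assumptions chosen for illustration; the script only prints the plan unless APPLY=1 is set, so it can be reviewed before it touches anything.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed values: parent NIC
# eth0, LAN VLAN 10, WAN (cable modem) VLAN 20, LAN subnet 192.168.10.0/24.
set -eu

IFACE="${IFACE:-eth0}"
LAN_VID="${LAN_VID:-10}"                 # assumed LAN VLAN id
WAN_VID="${WAN_VID:-20}"                 # assumed VLAN id of the modem's port
LAN_NET="${LAN_NET:-192.168.10.0/24}"    # assumed LAN subnet
LAN_ADDR="${LAN_ADDR:-192.168.10.1/24}"  # router's address on the LAN VLAN

# Print the commands that create and enable an 802.1Q sub-interface.
# $1 = parent interface, $2 = VLAN id  (creates e.g. eth0.10)
vlan_cmds() {
    printf '%s\n' \
      "ip link add link $1 name $1.$2 type vlan id $2" \
      "ip link set dev $1.$2 up"
}

# Print the forwarding policy: default-deny FORWARD, allow LAN -> WAN from
# the LAN subnet only, allow replies back, masquerade on the WAN VLAN.
# $1 = LAN interface, $2 = WAN interface, $3 = LAN subnet
firewall_cmds() {
    printf '%s\n' \
      "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -P FORWARD DROP" \
      "iptables -A FORWARD -i $1 -o $2 -s $3 -j ACCEPT" \
      "iptables -A FORWARD -i $2 -o $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -o $2 -s $3 -j MASQUERADE"
}

# The complete plan for this router: both VLAN interfaces, the LAN address,
# and the firewall. The WAN interface gets its address from the modem's
# DHCP server afterwards (e.g. a DHCP client on eth0.20), not from here.
plan() {
    vlan_cmds "$IFACE" "$LAN_VID"
    echo "ip addr add $LAN_ADDR dev $IFACE.$LAN_VID"
    vlan_cmds "$IFACE" "$WAN_VID"
    firewall_cmds "$IFACE.$LAN_VID" "$IFACE.$WAN_VID" "$LAN_NET"
}

# APPLY=1 (as root) executes each command; otherwise the plan is just printed.
if [ "${APPLY:-0}" = 1 ]; then
    plan | while IFS= read -r cmd; do echo "+ $cmd"; eval "$cmd"; done
else
    plan
fi
```

Two points worth checking on the switch side before trusting this: the port towards the router must carry both VLANs tagged and nothing untagged, and the modem's port and the LAN ports must have their PVID set to their own VLAN so untagged frames from those devices land in the right VLAN. The example deliberately avoids VLAN 1 because on most managed switches, the TP-Link Easy Smart line included, VLAN 1 is the default VLAN that every port is a member of until reconfigured, so using it for either side makes an accidental overlap between modem and LAN traffic harder to notice.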
