I really like these Netgate SG-1100s. Some people say I'm paid to say it. Netgate does not pay me to say it. By the way, if you notice, I don't even have an affiliate link for Netgate because they don't, I'm not a reseller and they don't really, there's not much commission to be made on these. I do pfSense videos because we use pfSense a lot and people do hire us to integrate pfSense into a greater part of their network. That's kind of my back end nefarious reason why I like these routers. Oh, and they work really good.
But I will admit, when you're configuring VLANs on models like the SG-1100, it can be a little bit confusing because if you've compared this, let's say if you built the pfSense system yourself or you choose a model that doesn't have this particular chip in it, it's really simple. You configure VLANs and tag them to the port. I've done videos on this. But when you're doing it on a Netgate SG-1100 or the XG-7100, they're basically taking one system on a chip that's breaking these out into three logical ports and using kind of like a back end switch port management VLAN tag option. That can be a little bit confusing. They have some tutorials on this. They have a long video that goes in depth on how to configure these. They have documentation on their site. But I figured I'd walk you through just some quick steps of how to create the VLAN and what you have to do. Trying to do it as quick as possible. So the fewest number of steps.
So we have our Netgate SG-1100 plugged in. We have the WAN being fed from a rack in the back over there. We got this little orange cable right here that's just plugged into port one on an EdgeSwitch 10X. This is pretty much a default config. Nothing, I changed the password on it and made sure it's up to date. And then port two right now is going to this cable right here that goes to my laptop.
So that's pretty much just a quick overview of the physical layer and we're gonna move to other ports once we create the VLANs and show how that works. But first to get started, we're gonna log in here and take a look at the settings. So this is all default. I'll then once again change the password so I don't have the stupid error that bugs me to change it. It's an up to date running version 244 release P3 on this little SG-1100. I've done nothing else other than set the IP address to 192.168.11. And here is the 172 address it gets in our lab here. And here is that LAN uplink.
And this is the first thing we'll just talk about real quick here, this is the switch port management where you can change these. And there's a couple of different ways to do it. We're just gonna cover one method, kind of the basics of getting VLANs set up. They have some more advanced videos and more advanced ways you can do things and reprogram different ports. We're just gonna use the LAN port to a managed switch for this particular video topic.
Now, this is the part that gets a little bit confusing. Member zero is that chip. So member zero has to be tagged and then we break out logically three, two and one being off to LAN and WAN. So the back end is 4090, 4091, 4092. And you tie these ports 4090, 1492 and 4090 right here to those respective ports. So it's a little bit confusing, like I said at first when you're looking at it but it's the way the Marvell chip works.
So let's create the VLAN and walk through the steps though. So we're gonna go over here to interface assignments because that was under interface switches. And by the way, if you're running a pfSense that is like you just downloaded and loaded it, they don't automatically, I don't know if this shows up anywhere else but inside of Netgate boxes that have these chips. I don't know if there's any way to do this with other chips in case anyone's wondering, but the Netgate ones, this switch option shows up automatically.
And we're gonna go to VLANs. So here's the ones that are already done. Let's create another VLAN. And we're gonna call this our guest network. And you notice there's only one to choose from here. If you're using the XG-7100, there's actually a couple of different ways. I covered that in my XG-7100 review. So let's create VLAN tag 50. VLAN priority, let's leave it alone. We'll call it guest network. So we want a separate guest network that is not on the same VLAN. So not much to choose in the parent interface, VLAN tag 50. Save, all right. We've added one more VLAN tag and it's gonna be tied to the same interface.
Then we're gonna go over here. We can go to assignments. There's our VLAN. So we're gonna go ahead and add it. And then call it OPT2. Now we're gonna rename it. We'll call it enable. Static IPv4. 192.168.50.1. Make it a /24 network. Save, apply.
All right, next step. Firewall rules. And I have plenty of videos on rules and someone's gonna point out, but you should be restricting and setting up. I know, we're just opening it up. The first thing I do when I test things is you just open it up, save. So we open it up and then I work it out later. First, make sure it works. Then worry about the other details. We'll also go ahead and go to services, DHCP server from 10 to 200. And we go all the way to 250. Why not? Lots of people on the guest network. Save. All right, now you have a DHCP server.
Now here is the part that people miss. That is the normal process. So if you watch my other VLAN videos, you may have stopped there and go, that would make it work, right? No, this is where now we have to go over to the switch port, VLANs. And we have to tie this to the LAN. So we're gonna add a tag to this. VLAN tag is 50, guest network. And we wanna tag all the ports. Zero, add member. And this is which member we're adding. So it's two is assigned to LAN. So we wanna make this tied to two and we want that tagged as well. So zero and two, save.
Now, what you can see here is LAN is zero tagged. We have to always tag that member zero because that's that system on a chip. And then two is tied to LAN physical. So that's your native. You're just gonna get the standard LAN address. But now the guest network running off the same LAN. Zero tagged, two tagged. Tagged with what? Tagged with port 50. That is the final piece I think a lot of people miss when they get stuck on these going, well, the VLAN wasn't working and I can't get an address, et cetera, et cetera, et cetera.
So that should be working, but now how do we test it? So we gotta go over here to our EdgeSwitch. I gotta go over here to the VLAN configuration of the EdgeSwitch. New VLAN ID, we called it 50. So we're gonna make VLAN ID 50 plus. Now this is already set, port one is set to be a trunk port. So now we have to tag this right here. Then we're going to exclude this port but tag or untag this port. This is the way the EdgeSwitches work. I did it on the EdgeSwitch because it's popular for people who don't wanna deal with the whole setting up a UniFi interface. I do really like the simplicity of the UniFi versus the EdgeSwitch. But what essentially you're doing here, your trunk comes in here, untagged, untagged because we want it to be a native VLAN excluded and then untagged here, but tagged here because this is where the tags are coming in. Now it's been successfully applied.
So what we should be able to do here, we can see the IP address of my computer is 192.168.105. I should get a .50 address if I did all of this correct by moving it over to this port and it works. So just so you know, I'm now in port three as opposed to port two which brought me the different IP address. So this has been tagged out. So this is now the guest network and that's it. Those are the steps you need to take to make the guest network work. And this is where a lot of people either, A, they don't turn on the DHCP server.
Yes, I know the rules are wide open right now that's not ideal, but it is important to know that yes, the steps work done here. Now it's a whole different thing if you want, for example, and I'll just bring this up because I know this question will come up. You do this differently. You do not want, if this is your guest network you don't plug your wifi in here or it would only get the guest network. You wanna do the VLANs inside of the wifi device such as the UniFi access points. I have a lot of other videos where I break that down in more detail. Go through the channel, go through the UniFi setup tutorials for any of those. But you do have to have a wifi device that supports VLAN tagging if you want it to be the guest network.
But that was all I had to do to do this and we'll just run over the configuration. So you have, this is what it did look like. Let me refresh the page and we tagged this. Now if we wanted to move this to OPT we would have tagged one instead of two. So that's another option if you wanted the OPT to be the guest network. But it, you know, this just comes down to preferences and some of the configuration for how you wanna do it.
I just wanted to cover this part very quickly to show that it's not too difficult but it does require that extra step in order to tag these ports to make them work versus a normal one, you just tie it to the port and away you go. The switch ports just make, I'm not gonna call it a challenge but I'm gonna say an extra step to doing it. And if you're not familiar with it that would obviously be a point of confusion. So if you watch any of my other VLAN videos you're like, hey, I missed something because of switch ports. If you want more in depth, I'll leave links to the Netgate explainer; they have a real in-depth video where they talk about this, which I have watched in depth, about how the chips work inside of here.
I think it's a really cool design, the way they take these and the common non-pfSense term for this is gonna be like router on a stick where you take one port and divide it up. This is something you can do with a lot of pieces of high-end equipment. Do offer that as a feature. It's pretty cool. But that's it to doing SG-1100 VLANs. Just those couple steps to get it going. And from there, you treat it like anything else. All your standard firewall rules apply. Everything else is there. You're just taking it and breaking out a logical network on this VLAN. Thanks.
Thanks for watching. If you liked this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below which offer discounts for you and a small cut for us that does help fund this channel. And once again, thanks again for watching this video and see you next time.