My Starlink VLAN Setup 

Why doesn't Chris have a mil in subs yet? 2 years ago he taught me Free PBX and it now handles 600 calls into our dispatch center per day and then convinced me to switch to Unifi equipment saving hundreds a year in Meraki license fees.

Will you be making a video, where you combine Comcast and Starlink together via Pfsense or even with a USG/USG-Pro/UDM/UDM-Pro? I currently am using Comcast (PTP Nanobeam) into my USG-Pro WAN 1. WAN2 is coming from a Peplink Max HD2 (with Comcast WIFI WAN, Starlink and Cellular). Because I am in a rural location my options are limited, unless I want to spend a fortune for Comcast directly to my home. Thank you for the videos

This has been the best explination of VLANs I've heard in a long time. Thank you so much!!!!

Carrying any traffic on the Native VLAN of a trunk is a security issue. Do not do this. Also, bringing "outside" traffic into your interior network equipment is also not a good idea. Lot's of bad information here. Yes... It might work, but you're doing this wrong and suggesting other people do the same. Stop it.

OMG! Thank you so much! I've struggled to understand VLANs thinking I had it many times. The way you explained this setup finally made the lightbulb go on for me!!!!!

Given the two ISP's, is it possible to avoid load balancing and create a seperae WiFi network for each indivuadal ISP?

Just wanted to say a quick Thank You! Ever since I’ve stumbled across your channel years ago, I’ve learnt so much about networking in general and UniFi in particular! Keep up the GREAT work 👍

LOL, No USG/UDM..... Need to be mindful of UniFi that will bridge VLAN's at the USG's by default, pretty certain the same on UDM. Chris, your description for tagging is confusing, the port on the switch when assigned will Tag/Untag, the rm untagged is incorrect. On managed switches, All inbound traffic will be tagged, all outbound will have tags removed. You did touch on this but for others, If you leave a port as default on UniFi, all tags will be intact and presented to every device on the network. This means you have to set ALL ports on the network switches to the correct VLAN or VLAN's (switch-port profiles) of switches as all are "Trunk" as default.

Good video! Question: Did you have to put Starlink in bypass mode to turn off its DHCP?

I just did the same thing but 1st try was in the new user interface. I didn't see a way to do VLAN only so had to switch to classic view. Is there a way to do VLAN only in the new user interface?

Well from watching this video I was able to get my WAN connection over a Vlan. Works lovely now I have a switch next to my ISP modem. Looks funny having a short cable coming from my UDM Pro switch into its own WAN Port.

Very imformative video, enjoyed this one, learnt a lot, thanks Chris, VLANS are something i want to bring into my unifi home network.

Does running it this way with the untagged port connecting to the Starlink WAN leave you open to a VLAN Hopping attack allowing access to the rest of your network VLANs? Do you have to do any additional configuration inside the switch to mitigate the risk? Also what's the reason you didn't put the edge router with the PoE injector and then trunk the Starlink LAN back down to your office?

Ya know, It hadn't dawned on me to create a VLAN on my switches, for the WAN. I saw part of this video, before I ran into my office, and reconfigured 2 Edgeswitches, for the WAN connection between my cable modem, and my pfSense box, which are across the room from each other. Now, I have 1 less 30 foot cable in the mix. Great idea!!!

Very timely video! When I get my Starlink system (sometime this year I hope -- I live in southeast Texas), I will have to mount the dish on my barn to get a clear sky view. I was thinking about using a new Nanostation AC bridge from my barn to my house to use as the separate internet source as WAN 2 on my USG. Maybe that isn't necessary if I interpret your information correctly! I already have a NS5 AC Loco RF bridge from the barn to support a couple of switches, an AP, and some security cameras out there with the cameras all on their own VLAN. Do you think I can piggyback on that system to bring my Starlink source back to my USG basically as you described?

Any worries about having essentially public internet touching your switches? (Yes I know it's a completely isolated vLAN)? However it still resides on a Unifi switch and I've had experience with Unifi and traffic affecting separate, and completely isolated vLANs, but living on the same switch (absolutely no routing between vLANs, no router setup on either vLAN) Edit to add: I know you say that the devices shouldn't know anything about the other vLANS, but as I mentioned, I've found this not to be the case in Unifi. I've shown Unifi the issues and they've confirmed, but didn't have a resolution.

I do something similar. I have my WAN coming in on a VLAN, but my firewall is a VM in a vSphere cluster. I can migrate the VM to any host server in the cluster, and if the host running the VM fails, it automatically starts up the VM on another host. Pretty overkill for a homelab, but I make a point to have redundancy in everything I do.

Hello, question, did you manage to make a Site-2-Site VPN connection with this Starlink setup? Thx.

Question: Consider the case for a UniFi camera / UNVR setup where you don't want someone to be able to disconnect an outside camera and "jack into your network" and see internal traffic. You still want to be able to access the UNVR, suitably authenticated, even when you are offsite. How would VLAN's play a role in protecting your LAN from a potential intrusion should someone "jack into a camera ethernet plug"? Perhaps you might even consider making a video on how to secure/isolate a camera network while still allowing the UNVR content to be accessed.

I finally understand tagged vs untagged, 👍

I was working at a local WISP and we had an Unifi city-wide network with private fiber links to towers and we used something similar. There was a Mikrotik router and a set of VLANs that were set for different IP blocks and we would set ports of Unifi switches to connect customers in office buildings, and CPE radios we would just set the VLAN for the customer side Ethernet port to give them internet. This setup was really easy to work on because it was an Unifi network underneath and I could pull up a phone or tablet and make changes, the IPs for the Internet were controlled by the Mikrotik and Sonar. VLANs are hard at first to get your head around butt once you realize they are just virtual network cables from one thing to another its not bad.

How come you use the seperate er-x for starlink and not to a wan2 interface on the sg-1100?

I am trying to set up starlink without using their modem, can I just plug the white ethernet cable into a tp link switch because I tried that and reset the switch by unplugging it and plugging it back in and i'm getting nothing.. do i have to wait like 5 to ten minutes maybe? Or do i need to buy a tp link router er605? i've asked a few youtubers, i've emailed starlink. no one will help me.. pls help. i'm sure this is a simple answer for a tech. i'm not good with network stuff. IT looks like you are plugging direct into your switch at the first of the video?

I have kinda the same setup minus the Starlink. But as soon as I add the first VLAN to pfSense my 1000mbit symmetrical fiber internet speed drops to about 250/50mbit. Any ideas?

I actually don't think it was that complicated the way you explained it. Very helpful and informative.

NOT super confusing. QUITE cogent.

Great detail and explanation.👍👍 BUT, this solution doesn't seem to help me with my problem. I have a remote location that is connected by StarLink which has a LAN of IoT devices (home automation, solar power system, generator etc.) and I need to remotely monitor and reset system setpoints etc. In essence, I have a remote StarLink LAN that I want to connect to from my home network/pc or my smartphone to make these changes. I believe I will need to establish a VPN connection but there's not enough geek in me to design the solution. Help required.

VLANs need separate IP subnets, right? Do we need routing between them, like let say I have a camera and want to connect to it from my phone which is in different VLAN (camera port would have untagged VLAN)?

Thank you so much!! It really made things easier for me. How'd you recommend getting rid of all the unknown devices within the segregated Vlan? I have made sure to block all internal Vlans on Vlan only ports

It’s working all over the the world or it’s s US Only ? Am interested but i am in South Sudan.

I like my current wifi router, Synology RT2600ac, and its software and location in my house, is it possible to setup Starlink>managed switch>Synology Router and be able to retain all the functionality of my Synology router as a router instead of making it an AP? Is that where I setup a VLAN in some way. I realize this question probably makes it clear I should not do this, but I want to learn and figure out if I can use my current router as a replacement for the Starlink router, but run through a managed switch first before getting to the router due to wifi placement for the router in the house.

I just order today Starling and i got a Smart tv. I like to know what i need for register m'y best program on tv like i use to Do with m'y explonet box.thank you.

Reminds me on how I use pfSense with a single NIC laptop and a Managed Switch. WAN on separate VLAN and that VLAN untagged as Access port on the Managed Switch.

I’ll review this and others again. Still confused but I’m new at all this.

It’s working all over the world or it’s only US region ?

Very interesting use of vLANs. I'd never thought of doing that. My default solution/thought of aggregating different ISPs would be on gateway/firewall level and then split it up into VLANs.

Hi Chris, did you test Starlink with VoIP already?

I followed your video and I was able to mount my Starlink on my pole barn, connect to the US-8 (Starlink VLAN Port 5) to my UDM Pro (Port 5) to the Peplink Router. Thank you

Man, last time I was this early, I still had a job!

Unless your first switch is a layer 3 switch it is not the best setup. The first switch should be a layer 3 then you should use lay 2 switches behind it

I do the same thing on my unifi network as VLAN only so i can carry wan and lan traffic with single airMax link

Chris, since the UDM Pro still doesn't implement IGMP-Proxy I had to do this same setup on my AT&T fiber with U-Verse TV in our Unifi environment. I have 2 uplinks coming out of AT&T's Arris BGW210-700 gateway: one in IP-Passthrough mode to the UDMP, and the other to SFP25 on the USW-24-POE switch. That port is setup as VLAN-Only VLAN10. From the USW I have "All" uplinks to the 2 devices that need it: a US-8 in the media room for the DVR (the DVR's port profile is set to that VLAN10 which feeds a set-top box), and a UAP-AC-IW in the in-law apartment, with one of the uplink ports on that AP profiled to VLAN10. The AT&T gateway does all the DHCP, routing and IGMP spoofing for that VLAN10 so the DVR and set-top box get IPs and clean, uninterrupted signal on AT&T's bizarre unicast to multicast IPTV implementation. I have no IGMP snooping on any of my LAN (VLAN1) or IoT VLANs, and the rest of the uplink trunk profiles are set to only deliver those 2 VLANs.

Hello sir, what if I buy starlink for a US address through a collecting company and then export it via DHL to my country, knowing that my country is not supported by astarlink company, will there be problems? I hope I didn't bother you and that there are no spelling mistakes I use Google Translate.

Why did you choose to set up Starlink as it’s own LAN? Couldn’t you use a Starlink1 VLAN to ‘trunk’ to your USG/UDM and connect a Starlink port to the WAN 2 port? Does UniFi allow for load balancing to assign the a WAN connection to a specific VLAN? In that case a Starlink2. VLAN would have firewall rules applied. It would require two VLANs, if it is even possible with UniFi gateways, but would allow access to Starlink using your existing network. It could also serve as a failover in the case of a Comcast outage.

QUESTION: I have a printer on VLAN 10 that I want to share with Guest network that is on VLAN 120. I want Guest clients to discover and utilize printer but nothing else on the VLAN 10 network. What is best way to do this - reserve printer address in DHCP and write rules for firewall to only pass traffic to reserved IP address across VLANs?

I do the excat same thing from my Barn that has a clear view of the sky. Then I run that VLAN.574 via the Uniifi trunk into my office and then tag it into my PFSense. I created a tagged VLAN.574 in PFSense and set it up as a backup internet connection so if/when my primary fails, it automaticaly switches over to Starlink.

I work for an AV company in the mountains of Idaho and just setup StarLink into a ubiquiti USGPro and a NanoBeam PTP shooting to a barn over 500’ away. The barn was getting 300gbps down 🤯

I confess that I choose Unifi because of you. What you teach here is very well paid in other places. I have 2 UAP6 and 1 UDR, and I configured everything without any major problems.

perfect explanation of vlans

Right so that Netgate firewall is doing naff all in this scenario

Chris, thank you… I’ve always only half ‘got’ VLANs but this has just made the other ‘half’ make more sense!!

Please answer my question as soon as possible❤️

I need to set up a unifi test lab at home. I've tried several times, but I keep on selling the hardware I've put aside to clients. There are often supply issues with Ubiquiti products, and having some pieces on hand has helped a lot. I've sold the G3 Domes I bought for my house at least 4 times. By the time I actually get to pull some cable through the roof and install them, they will have paid for themselves

PVID VLAN does all this but easier also mstp does a similar thing but don't know if it's avealible on unifi products

What is the software that you use to create system diagrams?

With other manufacturers, the default VLAN is say VLAN 1. All ports are set to this by default, and it is not trunked to other switches. You then create VLANS for specific purposes, and set ports for client devices to one specific VLAN port. The only normal exception I see to this is if you want to use a single port port for a VOIP phone with a pass through port to connect your computer. This normally limits the connection speed of the PC to 100 megs, so its not the best. Hopefully these days in any business, you will have 2-3 Cat 6 sockets at each desk.

One note for people new to VLANs that wasn't explicitly called out in the video: never expose tagged frames to end-user devices. In other words, all trunk traffic should be at the infrastructure level, between switches or APs, not on any access ports on your switches. Also, Chris -- I assume there is a physical limitation that prevents you from doing this, but it seems you could benefit from a hierarchical architecture by running your USW-24-PoE as a distribution switch and trunking to your garage. That way all inter-switch traffic would pass through the USW-24-PoE and you can centralize inspection and services there.

Great video Chris, a little off topic but, a few videos ago you said you might cover an upgrade from Cloud Key Gen2 to UDMpro, this is something I am about to do and your help and knowledge would be great?

Man, I've been doing the same thing with both Starlink AND T-Mobile ISP. I just thought it was more convenient to run the WAN through the switch first in case I ever needed to bypass my firewall with my computer.

Love your vids~! Also, where did you get that T568B wall art? That thing is awesome~!

Funny I did the same thing, but it’s vlan5 for me.

I'm not too familiar with vlans (as I haven't been in the field with hands on experience) but everything made sense except for the last part but, I'm only on 3 hours of sleep right now

Now I finally understand the difference between tagged and untagged VLANs - thanks Chris

Hi Chris I did a similar set up to what you did a few years ago using unifi switches. passing an ISP modem ethernet connection through on a separate VLan to the wan port of my router to a different part of the building.I found that if you click on clients in the unifi controller you could see devises on the ISP network that were not on the site where I was located at the time.

How many meters is the stretch of Starlink modem?

Hey Chris - Why didn't you just present Vlan 574 to PfSense as an additional WAN, and create a gateway group for automatic failover incase your primary comcast link dies. You could create another Starlink LAN, and use policy based routing to ensure that network uses the Starlink WAN as the default egress point. More importantly, you could have put the Unifi Edge router on ebay and make it somebody else's problem :-)

Excellent explanation on VLANs! Still confused but getting closer to understanding fully? By the way it seems you need atleast 3 switches to implement VLANs properly?

Thank you! This video was tremendously helpful and understandable. This explains how you can route 2 ISPs through your network to the edge router for testing Starlink. I would love a video comparing "VLAN Only" to "Corporate LAN" with VLAN ID and how to segment or wall off each or perhaps allow cross-talk. (IOW: a use case where there's only one ISP but you want a certain VLAN not to be visible to the rest of the network and vice-versa, perhaps only accessible through VPN)

This is a neat idea, but it results in additional traffic on your trunk lines

Hi Chris quick question do you know if there is any way to configure the UDM Pro to have load balancing of the two WAN connections rather than failover. I want to be able to have both Starlink and my other connection both active at the same time. The only option I have now is failover. Thanks Regards Paul

I'm not a network engineer and have only lightly dabbled in VLANs... usually enough to be confused. I followed what you did. Excellent job explaining it!

im just a beginner and I love learning about setting up a network in my home. Thanks for this!

Will definitely have to watch this several times to gain full benefit from it! Thanks...

Great video, Chris! As a tech hobbyist, but nowhere close to a professional, I love watching your stuff to get ideas for my own home UniFi network!

I have been thinking about doing this for a long time thanks for the video on how you would do it

Excellent video great explanation thanks

You made it seem easy! Thank you!

This is a neat way of routing WAN traffic through an internal network, while still keeping separation. In principle you could even replace SL with a competitor product down the road (if one ever materialises) with minimum effort.

Unifi helps a lot by not usung taged/untaged/trunck nomeclature

Fantastic video update... thank you 🇭🇲

It makes perfect sense to me

Great video Chris

Great explanation. Thanks

Great explanation! Well done!

Great explanation and breakdown. Wish I had the patience to sit down and write up how my network is setup. I work in IT so I try to replicate what I have to work with day in and out. Ended up setting up an external PfSense firewall, and then an internal one. Took some time to do so I could get VLANs, static routes, and DNS to work how I wanted but it's videos like this that either sparks someone's interest to give it a shot, or are an Ah Ha! moment for someone that's been hitting road blocks. Great video.

Nice explanation Chris!

You are using a edge router on the end of the line. Is it possible to just use a (standard) switch instead to connect to the dish or do you explicit need to use a router (Starlinks or own router)? Have you tried it or can give it a try? Would be happy to hear from you.

VLANS are far from “complicated”. But anything can be complicated when you lack the basic understanding of things.

As always, thank you, Chris.

Since the StarLink dish is plugged into a POE switch, can you eliminate the POE injector (i.e. power the dish from the switch)?

I have a small project do you think you can guide me pls ?

Hey Chris, just a question: is there any special reason to have a LAN dedicated to Starlink with the Edgerouter (or another one) and everything? Or is it just to have a separate infrastructure for the secondary WAN? And do I understand correctly that you are bypassing the firewall?

Thanks & Well done. What is the benefit of segregating it on VLAN 574 other than security? Honestly I don't understand what the benefit would be in home environment?

Any reason the pfsense firewall isn't handling both ISPs? I'm aware there are some port forwarding issues with multi wan with 2.5.x but that really shouldn't be an issue long as Starlink isn't the primary.

I grew up a few miles from where you got that shirt.

¿Why not use the pfsence for the starlink and use it as a back up for the whole house, or testing on a vlan back to the us24 to play with? Not sure why the two routers

can i use starlink in Ghana ?

What diagram software is that?

How are oddball RU-vid reviewers able to get it when they are now saying availability is not until LATE 2022?

I would love a run-through if your pfSense setup/how to setup a pfSense network like yours. Or since I heard you arn’t %100 confident on pfSense yourself, a video from one of your pfSense guys would be greatly appreciated!