My VLAN Trunk Home Network Setup


Every home network starts with a physical constraint. In my house, the Spectrum coax enters in a closet, so the modem has to live there. But WiFi does not. My goal was to keep the main router upstairs in an open spot for the strongest signal, then use a wired backhaul to feed access points so coverage stays solid across the whole house.

The catch is wiring. I only have two Cat5e runs that terminate back at the closet cabinet: one from the family room downstairs and one from the game room upstairs. The “easy” approach is to plug the modem, the upstairs run, and the downstairs gear into an unmanaged switch and hope it sorts itself out. It doesn’t, because an access point is basically a Layer 2 bridge and it must live on the router’s LAN side. The router needs to be at the top of the topology: its WAN port should be the only thing talking to the modem so it can pull the ISP DHCP lease and get a public IP, then it hands out private IPs on the LAN (DHCP) and does NAT and firewalling. When you put an unmanaged switch in between, WAN and LAN become the same Layer 2 segment, so DHCP and ARP broadcasts leak everywhere. That is when clients get weird IPs (or no IP), the wrong DHCP server answers, and the whole network starts acting haunted.

This post is the clean fix: I used VLAN trunking to carry both WAN and LAN over a single in-wall cable, while keeping a real routing boundary between them.

What I’m running

  • Main router (upstairs): Asus BE92U
  • Downstairs WiFi: Netgear R7450 in AP mode
  • Two managed switches: Netgear GS305E smart managed switches
  • Switch placement: Left switch is downstairs/closet cabinet, right switch is upstairs near the router

The managed switches are the key. GS305E supports 802.1Q VLAN tagging, which means one physical cable can carry multiple isolated networks safely.

Switch photos

[Photos: the two Netgear GS305E switches that make this VLAN trunk setup possible, downstairs (left switch) and upstairs (right switch).]

The real problem (one cable had to do two jobs)

I needed two paths, but I only had one good path between floors:

  • Path #1: carry the modem’s internet handoff up to the router’s WAN port
  • Path #2: bring the router’s LAN back down so the rest of the house can connect normally

In a typical install, those are two separate cables. In my house, they had to share.

Why one Ethernet cable can carry both paths

The important detail is that modern Ethernet links are full-duplex. Full-duplex means the link can transmit and receive at the same time, so upload and download are happening simultaneously over the same cable.

When I say “WAN and LAN share one cable,” I am not splitting the cable into two half-speed networks. I am using a single gigabit link between the two switches, and both VLANs ride across it as tagged traffic. The switches decide which frames belong to VLAN 10 (WAN transport) and which frames belong to VLAN 20 (LAN), but electrically it is still just one full-duplex Ethernet link.

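The tradeoff is simply that it is still one physical uplink, so WAN and LAN traffic share the same total bandwidth available on that trunk. A download to a downstairs client crosses the trunk twice, up to the router on VLAN 10 and back down on VLAN 20, but those two trips use opposite directions of the full-duplex link. In a home network, that is usually fine because internet speeds are typically far below 1 Gbps, and most local LAN traffic does not need to cross floors all the time.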

An option I considered (a dedicated router in the closet)

There is a simpler way to solve this in many homes: put a wired router (or small firewall appliance) in the closet next to the modem, then use the in-wall Ethernet runs as regular LAN drops, and place WiFi access points where coverage is best.

That approach works well if you already own a router with multiple Ethernet interfaces, or you are willing to buy one. In practice it usually looks like this:

  • Modem connects to the closet router WAN
  • Closet router LAN ports feed the downstairs and upstairs Ethernet runs
  • WiFi is handled by separate APs (or you repurpose an old router as an AP)

The reason I did not go that route is simple: I already had a strong WiFi router I wanted to use as my main edge device. I wanted the Asus BE92U to remain the router doing DHCP, firewalling, NAT, and WiFi, instead of downgrading it into a basic access point and buying extra hardware just to work around the closet location.

VLAN trunking let me keep the best part of the setup, the router placement for WiFi, while still building a clean WAN and LAN separation like a real network.

The solution: VLAN 10 for WAN transport, VLAN 20 for LAN

I built the network around two VLANs:

  • VLAN 10 = WAN transport (modem side traffic only)
  • VLAN 20 = LAN (everything inside my home network)

The goal is simple: WAN and LAN never share the same Layer 2 segment. The only place they meet is inside the router, where firewalling, NAT, and routing are supposed to happen.

Clean ASCII diagram of the setup

Here is the layout. This is the diagram I keep in my head when troubleshooting.

                          (Upstairs, Game Room)
                    +--------------------------------+
                    |          Asus BE92U            |
Internet from ISP   |                                |
(coax)              |  WAN port        LAN port      |
   |                +-----+--------------+-----------+
   |                      |              |
   |                (VLAN 10 access)  (VLAN 20 access)
   |                      |              |
   |                +-----+--------------+-----------+
   |                |   GS305E Switch (Upstairs)     |
   |                |   “Right” switch               |
   |                +-----+--------------------------+
   |                      |
   |                      |  Cat5e in-wall run (Game Room <-> Closet)
   |                      |  TRUNK: VLAN 10 tagged, VLAN 20 tagged
   |                      |
+--+----------------------+----------------------------------+
|               (Closet Cabinet / Downstairs)                |
|  Spectrum Modem                                            |
|  (Ethernet handoff)                                        |
|       |                                                    |
|       | (VLAN 10 access)                                   |
|  +----+-------------------------+                          |
|  |   GS305E Switch (Downstairs) |                          |
|  |   “Left” switch              |                          |
|  +----+-------------------------+                          |
|       |                                                    |
|       | (VLAN 20 access)                                   |
|       +------------------> Netgear R7450 (AP mode)         |
|       |                    WiFi for downstairs clients     |
|       |                                                    |
|       | (Optional Cat5e run to Family Room)                |
|       +------------------> Family Room wall jack (VLAN 20) |
+------------------------------------------------------------+

What makes this work (access ports vs trunk ports)

The entire design comes down to two port behaviors:

Access ports are “normal ports”

Access ports carry one VLAN only. Traffic is untagged on the wire. The switch places it into the correct VLAN internally using the port’s PVID.

In my setup, access ports are used for endpoints that don’t need VLAN tags:

  • Modem Ethernet handoff (VLAN 10)
  • Router WAN port (VLAN 10)
  • Router LAN port (VLAN 20)
  • Downstairs AP uplink (VLAN 20)
  • Any normal client / room jack (VLAN 20)

The trunk is the “one cable that carries both networks”

The trunk port carries multiple VLANs using 802.1Q tags. Between the two GS305E switches, the trunk carries:

  • VLAN 10 tagged (WAN transport)
  • VLAN 20 tagged (LAN)

That means the same in-wall Cat5e run carries both paths at once, without mixing them.
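
To make the access and trunk behavior concrete, here is an added example (not part of the original setup notes and not Netgear's software) that models both switches as port tables and computes which devices hear a broadcast. The port numbers, device labels and the simplified ingress-filtering model are assumptions; the post does not list port assignments.

```python
# Added example: models which devices hear a broadcast on the two-switch layout.
# Port numbers are assumed for illustration; the post does not list them.
UP, DOWN = "upstairs", "downstairs"

def build(modem_vlan=10):
    """Port table: PVID, VLAN membership (U = untagged, T = tagged), attachment."""
    trunk = {10: "T", 20: "T"}
    return {
        (DOWN, 1): {"pvid": modem_vlan, "vlans": {modem_vlan: "U"}, "dev": "modem"},
        (DOWN, 2): {"pvid": 20, "vlans": {20: "U"}, "dev": "downstairs-ap"},
        (DOWN, 3): {"pvid": 20, "vlans": {20: "U"}, "dev": "family-room-jack"},
        (DOWN, 5): {"pvid": 1, "vlans": trunk, "peer": (UP, 5)},
        (UP, 1): {"pvid": 10, "vlans": {10: "U"}, "dev": "router-wan"},
        (UP, 2): {"pvid": 20, "vlans": {20: "U"}, "dev": "router-lan"},
        (UP, 5): {"pvid": 1, "vlans": trunk, "peer": (DOWN, 5)},
    }

def flood(ports, src_dev):
    """Return the set of devices that receive a broadcast sent by src_dev."""
    start = next(p for p, c in ports.items() if c.get("dev") == src_dev)
    # An untagged frame from an endpoint is classified by the ingress port's PVID.
    todo, seen, heard = [(start, ports[start]["pvid"])], set(), set()
    while todo:
        ingress, vid = todo.pop()
        if (ingress, vid) in seen or vid not in ports[ingress]["vlans"]:
            continue  # already processed, or dropped by ingress filtering
        seen.add((ingress, vid))
        for port, cfg in ports.items():
            same_switch = port[0] == ingress[0]
            if not same_switch or port == ingress or vid not in cfg["vlans"]:
                continue  # frames only leave member ports of this VLAN
            if "dev" in cfg:
                heard.add(cfg["dev"])
            else:
                # Tagged egress keeps the VLAN ID; untagged egress is
                # re-classified by the far port's PVID.
                peer = cfg["peer"]
                tagged = cfg["vlans"][vid] == "T"
                todo.append((peer, vid if tagged else ports[peer]["pvid"]))
    return heard

if __name__ == "__main__":
    good = build()
    print("modem broadcast reaches:", sorted(flood(good, "modem")))
    print("AP broadcast reaches:   ", sorted(flood(good, "downstairs-ap")))
    # One wrong access-port VLAN puts the modem on the LAN segment.
    bad = build(modem_vlan=20)
    print("misconfigured, AP broadcast reaches:", sorted(flood(bad, "downstairs-ap")))
```

With the modem port set to VLAN 20 instead of VLAN 10, the modem joins the LAN broadcast domain, which is the same failure the unmanaged-switch approach produces.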

Why this design is actually good

1) It enforces a real WAN to LAN boundary

WAN stays isolated in VLAN 10 all the way until it hits the Asus router’s WAN interface. LAN stays isolated in VLAN 20. The router is the only device that routes between them, which is the correct model.

2) It solves physical constraints with standards, not hacks

I did not pull new cable. I used a real standard (802.1Q) and a trunk link to make one cable do the job of two. This is the same idea you use in real network closets when you’re limited by risers, drops, or conduit.

3) It keeps WiFi where it belongs

The Asus BE92U stays upstairs in a good WiFi location. The Netgear R7450 runs as a true access point downstairs, so I get coverage without a second routing domain or double NAT.

4) Troubleshooting becomes predictable

When something breaks, I can isolate it fast:

  • If internet drops, trace VLAN 10 (modem → switch → trunk → switch → router WAN)
  • If clients have issues, trace VLAN 20 (router LAN → switch → trunk → switch → AP / room jacks)

What I learned (and why it matters for network engineering)

This project taught me that a home network doesn’t need to be “simple” to be reliable. It needs to be clear.

  • Layer 2 design matters. Switches define adjacency and broadcast domains.
  • VLANs are practical. They solve real wiring and topology constraints.
  • Access vs trunk behavior is everything. A single wrong port mode can make a network feel haunted.
  • Documentation pays off. Once you define the zones and the traffic paths, changes stop being scary.

This is the same mindset I use professionally: separate zones, control Layer 2, keep routing boundaries clean, and design so troubleshooting is fast.