<div dir="ltr"><div>I run multiple VLANs in my home the way you described it.</div><div><br></div><div>My router is OPNSense in a VM on my hypervisor (Xen in my case). It has two virtual interfaces: WAN and LAN.</div><div>Those interfaces are virtual, but they each belong to a bridge on my hypervisor: br0 and br1 for lack of a better naming scheme (I actually name my internet-facing bridge WAN0).</div><div>Each of those two bridges has a separate physical Ethernet card as a member. One connected to my ISP, the other connected to a trunk port on my managed switch.</div><div>I use OPNSense to be DNS and DHCP on the VLANs other than my admin VLAN and VoIP VLAN. I use isc-dhcpd for those, which runs on my hypervisor. If you don't want to do this, you simply enable DHCP-Relay on the VLANs that need DHCP services, and those requests get forwarded to your DHCP server on another VLAN where you've added the additional scope. OPNSense can handle this.</div><div>I also have an additional bridge that has no physical Ethernet interfaces. This bridge is for VM-to-VM backend communications, such as for web servers to talk to database servers. Since there is no physical Ethernet card, the bandwidth is the full capability of the network driver.</div><div><br></div><div>My WAP is a Ubiquiti that handles VLANs very well.</div><div><br></div><div>I have an SSID for Guest. This is mapped to a VLAN on its own subnet, and the firewall ONLY allows Internet access. I also have the option of bandwidth throttles, schedules, and captive portals if I choose.</div><div>I have an SSID for Admin. This has a full-length WPA2 key that no one ever types into anything. This is on a VLAN that can go through my firewall to access my Admin VLAN. When I set up FreeRADIUS, this will move to RADIUS-based auth.</div><div>I have an SSID for IoT. Roku, Google Home, Chromecasts, etc., go here. They can all talk to each other without issue, and they have Internet access. If I need an app on my phone to talk to one of these devices, I join this SSID with my phone.</div><div>I have an SSID for generic Internet. This is where my family's laptops and desktops go. This VLAN is allowed to access my file server, and it uses a dedicated DNS for filtering.</div><div><br></div><div>Each SSID is on its own VLAN.</div><div>There is also a VLAN for VoIP. I have 2 VoIP phones. No big deal. OPNSense has a SIP proxy these phones connect to, where the SIP connections are proxied to my SIP server on the Internet.</div><div><br></div><div>The OPNSense VM, running under Xen, can add VLANs to the LAN virtual interface. There's nothing I need to do on the hypervisor. pfSense can't do this (this is why I upgraded from pfSense to OPNSense).</div><div><br></div><div>My hardware:</div><div>A hypervisor with two NICs.</div><div>A managed switch (Ubiquiti UniFi 8-port PoE)</div><div>Ubiquiti UniFi AP AC Pro</div><div><br></div><div>The only thing that is multi-homed is the OPNSense VM, but it's not really. It just has a VLAN virtual interface added for each VLAN it needs to route, and each of those has a subnet assigned with the VLAN IP set as the gateway IP.</div><div><br></div><div>I arrived at this solution after trying many others.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 18, 2019 at 11:18 AM Derek Atkins via Ale <<a href="mailto:ale@ale.org">ale@ale.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">DNS does not need to be on a multi-homed server -- you can have your<br>
router perform layer-3 routing between your VLANs to your DNS server.<br>
<br>
DHCP, however, does need to be multi-homed, or at least your router (which<br>
needs to be multi-homed) needs to know to forward DHCP broadcast packets.<br>
<br>
All other "A must be able to talk to B" issues can be handled by IP-based<br>
routing between your VLANs.<br>
<br>
-derek<br>
<br>
On Thu, April 18, 2019 11:10 am, Alex Carver via Ale wrote:<br>
> Right, I know that they would normally be on untagged ports. That's the<br>
> basics which I understand. It was my hope that there was a different<br>
> method of implementing VLANs that I didn't know about that didn't have<br>
> to involve a multihomed router and possibly multihomed devices. My hope<br>
> did not materialize and the only way I knew how is the only way available.<br>
><br>
> As for DHCP I don't want the DHCP/DNS on the router because the router I<br>
> would likely get would not do those functions anyway (being a pure<br>
> router).<br>
><br>
> On 2019-04-18 06:46, Phil Turmel via Ale wrote:<br>
>> Only the router and the DHCP server need to be on trunk lines. (Consider<br>
>> having the router perform DHCP, too.) All other devices would be on<br>
>> untagged ports for the VLAN you wish them to be a part of.<br>
>><br>
>> On 4/17/19 11:53 PM, Alex Carver via Ale wrote:<br>
>>> Not the router, the multihomed devices that are on trunk lines from the<br>
>>> switch.<br>
>>><br>
>>> On 2019-04-17 14:59, Phil Turmel via Ale wrote:<br>
>>>> It's a pretty basic premise of routing that the router has to have an<br>
>>>> address in the subnets it is going to route between, as it must offer<br>
>>>> a<br>
>>>> gateway address *in the subnet* to the leaf nodes.<br>
>>>><br>
>>>> On 4/17/19 2:50 PM, Alex Carver via Ale wrote:<br>
>>>>> I was hoping to avoid having multiple IPs on them but looks like I<br>
>>>>> can't<br>
>>>>> since each VLAN virtual interface will have to have its own IP.<br>
>>>>><br>
>>>>> On 2019-04-17 08:47, Phil Turmel via Ale wrote:<br>
>>>>>> A trunk port w/ tagged VLANs for your router and DHCP server is all<br>
>>>>>> you<br>
>>>>>> need. These devices are then virtually multihomed (in addition to<br>
>>>>>> your<br>
>>>>>> router's uplink).<br>
> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
> <a href="https://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">https://mail.ale.org/mailman/listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
><br>
<br>
<br>
-- <br>
Derek Atkins 617-623-3745<br>
<a href="mailto:derek@ihtfp.com" target="_blank">derek@ihtfp.com</a> <a href="http://www.ihtfp.com" rel="noreferrer" target="_blank">www.ihtfp.com</a><br>
Computer and Internet Security Consultant<br>
<br>
</blockquote></div></div>
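A worked model of the two points the thread turns on, added here as an example and not code from any poster: the DHCP-relay path (a relay on each VLAN forwards client broadcasts to one central server, which picks the scope by the relay's giaddr) and the rule that the router must hold an address inside every subnet it routes for. The VLAN ids, subnets and gateway addresses are constructed.

```python
"""Added example (not from the thread): a relay agent on each VLAN forwards
the client's broadcast to the central DHCP server with giaddr set to its own
address on that VLAN (RFC 2131); the server picks the scope containing giaddr.
Also checks that the router holds a usable address in every routed subnet."""
import ipaddress

# Constructed plan: (vlan id, name, subnet, router/gateway address).
VLAN_PLAN = [
    (10, "admin", "10.10.10.0/24", "10.10.10.1"),
    (20, "guest", "10.10.20.0/24", "10.10.20.1"),
    (30, "iot",   "10.10.30.0/24", "10.10.30.1"),
    (40, "voip",  "10.10.40.0/24", "10.10.40.1"),
]

def gateway_problems(plan):
    """Names of VLANs whose gateway is not a host address inside its subnet."""
    bad = []
    for _vid, name, subnet, gw in plan:
        net = ipaddress.ip_network(subnet)
        addr = ipaddress.ip_address(gw)
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            bad.append(name)
    return bad

def select_scope(plan, giaddr):
    """Scope selection for a relayed request: giaddr 0.0.0.0 means the request
    came in on a directly attached interface; otherwise match the relay's subnet."""
    if giaddr == "0.0.0.0":
        return None  # server would use the receiving interface's own subnet
    addr = ipaddress.ip_address(giaddr)
    for _vid, name, subnet, _gw in plan:
        if addr in ipaddress.ip_network(subnet):
            return name
    raise LookupError(f"no scope configured for relayed giaddr {giaddr}")

def dhcpd_subnet_stanza(plan, name, pool=(100, 200)):
    """The extra isc-dhcpd scope to add on the central server for a VLAN
    that reaches it only through a relay (lease range .pool[0] to .pool[1])."""
    for _vid, n, subnet, gw in plan:
        if n == name:
            net = ipaddress.ip_network(subnet)
            hosts = list(net.hosts())  # .1 .. .254 for a /24
            lo, hi = hosts[pool[0] - 1], hosts[pool[1] - 1]
            return (f"subnet {net.network_address} netmask {net.netmask} {{\n"
                    f"  option routers {gw};\n"
                    f"  range {lo} {hi};\n"
                    f"}}\n")
    raise KeyError(name)
```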