A VLAN lets you isolate a group of devices into their own separate little network, much like a virtual machine isolates an operating system into its own separate little environment. VLANs are helpful when you have client devices that you do not trust, like guest devices, or that are at elevated risk of being compromised and therefore can't be trusted, like public-facing, internet-exposed servers.

That is my current understanding.

I will edit this document as my understanding evolves.

Here are the questions I have at the beginning of writing:

Q: How should I properly segment my devices so that I do not run into problems with client devices that need to reach each other but no longer can? For example, when I must remote into my server, how do I do that? Do I host a VPN on the VLAN and do a port-forward type action to get it out of the VLAN?

Q: How do firewall rules with VLANs work? Where are they defined? How built out can they be? Can I allow, for example, only TCP to port 443 from the guest network to IP 10.10.10.10 on my server VLAN?

Q: I have two VLAN-aware switches, one at the head of the network attached to my router, and one in my bedroom on my server rack. Which one should I be assigning VLANs on? Should I be assigning VLANs on both? Should I VLAN my bedroom into the “Server” VLAN and then make sub-VLANs for each server device? Can I put individual VMs on my Proxmox host into different VLANs even though the Proxmox host connects over just one ethernet cable to just one port? Do I need to get another NIC for that?

A: For assigning different VLANs to different Proxmox VMs, look at this thread: https://www.reddit.com/r/Proxmox/comments/1at64yz/proxmox_host_with_1_nic_but_multiple_vlan/ It pretty much just says that Proxmox has an option for VLAN-aware network bridges. A network bridge (vmbr0 on a default install) is the virtual switch that connects a VM's virtual NIC to the host's physical NIC, and so to the rest of the network and the internet. When the bridge is marked VLAN aware, you set a VLAN tag per VM on its virtual NIC, and the bridge tags that VM's frames as they leave the host. The single switch port the host plugs into then needs to be a trunk that carries all of those VLANs, so no second NIC is required.

Q: How do VLAN tags work? Why would I want to specifically use 10, 20 and 30 vs 1, 2 and 3? Why is 1 the default instead of 0? Are VLAN tags sent with each packet? If so, who handles that? Is it the network interface's job to put a VLAN tag on each packet, or is it the client's job? If it is the client's job, then it would be really easy to escape a VLAN, just by sending a different tag, right? And if it is the network interface's job, how do I make sure that the client does not have permission to change the properties of that network interface so that it CAN edit its own tag?

Q: How do IPs work for VLANs? Can I have 2 different VLANs, on the same network, both on the 192.168.1.x subnet? If so, how would you establish firewall routing rules between those 2 VLANs?

A: You want to do 1 subnet per VLAN. Each VLAN is its own layer-2 broadcast domain, so it gets its own subnet; traffic between two VLANs then has to pass through the router, and that is where the inter-VLAN firewall rules live. Putting two VLANs on the same 192.168.1.x subnet defeats the purpose, because the router cannot route between two interfaces that both claim the same subnet.

Q: What level of isolation should I do for an IoT VLAN? Should they not have any access to the internet? If they do wind up needing access to the internet, should I manually go in and make firewall rules which allow them to only access domains that their company, e.g. Kasa, owns? Or should they have access to the internet but not my LAN? My assumption is that I want them on my LAN but not on the internet, but then again, there are some that have no direct p2p local functionality at all. Should they be on the same VLAN as ones that do? Do I make an IoTIC (Internet of Things, Internet Connected) VLAN and an IoT (Internet of Things) VLAN separately, with the internet-connected one not able to access my LAN, and the LAN-connected one not able to access my internet?

Q: What is a DMZ in networking? Is a separate guest network with client isolation equivalent to a DMZ?

A: A DMZ is a demilitarized zone: a section of your network for hosts that are exposed to the internet, isolated from the rest of the network so that if one of them is compromised the attacker cannot reach your internal stuff. The firewall allows inbound traffic from the internet only to the specific services you expose there, lets the DMZ hosts reach the internet through the gateway, and drops all traffic from the DMZ to anywhere else on your local network. A guest network with client isolation shares the outbound half of that policy (internet only, no LAN access) but exposes nothing inbound, so it is not quite the same thing. That internet-only, no-LAN policy is what you want for your “IoTIC” network, and what you would want for a “guest” network.

Q: How should I handle the Wi-Fi network for my IoT devices? Can I do that off the same APs that I have already been using? Can one antenna broadcast 2 SSIDs on OpenWrt?

Q: I understand that many people say you should have separate infra for your DMZ VMs, but I do not think that applies to me, as a homelab guy, because it is simply too expensive. What's the situation there? Is it legitimately necessary?