First Homelab in the making and it’s been an wonderful process learning everything. I am using a Protectli 4 port device running pfSense, an 8 port UniFi managed switch and a Raspberry Pi Cluster for now. I have an IoT VLAN created for these devices on a singular port on top of my already configured LAN setup by default. If I decide to create more VLANs, which I’m sure I will, what interfaces should I assign them too. I am having a hard time finding literature on when to create a VLAN and if you do should you put multiple on one interface or create them on separate interfaces. Like igc0 has my IoT VLAN and LAN should my other VLANs go there or like igc2 for example. Sorry for the long message just curious about industry standards and best practices.
I use 1 port for management net without vlan, one for WAN and four as a LAG group for all my vlans to go to my switch.
In the business world, and good practice, vlans should only exist on ports where that vlan’s traffic needs to pass.
Example: say my cameras are on vlan 3, and my default vlan is 1. I’ve also got IoT on vlan 9. IoT does not need access to the internet. Neither do the cameras (they’re viewed from a vm running blueiris)… The port going to the modem only needs vlan 1 on it, all others excluded.
IoT needs to talk to the cams sometimes, so the cams have both 3 and 9, and IoT has 3 and 9. (this could also be done with some l3-fu on the switches, but I configured the routes in opnsense so I could log peculiarities).
I’ve only got two machines that are allowed access to the management vlan (13), which has all my IDRAC/ilo/bmc/nm configured on their ports, and no other vlans.
Those two machines are firewalled on machine and the management access is only allowed when necessary (manually).
Hope that’s clearer than mud.
depends on the amount of expected inter vlan traffic. If the Vlans don‘t talk much to each other you can all put them tagged on the same port on your firewall. If you expect a lot of traffic between the vlans put them on a separate interface on the firewall. then connect them to your switch on ports that are configured as untagged and have the correct vlan assigned.
Router -> all vlans (trunked / tagged) into managed switch, then you do the routing there. Thats how its done usually.
You can then assign ports of a switch to only accept/output a single vlan directly (untagged), so the devices dont need to be vlan aware. Or you output only needed vlans as tagged, for example for an accespoint or server.
You can do the same in virtual nerworks like inside proxmox, all vlans on one bridge and then set the VMs to single vlan
In ethernet a Trunk Port is a port that supports multiple vlans. if you have layer 2 devices connected which need access to multiple vlans then you would trunk what you need.
Question: What’s your intention in utilizing clans here at all?
What’s the purpose?
For learning sake and to understand the best way to increase home security from an ever growing technological perspective. Splitting out networks/devices, logically, that have no business talking to the internet.