Ramblings of an aging IT geek
networking

carving a flat network into vlans without taking the house down

Splitting a single flat homelab subnet into VLANs for trusted, IoT and lab traffic, and the inter-VLAN routing mistakes that bit me along the way.


My home network grew the way most do: everything on one flat /24, because that's what came out of the box and it always worked. Then I counted the devices. Two laptops, a NAS, a fistful of Raspberry Pis, a TV, a couple of smart plugs I don't fully trust, and a lab box I deliberately let myself break. All of them able to talk to all of the others. That's fine until you think about it for more than a second.

So I bought a managed switch that does 802.1Q, and set about cutting the flat network into VLANs: one for trusted kit, one for IoT, one for the lab.

the plan

The shape was simple enough on paper:

  • VLAN 10, trusted: laptops, phones, NAS
  • VLAN 20, IoT: the things that phone home and that I'd rather couldn't reach the NAS
  • VLAN 30, lab: the box I'm allowed to set on fire

The router does inter-VLAN routing, with firewall rules deciding who may talk to whom. IoT can reach the internet and nothing internal. Trusted can reach IoT (so I can actually control the smart plugs) but not the other way round.
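That policy, written out as an nftables ruleset for a Linux router. This is an added example, not the post's own firewall configuration, and the interface names and addressing are assumptions: the trunk lands on lan0 with subinterfaces lan0.10, lan0.20 and lan0.30 for the three VLANs, the uplink is wan0, and each VLAN is 10.0.<vid>.0/24 with the router at .1. Two things the three-sentence version of the policy glosses over: the forward chain has to be stateful, or replies from a smart plug to a trusted laptop are dropped along with everything else IoT tries to send; and "nothing internal" still has to let every VLAN reach the router itself for DHCP and DNS, which is an input-chain rule rather than a forward one.

```shell
#!/bin/sh
# Inter-VLAN policy as an nftables ruleset. Interface names and subnets are
# assumptions for this example, not taken from the post:
#   lan0.10 trusted 10.0.10.0/24, lan0.20 IoT 10.0.20.0/24,
#   lan0.30 lab 10.0.30.0/24, wan0 uplink; router is .1 on each VLAN.
vlan_ruleset() {
cat <<'EOF'
flush ruleset
table inet vlan_policy {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Every VLAN needs the router for DHCP and DNS. Without this,
        # "IoT reaches nothing internal" also means IoT never gets a lease.
        iifname { "lan0.10", "lan0.20", "lan0.30" } udp dport { 67, 53 } accept
        iifname { "lan0.10", "lan0.20", "lan0.30" } tcp dport 53 accept
        # Management of the router itself only from the trusted VLAN.
        iifname "lan0.10" tcp dport 22 accept
        iifname "lan0.10" icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Stateful: replies to trusted-initiated flows come back from IoT
        # through this rule; IoT cannot open anything towards trusted.
        ct state established,related accept
        ct state invalid drop
        # Everyone may reach the internet.
        iifname { "lan0.10", "lan0.20", "lan0.30" } oifname "wan0" accept
        # Trusted may initiate to IoT (to drive the plugs). No other
        # inter-VLAN path exists; the post does not say how the lab box is
        # reached, so the lab gets internet only, like IoT.
        iifname "lan0.10" oifname "lan0.20" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.0.0.0/16 oifname "wan0" masquerade
    }
}
EOF
}

# Pipe the ruleset into nft. Only happens when explicitly asked (APPLY=1).
apply_ruleset() {
    vlan_ruleset | nft -f -
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_ruleset
else
    vlan_ruleset
fi
```

Run it as-is to print the ruleset for review; `APPLY=1 sh vlan-policy.sh` loads it. The default policy on both chains is drop, so anything the post's rules do not name (lab to NAS, IoT to lab) is simply not there rather than relying on an explicit deny.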


where it actually hurt

The pain wasn't the VLANs. It was the bits I'd forgotten were load-bearing.

First, DHCP. With one flat network I had one scope. Now I needed three, each with its own gateway and resolver, because a DHCP discover is a broadcast and broadcasts stop at the VLAN boundary: the server needs a leg in each VLAN, or the router has to relay for it. On top of that I'd quietly assumed the old single scope would keep working for the trusted VLAN. It didn't, because the switch port the DHCP box lived on was now an access port on the wrong VLAN. Ten minutes of nothing getting a lease before I spotted that.

Second, the trunk. A trunk port carries tagged traffic for multiple VLANs, and I'd configured the link between switch and router as an access port, so only one VLAN's traffic ever reached the router. Tagged frames went in one end and vanished. The fix was to make it a proper trunk and let the native VLAN be the management one:

interface eth1
  description trunk-to-router
  switchport mode trunk
  ! only frames tagged 10, 20 or 30 are forwarded on this link
  switchport trunk allowed vlan 10,20,30
  ! untagged frames on this link are treated as VLAN 99 (management);
  ! on Cisco-style switches the native VLAN must also be in the allowed list
  ! or its untagged frames are dropped, so add 99 if management must cross here
  switchport trunk native vlan 99
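The other end of that trunk, and the per-VLAN DHCP scopes from the first pain point, as an added example on a Linux router (this is not the post's configuration; the router in the post is unspecified). Assumptions: the trunk arrives on lan0, each tagged VLAN gets a subinterface lan0.<vid> addressed 10.0.<vid>.1/24, the native VLAN 99 arrives untagged and so lives on lan0 itself, and dnsmasq serves DHCP. The script prints the `ip` commands unless DRY_RUN=0, so it can be read through before it touches anything.

```shell
#!/bin/sh
# Router side of an 802.1Q trunk: one subinterface per tagged VLAN on the
# parent interface, and one DHCP scope per subinterface. Names and addressing
# are assumptions for this example, not taken from the post.
PARENT=lan0
VLANS="10 20 30"
DRY_RUN="${DRY_RUN:-1}"    # print commands instead of running them unless DRY_RUN=0

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The router's address on VLAN <vid> under the assumed 10.0.<vid>.1 plan.
gateway_for() {
    printf '10.0.%s.1' "$1"
}

# Create lan0.<vid> for each tagged VLAN. The native VLAN (99) needs no
# subinterface: its frames arrive untagged, so the management address sits
# on the parent interface. Misplace one "id" here and frames from that VLAN
# are delivered tagged to an interface nobody is listening on.
setup_subinterfaces() {
    run ip link set "$PARENT" up
    run ip addr add 10.0.99.1/24 dev "$PARENT"
    for vid in $VLANS; do
        run ip link add link "$PARENT" name "$PARENT.$vid" type vlan id "$vid"
        run ip addr add "$(gateway_for "$vid")/24" dev "$PARENT.$vid"
        run ip link set "$PARENT.$vid" up
    done
}

# dnsmasq: one range per VLAN. dnsmasq picks the range whose subnet matches
# the address of the interface the request arrived on, and the set:/tag:
# pair pins the gateway and resolver handed out to that VLAN's router address.
# The untagged management VLAN on lan0 is deliberately not served; use static
# addresses there so the switch stays reachable even when DHCP is broken.
dnsmasq_conf() {
    echo "bind-interfaces"
    for vid in $VLANS; do
        echo "interface=$PARENT.$vid"
        echo "dhcp-range=set:vlan$vid,10.0.$vid.100,10.0.$vid.200,12h"
        echo "dhcp-option=tag:vlan$vid,option:router,$(gateway_for "$vid")"
        echo "dhcp-option=tag:vlan$vid,option:dns-server,$(gateway_for "$vid")"
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    DRY_RUN=0
    setup_subinterfaces
    dnsmasq_conf > /etc/dnsmasq.d/vlans.conf
fi
```

`sh router-vlans.sh` alone does nothing visible; call `setup_subinterfaces` to preview the commands, `dnsmasq_conf` to preview the scopes, and `APPLY=1 sh router-vlans.sh` to do both for real. The point of the subinterface naming is that the VLAN id in `type vlan id` has to agree with the switch's tag; the firewall rules are keyed on the interface name, so a wrong id here silently moves a whole VLAN into another VLAN's policy.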

Third, and this is the embarrassing one, I locked myself out of the switch's management interface by moving it onto a VLAN my laptop couldn't reach. I had to plug straight into a console port, which I'm glad past me hadn't thrown away.

It took an evening and a half, most of it spent staring at tcpdump wondering why a frame I could see leaving one box never arrived at the other. The answer was nearly always a tag mismatch somewhere. But the segments are real now. The IoT plugs sit in their own little walled garden, the lab box can thrash about without touching anything I care about, and the NAS only answers to kit I trust. Worth the evening, even the half spent on the floor with a console cable.
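What "a tag mismatch somewhere" looks like on the wire, as an added example (not from the post): a small shell decoder for the 802.1Q header of a raw frame, fed the hex that `tcpdump -xx` prints, and a check of whether a given trunk port would forward it. The frames below are constructed for the example, not captures. Bytes 12 and 13 of an Ethernet frame hold the EtherType; 0x8100 means a tag follows, and the next two bytes are the TCI: 3 bits of priority, 1 drop-eligible bit, and a 12-bit VLAN id. A frame that shows no 0x8100 at all is the other classic trap: it is untagged, so it lands on the native VLAN of whichever port receives it, not on the VLAN you had in mind.

```shell
#!/bin/sh
# Decode the 802.1Q tag of a raw Ethernet frame given as a hex string (the
# byte layout tcpdump -xx prints, spaces optional). Bytes 12-13 hold the
# EtherType; 0x8100 means a tag follows: 16-bit TCI = PCP(3) DEI(1) VID(12).

# Print "vid=<n> pcp=<n>" for a tagged frame, "untagged" otherwise.
vlan_tag() {
    hex="$(printf '%s' "$1" | tr -d ' \n' | tr 'A-F' 'a-f')"
    if [ "${#hex}" -lt 28 ]; then
        echo "short frame"
        return 1
    fi
    tpid="$(printf '%s' "$hex" | cut -c25-28)"
    if [ "$tpid" != "8100" ]; then
        echo untagged
        return 0
    fi
    if [ "${#hex}" -lt 32 ]; then
        echo "short frame"
        return 1
    fi
    tci=$((0x$(printf '%s' "$hex" | cut -c29-32)))
    echo "vid=$((tci & 0x0fff)) pcp=$((tci >> 13))"
}

# Given the VLANs allowed on a trunk port (space separated) and a frame,
# report whether that port would forward the frame or drop it.
check_on_trunk() {
    allowed="$1"
    tag="$(vlan_tag "$2")"
    case "$tag" in
        untagged)
            echo "untagged: lands on the port's native VLAN, not where you think"
            return 0 ;;
        "short frame")
            echo "$tag"
            return 1 ;;
    esac
    vid="${tag#vid=}"; vid="${vid%% *}"
    for v in $allowed; do
        [ "$v" = "$vid" ] && { echo "forward vid $vid"; return 0; }
    done
    echo "drop: vid $vid not in allowed list ($allowed)"
    return 1
}

# Constructed sample frames (not captures): dst 00:11:22:33:44:55,
# src 66:77:88:99:aa:bb, then either a tag + IPv4 EtherType or IPv4 directly.
TAGGED_VLAN20="001122334455 66778899aabb 8100 0014 0800 4500"  # VID 20, PCP 0
TAGGED_VLAN40="001122334455 66778899aabb 8100 a028 0800 4500"  # VID 40, PCP 5
UNTAGGED="001122334455 66778899aabb 0800 4500"

for f in "$TAGGED_VLAN20" "$TAGGED_VLAN40" "$UNTAGGED"; do
    check_on_trunk "10 20 30" "$f" || true
done
```

Run against the trunk from the switch config above (allowed 10, 20, 30), the VLAN 40 frame is reported as dropped and the untagged one is flagged rather than silently accepted. On a live box the same check is `tcpdump -e -nn -i <iface> vlan`, which prints the tag for every tagged frame; if the tag you expect never appears on the far side of a link, the mismatch is between that link's allowed list, its native VLAN, and the subinterface id at the other end.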