Not sure if I can do this but my Router is connected to the rest of my Network via a Powerline Adaptor.
What I would like to do is to put an openWRT Router between Powerline Adaptor and Router to create VLANs (one for IoT, one for Personal, one for Guest Network etc) with each VLAN having its own DHCP Server.
I'm okay with doing the above but what I don't understand is when I plug in a PC or IoT Device how, as it is down the other end (of what is effectively a single cable?), does it know which DHCP Server to talk to? - I'm guessing I could possibly hard code IP addresses but I don't really want to do that.
At the moment I have all my Devices connected via one DHCP Server which is from the Router and I would be happy to 'stop' that and use openWRT but to my mind if I am connecting to a single DHCP Server (openWRT or Router) I am just on a single Network?
Hope that makes sense and is not too numpty a question.
It doesn't. Unless the device is vlan aware. When using vlans the ethernet packets are tagged with a vlan id, which renders it unusable for non-vlan aware devices, as it's no longer a valid plain ethernet packet, so it's dropped. Only vlan 1 ('no vlan') can be used.
Normally you split up the vlans in a vlan-aware switch, where the different vlans are distributed over different ports, or you use a vlan aware AP to distribute different vlans in different SSIDs.
Don't know if it's possible to send vlan tagged ethernet over powerline, but if you can, you either need vlan aware devices, or a vlan aware switch on the other end.
Yes, some adapters are VLAN-capable; I use mine to trunk several networks to a remote AP.
Thank you Mijzelf.
I have spoken to Manufacturer (Devolo) and they tell me you can send Tagged Info over Powerline (although I have heard otherwise recently) but I think you had confirmed my worry which is I need a VLAN aware Switch at other end which is not feasible for my set-up.
You confirm my understanding of Tagging and Powerline Switches but sounds like you have VLAN Aware Equipment at the far end (i.e. non-Router) of the Powerline Network? This is something I want to avoid.
I have one OpenWrt router at each end of the powerline, and both of them are explicitly configured to deal with VLANs.
My powerline adapters are not sold as "VLAN-aware", and are not configured in any specific manner. They just act as an ethernet wire, that (luckily) does not mangle the VLAN stuff.
If you trunk several VLANs on the same cable, at the other end you will need either a smart switch, to untag all the traffic on separate ports, or a device configured to expect traffic on a specific VLAN.
Thanks for the information Eduperez.
Guess if I want to do VLANs I'm gonna have to have the same scenario (i.e. openWRT Router at each end) and something I'm actively looking into but still trying to decide if I want to go down that route or not.
Having a router on both ends is a bit overkill. I'm very content with my TP-link TL-SG108E switch, which does all vlan splitting, has 8 ports, and costs only €30.
Thanks Mijzelf but when you turn on a device for the first time (i.e. no IP Address assigned) at the other end of the Powerline how does it know which VLAN to connect to and are you using one DHCP Server for all VLans or individual DHCP Servers (and Ranges) for each?
The switch is configured to have the IoT vlan on ports 1&2, and the guest vlan on ports 3&4. On the OpenWrt router the vlans are virtual interfaces, having each another IP address and DHCP range. (And firewall zone!). So the port you plug in the device defines which subnet it is using.
If you don't use a switch at the other end, you'll have to configure it on the device itself. Which cannot be done before you switch it on for the first time, of course. (And maybe (probably?) cannot be done at all.)
Thanks Mijzelf. I thought if there was no switch at other end you would have to do manual configuration - Something I am trying to avoid since I have 2 HDHomeRun Connects (which I would like to obviously connect to my IoT Network) which only support DHCP IP Resolution (hence my asking how would a device know which VLAN to connect to).
I might look into whether I can re-configure the IP Address and assign a static one at the other end once the devices have connected and that might provide an alternative solution.
Uhm, you are aware that the use of vlans is fundamentally different from having several subnets on 'the lan'?
When I have 2 vlans, which are split out by the switch, there is no way devices on different vlans can see each other's network traffic. (Besides bugs in the switch, or misconfiguration of the router on the other side). They are called 'virtual lan', and they behave like separate copper cables. On the other hand, when using several subnets on one lan, the devices can see each other's network traffic, at least the broadcasts. Only one DHCP server is possible, although it might be possible to serve addresses in different subnets based on the MAC address of the client. But it has nothing to do with security, you trust the devices to use the subnet you assigned them, but if they don't, everything mixes up. On the other hand, using a vlan, they can't get out of that.
Yes although I do not claim to be an expert in any way (quite the opposite in fact) relating to VLANs or Subnetting I am aware of the difference and VLAN is what I want (I think!!) so that the Systems act as 'separate copper cables'.
Perhaps it might help if I explain why I want to do this:
If someone was to break in via an IoT Device (which I think is a strong possibility due to their inherent lack of security) they can only see other IoT Devices on the Network and not my local PCs etc.
Avoid too many Collisions between Devices - I had a situation whereby a particular set of PCs which were in constant communication was slowing down the network by constantly sending messages; A switch between these locally solved that but I think I have similar issues with my HDHomeRun Devices clashing with PCs etc and separate VLANs should help with this (although they are all still going down the same cable at the end of the day).
In case of only different subnets, the broadcasts of local PCs can be seen. And the bad guy only has to add an ip address to be able to communicate with whatever he wants. In case of a vlan (when split off by a decent switch) he can only see traffic in and access that vlan.
A switch in this case solves the issue, because a switch sends (MAC-)addressed packets only to the port where that MAC address is located. So two devices on the same switch can have intensive communication without affecting the rest of the network. This is not true for broadcasts, as they are not addressed, and so are sent to all ports. But a broadcast in a vlan stays in that vlan. So a port which is not configured to transport that vlan, will not have any load.
Of course, when you have two intensively communicating devices on different sides of your powerline, for the load on the powerline it doesn't matter if you use vlans or not. (Or actually, using vlans gives a bit more load, as each packet has to be extended with the vlan tag.)
Thanks Mijzelf, Well it's certainly VLANs I was talking about then.
I think your 2nd Point has made me realise I shouldn't be doing this since the HDHomeRuns Broadcast (rather than speak to a specific Device) and as you have indicated this is all going down the same Cable so I am unlikely to gain any improvement in that using VLAN.
I intend instead to protect my Local PCs by putting a Local openWRT Firewall/Switch between them and the rest of the Network instead (since the rest of it is IoT type devices anyway).
Either the device is configured to use a specific VLAN (and that has to be done before any DHCP happens, because VLANs are one layer lower than DHCP), or there is an intermediate device (like a managed switch) that transforms the tagged packets from the VLAN into untagged packets.
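The mechanism the replies above describe, as an added example that is not part of the thread: a small Python model of 802.1Q tagging in which the switch port, not the device, decides which VLAN (and so which DHCP pool) an untagged frame lands in. The port split follows the thread (IoT on ports 1 and 2, guest on 3 and 4); the VLAN IDs 10 and 20, the subnets and the placeholder DHCP payload are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks a VLAN-tagged frame
ETH_IPV4 = 0x0800
BROADCAST = b"\xff" * 6
# Assumed layout: VLAN IDs and subnets are constructed; port split follows the thread.
ACCESS_PORTS = {1: 10, 2: 10, 3: 20, 4: 20}                   # switch port -> VLAN ID
DHCP_POOLS = {10: "192.168.10.0/24", 20: "192.168.20.0/24"}   # router side, per VLAN

def build_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def add_tag(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag after the two MAC addresses."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse(frame):
    """Return (vid or None, inner ethertype, frame with the tag removed)."""
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return None, etype, frame
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[:12] + frame[16:]

def plain_host_ethertype(frame):
    """What a NIC with no VLAN configuration reads as the EtherType."""
    return struct.unpack("!H", frame[12:14])[0]

def access_to_trunk(port, frame):
    """Untagged frame enters an access port; the switch tags it with that port's VLAN."""
    return add_tag(frame, ACCESS_PORTS[port])

def trunk_to_access(frame, exclude_port=None):
    """Tagged broadcast arrives on the trunk; deliver it untagged to that VLAN's ports only."""
    vid, _, untagged = parse(frame)
    ports = sorted(p for p, v in ACCESS_PORTS.items() if v == vid and p != exclude_port)
    return ports, untagged

def router_pool_for(frame):
    """The router selects the DHCP pool from the tag, below the DHCP layer itself."""
    return DHCP_POOLS.get(parse(frame)[0])

if __name__ == "__main__":
    # Constructed sample: broadcast frame with a stand-in payload, not a real DHCP packet.
    discover = build_frame(BROADCAST, bytes.fromhex("020000000001"), ETH_IPV4, b"DHCPDISCOVER")
    on_trunk = access_to_trunk(1, discover)
    print(router_pool_for(on_trunk), hex(plain_host_ethertype(on_trunk)))
    print(trunk_to_access(add_tag(discover, 20)))
```

In this model an untagged frame on the trunk matches no pool and no access port, which assumes the trunk carries no native (untagged) VLAN.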