A home renovation provides an opportunity to re-think my network.
- an apu2d2 with OpenWRT installed.
- A TP-Link Smart Switch
- A Wireless AP (Ubiquiti)
I want to achieve:
- Guest and LAN wifi
- Two separate wired subnets: one for IOT and one for my LAN
- Wireguard server and client
My current thinking is:
- Run the wireguard server and client on the router. This will allow Policy-Based Routing to allow some traffic bound for the internet to go over a VPN connection.
- Using dnsmasq on the router for DNS forwarding (possibly with Stubby or Unbound for DoT)
- Run the DHCP server on the switch
- A trunk from the switch to the Wireless AP
- A trunk from the switch back to the router
Does ths sound sensible/achievable or would I be better off, for e.g., running the DHCP server on the router?
I prefer to run services where I can manage them better and have a choice of implementations. Even with Cisco switches, I run my DHCP servers on their own hosts. Of your choices, I'd trunk the VLANs to the OpenWrt box and run your choice of DHCP servers there. For me, switches are switches -- set and forget (other than firmware upgrades).
Thanks, Jeff: that sounds like sage advice. I shall do just that.
Just to make sure I've understood correctly: are you advocating trunking the VLANs from the router to the AP, too? I've got two LAN ports on the router, so trunking to both the switch and the AP is no problem at all.
That's how I do it -- Everything plugs into a managed switch, everything as tagged on the trunks (no untagged packets, PVID is the "black hole"), switch config determines which VLANs a given device has access to.
Which TP-Link Smart Switch do you have, does it really have a built in DHCP server?
If it's a L2+ switch and you let it do routing then you may need to use it as a DHCP relay.
Good question, well-asked.
I've got the T1600G-28PS (TL-SG2424P). You're quite right: a cursory check suggests it does not have a build in DHCP server.
With IPv6 and dynamic prefixes involved, the situation is a lot easier to let your router (OpenWrt && dnsmasq && odhcpd) handle DHCP and (caching) DNS, because it knows best when to invalidate an expired prefix.
I'd be inclined to keep my core network service (DNS, DHCP, NTP, etc.) all on the same platform in a home environment a) to make it easier to administer and b) because of the interactions between DHCP and DNS (being able to resolve local hostnames, for example). It'll also be easier to route between vlans and multihome those services if they're on the router.
Keep the switch switching, it's what they're good at.
Thanks, everybody. I'll follow your collective wisdom: all core networking services on the router with trunks out to the switch and AP.
Will let you know if I run into any tricky spots; I don't envisage any, though.
All the very best.