I would like to create four VLANs, one for my regular LAN, one for my server's security stack (a pseudo-DMZ with a stricter firewall), one for the server's web-facing services, and one for some game servers hosted on the server. This is intended to isolate them from each other and my LAN, as well as just being a learning opportunity.
I have an OpenWrt One behind my ISP's ONT as my router, and an old Archer A7 running OpenWrt upstairs intended to be used as a managed switch between my LAN and my Proxmox server, as well as serving as a WiFi extender once my server is squared away.
I'll refer to the OpenWrt One as the router, and the Archer A7 as the switch from now on.
What I'm struggling with is how to set up my VLANs. I've been at this for a while and I've broken my network enough times to realize I need help.
The Theory
I believe I understand the theory behind what I'm doing. The VLANs should be defined on the router, sent to the switch as tagged VLANs on a trunk port, where they will be passed tagged over Port 2 to Proxmox, interpreted by a VLAN-aware virtual bridge and given to their respective VMs. Port 3 on the switch is for the server's management interface and will be kept on the regular LAN for now.
Every time I try to implement this following guides and substituting for my network, I break the network and have to revert the changes.
My main question is whether this understanding is correct and/or optimal, and then how to implement it. Should I be physically separating the VLANs (I have unused ports on the switch and on the server's NIC)?
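As an added illustration (not the poster's own configuration), this is what the theory described above looks like as an OpenWrt DSA `bridge-vlan` configuration on the router: the regular LAN stays untagged on the access ports, and all four VLANs travel tagged on the single trunk port towards the switch. Port names `lan1`-`lan4`, the VLAN IDs 10/20/30, the zone names and the addressing are assumptions; substitute the port names from your own `/etc/config/network`. The same `bridge-vlan` recipe applies on the Archer A7 if its OpenWrt build uses DSA, with Port 2 as the tagged port towards Proxmox and Port 3 untagged on VLAN 1.

```uci
# /etc/config/network on the router (OpenWrt DSA syntax), excerpt.
# Assumed port names: lan1-lan3 = access ports, lan4 = trunk to the switch.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 1 = the regular LAN. Access ports are untagged + PVID ("u*") so an
# ordinary PC plugged into them keeps working. Making VLAN 1 tagged ("t") on
# every port, including the one the admin PC sits on, is the classic lock-out:
# the PC's untagged frames no longer belong to any VLAN and the router becomes
# unreachable until the rollback timer fires.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t'

# Assumed VLAN IDs for the isolated networks; they exist only on the trunk.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan4:t'

# One L3 interface per VLAN (assumed addressing).
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'secstack'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'webfacing'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'games'
	option device 'br-lan.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

# /etc/config/firewall, excerpt: the isolation happens here, not in the VLAN
# tags. Each VLAN gets its own zone; forwarding between zones is denied unless
# an explicit 'forwarding' section allows it. Shown for the pseudo-DMZ only.
config zone
	option name 'secstack'
	list network 'secstack'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Allow the pseudo-DMZ out to the internet and nothing else (no rule to 'lan').
config forwarding
	option src 'secstack'
	option dest 'wan'
```

Following the advice further down the thread, add only the VLAN 1 and VLAN 10 sections first and verify that a client on lan1 can still reach the router and that a tagged VLAN 10 frame arrives at the switch, before repeating the pattern for 20 and 30.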
You have 4 infrastructure devices in the diagram... please verify that the two intermediate switches (between the One and the A7) are both managed switches.
Regarding the Proxmox virtual NIC being VLAN aware -- specifics of this configuration are out of scope for this forum, but yes, it sounds reasonable.
The way to start this process is really just to build out a single additional network, starting with the router and then working your way through the other devices. This way you prove out the 'recipe' that you can then repeat for the others (and you avoid mistakes that need to be fixed across all 4 networks).
Where specifically are you getting stuck and/or breaking things?
You have 4 infrastructure devices in the diagram... please verify that the two intermediate switches (between the One and the A7) are both managed switches.
They are not. Must each intermediate device be managed? I thought that they would "blindly" pass the relevant data.
Where specifically are you getting stuck and/or breaking things?
On the latest attempt, I defined the VLANs on the bridge device of the router, all tagged. I edited my LAN interface accordingly and defined the other interfaces for my VLANs. Once applied, the router became inaccessible via the browser and my network went down for the 90 seconds before the automated reversion. Screenshots below:
Some do, some don't, some cause massive network problems.
It is generally bad practice to use unmanaged switches, even if they actually work. But you're best served by doing this properly with real managed switches because it will be difficult to discern if those switches are the cause of the problem or not.
One of the issues with unmanaged switches is that there is no way to set access ports vs trunks and the like. From the picture, it looks like you made a trunk with all ports tagged... that's generally good practice, but the unmanaged switch means you can set individual ports as untagged on a given VLAN for connections to regular devices.
Therefore... stop for now. Get some managed switches. Only then can you ensure success with your configuration.
So must ALL devices on the network be managed, or just the ones on the direct path to the server? I have a spare Netgear GS305E lying around that I can put on the direct path if that's sufficient.
You need a managed switch for any place where it will be expected to carry more than one network.
Per your diagram, that means both the 5-port and the 16-port switches will need it if you expect that the VLANs extend through the entire path from the One to the A7.
That said, you may be able to restructure the topology such that you only need one managed switch, but that entirely depends on the equipment you have available, the physical location of cables and client devices, and your general requirements.