VLANs DMZ and Powerline


I'm looking to set up a DMZ on my home network to expose a VM or VMs on a server to the internet but maintain isolation from the rest of my home network. My questions are around how to set up VLANs to achieve this with my current network and what I might need to add.

I use a powerline system to get connections to various parts of my house which is where the complications come in. My router is a Pi4 running OpenWRT and internet access is through a USB 4G dongle. The rest of the network is connected through powerline adaptors. What I'm not sure of is when I will need separate physical ethernet interfaces and where to allow me to set up VLANs? The diagram attached is roughly what I want to achieve and mostly shows the physical network setup as it is now minus the switch as the server is currently connected directly to the powerline adaptor. I will configure the server so that services I want exposed internally and externally are on different ethernet ports.

I have a single 4 port managed switch available and can get hold of another one, also if a different "physical" connection is needed for the VLANs I could get hold of more powerline adaptors.

I can find tutorials for setting up the DMZ/VLANs so am happy with doing that but can anyone explain how I should configure this physically and logically to make it work?

(Edit: I should also add that there are a couple of powerline adaptors that handle Wifi as well)


Are you certain that the powerlines will support the trunk links?

You'd need another switch at the lower part of the image, unless the other devices and the powerline work with vlans. If it doesn't, I am not sure the powerline wifi will work.

I think that they do. It could be tested by setting up a wired trunk, confirming it works, then replacing the cable with powerline.

Powerline adapters with integral wifi AP would almost certainly require untagged packets unless their firmware supports VLANs.


My two cents:

  • My powerline adapters act just as a long wire, and are transparent with VLANs.
  • The upper part of your diagram calls for trunking / VLANs, but the lower part needs untagged traffic, and not all routers / interfaces support mixing them in the same interface.

Thanks for the replies guys. So from what you have said I'm thinking I might be able to make this work with an extra switch and a couple more powerline adaptors.

The second switch would go between the router and the first powerline adaptor. I can then add a second separate powerline network with two adaptors which runs to the server switch only. In that case I would then have untagged traffic going to the home network with WiFi etc and tagged traffic directed to the server network.

Two questions: does this sound viable? And could I actually miss out the switch at the server end as it will effectively just be two separate "wires" with traffic already split by the switch at the router?

Before buying any new equipment, I would try to work with your current hardware: mixing tagged/untagged packets on the same interface is not guaranteed to work, but perhaps it works for you.

Thanks, yeah I realised last night I have a spare Pi so why not just clone the SD card in the one running as a router and muck about with the spare one to start with. Bonus being that I'm not cutting the family off the Internet while I experiment :smiley:
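
The trunk test suggested earlier in the thread (wired first, then through the powerline pair) can be judged from raw frames captured on the far side of the link: if the 802.1Q tags are gone, DMZ traffic arrives untagged and is no longer separated from the home LAN. The sketch below is an added example, not code from any poster; the VLAN IDs 10 and 20, the function names and the sample frames are assumptions constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q VLAN tag


def parse_vlan(frame: bytes):
    """Return (vid, inner_ethertype) for a raw Ethernet frame; vid is None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner  # low 12 bits of the TCI are the VLAN ID


def check_trunk(received, expected_vids):
    """Summarise which expected VLAN IDs survived the link under test."""
    seen, untagged = set(), 0
    for frame in received:
        vid, _ = parse_vlan(frame)
        if vid is None:
            untagged += 1
        else:
            seen.add(vid)
    expected = set(expected_vids)
    return {"seen": seen, "missing": expected - seen, "untagged": untagged}


def build_frame(vid=None, payload=b"\x00" * 46):
    """Constructed sample frame: broadcast dst, locally administered src, IPv4 EtherType."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, vid) if vid is not None else b""
    return hdr + tag + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    # Constructed captures: a transparent link versus one that strips tags.
    transparent = [build_frame(10), build_frame(20), build_frame()]
    stripped = [build_frame(), build_frame()]
    print("transparent:", check_trunk(transparent, {10, 20}))
    print("stripped:   ", check_trunk(stripped, {10, 20}))
```

A non-empty `missing` set after swapping the cable for the powerline pair means the adaptors are not passing tags for those VLANs.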