Need advice for my home LAN
-
After running pfsense for 11 years, it's time for some LAN "reinforcement" due to increasing family size and devices.
My dream setup has always been like this:
-VLAN for sonos (because sonos is totally insecure)
-VLAN for guests (Ubiquiti UAP fixes this)
-VLAN for IOT (because I don't necessarily trust laundry machines and all the equipment that HAVE to be online...)
-VLAN for trusted devices (primary home lan)
-VLAN for servers
-managed switch
Ideally, I would like to bridge all these VLANS together on pfsense. Then I have a central DHCP managing it all, everything is on the same subnet, everything shares the same broadcast domain, which is a MUST for a lot of the pesky IOT-devices (hey, I'm talking to you Sonos!), and I have total firewall-control for everything that traverses the VLANS.
This sounds absolutely perfect in my ears.
But I know people say it's not... Please help me, explain and make me understand, why should I avoid bridges that bad? If it's correctly configured, does it still not work reliably? Do you advise me to set up multiple subnets on all the vlans instead?
The problem is the multicast/unicast thing. I would have to set up IGMP proxy / pimd ( https://forum.netgate.com/topic/149909/new-package-pimd ) to allow sonos and a lot of other IOT to work. I NEED to have broadcasting work...
-
@Sqvirrel said in Need advice for my home LAN:
because I dont necessarily trust laundry machines
Yeah, you wouldn't want them to know all your dirty laundry secrets!
Ideally, I would like to bridge all these VLANS together on pfsense.
You don't bridge VLANs. That would be defeating the purpose of them. Give them their own subnets and let pfSense do the routing and filtering as required.
-
You don't bridge VLANs. That would be defeating the purpose of them. Give them their own subnets and let pfSense do the routing and filtering as required.
Well, there will be a firewall between the vlans, with block/deny by default, and in that way separate them. But the real reason why I'm talking about bridging vlans, is because it is absolutely essential to have multicast/unicast traverse the vlans. (sonos and a lot of iot depends on that protocol...)
But if the community give me good reasons to strongly avoid that idea, I need to come up with something else, like separate subnets with igmp proxy or pimd, if any of those is known to work.
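As an added illustration of the "separate subnets plus IGMP proxy" alternative raised in the opening post and again in the follow-up (this is example code written for this thread, not something from Netgate or from either poster), the script below takes a five-VLAN plan like the one described, checks that it is actually routable (disjoint subnets, one interface per VLAN, which is exactly what a bridge would collapse), and renders an igmpproxy.conf in the format the igmpproxy daemon reads. The VLAN names, interface names (igb1.10 etc.), subnets and the choice of the Sonos VLAN as upstream with the trusted VLAN as the only downstream are all assumptions; guests and the other VLANs are emitted as disabled so they never receive the relayed groups.

```python
import ipaddress

# Constructed VLAN plan matching the five segments in the thread (names, interfaces, subnets assumed).
VLAN_PLAN = {
    "sonos":   {"if": "igb1.10", "subnet": "10.0.10.0/24"},
    "guest":   {"if": "igb1.20", "subnet": "10.0.20.0/24"},
    "iot":     {"if": "igb1.30", "subnet": "10.0.30.0/24"},
    "trusted": {"if": "igb1.40", "subnet": "10.0.40.0/24"},
    "servers": {"if": "igb1.50", "subnet": "10.0.50.0/24"},
}


def check_plan(plan):
    """A routed (non-bridged) design needs disjoint subnets and one interface per VLAN."""
    nets = [ipaddress.ip_network(v["subnet"]) for v in plan.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets: {a} and {b}")
    ifs = [v["if"] for v in plan.values()]
    if len(set(ifs)) != len(ifs):
        raise ValueError("an interface is assigned to more than one VLAN")
    return True


def igmpproxy_conf(plan, upstream, downstreams, altnets=()):
    """Render igmpproxy.conf: the upstream VLAN is where the multicast sources live
    (the Sonos players here), downstream VLANs hold the listeners (controllers on the
    trusted VLAN), and every other VLAN is explicitly disabled so it is never joined.
    altnets lists extra source networks accepted on the upstream side, if any."""
    check_plan(plan)
    if upstream in downstreams:
        raise ValueError("upstream VLAN cannot also be a downstream VLAN")
    lines = ["quickleave"]  # leave a group as soon as the last listener leaves
    for name, v in plan.items():
        if name == upstream:
            lines.append(f"phyint {v['if']} upstream ratelimit 0 threshold 1")
            for net in altnets:
                lines.append(f"    altnet {net}")
        elif name in downstreams:
            lines.append(f"phyint {v['if']} downstream ratelimit 0 threshold 1")
        else:
            lines.append(f"phyint {v['if']} disabled")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(igmpproxy_conf(VLAN_PLAN, "sonos", ["trusted"]))
```

Two caveats worth knowing before relying on this: igmpproxy only relays routable groups such as SSDP's 239.255.255.250, not the link-local 224.0.0.0/24 range that mDNS uses, and on pfSense the firewall rule that passes IGMP must have "Allow IP options" enabled or the membership reports are dropped.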