PC Access Across Multiple VLAN

If each router has a WAN IP then you can use 2 routers set up manually to share the internet connection. You cannot load balance across these small routers as there is no gateway of last resort so if 1 router fails the other one can take over. You need to explain to me how your DHCP setup works with your 2 routers. Are you using the default DHCP gateway IP address for your clients? Do your routers support VLANs?

I don't think your switch is sharing traffic across VLANs since you have all traffic untagged and there is no way to distinguish traffic. If I am wrong please explain.

I think my use of the term "Load-balancing" may be misleading. If one router fails anything attached to it fails. Devices don't flip from one router to another if the former becomes overworked.

Long before any of the above I set up my AC68U (the DHCP server) to manually assign a static IP to each of my 70+ "permanent resident" devices (PCs, mobiles, NAS, servers, printers, cameras, hubs, etc.). Any "casual" or guest device would be assigned an IP outside the range of static IPs manually assigned.

Now that I have added a 2nd router (DHCP server disabled), any devices that I want assigned to this new router, such as the PCs above, are removed from the AC68U static IP list and their default gateway permanently assigned to the R7000 (see below). In the current setup, anything on VLAN 1 cannot see/access the R7000 router. Anything on VLAN 20, however, can see the AC68U router. Once I restrict this access I will enable the DHCP server on the R7000 and will no longer need to permanently assign a default gateway to VLAN 20 clients.

I suppose I could toss out the GS108T switch altogether and just assign a gateway to each device I want to assign to the R7000, but I think plugging such device(s) into one of the ports and letting the DHCP server do all this work seems more efficient. Hope that makes sense.


gateway.jpg
 
I think your layer 3 is working better than your layer 2. A couple of questions. Is the WAN side for both routers flowing through your untagged VLAN switch? If it is, you have a security issue as stated above by abailey. You need a separate non-default VLAN with no members of the local LAN side.

If your routers support VLANs, why not assign networks to each VLAN? This will fix your DHCP problem. You can create a VLAN network between routers which will allow the routers to route to each other.

If you can't do the above then I don't see how the LAN VLAN is helping. Just double stack the routers if you need to share access. Otherwise run independent networks. The only thing keeping your current network running is layer 3, the IP layer, because of your manipulation of default gateways. Layer 2 is not correct. And please do not blend WAN traffic in. The switch is not the limiting factor, it is your routers.

PS
What I mean by layer 2 is not correct is the VLANs are overcomplicated. Using the basic VLAN1 will achieve the same thing. VLANs are to segment traffic. It sounds like you need all traffic together since you have all the traffic in untagged VLANs together.

One more thing is all my solutions allow DHCP to work correctly.
 
I think your layer 3 is working better than your layer 2. A couple of questions. Is the WAN side for both routers flowing through your untagged VLAN switch? If it is, you have a security issue as stated above by abailey. You need a separate non-default VLAN with no members of the local LAN side.

Can you clarify this please? I am confused on how this is a security issue. Specifically, where would potential risks/threats be coming from? If it's across VLANs I am not overly concerned as I don't have LAN clients on one VLAN trying to hack the other VLAN. :) If by security issues you mean from outside my home network, that's a whole different story :(
 
If you have your WAN traffic outside firewall traffic merged with local LAN traffic in the same VLAN it would be a security concern. There exists a path to the inside of your network without going through your firewall. This is an open door for internet hackers. You always need to separate WAN and LAN traffic and make it pass through a firewall. You can have both in the same switch, they just need to be in separate VLANs. I am not real concerned about 1 LAN VLAN to another LAN VLAN.
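
Added example (not part of any post in this thread): a small audit of a switch's port/VLAN membership table that flags the condition described above, WAN-side ports sharing a VLAN with LAN-side ports, and WAN ports left on the default VLAN. The port names, roles, VLAN 99 and both sample tables are constructed for illustration and are not the poster's actual GS108T configuration.

```python
from collections import defaultdict

# Role labels are assumptions for this example.
WAN_ROLES = {"modem", "router_wan"}   # outside the firewall
LAN_ROLES = {"router_lan", "client"}  # inside the firewall

# Constructed sample: port -> (role, VLAN IDs the port is a member of,
# whether tagged or untagged). WAN ports share VLAN 1 with LAN clients.
MERGED = {
    "g1": ("modem", {1}),
    "g2": ("router_wan", {1}),
    "g3": ("router_wan", {1}),
    "g4": ("router_lan", {1}),
    "g5": ("router_lan", {20}),
    "g6": ("client", {1}),
    "g7": ("client", {20}),
}

# Same ports with the WAN side moved to its own non-default VLAN (99 is arbitrary).
SEPARATED = dict(MERGED, g1=("modem", {99}),
                 g2=("router_wan", {99}), g3=("router_wan", {99}))


def audit(ports, default_vlan=1):
    """Return a list of (vlan_id, issue, ports) findings for a membership table."""
    wan, lan = defaultdict(list), defaultdict(list)
    for port, (role, vlans) in sorted(ports.items()):
        if role in WAN_ROLES:
            side = wan
        elif role in LAN_ROLES:
            side = lan
        else:
            raise ValueError(f"unknown role {role!r} on port {port}")
        for vid in vlans:
            side[vid].append(port)

    findings = []
    for vid in sorted(wan):
        if lan.get(vid):
            # Same broadcast domain on both sides of the firewall.
            findings.append((vid, "wan-lan-mixed", wan[vid] + lan[vid]))
        if vid == default_vlan:
            # New or reset ports land here, so the WAN VLAN should not be the default.
            findings.append((vid, "wan-on-default-vlan", wan[vid]))
    return findings


if __name__ == "__main__":
    for name, table in (("merged", MERGED), ("separated", SEPARATED)):
        print(name, audit(table) or "no findings")
```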
 
Somebody has been posting about a new Tomato software version. I believe Tomato will add VLANs to your R7000 router. You need to check it out. I have not run it since the very first Linksys days. It has been outdated for a long time. But it might give you an option if you don't currently have VLANs on your router and providing the security for the kernel is there.
 
