Subnet, routing and gateway: Basic question


tubs-ffm

Active Member
Sep 1, 2013
171
57
28
Hello,

I have a basic question to get the right understanding for routing of subnets. Below is a simplified sketch of the network. My questions refer to the /22 subnet 192.168.0.0/22 that is split into two /24 subnets LAN_1 (192.168.2.0/24) and LAN_2 (192.168.5.0/24).

When I assign the firewall 192.168.2.1 as gateway to the PC 192.168.2.100, how will the traffic from the PC (192.168.2.100) in LAN_1 be routed to the server (192.168.5.10) in LAN_2? Will it remain within the L3 switch on the right side?

Or does this setup only work if I assign the L3 switch 192.168.2.2 as gateway to the PC 192.168.2.100?

Network Test.png
 

itronin

Well-Known Member
Nov 24, 2018
1,240
801
113
Denver, Colorado
Hello,

I have a basic question to get the right understanding for routing of subnets. Below is a simplified sketch of the network. My questions refer to the /22 subnet 192.168.0.0/22 that is broken up into two /24 subnets LAN_1 (192.168.2.0/24) and LAN_2 (192.168.5.0/24).
Note: I've truncated the rest of your post in my response because there are some basic questions/problems with the first part.

Not sure if you have described things accurately as implemented so let's go through a couple of items first:

(A) If 192.168.0.0 is a /22 supernet then the address range is 192.168.0.1 - 192.168.3.254 with the network number being the first value in the range 192.168.0.0 and the broadcast address being the last value at 192.168.3.255 which can be notated as: 192.168.0.0/22

192.168.5.0/24 does not fall into that range. If you consider an equally sized supernet as you described then it would be in 192.168.4.0/22
To be clear the netmask for a /22 will be 255.255.252.0

(B) You then describe the two subnets as being split into /24... Not sure why we're talking about a /22 in the first place then...
The way you describe it though makes me think you are specifying a /24 address on PC and Hyper-V which implies a /24 netmask on those hosts.

(C) for both your router and switch I don't know what you've specified as netmasks for their VLAN 1 interfaces... is it a /22 or /24 netmask?

Helpful hint, when working with supernets (IMO even classed subnets) it is helpful to specify the network size on an IP address esp for router interfaces .

Consider labeling on your Firewall - Router icon 192.168.2.1 as 192.168.2.1/22 if the interface has a netmask of 255.255.252.0 and 192.168.2.1/24 if it has a netmask of 255.255.255.0; that way you can convey what its broadcast domain is. Same with the interfaces on your L3 switch if you have routing enabled on it (calling it L3 makes me think you do).

FWIW if you define 192.168.0.0 as a /21 split into /24's then 192.168.5.0 would more closely match the scenario you've described (note the netmask on a /21 will be 255.255.248.0)

However there's an underlying question here: why such large subnets (and by extension broadcast domains)? Are you really expecting to have 1022 (/22) or 2046 (/21) hosts in these ranges or is this purely an academic pursuit to learn how all this addressing stuff works or are you trying to make things a bit more readable by saying the hyper-v box has a different third octet than say the PC?
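The subnet arithmetic itronin walks through in points (A) to (C), as an added example that is not part of the thread: it uses Python's standard ipaddress module to compute the range, netmask and broadcast of a prefix, to test whether 192.168.5.0/24 falls inside the /22 or the /21, to find the smallest common parent of the two /24s, and to show why a mismatched netmask on two hosts makes them disagree about being on-link. All addresses are the ones from the posts above; the function names are my own.

```python
import ipaddress


def describe(cidr: str) -> dict:
    """Network number, netmask, first/last usable host, broadcast and host count for a prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,
    }


def contains(parent: str, child: str) -> bool:
    """True when every address of child lies inside parent (e.g. is 192.168.5.0/24 in 192.168.0.0/22?)."""
    return ipaddress.ip_network(child, strict=False).subnet_of(
        ipaddress.ip_network(parent, strict=False)
    )


def parent_of(child: str, prefixlen: int) -> str:
    """The block of the given size that a subnet belongs to (which /22 holds 192.168.5.0/24?)."""
    return str(ipaddress.ip_network(child, strict=False).supernet(new_prefix=prefixlen))


def smallest_common_parent(*subnets: str) -> str:
    """Shortest single prefix that covers all the given subnets."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    candidate = nets[0]
    # widen the first subnet one bit at a time until it covers all of them
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)


def same_link(host_a: str, host_b: str) -> bool:
    """Do two hosts, each written with its own mask, both consider the other directly reachable?

    This is itronin's 'consistent netmask' point: if the masks differ, one side may ARP for the
    other directly while the other side sends via its gateway, which is where odd behaviour starts.
    """
    a = ipaddress.ip_interface(host_a)
    b = ipaddress.ip_interface(host_b)
    return b.ip in a.network and a.ip in b.network


if __name__ == "__main__":
    for cidr in ("192.168.0.0/22", "192.168.0.0/21"):
        print(cidr, describe(cidr))
    print("192.168.5.0/24 in /22:", contains("192.168.0.0/22", "192.168.5.0/24"))
    print("192.168.5.0/24 in /21:", contains("192.168.0.0/21", "192.168.5.0/24"))
    print("/22 holding 192.168.5.0/24:", parent_of("192.168.5.0/24", 22))
    print("smallest parent:", smallest_common_parent("192.168.2.0/24", "192.168.5.0/24"))
    print("PC/21 and server/21 on-link:", same_link("192.168.2.100/21", "192.168.5.10/21"))
    print("PC/24 and server/21 on-link:", same_link("192.168.2.100/24", "192.168.5.10/21"))
```

Running it prints the /22 range 192.168.0.1 to 192.168.3.254 with netmask 255.255.252.0 and 1022 usable hosts, confirms that 192.168.5.0/24 only fits once the parent is a /21 (netmask 255.255.248.0, 2046 hosts), and shows the mixed /24 + /21 pair disagreeing about being on the same link.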
 

tubs-ffm

Active Member
Sep 1, 2013
171
57
28
Note: I've truncated the rest of your post in my response because there are some basic questions/problems with the first part.
Thank you.
- Yes, the IP is not in the subnet. In the first example it either needs to be a /21 subnet or the IP needs to be 192.168.3/22.
- I do not need big subnets. One /24 is sufficient to cover all hosts. I wanted to do the segmentation to get a routing possibility.

My explanation by the previous synthetic example was not good. Let me explain by another example what I want to achieve. Maybe there is a better way:

Situation:
  • All devices in the blue box are in one room and all other devices are in another room.
  • The network connection between these rooms is slow and therefore I want to keep traffic between devices in the blue box inside the blue box.
  • The two access points need to be in the same subnet (requirement for Ruckus Unleashed)
  • The left access point needs to have internet access even if the connection between the two switches is not working. (Network robustness)
  • PC, server and L3 switch are connected via fast optic fiber. Could be same subnet or different subnets as shown in the example
  • I would like to avoid manual routing tables in hosts.
Intention:
Up to here, everything you can see of LAN_x can be realized with one /24 L2 network. What I want to do next is to move the intra-subnet routing of DMZ 192.168.10.0/24 from the OPNsense firewall to the L3 switch to benefit from the fast fiber connection. But at the same time, I want to keep the LAN subnet spanning across all rooms to have no separation between the APs.



My idea
My idea is to use one /21 parent subnet for LAN across all rooms and do a segmentation on the L3 switch on the right side. Server and PC are in a /24 child subnet. (Separate or same, I leave it open). If this set-up is working, I could move the DMZ subnet to the L3 switch (not yet shown in the picture).

Any other simpler idea?
Network Test_2.png
 

kpfleming

Active Member
Dec 28, 2021
392
205
43
Pelham NY USA
Traffic between devices in the blue box should stay in the blue box by default, with no special configuration required. It won't matter if those devices are using addresses which are part of a subnet which extends (at L2) out of the blue box and into the other areas.
 

itronin

Well-Known Member
Nov 24, 2018
1,240
801
113
Denver, Colorado
@tubs-ffm - love the new drawing! Most excellent! To expand on what @kpfleming said (and also implied) - you aren't really using the L3 switch in the blue box at layer 3 as it's really going to act no differently than the managed L2 switch in your drawing - if everything is configured in a sane fashion. And everything can work even if the switch in the blue room was only managed L2!

I'm going to make some suggestions and add some not necessarily well thought through rambling now - kind of food for thought for ya and you can take it or leave it - your playground, your rules.

This is really considered a best practice: Consistently configure your netmasks across all the devices participating in the same subnet. If your subnet is a /21 the netmask should reflect that in *all the hosts in the subnet*. If you don't then invariably normally well behaved network applications and/or processes will exhibit seemingly inexplicable and odd behaviors at times. There are exceptions to this and it certainly can be a fun experiment - but what am I talking about? Your Hyper-V and PC in the blue room really should have a netmask of /21 and their default gw should be the firewall outside the room. The unicast traffic between those two hosts in the .0/21 subnet will stay inside the switch in the blue room.

** warning - I don't think this is what you want to do but ... **
If you do want routing to happen in the Blue room and you would like network applications well behaved then you will want to implement a transit vlan between the firewall and the L3 switch. PC and Hyper-V will have the L3 switch as the default gateway *and* have a different subnet for your PC and Hyper-V in the blue room.

** but but but - ruckus unleashed **

Have a "management vlan" for your RU. That's what the AP's really want to be in the same subnet. You can create a VLAN just for managing your AP's, plop them all in there so they can figure out who's boss and do their inter-AP voting, confabbing, exchange of ideas, coffee and snacks. Associate your SSID's to the appropriate VLANS for their traffic. NB: your AP interface switch ports will be "dual-mode" in ICX parlance... Untagged traffic for your management VLAN (this makes it easy if you are using DHCP to configure your AP's as well as knowing your AP's should always be able to talk to something even if you had to plug them into a dumb switch to troubleshoot) *and* TAGGED vlans for your SSID's. hence dual-mode.

** default vlan - ie. VLAN 1 **

Before you get too invested in what you are building, consider not using VLAN 1 - at all - for anything. I leave the "why" as an exercise for the reader

** DMZ **

Not sure I want to delve into this before I've had supper. If you want DMZ traffic to come from the Internet and reach Hyper-V *and* you want PC and other guests on Hyper-V to talk to the DMZ guest(s) on Hyper-V without going back to the firewall - well that's something else and we should have discourse on the pros/cons and then how you might do it.

Lastly - even with your first post your title was somewhat of a misnomer - ain't nothing BASIC about what you are doing here. Smaller scale? sure. Basic? not really LOL. :cool: and that is TOTALLY okay as your scenario looks like it will cover a lot of networking ground.
 

tubs-ffm

Active Member
Sep 1, 2013
171
57
28
Thank you again for all the answers.

Traffic between devices in the blue box should stay in the blue box by default, with no special configuration required. It won't matter if those devices are using addresses which are part of a subnet which extends (at L2) out of the blue box and into the other areas.
@tubs-ffm you aren't really using the L3 switch in the blue box at layer 3 as it's really going to act no differently than the managed L2 switch in your drawing - if everything is configured in a sane fashion. And everything can work even if the switch in the blue room was only managed L2!
Absolutely correct. This is my current setup. All L2 incl. a couple of VLANs. And up to this point all is understood.

Lastly - even with your first post your title was somewhat of a misnomer - ain't nothing BASIC about what you are doing here. Smaller scale? sure. Basic? not really LOL. :cool: and that is TOTALLY okay as your scenario looks like it will cover a lot of networking ground.
You are right. My set-up is an overdesigned home network with features I want but do not need. I called it a basic question because I did not expect that someone would do a deep dive into the full complexity of my network. So I reduced everything to the point where I was not sure: routing of traffic in a split network. But I see the only thing I achieved by this is to confuse everybody.

What I will do is sketch my full network. But I need a couple of days for this to find some time.

Have a "management vlan" for your RU. That's what the AP's really want to be in the same subnet. You can create a VLAN just for managing your AP's, plop them all in there so they can figure out who's boss and do their inter-AP voting, confabbing, exchange of ideas, coffee and snacks. Associate your SSID's to the appropriate VLANS for their traffic. NB: your AP interface switch ports will be "dual-mode" in ICX parlance... Untagged traffic for your management VLAN (this makes it easy if you are using DHCP to configure your AP's as well as knowing your AP's should always be able to talk to something even if you had to plug them into a dumb switch to troubleshoot) *and* TAGGED vlans for your SSID's. hence dual-mode.
Here I cannot completely follow. But it looks like going in the right direction. Today I use 3 SSIDs. Two of them are isolated in the VLAN that goes straight to the firewall. There is no interaction to the rest of the network and therefore it is not shown on my sketch. The other SSID is my "LAN" on the default VLAN. This needs to get access to everywhere.

Today in my L2 set-up I benefit from the situation that a device that is connected to the AP on the right side can communicate with the server inside the blue box (no need for traffic between the two rooms). And a device connected to the left side can communicate with the internet even if the right-side infrastructure is down (robustness). This I want to keep when changing the setup to achieve what I describe next below.

If you want DMZ traffic to come from the Internet and reach Hyper-V *and* you want PC and other guests on Hyper-V to talk to the DMZ guest(s) on Hyper-V without going back to the firewall - well that's something else and we should have discourse on the pros/cons and then how you might do it.
Yes, this is what I want to achieve, but without losing the points described before. Today all intra-VLAN traffic goes through the firewall. I do not benefit from the 2x10 Gbit fiber connection between L3 switch, PC and Hyper-V host for traffic between LAN and DMZ. How to do this I know: transport VLAN between the two switches, route DMZ and a subnet for the right side LAN, set up access rules on the L3 switch for intra-VLAN routing and use the L3 switch as default router. But then I run into difficulties with how to span the WiFi LAN network across both rooms.

For this reason I came to the idea of spanning a /21 network and using the L3 router to route the subnets. This would enable me to route the DMZ without losing the possibility to have all AP LAN clients in the same subnet. But it looks like my idea does not work.
 

tubs-ffm

Active Member
Sep 1, 2013
171
57
28
The picture below shows my current L2 set-up.
  • LAN as /24 subnet 192.168.2.0/24 across all wired and WiFi network to connect clients, servers and management of devices.
  • Isolated Guest network as WiFi SSID and wired. VLAN 30. /24 subnet 192.168.30.0/24. No inter-VLAN connection.
  • Isolated IoT network as WiFi SSID. VLAN 20. /24 subnet 192.168.20.0/24. No inter-VLAN connection.
  • Isolated DMZ network for Mail server and Web Server on Hyper-V Host. VLAN 10. /24 subnet 192.168.10.0/24. Limited inter-VLAN connection from LAN, routed and controlled by the firewall
My goal:
- Moving routing between DMZ and LAN from firewall to right side switch to benefit from 10 GBit connection (blue link). Change switch from L2 to L3.
- No manual route entries on clients or server. Only default router setting.
- If possible: Keeping all LAN clients on left and right side in the same subnet
- Left side connected devices should get internet access even if the right side network is down.

Any elegant way for this?

Network L2.png
 

itronin

Well-Known Member
Nov 24, 2018
1,240
801
113
Denver, Colorado
@tubs-ffm

Great Drawing! Very helpful, detailed, and clarifies some things (like I suspect you have multicast going on in vlan 1 which spans left and right...)

before I start writing up a response esp. related to the DMZ I have a question.

do you mean exactly this:
- Left side connected devices should get internet access even if the right side network is down.
Or do you mean that if the connection between the left room (red) and right room (blue) goes down?

The significance being that everything in the right room (blue) is still operable (without Internet connectivity).
 

kpfleming

Active Member
Dec 28, 2021
392
205
43
Pelham NY USA
My goal:
- Moving routing between DMZ and LAN from firewall to right side switch to benefit from 10 GBit connection (blue link). Change switch from L2 to L3.
- No manual route entries on clients or server. Only default router setting.
- If possible: Keeping all LAN clients on left and right side in the same subnet
I think you're going to find it difficult to achieve all of this. "all clients on the same subnet" and "multiple routers" is a complicated thing to do, if it's even possible at all.

The simplest thing to do is to just have separate left and right subnets, without trying to gather them into a 'supernet'. The right-side router would use the left-side router as its upstream, for access to the left side subnet and to outside networks.
 

Rttg

Member
May 21, 2020
71
47
18
Agreed with @kpfleming.

Tubs - from a route perspective, OSPF makes it easy to propagate routes between your switches (e.g., left room telling right room about its subnets; right room telling left room about its subnets), but that’s assuming you want separate subnets (and either don’t need or have planned workarounds for L2 traffic between subnets)
 

itronin

Well-Known Member
Nov 24, 2018
1,240
801
113
Denver, Colorado
@tubs-ffm

The consensus seems to be growing on splitting the rooms into two (or more) subnets. IP (TCP/IP) is a very survivable network protocol *if* you follow its rules. I think you know this and have ruled out the split into subnets. I can only surmise that you have some use-case(s) requiring all primary use network connected devices to be in vlan 1. (broadcast and/or multicast traffic seems to me to be leading contender - but it doesn't really matter and you don't have to share that information.)

Your configuration conundrum has been an interesting problem to think about.

I *believe* a solution may be constructed. It's not elegant, honestly, it's a bit of a hack and will require a higher level of effort to implement than just some network configuration (and that LoE may simply NOT BE WORTH IT) but that's for you to decide how much is too much effort.

Before going into that I do want to speak about the elephant in the room: DMZ hosts. From my perspective I have grave concerns about placing "DMZ" hosts deep in a network. Yes, inbound traffic from the Internet has to pass through your perimeter FW to ultimately reach your DMZ hosts so you have a point of control there. Philosophically though you want to protect yourself internally from DMZ hosts too in the (unlikely) event they are compromised. Typically the DMZ hosts are closely network-coupled with the FW infrastructure. In your case they are not and indeed a design requirement is for internal hosts in the right room to have 10Gbe access to the DMZ hosts. My thought here is to front end your DMZ subnet with a virtual opnsense FW guest implemented on Hyper-V. Your NAT will take place at your perimeter FW and your virtual FW will not use NAT and simply be routing your DMZ subnet with policies/ACL's applied. A point of note here: If you have been planning to (or ARE) using NAT reflection you won't be able to do that (your requirement for direct 10Gbe access). IMO creating and troubleshooting ACL's/FW policies in opnsense is far and away easier to perform than directly implementing ACL's on a switch (though doing both is a good practice) - there are additional features that the FW provides which may be desirable: DPI, log collection and reporting. This design change also creates a very closely coupled DMZ FW and DMZ host(s) infrastructure. There are configuration considerations and tasks within Hyper-V's virtual networks that will be required.

okay back to the task at hand:

Warning - this solution relies on asymmetric routing and honestly you really should not do this and services/applications may not behave rationally.
assumes static routing is in use.

Configure routing on the L3 switch in the right room.

Create and configure a DMZ vlan interface on the L3 switch in the right room *or* if you are going to configure an opnsense DMZ instance then a transit VLAN between L3 switch in the right room *and* in the opnsense DMZ instance on Hyper-V. If creating a transit vlan you will then need a route on the L3 switch for the DMZ subnet via the transit vlan opnsense interface.

Remove the DMZ interface from your perimeter FW. Create a route on the perimeter FW with the DMZ subnet via the L3 router. Check your NAT rules and make sure they are configured correctly for this change.

Non DMZ Hosts in the right room which desire DMZ 10Gbe connectivity will need to be configured with the L3 switch as their default gateway. Internet originating or return traffic to these hosts will obviously bypass this path (there's that asymmetric business). Implement in either DHCP (reservation required if a scope for vlan 1 exists) or via static configuration on the vlan 1 hosts requiring 10gbe access.

DMZ hosts will need to be configured appropriately: If you choose to front end the DMZ with opnsense - then that will be the default gateway on the DMZ hosts, if not then the DMZ vlan interface on the L3 switch.


all that said if you don't have a functional requirement (broadcast/multicast or something else) for most of the hosts in both rooms to be in the same subnet then it would be so much more elegant to simply have a subnet in each room for "trusted access" L3 configured on both your switches, use transit vlan from your perimeter firewall to the switch in the left room, and frontend your dmz hosts with opnsense in the right room. You can still span your IOT vlans between the two switches *and* span your guest vlan from the perimeter FW across both switches...
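To make the asymmetric-routing warning in the post above concrete, here is an added example (my own code, not anything from the thread) that models the "hack" topology with plain longest-prefix-match forwarding and traces packets in both directions. The addresses are constructed from the posts: a /21 LAN (vlan 1) spanning both rooms with the perimeter firewall at 192.168.2.1 and the right-room L3 switch at 192.168.2.2, the DMZ 192.168.10.0/24 routed on the L3 switch, and the PC using the L3 switch as its default gateway. The WAN side (198.51.100.0/30, 203.0.113.0/24) is documentation address space standing in for the ISP; NAT is deliberately left out because the asymmetry shows up before NAT matters.

```python
import ipaddress


class Node:
    """A host or router: addressed interfaces, static routes and an optional default gateway."""

    def __init__(self, name, interfaces, routes=(), gateway=None):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh)) for p, nh in routes]
        if gateway is not None:
            self.routes.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(gateway)))

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def next_hop(self, dst):
        # 1. On-link: the destination sits in a directly connected network, so it is reached at
        #    layer 2 with no router involved (why same-VLAN traffic never leaves the switch).
        for i in self.ifaces:
            if dst in i.network:
                return dst
        # 2. Otherwise longest-prefix match over the static routes; the /0 default loses ties.
        candidates = [(net, nh) for net, nh in self.routes if dst in net]
        if not candidates:
            return None
        return max(candidates, key=lambda c: c[0].prefixlen)[1]


class Topology:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def node_with(self, ip):
        return next((n for n in self.nodes.values() if n.owns(ip)), None)

    def trace(self, src, dst, max_hops=10):
        """Names of the nodes a packet from node `src` to address `dst` passes through."""
        node, dst = self.nodes[src], ipaddress.ip_address(str(dst))
        path = [node.name]
        for _ in range(max_hops):
            if node.owns(dst):
                return path
            nh = node.next_hop(dst)
            node = self.node_with(nh) if nh is not None else None
            if node is None:
                return path + ["unreachable"]
            path.append(node.name)
        return path + ["loop"]

    def symmetric(self, a, b):
        """True when the reply path is exactly the forward path reversed."""
        forward = self.trace(a, self.nodes[b].ifaces[0].ip)
        back = self.trace(b, self.nodes[a].ifaces[0].ip)
        return forward == list(reversed(back))


def build_hack_topology():
    # Constructed addresses; WAN-side prefixes are documentation ranges, not real networks.
    firewall = Node("firewall", ["192.168.2.1/21", "198.51.100.2/30"],
                    routes=[("192.168.10.0/24", "192.168.2.2")], gateway="198.51.100.1")
    l3 = Node("l3-switch", ["192.168.2.2/21", "192.168.10.1/24"], gateway="192.168.2.1")
    pc = Node("pc", ["192.168.2.100/21"], gateway="192.168.2.2")   # the hack: L3 switch as gw
    dmz = Node("dmz-vm", ["192.168.10.5/24"], gateway="192.168.10.1")
    isp = Node("isp", ["198.51.100.1/30", "203.0.113.1/24"],
               routes=[("192.168.0.0/16", "198.51.100.2")])
    inet = Node("internet-host", ["203.0.113.10/24"], gateway="203.0.113.1")
    return Topology([firewall, l3, pc, dmz, isp, inet])


if __name__ == "__main__":
    t = build_hack_topology()
    print("pc -> dmz      ", t.trace("pc", "192.168.10.5"))
    print("dmz -> pc      ", t.trace("dmz-vm", "192.168.2.100"))
    print("pc -> internet ", t.trace("pc", "203.0.113.10"))
    print("internet -> pc ", t.trace("internet-host", "192.168.2.100"))
    print("pc<->dmz symmetric:", t.symmetric("pc", "dmz-vm"))
    print("pc<->internet symmetric:", t.symmetric("pc", "internet-host"))
```

The PC-to-DMZ pair is symmetric (both directions go through the L3 switch, which is the 10GbE win the design is after). The PC-to-Internet pair is not: outbound goes PC, L3 switch, firewall, while the reply from the firewall lands on the PC directly because 192.168.2.100 is on-link for the firewall's /21 interface. Any stateful device that only sees one direction of such a flow (the L3 switch here, or an ACL on it) is where the "services may not behave rationally" warning comes from.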
 

tubs-ffm

Active Member
Sep 1, 2013
171
57
28
@tubs-ffm
before I start writing up a response esp. related to the DMZ I have a question.

do you mean exactly this:
- Left side connected devices should get internet access even if the right side network is down.
Or do you mean that if the connection between the left room (red) and right room (blue) goes down?

The significance being that everything in the right room (blue) is still operable (without Internet connectivity).
Let me answer your question with a use case.

This is a home network in a family home. If anything on the right side is down or the right side cannot connect to the internet it only is me who cares. If the TV, the mobile phone, the tablet or the music connected on the left side are losing their internet connection I will receive a high priority ticket to solve the issue immediately.

So, the right-side infrastructure incl. the connection between should not be required for the left side to access the internet. Having the right side operational without connection between left and right would be nice to have.
 

tubs-ffm

Active Member
Sep 1, 2013
171
57
28
Tubs - from a route perspective, OSPF makes it easy to propagate routes between your switches (e.g., left room telling right room about its subnets; right room telling left room about its subnets), but that’s assuming you want separate subnets (and either don’t need or have planned workarounds for L2 traffic between subnets)
The consensus seems to be growing on splitting the rooms into two (or more) subnets. IP (TCP/IP) is a very survivable network protocol *if* you follow its rules. I think you know this and have ruled out the split into subnets. I can only surmise that you have some use-case(s) requiring all primary use network connected devices to be in vlan 1. (broadcast and/or multicast traffic seems to me to be leading contender - but it doesn't really matter and you don't have to share that information.)
Thank you. It looks like everything other than having separate subnets is not possible or at least ends up in a complex and tricky set-up.

But today I cannot answer by hard facts if I really "need" one subnet. I assume this makes some things easier. I would need to create a small test set-up to confirm. Connection to Yamaha MusicCast from everywhere in the LAN and connection to a UPnP server is what I have in mind. DHCP for clients on the LAN is easier to handle (for servers and infrastructure I use fixed IPs).

In the end I need to balance. If it all gets too complicated I give up on the idea of 10 GBit routing between LAN and DMZ.


Edit: Quote marks corrected.
 

tubs-ffm

Active Member
Sep 1, 2013
171
57
28
@tubs-ffm

Before going into that I do want to speak about the elephant in the room: DMZ hosts. From my perspective I have grave concerns about placing "DMZ" hosts deep in a network. Yes, inbound traffic from the Internet has to pass through your perimeter FW to ultimately reach your DMZ hosts so you have a point of control there. Philosophically though you want to protect yourself internally from DMZ hosts too in the (unlikely) event they are compromised. Typically the DMZ hosts are closely network-coupled with the FW infrastructure. In your case they are not and indeed a design requirement is for internal hosts in the right room to have 10Gbe access to the DMZ hosts. My thought here is to front end your DMZ subnet with a virtual opnsense FW guest implemented on Hyper-V. Your NAT will take place at your perimeter FW and your virtual FW will not use NAT and simply be routing your DMZ subnet with policies/ACL's applied. A point of note here: If you have been planning to (or ARE) using NAT reflection you won't be able to do that (your requirement for direct 10Gbe access). IMO creating and troubleshooting ACL's/FW policies in opnsense is far and away easier to perform than directly implementing ACL's on a switch (though doing both is a good practice) - there are additional features that the FW provides which may be desirable: DPI, log collection and reporting. This design change also creates a very closely coupled DMZ FW and DMZ host(s) infrastructure. There are configuration considerations and tasks within Hyper-V's virtual networks that will be required.
Thank you for advice. I can follow your explanation and it makes sense.

I assume most users like me will not even use a DMZ and put everything in one LAN. I guess all of them have survived so far. Am I doing it because I have equipment that can do it? Or do I use it as an excuse to justify the need for my equipment? I do not know. At least up to a certain point it's like playing with expensive toys for grown-up kids. If I seriously asked myself whether I need to run my own web server, my own mail server, my own Matrix chat server, my own file server, my own backup server and use enterprise network equipment, the answer is clear. Everybody else is doing the same with a single router/WiFi combo device provided by the internet provider and a USB HDD attached to it.

The idea with a virtual OPNsense firewall I like. Yes, ACL on the switch is difficult. But I am not talking about complex rule sets.

Maybe I should question the need for DMZ.
 

itronin

Well-Known Member
Nov 24, 2018
1,240
801
113
Denver, Colorado
Let me answer your question with a use case.

This is a home network in a family home. If anything on the right side is down or the right side cannot connect to the internet it only is me who cares. If the TV, the mobile phone, the tablet or the music connected on the left side are losing their internet connection I will receive a high priority ticket to solve the issue immediately.

So, the right-side infrastructure incl. the connection between should not be required for the left side to access the internet. Having the right side operational without connection between left and right would be nice to have.
:p That's production!!!! I think many of us here have that going on! I actually think that use case is even more suited to split subnets. You have a natural delineation/routing/control point between what we might call "lab" or test and production. Which to me says "split it up".

the challenge I see is as you called it: yammie musiccast, as I call it sonos, multimedia and other bits. That's often implemented with multicast; being in different broadcast domains can cause challenges. ex: sonos really wants to be in the same subnet with all the other sonos bits for their walled garden to behave. Even then esp. on the ruckus gear there are a bunch of settings that need to be tweaked. It would not surprise me if you had to go through some of that with your music-cast system. (???)

if you split the rooms into subnets - still having easy access to your media though while working is desirable. Why not put in wireless on devices that don't have it (desktops for example) and add a second wifi to those laptops that need two network connections. Create an SSID for your right room (blue) and non tethered laptops can connect to both at the same time. that way your devices that need it can span both networks simultaneously. Directly connected networks are well - directly connected. You'll end up with two def gw's but I figure you can find a config that works.

Thank you. It looks like everything other than having separate subnets is not possible or at least ends up in a complex and tricky set-up.
if it worked: complex, tricky, prone to failure.

But today I cannot answer by hard facts if I really "need" one subnet. I assume this makes some things easier. I would need to create a small test set-up to confirm. Connection to Yamaha MusicCast from everywhere in the LAN and connection to a UPnP server is what I have in mind. DHCP for clients on the LAN is easier to handle (for servers and infrastructure I use fixed IPs).

In the end I need to balance. If it all gets too complicated I give up on the idea of 10 GBit routing between LAN and DMZ.
If multicast becomes sticky with media presentation - it is possible a multicast rendezvous point may help.
However I am by no means an expert on mc and it's a concept that tickled my mind more than once whether it might solve some challenges in home environments.

As far as upnp - no experience here with that - i almost always turn it off.


Thank you for advice. I can follow your explanation and it makes sense.

I assume most users like me will not even use a DMZ and put everything in one LAN. I guess all of them have survived so far. Am I doing it because I have equipment that can do it? Or do I use it as an excuse to justify the need for my equipment? I do not know. At least up to a certain point it's like playing with expensive toys for grown-up kids. If I seriously asked myself whether I need to run my own web server, my own mail server, my own Matrix chat server, my own file server, my own backup server and use enterprise network equipment, the answer is clear. Everybody else is doing the same with a single router/WiFi combo device provided by the internet provider and a USB HDD attached to it.

The idea with a virtual OPNsense firewall I like. Yes, ACL on the switch is difficult. But I am not talking about complex rule sets.

Maybe I should question the need for DMZ.
Using your room analogy I do believe that you should think hard about isolating your DMZ hosts on hyper-v. Call it the orange room, only it's virtual. A virtual firewall makes sense to me given your configuration. Look back at your "production" use-case. Imagine the ticket hell that would be caused if some malefactor took advantage of a 0 day on your mail or web server and surged back into your production network from the inside...

I ran home email and a small webserver up until about 2013. Watching the attack attempts on the hosts was amusing until they really became a nuisance and I shut it down. But there are times it would be "fun again". I'd definitely do it in a DMZ and I would isolate the heck out of it. do both ACL's on the switch and a virtual firewall!

thank you for sharing! I've enjoyed kibitzing through what you wanted to do! No matter what you decide I hope that you have fun with it (and keep the prod ticket count down)!

edit - grammar and typo.
 

tubs-ffm

Active Member
Sep 1, 2013
171
57
28
Thank you again.

Why not put in wireless on devices that don't have it (desktops for example) and add a second wifi to those laptops that need two network connections.
My philosophy is different. I go wired wherever I can: Desktop-PC, Company PC, printer, AppleTV, MusicCast. The Wifi is for portable devices only.

Using your room analogy I do believe that you should think hard about isolating your DMZ hosts on hyper-v. Call it the orange room, only its virtual. A virtual firewall makes sense to me given your configuration.
I see a benefit to be able to realise the 10 Gbit connection. But I cannot see a measurable benefit from safety point of view. Assuming VLAN is a technique that brings a certain level of safety I do not see a difference of having the firewall at the Hyper-V host or tunneling all the traffic via VLAN to the Hyper-V host.

BTW, no VLAN tagging on the Hyper-V host. I go with two physical wires, one for LAN and one for DMZ, from an untagged port of the switch to the Hyper-V host. Same on OPNsense. I go with one wire without VLAN for LAN and one wire with tagged VLANs for the other networks DMZ, IoT and Guest. This I do because I believe it is a better balance between safety and performance in comparison to going with link aggregation + VLAN for all. The benefit regarding safety of having OPNsense on the Hyper-V host is not having the need to put trust in the VLAN implementation of Brocade/Ruckus.
 

itronin

Well-Known Member
Nov 24, 2018
1,240
801
113
Denver, Colorado
My philosophy is different. I go wired wherever I can: Desktop-PC, Company PC, printer, AppleTV, MusicCast. The Wifi is for portable devices only.
concur my suggestion was a compromise to get your machines dual homed while maintaining broadcast domain access to vlan 1 - assuming you split the subnets.

I do not see a difference of having the firewall at the Hyper-V host or tunneling all the traffic via VLAN to the Hyper-V host.
I'm missing something then or not understanding your explanation.
By having a ve5 IP'ed interface on the l3 switch (and it's in layer 3 mode I presume) says to me that's not tunneled ONLY between opnsense and Hyper-V. You simply have a VLAN that has routing capabilities (l3 switch and opnsense); analogy - there's an on and off ramp. If your 10Gbe PC is not trunked to the L3 switch (vlan 1 and vlan 5) then in order to get L3 connectivity you must intend to route VLAN 5 at the L3 switch at that on and off ramp, otherwise your traffic has to go all the way back to the FW and no matter what we do you'll lose that 10gbe connection right there.
 

tubs-ffm

Active Member
Sep 1, 2013
171
57
28
** default vlan - ie. VLAN 1 **

Before you get too invested in what you are building, consider not using VLAN 1 - at all - for anything. I leave the "why" as an exercise for the reader
Thank you for the advice. I know about it, but I never really understood. I never used a tagged VLAN 1. Before I had a cheap switch that drove me crazy because I did not understand the web interface for VLAN configuration. If I wanted to have untagged traffic for LAN, anything other than VLAN 1 was not possible. Meanwhile this switch is retired and I could change.

You think this will make a difference? Changing VLAN 1 to VLAN 2?

Explanation:
1/1/1 --> AP
1/2/1 --> other switch

Code:
!
!
vlan 1 name DEFAULT-VLAN by port
spanning-tree
!
vlan 10 name DMZ by port
tagged ethe 1/2/1
untagged ethe 1/1/3 ethe 1/1/5 ethe 1/3/3 to 1/3/4
!
vlan 20 name IoT by port
tagged ethe 1/1/1 ethe 1/2/1
untagged ethe 1/1/11
!
vlan 30 name Guest by port
tagged ethe 1/1/1 ethe 1/2/1 ethe 1/3/3
untagged ethe 1/1/7 ethe 1/1/9
!
!
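To answer the "does it matter which ports still sit in VLAN 1?" question from the config itself, here is an added example (my own code, not part of the thread) that parses the ICX-style VLAN stanzas above, expands port ranges such as "ethe 1/3/3 to 1/3/4", and reports per port which VLAN carries its untagged traffic and which are tagged. It assumes the usual FastIron behaviour that a port stays an untagged member of the default VLAN until it is made an untagged member of another VLAN, so a port that only appears in "tagged" lines still drops untagged frames into VLAN 1; that assumption is what `ports_on_default_vlan` flags. The config string is copied from the post; `default_vlan` is a parameter so the same check works after renumbering.

```python
import re
from collections import defaultdict

# Copied from the post above (the poster's own switch config).
ICX_CONFIG = """
!
vlan 1 name DEFAULT-VLAN by port
spanning-tree
!
vlan 10 name DMZ by port
tagged ethe 1/2/1
untagged ethe 1/1/3 ethe 1/1/5 ethe 1/3/3 to 1/3/4
!
vlan 20 name IoT by port
tagged ethe 1/1/1 ethe 1/2/1
untagged ethe 1/1/11
!
vlan 30 name Guest by port
tagged ethe 1/1/1 ethe 1/2/1 ethe 1/3/3
untagged ethe 1/1/7 ethe 1/1/9
!
"""


def expand_ports(spec: str) -> list:
    """Turn 'ethe 1/1/3 ethe 1/3/3 to 1/3/4' into ['1/1/3', '1/3/3', '1/3/4']."""
    tokens = spec.split()
    ports, i = [], 0
    while i < len(tokens):
        if tokens[i] != "ethe":
            i += 1
            continue
        start = tokens[i + 1]
        if i + 3 < len(tokens) and tokens[i + 2] == "to":
            # range within one unit/slot: expand the port number only
            unit, slot, first = start.split("/")
            last = tokens[i + 3].split("/")[2]
            ports += [f"{unit}/{slot}/{p}" for p in range(int(first), int(last) + 1)]
            i += 4
        else:
            ports.append(start)
            i += 2
    return ports


def parse_vlans(config: str) -> dict:
    """Map VLAN id -> {'name', 'tagged': set(ports), 'untagged': set(ports)}."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"vlan (\d+)(?: name (\S+))?", line)
        if header:
            current = int(header.group(1))
            vlans[current] = {"name": header.group(2) or "", "tagged": set(), "untagged": set()}
        elif current is not None and line.startswith(("tagged ", "untagged ")):
            kind, _, rest = line.partition(" ")
            vlans[current][kind].update(expand_ports(rest))
    return vlans


def port_membership(vlans: dict, default_vlan: int = 1) -> dict:
    """Per port: the VLAN its untagged frames land in, and the set of tagged VLANs."""
    ports = defaultdict(lambda: {"untagged": default_vlan, "tagged": set()})
    for vid, v in vlans.items():
        for p in v["untagged"]:
            ports[p]["untagged"] = vid          # explicit untagged membership wins
        for p in v["tagged"]:
            ports[p]["tagged"].add(vid)
    return dict(ports)


def ports_on_default_vlan(vlans: dict, default_vlan: int = 1) -> list:
    """Trunk-ish ports whose untagged traffic still falls into the default VLAN (assumed behaviour)."""
    members = port_membership(vlans, default_vlan)
    return sorted(p for p, m in members.items() if m["untagged"] == default_vlan and m["tagged"])


if __name__ == "__main__":
    vl = parse_vlans(ICX_CONFIG)
    for port, m in sorted(port_membership(vl).items()):
        print(f"{port}: untagged vlan {m['untagged']}, tagged {sorted(m['tagged'])}")
    print("untagged traffic in default VLAN on:", ports_on_default_vlan(vl))
```

On this config the two ports that carry tagged VLANs but no explicit untagged membership are 1/1/1 (the AP) and 1/2/1 (the uplink to the other switch), which matches itronin's "dual-mode" description of the AP port: untagged management VLAN plus tagged SSID VLANs. Port 1/3/3 is untagged in VLAN 10 and tagged in VLAN 30, so it is not flagged.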
 