VLANs, Bridges, Routing, oh my...


Nov 19, 2015
There didn't seem to be a general networking forum anywhere, so hopefully this is not too far off topic.

I'm attempting to construct a segregated network that's hopefully very secure, and looking for some guidance, as this isn't my field of expertise, though I'm trying to learn this as I go. Router setup makes my head hurt.

Hardware overview:
-Tomato-Shibby on an R7000
-older Netgear WNR3500l for some extra LAN ports (I need to dumb this one down to just be a switch)
-10/100 switch for all the non-gigabit speed devices around the house
-AIO file-server dual ethernet ports (napp-it VM, and CentOS running Plex and Logitech Media Server)
-PC with dual gigabit ports

-VLAN with only access between PC and server -ESXi administration, BMC port on server, basically so I'm the only one that can screw with anything as far as configuring things
-VLAN for all the devices that I trust
-VLAN for all the devices that I don't really trust (smart TV fits into that category)
-Virtual Wireless for trusted devices
-Guest Wireless with just internet access (this I've done before)

-with all the VLANs, do I need to tie them to certain physical ports? Can this be done with static IPs? Mostly because there's a number of devices going through the 10/100 switch that I do trust, and a number that I don't. The TV should have gigabit access, so it ends up using one of the router ports, but I feel like I'm going to screw myself down the road with certain ports having certain functions, and keeping it all straight.
-how many / what do I need bridges for?
-if the VLANs are segregated, should I expect problems with things like PLEX? I can probably set it up so that certain VLANs can access others, but not vice-versa, but does PLEX and its client need bi-directional access? Seems like a security loophole with the TV being the client.

Any and all advice is really appreciated.