[mythtv-users] VLANs, HDHomeruns and bears, oh my

Simon Hobson linux at thehobsons.co.uk
Tue Apr 7 10:19:00 UTC 2020


Michael <mythtv at blandford.net> wrote:

> Yes, you can absolutely do this, but then you have to have different wired or wireless connections for each network.
> 
> With VLAN aware equipment you could have the router, a switch, and 1 wireless access point that handles multiple connections to various VLANs without duplicating infrastructure.

Exactly.

Ian, one way to think about VLANs is to consider "what if you built several separate LANs" - by that I mean, for each separate LAN, you have separate switches, separate cables, and somewhere, a router with multiple ports to connect them together. As Michael says, you quickly end up with a lot of switches and a lot of cables. And since switches come in fixed numbers of ports, you would typically end up with unused (wasted) ports on many switches while perhaps running out of ports on a different LAN switch in the same location.

The "V" in VLAN is a process (and technologies/protocols) to flatten this stack of multiple hardware into one set.

As an analogy, consider drawing out a diagram representing your network - but crucially, use a stack of tracing paper (or anything else you have to hand that allows you to lay several layers on top of each other and see all the layers).
On the bottom, just draw boxes to represent your switches, router, WiFi access points etc where you'd put them.
Above that, have a layer for each separate LAN you are thinking of having - so one for your MythTV tuners (HD Homeruns), one for your IoT stuff, one for your "general" stuff, one for your guest WiFi, and so on. You can trace the boxes off the bottom sheet onto each layer where they will want a direct presence - so for example, your WiFi AP should appear on several layers. Similarly, draw the cables on the layers where the connections are needed.

Now, in theory you could build each layer as a separate network - as above, lots of duplicated (and underused) hardware.

When you lay all these sheets in a stack, you'll see that most devices only have one connection, while some will have the same connections on multiple sheets. In particular, your router and WiFi access point will appear connected on multiple sheets.
Where there are multiple connections, these will use a TRUNK connection - one that carries VLAN traffic with the different virtual LANs identified by VLAN tags on the packets. Both your router and WiFi AP will have virtual LANs for normal stuff (your own devices), IoT devices, guest WiFi - all over one wire.
Where a device appears on only one sheet, then the switch port will be in ACCESS mode. Here there are no VLAN tags, and the switch takes care of knowing that the port is only used for a single LAN, adding the VLAN tags to packets that come in on that port, and removing them from packets sent out. The connected device never sees VLAN tags, and works just the same as if you have no VLANs in use.

The remaining bit of the jigsaw is that even when running as a trunk port (packets tagged with VLAN headers), the port will have a "Native VLAN". This is primarily "what to do with inbound packets that don't have a VLAN tag" - answer being that they get handled as though they'd been tagged with the default (native) VLAN number.

Hopefully this helps you with the conceptual understanding.

When you get to managing a network across multiple buildings, with dozens of tenants, I think you can see just how much hardware can be saved by use of VLANs :-)


Now, about the implementation ...
You do not have to have just one router. It's quite acceptable to have (say) one router for your internet connection, and another that routes traffic between your VLANs. The only proviso is that your internet router can have routes added - it needs to know where to send packets destined for the other networks it is not directly connected to. In my experience, more CPE routers have this ability than have VLAN capability. And if your ISP forces you to use their proprietary rubbish, then you'd have no choice in that.

Linux has very capable VLAN and Routing abilities - any standard distro should be able to do it in software. At my last place, I had a virtual machine (running Debian but that's not important) handling 3 FTTC (VDSL2) connections, another ethernet provided internet connection, and 4 or 5 LANs. Routing setup and firewall management was done with a package called Shorewall which provides a nice abstraction layer over the networking and filtering setup. HP switches dealt with splitting everything out from one trunk connection. We used Ubiquiti access points which support 4 SSIDs on 4 VLANs, but some others (Draytek IIRC) can do as many as 16 SSIDs. To add another ingredient in the mix, we used policy based routing to determine which traffic used which external internet connection.
My users simply never noticed all this running in the background - they just connected to the network and "it worked", reliably :-)

Simon
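The access/trunk/native-VLAN behaviour Simon describes, as an added toy model (not code from the original post or from any of the products mentioned): frames are byte strings, the 802.1Q tag is inserted after the source MAC, and the handling of tagged frames arriving on an access port (dropped here) and of native-VLAN frames leaving a trunk (sent untagged here) are assumptions of this model, not statements from the message.

```python
# Added example, not from the post: a toy model of 802.1Q tagging on access and trunk ports.
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def build_frame(dst, src, ethertype, payload):
    """Build an untagged Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload

def insert_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag (TPID + TCI) after the 12 address bytes."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame):
    """Remove the 4-byte 802.1Q tag from a tagged frame."""
    return frame[:12] + frame[16:]

def vlan_of(frame):
    """Return the VLAN ID carried in the frame's tag, or None if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

class SwitchPort:
    """access: 'vlan' is the port's single VLAN; trunk: 'vlan' is the native VLAN."""
    def __init__(self, mode, vlan):
        self.mode, self.vlan = mode, vlan

    def ingress(self, frame):
        """Classify an inbound frame; return (vid, tagged_frame), or None to drop."""
        vid = vlan_of(frame)
        if self.mode == "access":
            if vid is not None:
                return None  # assumption of this model: tagged frames on an access port are dropped
            return self.vlan, insert_tag(frame, self.vlan)  # switch adds the tag for the device
        if vid is None:  # untagged frame on a trunk -> handled as the native VLAN
            return self.vlan, insert_tag(frame, self.vlan)
        return vid, frame  # tagged frame on a trunk keeps the VLAN in its tag

    def egress(self, vid, tagged_frame):
        """Send a frame of VLAN 'vid' out of this port; None if the port does not carry it."""
        if self.mode == "access":
            return strip_tag(tagged_frame) if vid == self.vlan else None  # device never sees tags
        # trunk: native VLAN leaves untagged (assumed convention), other VLANs stay tagged
        return strip_tag(tagged_frame) if vid == self.vlan else tagged_frame
```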


