[mythtv-users] VLANs, HDHomeruns and bears, oh my
Ian Evans
dheianevans at gmail.com
Tue Apr 7 22:59:50 UTC 2020
On Tue, Apr 7, 2020, 6:20 AM Simon Hobson, <linux at thehobsons.co.uk> wrote:
> Michael <mythtv at blandford.net> wrote:
>
> > Yes, you can absolutely do this, but then you have to have different
> wired or wireless connections for each network.
> >
> > With VLAN aware equipment you could have the router, a switch, and 1
> wireless access point that handles multiple connections to various VLANs
> without duplicating infrastructure.
>
> Exactly.
>
> Ian, one way to think about VLANs is to consider "what if you built
> several separate LANs" - by that I mean, for each separate LAN, you have
> separate switches, separate cables, and somewhere, a router with multiple
> ports to connect them together. As Michael says, you quickly end up with a
> lot of switches and a lot of cables. And since switches come in fixed
> numbers of ports, you would typically end up with unused (wasted) ports on
> many switches while perhaps running out of ports on a different LAN switch
> in the same location.
>
> The "V" in VLAN is a process (and technologies/protocols) to flatten this
> stack of multiple hardware into one set.
>
> As an analogy, consider drawing out a diagram representing your network -
> but crucially, use a stack of tracing paper (or anything else you have to
> hand that allows you to lay several layers on top of each other and see all
> the layers).
> On the bottom, just draw boxes to represent your switches, router, WiFi
> access points etc where you'd put them.
> Above that, have a layer for each separate LAN you are thinking of having
> - so one for your MythTV tuners (HD Homeruns), one for your IoT stuff, one
> for your "general" stuff, one for your guest WiFi, and so on. You can trace
> the boxes off the bottom sheet onto each layer where they will want a
> direct presence - so for example, your WiFi AP should appear on several
> layers. Similarly, draw the cables on the layers where the connections are
> needed.
>
> Now, in theory you could build each layer as a separate network - as
> above, lots of duplicated (and underused) hardware.
>
> When you lay all these sheets in a stack, you'll see that most devices
> only have one connection, while some will have the same connections on
> multiple sheets. In particular, your router and WiFi access point will
> appear connected on multiple sheets.
> Where there are multiple connections, these will use a TRUNK connection -
> one that carries VLAN traffic with the different virtual LANs identified by
> VLAN tags on the packets. Both your router and WiFi AP will have virtual
> LANs for normal stuff (your own devices), IoT devices, guest WiFi - all
> over one wire.
> Where a device appears on only one sheet, then the switch port will be in
> ACCESS mode. Here there are no VLAN tags, and the switch takes care of
> knowing that the port is only used for a single LAN, adding the VLAN tags
> to packets that come in on that port, and removing them from packets sent
> out. The connected device never sees VLAN tags, and works just the same as
> if you have no VLANs in use.
>
> The remaining bit of the jigsaw is that even when running as a trunk port
> (packets tagged with VLAN headers), the port will have a "Native VLAN".
> This is primarily "what to do with inbound packets that don't have a VLAN
> tag" - answer being that they get handled as though they'd been tagged with
> the default (native) VLAN number.
>
> Hopefully this helps you with the conceptual understanding.
>
> When you get to managing a network across multiple buildings, with dozens
> of tenants, I think you can see just how much hardware can be saved by use
> of VLANs :-)
>
>
> Now, about the implementation ...
> You do not have to have just one router. It's quite acceptable to have
> (say) one router for your internet connection, and another that routes
> traffic between your VLANs. The only proviso is that your internet router
> can have routes added - it needs to know where to send packets destined for
> the other networks it is not directly connected to. In my experience, more
> CPE routers have this ability than have VLAN capability. And if your ISP
> forces you to use their proprietary rubbish, then you'd have no choice in
> that.
>
> Linux has very capable VLAN and Routing abilities - any standard distro
> should be able to do it in software. At my last place, I had a virtual
> machine (running Debian but that's not important) handling 3 FTTC (VDSL2)
> connections, another ethernet provided internet connection, and 4 or 5
> LANs. Routing setup and firewall management was done with a package called
> Shorewall which provides a nice abstraction layer over the networking and
> filtering setup. HP switches dealt with splitting everything out from one
> trunk connection. We used Ubiquiti access points which support 4 SSIDs on 4
> VLANs, but some others (Draytek IIRC) can do as many as 16 SSIDs. To add
> another ingredient in the mix, we used policy based routing to determine
> which traffic used which external internet connection.
> My users simply never noticed all this running in the background - they
> just connected to the network and "it worked", reliably :-)
>
Thanks to everyone in this thread. Some amazing information and ideas.
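To make the access/trunk/native-VLAN behaviour Simon describes concrete, here is an added example that is not code from this thread or from MythTV: a toy 802.1Q switch in Python that tags frames arriving on an access port, strips the tag on the way out, passes allowed tags over a trunk, and drops untagged trunk frames into the native VLAN. The topology and VLAN numbers (20 for the HDHomeRun tuners, 10 for general devices, native VLAN 1 on the trunk to the router) and the sample frame are constructed for the demonstration.

```python
"""Added example: a toy 802.1Q switch showing access, trunk and native-VLAN
port handling (not code from the mailing list; VLAN IDs below are assumed)."""
import struct
from dataclasses import dataclass, replace
from typing import Optional

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]   # None means the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def build(f: Frame) -> bytes:
    """Serialise a frame; insert a 4-byte 802.1Q tag after the MACs if vlan is set."""
    raw = f.dst + f.src
    if f.vlan is not None:
        tci = f.vlan & 0x0FFF          # PCP=0, DEI=0, 12-bit VLAN ID
        raw += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return raw + struct.pack("!H", f.ethertype) + f.payload


def parse(raw: bytes) -> Frame:
    """Inverse of build(): detect and strip a single 802.1Q tag."""
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan, off = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, off = tci & 0x0FFF, 18
    return Frame(dst, src, vlan, ethertype, raw[off:])


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    vlan: int                          # access VLAN, or the trunk's native VLAN
    allowed: frozenset = frozenset()   # trunk only: VLAN IDs allowed tagged


def classify_ingress(port: Port, raw: bytes):
    """Decide which VLAN an inbound frame belongs to; None means drop."""
    f = parse(raw)
    if port.mode == "access":
        # An access port serves one LAN: a tagged frame is unexpected and is dropped.
        return (None if f.vlan is not None else port.vlan), f
    if f.vlan is None:
        return port.vlan, f            # untagged on a trunk -> native VLAN
    return (f.vlan if f.vlan in port.allowed else None), f


def encapsulate_egress(port: Port, vlan: int, f: Frame):
    """Bytes that leave `port` for a frame in `vlan`; None means not forwarded."""
    if port.mode == "access":
        return build(replace(f, vlan=None)) if vlan == port.vlan else None
    if vlan == port.vlan:
        return build(replace(f, vlan=None))   # native VLAN leaves a trunk untagged
    return build(replace(f, vlan=vlan)) if vlan in port.allowed else None


def forward(ports: dict, in_port: str, raw: bytes) -> dict:
    """Flood a frame received on in_port to every other port, per VLAN rules."""
    vlan, f = classify_ingress(ports[in_port], raw)
    if vlan is None:
        return {}
    out = {}
    for name, p in ports.items():
        if name == in_port:
            continue
        wire = encapsulate_egress(p, vlan, f)
        if wire is not None:
            out[name] = wire
    return out


# Constructed topology (assumed VLAN numbering): VLAN 20 for the tuners,
# VLAN 10 for general devices, native VLAN 1 on the trunk to the router.
PORTS = {
    "tuner":   Port("tuner", "access", 20),
    "desktop": Port("desktop", "access", 10),
    "router":  Port("router", "trunk", 1, frozenset({10, 20})),
}
TUNER_MAC = bytes.fromhex("001122334455")   # made-up address
BCAST = b"\xff" * 6


def demo() -> dict:
    """An untagged broadcast from the tuner: only the trunk sees it, tagged as VLAN 20."""
    untagged = build(Frame(BCAST, TUNER_MAC, None, ETHERTYPE_IPV4, b"ssdp"))
    return forward(PORTS, "tuner", untagged)


if __name__ == "__main__":
    for name, wire in demo().items():
        print(name, parse(wire).vlan, wire.hex())
```

Run it and the tuner's untagged broadcast reaches only the router trunk, now carrying the `0x8100` tag with VLAN ID 20; the desktop in VLAN 10 never sees it, which is the isolation the thread is after. The native-VLAN branch in `classify_ingress` is also the caveat to keep in mind when you configure the real switch: anything untagged arriving on a trunk is silently placed in the native VLAN, so it is common practice to set the trunk's native VLAN to an ID that carries no real hosts.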