Actually, the whole point of VLANs is to separate TCP traffic between them; adding routes, NAT, firewall tables to it undoes the whole isolation part.
Keep living the dream, my friend.
The opposite is true. “The whole point” of a VLAN is to add routes, NAT and/or firewall tables, to allow the network administrator to control what communication is permitted between devices, network segments, and WAN uplinks. If you’re not going to do any of that, you might as well just air-gap a completely separate network.
Exactly. So why would you “permit” your other VLANs to be exposed to mDNS flooding/DDoS attacks by creating “proxies”? You kinda lose the “control” aspect, don’t you?
This is such a networking-engineer-cosplay response. Your concerns might make sense if the proposal was for Hilton to enable mDNS reflection between their corporate offices and guest suite wifi. But that’s not what we’re talking about.
Who the heck is on the other side of your home network’s VLAN to justify legitimate concerns for distributed denial of service attacks between two trusted network segments? And even if you did have something like this, the correct response is to deal with it in the physical realm by identifying the sociopath and physically air-gapping them.
Patricio Suarez asked for advice with a home network where he has thoughtfully considered the use of VLANs to isolate devices from his home network. This is a good idea. Unfortunately the poor advice provided in this thread has resulted in Patricio abandoning the benefits of VLAN security entirely, rather than making a configuration change on his router to support his requirements.
This is unfortunate.
Then why bother with VLANs?
There are only two kinds of people implementing VLANs on their home network:
- The paranoids: All those nasty IoT devices phoning home sending information like … their IP address? The last time the fridge was opened? They might DDoS me? …
- … No actually, there is only one kind. The second group is the people who read papers from the first group and implemented their suggestions.
No idea who you are, but I’ve been an IT engineer for 35+ years now. I even knew the world before Ethernet and TCP/IP, mind you.
Hahaha… I was so sure of that kind of response
What is experience vs. certitude!
Same here… sure my network can be safer, but why? There is no need to have 39 VLANs like in the worldwide corporate network we have at my work.