DD-WRT router suggestion

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #76
    Here's what I have. Let me know what you did different.
    1.
    Dynamic DNS/Dynamic DNS1 configuration for OpenDNS
    OpenDNS
    OpenDNS: username
    OpenDNS: password

    Basic
    ->Network
    --> Static DNS
    208.67.222.222
    208.67.220.220

    2.
    Advanced
    ->DHCP / DNS

    Use Internal Caching DNS Forwarder: yes
    Use Received DNS With Static DNS: yes
    Intercept DNS Port (UDP 53): yes
    Use Internal Caching DNS Forwarder:
    Dnsmasq Custom Configuration:

    Enter the following options into the text box:
    Code:

    cache-size=2048
    log-async=5
    #strict-order

    cache-size: 250
    log-async: Enable
    extra: (commented out with a #)
    strict-order: yes
    - Pete

    Auto mator
    Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb

    HS4 Pro - Ubuntu 22.04 / Lenova Tiny M900 / 32Gb Ram
    HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

    X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



      #77
      Updated Picture.
      Last edited by Pete; January 10, 2017, 06:15 PM.
      - Pete



        #78
        Guessing that all of the above is now working fine and we can move on to creating VLANs.

        Here is a page #2 of your new set up.


        You can do VLANs on your new Tomato router and/or managed switch. BTW what is the mfg and model number of your switch?

        Just a quickie post relating to why create VLANs for home use and if it is right for you.

        Best to proceed here baby step fashion as mentioned earlier.

        BTW you mentioned that you have one 24 port managed switch and many devices on your network. Do you have unmanaged switches on your network?


        Using isolated VLANs for wired and wireless clients:

        1 - Put untrusted internet-connected devices and appliances on their own isolated network so they can’t sniff, attack, poke, prod or wreak havoc on your private, trusted network.
        2 - Access devices on the isolated network from your private network but not vice-versa.
        Example: Put your Android Smart TV on an isolated network – you can still control it from your smartphone, laptop, etc by connecting to the isolated WIFI network but when the manufacturer stops releasing security patches two months after you bought it or that sweet NSA sleeper cell backdoor decides to activate it can’t become an attack vector into your private network.
        3 - Provide a separate, virtual guest WiFi network or wired connection that allows internet access but no access to the rest of your network.
        4 - Optionally whitelist and restrict all outbound traffic per VLAN/network.

        Comments and what folks utilize VLANs for.
        • Give guests wireless internet access, without access to your network
        • iSCSI traffic over a different VLAN, because why not?
        • Different home-lab networks

        • Home Network
        • Guest Network
        • Lab Environment [I have Frontend and Backend zones, so this is 2 separate VLANs. This changes as I require it to]
        • Storage
        • Server Build zone [I have a VM that deploys OS over Boot from Network]

        • I think I have 6 running.

        10 - Server-related stuff. ESXi Host, 2x QNAP NAS
        11 - Server VMs
        20 - User devices (phones, tablets, PCs, roku, etc)
        200 - Voice
        254 - Gateways
        900 - Internet
        • I primarily use them for an easy way to limit access to subnets, for example I might not want anyone else in the house accessing my management network.
        • I also use them as a way to prioritize WAN traffic. Something coming from/to the servers subnet would have priority over the rest of the network.

        • Off the top of my head I have the following:

        -PXE
        -Workstations
        -Servers
        -Management
        -General traffic (eg TVs)
        -iSCSI
        -Guest
        -VoIP
        -Testing
        -Sonos
        Last edited by Pete; January 11, 2017, 08:41 AM.
        - Pete



          #79
          Hi Pete,
          This is impressive, you are keeping me busy this weekend :-)

          I have the following switches.
          TP-Link 24-Port Gigabit Ethernet Easy Smart Switch (TL-SG1024DE)
          This is the primary switch and is connected directly to the router.

          TP-Link 8-Port Gigabit Ethernet Easy Smart Switch (TL-SG108E)
          This is located in my studio and has the Unifi access points connected to it. Of course one of these ports is connected to the primary one above.

          TP-Link 8-Port Gigabit Ethernet PoE Desktop Switch with 4-PoE Ports (TL-SG1008P)
          Not a managed switch, it is connected to the main switch and used for POE cameras.


          WD My Net Switch - 8 Port Gigabit Ethernet Network Switch - HD Media Switch
          Not a managed switch and has all the entertainment devices on it, i.e. Kodi, smart TV, Blu-ray. Connected to the main switch.

          NETGEAR ProSAFE GS108E 8-Port Gigabit Plus Switch
          Connects a few other devices.

          D-Link 5-Port 10/100 Unmanaged Desktop Switch (DES-1005E)
          Outside Cameras. Connected to the main switch.

          As you noted, I also have Vsphere and Qnap. These are connected to the main switch.

          A few questions that come to mind:
          I think it makes sense to use two access points, one from the router and Unifi. Should I use the same SSID and different channels?
          Unifi, it seems to me, uses one SSID for both 2G and 5G, while the router uses two different SSIDs. I think I know how to VLAN the router but not the Unifi. In regard to Unifi, should I use port-based VLAN? If this is the case, would I need to create a VLAN like ID 2 for the port connected to Unifi in the studio switch but no VLAN configuration in the main switch, am I correct? Then I would need to configure the router for VLAN as well, if I'm not mistaken. Should I use another subnet like 192.168.2.x?

          Thanks.



            #80
            Thank you Aldo...

            So the switches are not centrally located eh?

            Can you name the switches you mentioned above by the way you know them (location?). Same list above with names.

            I think it make sense to use two access points, one from the router and unifi.

            yes and/or even add the primary Verizon AP #1 for unfettered guest access in your home.

            Should I use the same SSID and different channels?

            That would work. Do a channel check on each device for noise and pick your channels or look for a couple of channels that you see no use in your space. Turn the wireless option "zero handoff" on each of the two AP's.

            So we are going to start with a wireless VLAN and it will be port based on your new Tomato router and you want to connect it to the Ubiquiti AP eh?

            What is the studio switch? Is the following correct?

            router ethernet port #1 ==> main (TP-Link 24 port easyswitch) ==> Studio switch (??) ===> Ubiquiti AP
            - Pete



              #81
              Thank you Aldo...

              So the switches are not centrally located eh?
              Correct Pete, this is an old house.

              Can you name the switches you mentioned above by the way you know them (location?). Same list above with names.

              Main Switch Basement connected to router - TP-Link 24-Port Gigabit Ethernet Easy Smart Switch (TL-SG1024DE)
              This is the primary switch and is connected directly to the router.

              Switch located in the studio room - TP-Link 8-Port Gigabit Ethernet Easy Smart Switch (TL-SG108E)
              This is located in my studio and has the Unifi access points connected to it. Of course one of these ports is connected to the primary one above. This weekend I will let you know which ports the Unifi and the two switches are connected with.


              I think it makes sense to use two access points, one from the router and Unifi.
              I agree; although the Unifi access point is very strong, it is hard to get a signal in the basement. The router would do just great.

              yes and/or even add the primary Verizon AP #1 for unfettered guest access in your home.
              Good idea Pete.

              Should I use the same SSID and different channels?

              That would work. Do a channel check on each device for noise and pick your channels or look for a couple of channels that you see no use in your space. Turn the wireless option "zero handoff" on each of the two AP's.

              So we are going to start with a wireless VLAN and it will be port based on your new Tomato router and you want to connect it to the Ubiquiti AP eh?
              Correct Pete.
              What is the studio switch? Is the following correct?

              router ethernet port #1 ==> main (TP-Link 24 port easyswitch) ==> Studio switch (??) ===> Ubiquiti AP
              Will need to check this weekend, will provide that info to you on Saturday morning.

              Thanks,
              Aldo



                #82
                Rewind a bit and pause Aldo; just thought that we can document some more stuff before proceeding with the VLANs. Doc update will take 10 minutes.

                I am going to make another drawing page #2 (page #3 may be only VLANs).

                Page #2 will show each switch you mentioned. I will not draw lines between the switches.

                I will name the ones I know of. Please take the drawing, draw connectivity lines between the switches and give the ones you do not have names for names (even unmanaged).

                I want to get a visual of all of your switches documented.

                Here I originally built a printing closet out of a walk-in closet and put in electrical, more lighting, phone and network. I put three network printers there, storage shelves and made it a bit of an office center with paper supplies (yes, I am mostly paperless but still use paperclips, staples et al). I put one small Gb unmanaged switch in there.
                Last edited by Pete; January 12, 2017, 10:30 AM.
                - Pete



                  #83
                  Pete,

                  What are you using for your images? They are clear and make perfect sense.

                  --Dan
                  Tasker, to a person who does Homeautomation...is like walking up to a Crack Treatment facility with a truck full of 3lb bags of crack. Then for each person that walks in and out smack them in the face with an open bag.



                    #84
                    @Dan,

                    Thank you.
                    Using Visio stencils and JPG images. Typically I have made a drawing, copied it all, then pasted it into the Polybytes imaging software program, then printed that to PDF or printed directly from Visio to a PDF.
                    - Pete



                      #85
                      Here is Picture #3
                      Last edited by Pete; January 12, 2017, 11:41 PM.
                      - Pete



                        #86
                        Originally posted by Pete:
                        Here is Picture #3
                        Pete, perfect representation of my network, man you are good! I will send you the port numbers soon. I'm looking forward to an with it this weekend.
                        Aldo



                          #87
                          Thank you Aldo.

                          Please name the above switches. Give them a location name if you want.

                          How many Unifi AP's are you using?

                          Can you see the UniFi wireless network every place in the house?

                          How many devices or what devices are you going to. We can put unmanaged switches in the list just to inventory it.



                          1 - use static IP addressing - let us document these
                          2 - use DHCP
                          3 - use assigned IP's via DHCP
                          4 - static devices using wireless

                          Going to post a MS spreadsheet template which will help us with the VLAN configuration stuff.

                          The top of the spreadsheet will include:
                          - name
                          - description including OS (Linux, Win, iOS or Android)
                          - IP, subnet, gw
                          - static or DHCP (or static IP using DHCP)
                          - VLAN

                          I have attached a quickie snapshot using Linux office spreadsheet.

                          If you have an RPi around, use nmap on your current subnet to get IPs and MAC addresses. Thinking that nmap might already be installed on the RPi2.

                          1 - apt-get install nmap
                          2 - example of use: sudo nmap -sn 192.168.1.0/24

                          Here is what nmap shows for my KVM

                          Nmap scan report for 192.168.244.XXX
                          Host is up (-0.100s latency).
                          MAC Address: 00:0D:5D:03:B8:XX (Raritan Computer)
                          Last edited by Pete; January 13, 2017, 01:43 PM.
                          - Pete

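An added example (not code from this thread) that turns `nmap -sn` reports like the one above into rows for the inventory spreadsheet Pete describes (name, description/OS, IP, MAC, static or DHCP, VLAN). The scan output it parses is constructed; hosts that answer without a MAC are flagged for manual entry, since nmap only reports MACs for neighbours on the scanner's own Ethernet segment (and only when run as root), which matters once the network is split into VLANs.

```python
"""Turn `nmap -sn` host-discovery output into rows for the inventory spreadsheet.
Constructed example, not code from the thread. Columns nmap cannot know (OS,
static-or-DHCP, VLAN) are left blank to fill in by hand."""
import csv
import io
import re

# Constructed sample of `sudo nmap -sn 192.168.1.0/24` output (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-13 13:00 EST
Nmap scan report for router.lan (192.168.1.1)
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:55 (Example Vendor)
Nmap scan report for 192.168.1.20
Host is up (0.0031s latency).
MAC Address: AA:BB:CC:DD:EE:01 (Example NAS Maker)
Nmap scan report for 192.168.1.77
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds
"""

REPORT_PREFIX = "Nmap scan report for "
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
                    r"(?: \((?P<vendor>[^)]*)\))?$")
COLUMNS = ["name", "description_os", "ip", "mac", "vendor", "static_or_dhcp", "vlan"]

def parse_nmap_sn(text):
    """One dict per 'Nmap scan report' block: name, ip, mac, vendor, up."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(REPORT_PREFIX):
            target = line[len(REPORT_PREFIX):]
            # nmap prints "hostname (ip)" when reverse DNS resolves, else just "ip".
            if target.endswith(")") and " (" in target:
                name, ip = target[:-1].rsplit(" (", 1)
            else:
                name, ip = "", target
            current = {"name": name, "ip": ip, "mac": "", "vendor": "", "up": False}
            hosts.append(current)
        elif current is not None and line.startswith("Host is up"):
            current["up"] = True
        elif current is not None and (m := MAC_RE.match(line)):
            current["mac"] = m.group("mac").upper()
            current["vendor"] = m.group("vendor") or ""
    return hosts

def hosts_missing_mac(hosts):
    """IPs that are up but show no MAC: the scanner itself, or hosts beyond its
    Ethernet segment (nmap reports MACs only for same-L2 neighbours, as root)."""
    return [h["ip"] for h in hosts if h["up"] and not h["mac"]]

def to_inventory_csv(hosts):
    """Render hosts as CSV in the spreadsheet's column order."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for h in hosts:
        writer.writerow([h["name"], "", h["ip"], h["mac"], h["vendor"], "", ""])
    return buf.getvalue()

if __name__ == "__main__":
    found = parse_nmap_sn(SAMPLE_NMAP_OUTPUT)
    print(to_inventory_csv(found), "fill in MAC by hand for:", hosts_missing_mac(found))
```

Pipe a real scan in with `sudo nmap -sn 192.168.1.0/24 > scan.txt` and pass the file contents to `parse_nmap_sn`; the CSV opens directly in Excel or LibreOffice.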


                            #88
                            Pete, while I was trying to provide you with the info below, I ran into some fun. I did not realize that the firewall in Tomato was set by default to respond to ICMP ping. So I could not ping my own entire network :-( I lost half a day troubleshooting. I love this field of networking :-) I need to set the DNS yet; it should come next, and then inventory the network.



                              #89
                              @Aldo,

                              Use Microsoft Excel. I just experimented here as I never used the Linux version of the spreadsheet program. Keep it and don't post the MAC addresses on the forum. We will use it to organize your networks. For the Tomato router the MAC addressing is also on the status page of the interfaces. I did customize MAC addressing here for my Homeseer touchscreens running Wintel embedded and managed by Jon00's application, i.e. names, MAC addresses and IPs are all in order here. When you do assigned DHCP for devices you will need to know the MAC addresses. Here I do that with my HDHomerun devices. Here too I lump my hardware devices into groups of static IP addressing and names, i.e. I have four NAS boxes and they are in a range of 10 IPs set up for just NAS boxes. Routers and switches are on the low end of the IP range (I have three of the managed TP-Link 24 port Gb switches, the same ones you have). I keep a narrow DHCP scope and keep laptops and desktops on the high end of the subnet. Printers are in another group. I used to keep a few Wintel server boxes running; lately it has been more Linux, and these days I am using the last bits of Wintel servers running on virtual boxes (on Linux servers).

                              Baby steps Aldo...you are getting there...
                              - Pete



                                #90
                                Originally posted by Pete:
                                Here's what I have. Let me know what you did different.
                                1.
                                Dynamic DNS/Dynamic DNS1 configuration for OpenDNS
                                OpenDNS
                                OpenDNS: username
                                OpenDNS: password

                                Basic
                                ->Network
                                --> Static DNS
                                208.67.222.222
                                208.67.220.220

                                2.
                                Advanced
                                ->DHCP / DNS

                                Use Internal Caching DNS Forwarder: yes
                                Use Received DNS With Static DNS: yes
                                Intercept DNS Port (UDP 53): yes
                                Use Internal Caching DNS Forwarder:
                                Dnsmasq Custom Configuration:

                                Enter the following options into the text box:
                                Code:

                                cache-size=2048
                                log-async=5
                                #strict-order

                                cache-size: 250
                                log-async: Enable
                                extra: (commented out with a #)
                                strict-order: yes

                                Pete, I'm confused on what to put here. It looks like the same statements for both; which one should I use? I also still have the issue getting to my domain from within the network: I get "www.mydomain.com refused to connect". I will send a few screen prints; I think it has to do with the firewall and the way it is set up. I will post them shortly.
