Gateway with multiple VLAN IPs on one NIC
I would like to separate several hosts from the local network and put them behind a firewall. I would like to use VLANs to "physically" separate them instead of using just different subnets. My idea is to use a switch that supports VLANs, and build up the network like this:
P1 and P2, P3 and P4 are four different hosts that belong to two separate, "physical" networks (VLAN 1 and 2). They should be protected by firewall/gateway on P5.
P5 should act as firewall/gateway that controls the data between the separated hosts and the existing network. It only has one NIC that needs to connect to the existing network (no VLAN) and the two VLANs.
P6 is the uplink to the existing network.
My questions now are:
- Can this idea work as expected (given a correct configuration) - i.e., that the host on P5 can have multiple IPs/be part of multiple networks with just a single NIC, that it acts as gateway/firewall between the separated hosts and the existing network, and whether there are any pitfalls/flaws I didn't consider that might allow data flow between networks bypassing the firewall?
- I guess the switch needs to be able to support tagged VLAN (instead of just port-based VLAN) because of P5?
Yes and yes.
This is the setup I have at home. P5 is connected to a small form factor PC running Linux and doing the routing, firewalling and serving as DHCP and DNS server.
Yes, that'll work. Make sure that you create a VLAN for the 192.168.10.0/24 subnet as well - on a VLAN-capable switch everything's a VLAN.
On the P5 trunk you need to either tag all VLANs or keep a single VLAN untagged. Do match the switch's config on your firewall, either with VLANs and SVIs or "routed" L3 (sub)interfaces.
As @NiKiZe has noted, VLAN 1 has a special meaning on some switches (esp. as the management VLAN), so make sure you know about that before using it productively.
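As an added worked example (not code from the question or any of the answers), here is what the "routed L3 (sub)interfaces" variant looks like on a Linux box at P5. It assumes the trunk NIC is `eth0`, that the existing network 192.168.10.0/24 is the untagged VLAN on the trunk, and that the two protected segments are tagged VLAN 10 and VLAN 20 with subnets 192.168.20.0/24 and 192.168.30.0/24; all of those names and addresses are assumptions. The script only prints the `ip` commands and the nftables ruleset unless invoked with `apply`, and it includes a check that no forward rule accepts traffic directly between the two protected VLANs.

```shell
#!/bin/sh
# Router-on-a-stick with one NIC: 802.1Q sub-interfaces plus an nftables
# forward policy. Added example; interface names, VLAN IDs and addresses
# are assumptions, not taken from the original post.

TRUNK=eth0
UPLINK_CIDR=192.168.10.2/24      # existing network, untagged on the trunk
UPLINK_GW=192.168.10.1
VLAN10_ID=10; VLAN10_CIDR=192.168.20.1/24   # P1/P2
VLAN20_ID=20; VLAN20_CIDR=192.168.30.1/24   # P3/P4

# Print the ip(8) commands that create the VLAN sub-interfaces on the single
# NIC and enable routing between them and the untagged uplink.
vlan_commands() {
    cat <<EOF
ip link set dev $TRUNK up
ip addr add $UPLINK_CIDR dev $TRUNK
ip route add default via $UPLINK_GW
ip link add link $TRUNK name $TRUNK.$VLAN10_ID type vlan id $VLAN10_ID
ip link add link $TRUNK name $TRUNK.$VLAN20_ID type vlan id $VLAN20_ID
ip addr add $VLAN10_CIDR dev $TRUNK.$VLAN10_ID
ip addr add $VLAN20_CIDR dev $TRUNK.$VLAN20_ID
ip link set dev $TRUNK.$VLAN10_ID up
ip link set dev $TRUNK.$VLAN20_ID up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Print the nftables ruleset. Once ip_forward=1 the kernel will happily route
# eth0.10 <-> eth0.20, so the forward chain's default drop is what actually
# separates the segments: only VLAN -> uplink may open new flows, replies
# return via conntrack, and the cross-VLAN drops are spelled out for clarity.
nft_ruleset() {
    cat <<EOF
table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # protected hosts may initiate traffic toward the existing network
        iifname "$TRUNK.$VLAN10_ID" oifname "$TRUNK" accept
        iifname "$TRUNK.$VLAN20_ID" oifname "$TRUNK" accept
        # explicit: no inter-VLAN forwarding, nothing new from the uplink
        iifname "$TRUNK.$VLAN10_ID" oifname "$TRUNK.$VLAN20_ID" drop
        iifname "$TRUNK.$VLAN20_ID" oifname "$TRUNK.$VLAN10_ID" drop
        iifname "$TRUNK" oifname "$TRUNK.$VLAN10_ID" drop
        iifname "$TRUNK" oifname "$TRUNK.$VLAN20_ID" drop
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # needed only if the existing router has no static routes for the
        # VLAN subnets pointing at $UPLINK_CIDR
        oifname "$TRUNK" ip saddr { 192.168.20.0/24, 192.168.30.0/24 } masquerade
    }
}
EOF
}

# Sanity check: count forward rules that accept traffic from one protected
# VLAN sub-interface directly to the other. Expected result is 0.
cross_vlan_accepts() {
    nft_ruleset \
      | grep -E "iifname \"$TRUNK\.($VLAN10_ID|$VLAN20_ID)\" oifname \"$TRUNK\.($VLAN10_ID|$VLAN20_ID)\" accept" \
      | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) vlan_commands | sh -e && nft_ruleset | nft -f - ;;
    show)  vlan_commands; echo; nft_ruleset ;;
esac
```

Run it as `sh vlans.sh show` to review, or `sh vlans.sh apply` as root on the gateway. The switch side has to match: the P5 port is a trunk carrying VLAN 10 and 20 tagged and the existing network untagged, while P1..P4 are access ports in their VLAN only. Since everything crosses the one NIC, the forward chain's `policy drop` is the part that enforces the separation the question asks about; without it, enabling `ip_forward` would let the gateway route between the two VLANs.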