WLAN / Bridge / Vlan filtering / ARP issue

Hello folks,

I have been trying to set up my new home network for a few weeks now and I am struggling to ping one WLAN host from another WLAN host.

Current setup

  • ROOT router : Mikrotik HEX lite / RouterOS 6.44.5
      • DHCP Server
      • Bridge home
      • Bridge infra
      • Bridge management
      • HOST C connected on ether3
  • WAP router : Mikrotik WAP AC / RouterOS 6.45.4
      • HOST A connected to WifiTest with VLAN 50
      • HOST B connected to WifiTest with VLAN 51
  • SWITCH : Cisco SG350-20
      • Trunk ports are configured to allow vlans 50, 51 and 20 to go from/to WAP router and ROOT router
  • SERVER : Raspberry with debian
      • FreeRadius
  • WAP router and ROOT router are connected through SWITCH
  • Each host has its own vlan (wired and wireless devices)

What I try to achieve
I want to be able to ping a wireless host from another wireless host. More globally, I want to be able to allow/discard communication between wireless hosts and, if possible, manage that on the ROOT router (in order to have the same rules regardless of whether a device is wired or not).

What is working fine

  • Radius authentication and vlan assignment ✓
  • DHCP assignment ✓

What I already tried and works as expected

  • Ping from wireless host on VLAN 51 to wired host connected to bridge-home (through ether3 on ROOT router) ✓
  • Ping from wireless host on VLAN 50 to wireless host on VLAN 50 ✓

Stuff which could help
With my "normal/expected" conf (each wireless host on a dedicated vlan):

  • When I ping HOST B from HOST A, WireShark on HOST A shows ARP requests for the HOST B mapping, but no ARP response (the "arp -a" command on HOST B shows "(incomplete)" for the host B entry)
  • When I ping HOST A from HOST B, WireShark on HOST A shows ARP requests for the HOST A mapping as well as the ARP response
  • If I connect HOST B to wifi and then HOST A, HOST A is unable to resolve HOST B's MAC address through ARP (the "arp -a" command on HOST B shows "(incomplete)" for the host B entry)
  • BUT, if I connect HOST A to wifi and then HOST B, WireShark on HOST A shows an ARP Announcement for HOST B (so HOST A becomes aware of HOST B's MAC address)

Based on that, I guess I have something wrong with my ARP (or more globally Layer 2) config, but I don't get what exactly. It seems to be something around vlans, since if the wireless hosts are on the same vlan, they can ping each other.

Current config

  • WAP router
# jan/03/1970 06:13:36 by RouterOS 6.45.4
# software id = BIFJ-D5SH
#
# model = RBwAPG-5HacT2HnD
# serial number = BED60B961427
/interface bridge
add comment=defconf disabled=yes name=bridge
add admin-mac=C4:AD:34:39:33:7B auto-mac=no name=bridge-test-1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=outdoor mode=ap-bridge name=wlan-B_G_N ssid=MikroTik wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan-management-ether1 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-eap management-protection=allowed mode=dynamic-keys name=profile1 radius-eap-accounting=yes supplicant-identity=WapIdent tls-mode=verify-certificate
/interface wireless
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge multicast-helper=full name=wlan-A_N_AC security-profile=profile1 ssid=WifiTest \
    vlan-mode=use-tag wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/routing bgp instance
set default as=101
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=wlan-B_G_N
add bridge=bridge-test-1 interface=wlan-A_N_AC
add bridge=bridge-test-1 hw=no interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge-test-1 tagged=ether1,wlan-A_N_AC,bridge-test-1 vlan-ids=50
add bridge=bridge-test-1 tagged=wlan-A_N_AC,ether1,bridge-test-1 vlan-ids=51
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=wlan-A_N_AC list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
add dhcp-options=hostname,clientid disabled=no interface=vlan-management-ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Accept from vlan-management" in-interface=vlan-management-ether1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN log=yes log-prefix=IN_DROP
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/radius
add address=10.30.0.50 service=wireless src-address=10.20.0.251
/routing filter
add action=accept chain=BGP-from-rootRouter prefix=10.50.0.0/24 set-distance=1 set-in-nexthop-direct=*6
add action=accept chain=BGP-from-rootRouter distance=1 prefix=10.30.0.0/24 set-distance=1 set-in-nexthop-direct=bridge
/system logging
add disabled=yes prefix=DHCP topics=dhcp
add disabled=yes prefix=RADIUS topics=radius
add prefix=WIRELESS topics=wireless
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN



  • ROOT router
# jan/03/1970 12:55:42 by RouterOS 6.44.5
# software id = 6XA4-2QFY
#
# model = RB750r2
# serial number = AA840B20DD35
/interface ethernet
set [ find default-name=ether1 ] name=ether1-slave-LAN
set [ find default-name=ether2 ] name=ether2-slave-bridge-management
/interface bridge
add admin-mac=7E:65:D1:28:12:5B auto-mac=no comment=defconf name=bridge
add admin-mac=FA:CB:4D:78:52:CE auto-mac=no name=bridge-home
add admin-mac=EE:BB:AD:D3:33:B5 arp=reply-only auto-mac=no name=bridge-infra
add admin-mac=C4:AD:34:B8:9D:28 arp=reply-only auto-mac=no name=bridge-management
/interface vlan
add interface=ether1-slave-LAN name=vlan-home-1-ether1 vlan-id=51
add interface=ether3 name=vlan-home-1-ether3 vlan-id=51
add interface=ether1-slave-LAN name=vlan-home-general-ether1 vlan-id=50
add interface=ether5 name=vlan-infra-router-security vlan-id=30
add interface=ether1-slave-LAN name=vlan-management-ether1 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=management-interface-list
add comment="Add all interfaces which requires to call this router for DNS" name=dns-client-interface-list
add name=bridge-interface-ist
/ip dhcp-server option
add code=43 name=microsoft-disable-netbios-option value=0x010400000002
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=black-hole ranges=172.16.0.1-172.16.100.250
add name=_Infra next-pool=black-hole ranges=10.30.0.10
add name=Home next-pool=black-hole ranges=10.50.0.10-10.50.0.20
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add add-arp=yes address-pool=_Infra disabled=no interface=bridge-infra name=Infra
add add-arp=yes address-pool=Home disabled=no interface=bridge-home name=Home
/ip pool
add name=Management next-pool=black-hole ranges=10.20.0.10
/ip dhcp-server
add add-arp=yes address-pool=Management disabled=no interface=bridge-management name=Management
/routing bgp instance
set default as=100 redistribute-connected=yes
/interface bridge filter
add action=accept chain=forward comment="[FORWARD][*] - * - {bridge-management}->{bridge-management} - Allow management to management traffic" in-bridge=bridge-management out-bridge=bridge-management
add action=accept chain=forward comment="HOME - ARP" in-bridge=bridge-home mac-protocol=arp out-bridge=bridge-home
add action=accept chain=forward comment="HOME - RARP" in-bridge=bridge-home mac-protocol=rarp out-bridge=bridge-home
add action=drop chain=forward disabled=yes in-bridge=bridge-home log=yes log-prefix=DROP_INTER_PORT out-bridge=bridge-home
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether3
add bridge=bridge-infra hw=no interface=ether4
add bridge=bridge-infra interface=vlan-infra-router-security
add bridge=bridge-management interface=vlan-management-ether1
add bridge=bridge-management interface=ether2-slave-bridge-management
add bridge=bridge-infra hw=no interface=ether5
add bridge=bridge-home interface=vlan-home-1-ether1
add bridge=bridge-home interface=vlan-home-general-ether1
add bridge=bridge-home interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add disabled=yes ports=ether3,switch1-cpu switch=switch1 vlan-id=51
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1-slave-LAN list=LAN
add interface=ether2-slave-bridge-management list=management-interface-list
add interface=vlan-management-ether1 list=management-interface-list
add interface=bridge-management list=dns-client-interface-list
add interface=bridge-infra list=dns-client-interface-list
add interface=bridge list=dns-client-interface-list
add interface=bridge-infra list=bridge-interface-ist
add interface=bridge-management list=bridge-interface-ist
add interface=bridge list=bridge-interface-ist
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.20.0.254/24 interface=bridge-management network=10.20.0.0
add address=10.30.0.254/24 interface=bridge-infra network=10.30.0.0
add address=10.50.0.254/24 interface=bridge-home network=10.50.0.0
add address=10.60.0.254/24 network=10.60.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1-slave-LAN
/ip dhcp-server lease
add address=10.20.0.200 client-id=1:d0:ec:35:1d:73:58 comment="Management - MainSwitch" mac-address=XX:XX:XX:XX:XX:XX server=Management
add address=10.20.0.51 client-id=1:78:7b:8a:d3:9a:c6 comment="Management - EtherAdapter1" mac-address=XX:XX:XX:XX:XX:XX server=Management
add address=10.20.0.50 client-id=1:c:4d:e9:c7:e8:20 comment="Management - EtherAdapter2" mac-address=XX:XX:XX:XX:XX:XX server=Management
add address=10.20.0.252 client-id=1:c4:ad:34:f3:c:d9 comment="Management - InternalRouter" mac-address=XX:XX:XX:XX:XX:XX server=Management
add address=10.20.0.253 client-id=1:62:fc:c5:b0:a0:8e comment="Management - EdgeRouter" mac-address=XX:XX:XX:XX:XX:XX server=Management
add address=10.30.0.50 client-id=ff:44:cb:3c:df:0:2:0:0:ab:11:40:f5:fa:4c:ca:3c:c6:df comment="Infra - SecurityServer" mac-address=XX:XX:XX:XX:XX:XX server=Infra
add address=10.20.0.251 client-id=1:c4:ad:34:39:33:7a comment="Management - WapRouter" mac-address=XX:XX:XX:XX:XX:XX server=Management
add address=10.50.0.14 client-id=1:f0:18:98:39:98:62 mac-address=XX:XX:XX:XX:XX:XX server=Home
add address=10.50.0.16 client-id=1:34:a8:eb:92:c0:73 mac-address=XX:XX:XX:XX:XX:XX server=Home
/ip dhcp-server network
add address=10.20.0.0/24 dhcp-option=microsoft-disable-netbios-option dns-server=10.20.0.254 domain=management.local.domain.fr gateway=10.20.0.254 ntp-server=10.20.0.254
add address=10.30.0.0/24 dhcp-option=microsoft-disable-netbios-option dns-server=10.30.0.254 domain=infra.local.domain.fr gateway=10.30.0.254
add address=10.50.0.0/24 dhcp-option=microsoft-disable-netbios-option dns-server=10.50.0.254 domain=home.local.domain.fr gateway=10.50.0.254 ntp-server=10.50.0.254
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="[INPUT][TCP] - HTTP(S)/SSH - {management-interface-list}->{* : 443,22,80}" dst-port=443,22,80 in-interface-list=management-interface-list protocol=tcp
add action=accept chain=input comment="[INPUT][TCP] - HTTP(S)/SSH - {bridge-management}->{* : 443,22,80}" dst-port=443,22,80 in-interface=bridge-management protocol=tcp
add action=accept chain=input comment="[INPUT][UDP] - DNS - {dns-client-interface-list}->{* : 53}" dst-port=53 in-interface-list=dns-client-interface-list protocol=udp
add action=accept chain=input comment="[INPUT][UDP] - DHCP - {bridge-interface-list(* : 68)}->{255.255.255.255 : 67}" dst-address=255.255.255.255 dst-port=67 in-interface-list=bridge-interface-ist protocol=udp src-port=68
add action=accept chain=input comment="[INPUT][UDP] - NETBIOS - {bridge-interface-list(*)}->{* : 137,138,139} Netbios from bridges" dst-port=137,138,139 in-interface-list=bridge-interface-ist protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN log=yes log-prefix=IN_DROP
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="[FORWARD][*] - * - {bridge-management}->{bridge-management} - Allow management to management traffic" in-interface=bridge-management out-interface=bridge-management
add action=accept chain=forward comment="[FORWARD][*] - * - {bridge-management}->{bridge-infra} - Allow management to infra traffic" in-interface=bridge-management log=yes log-prefix=TEST out-interface=bridge-infra
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN log=yes log-prefix=FW_DROP_WAN
add action=passthrough chain=forward log=yes log-prefix=TO_CHECK
add action=passthrough chain=input disabled=yes log=yes log-prefix=INPUT
add action=passthrough chain=output disabled=yes log=yes log-prefix=OUT
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/routing filter
add action=accept chain=BGP-to-wapRouter prefix=10.50.0.0/24
add action=accept chain=BGP-to-wapRouter prefix=10.30.0.0/24
add action=discard chain=BGP-to-wapRouter
/system identity
set name=RootRouter
/system leds
add interface=bridge-management leds=user-led type=interface-activity
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

N.B.: For security purposes, MAC addresses have been obfuscated, and vlan IDs and IPs have been slightly changed.
N.B.2: You can find some remaining BGP configuration added for another test I made before, but the peers have been removed so it should not have any impact.
Don't hesitate to ask for additional information if needed.

Thanks in advance for your reading/help

Some additional infos:

  • HOST A and B are able to ping
      • the gateway (10.50.0.254)
      • the server (10.30.0.50)
      • other gateways as well (10.30.0.254 and 10.20.0.254)
  • On HOST A, I added a static ARP entry for HOST B, disconnected HOST A from wifi and re-connected it (at this point I assumed that HOST B received the ARP announcement of HOST A, so both devices are aware of the MAC addresses).
    But ping is still not working:
      • from HOST A to HOST B: WireShark on HOST A shows the ICMP request with "no response found!"
      • from HOST B to HOST A: WireShark on HOST A shows some ICMP "Destination unreachable (Network Unreachable)" (but not sure it's directly linked)
  • I updated both WAP and ROOT routers to the latest LTS version (v 6.46.7), after having disabled Hardware offloading on the ether2-slave-bridge-management port on the ROOT router (else the management PC does not get an IP) and set country=france for wlan-A_N_AC (else wifi was not detected by devices); I still have the issue (even when adding a static arp entry on host A)

The issue seems really restricted to pings between devices connected to wifi only.
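As an added example (not from the original post and not MikroTik's own tooling), here is a small Python audit that parses the "/interface bridge port", "/interface bridge vlan" and "/interface vlan" sections of a RouterOS export, prints each VLAN-filtering bridge's per-VLAN port membership (including the dynamic untagged entry RouterOS derives from each port's pvid), and flags two things worth reviewing: a VLAN interface created on a bridge slave port rather than on the bridge, and a VLAN on which the bridge itself is not tagged. The sample input is a constructed excerpt modelled on the WAP router export above with one extra "vlan60" line added to trigger the second check; the checks are general bridge-VLAN-filtering hygiene and are not a diagnosis of this thread's problem.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the WAP router export in the post (not a device dump);
# the "vlan60" interface on the bridge is added so that the second check fires.
SAMPLE_EXPORT = """\
/interface bridge
add comment=defconf disabled=yes name=bridge
add auto-mac=no name=bridge-test-1 vlan-filtering=yes
/interface vlan
add interface=ether1 name=vlan-management-ether1 vlan-id=200
add interface=bridge-test-1 name=vlan60 vlan-id=60
/interface bridge port
add bridge=bridge-test-1 interface=wlan-A_N_AC
add bridge=bridge-test-1 hw=no interface=ether1
/interface bridge vlan
add bridge=bridge-test-1 tagged=ether1,wlan-A_N_AC,bridge-test-1 vlan-ids=50
add bridge=bridge-test-1 tagged=wlan-A_N_AC,ether1,bridge-test-1 vlan-ids=51
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')   # key=value or key="value with spaces"

def parse_export(text):
    """Map each '/section' of a RouterOS export to its 'add' lines as key/value dicts."""
    sections, current = defaultdict(list), None
    for line in text.replace("\\\n", " ").splitlines():   # fold backslash continuations
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections[current].append({k: v.strip('"') for k, v in KV.findall(line)})
    return sections

def vlan_ids(spec):
    """Expand a vlan-ids value such as '50,60-62' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(text):
    """Per-VLAN port membership of every vlan-filtering bridge, plus a list of findings."""
    s = parse_export(text)
    filtering = {b["name"] for b in s["/interface bridge"]
                 if b.get("vlan-filtering") == "yes" and b.get("disabled") != "yes"}
    ports = {p["interface"]: p for p in s["/interface bridge port"] if p.get("bridge") in filtering}
    member = {b: defaultdict(lambda: {"tagged": set(), "untagged": set()}) for b in filtering}
    for e in s["/interface bridge vlan"]:
        if e.get("bridge") in filtering:
            for vid in vlan_ids(e["vlan-ids"]):
                for kind in ("tagged", "untagged"):
                    member[e["bridge"]][vid][kind].update(filter(None, e.get(kind, "").split(",")))
    # RouterOS adds a dynamic untagged entry for every port's pvid (default 1); mirror that
    for name, p in ports.items():
        member[p["bridge"]][int(p.get("pvid", "1"))]["untagged"].add(name)

    findings = []
    for v in s["/interface vlan"]:
        parent, vid = v["interface"], int(v["vlan-id"])
        if parent in ports:   # VLAN interface hung off a slave port of a filtering bridge
            findings.append(f"{v['name']}: VLAN interface sits on slave port {parent}; with "
                            f"vlan-filtering it belongs on bridge {ports[parent]['bridge']}")
        elif parent in filtering and parent not in member[parent].get(vid, {}).get("tagged", ()):
            findings.append(f"{v['name']}: no bridge vlan entry tags {parent} for vlan {vid}, "
                            f"so the router's own IP stack never sees that VLAN")
    for name, p in ports.items():   # port that carries nothing but the default pvid
        vids = {vid for vid, m in member[p["bridge"]].items() if name in m["tagged"] | m["untagged"]}
        if vids <= {1}:
            findings.append(f"{name}: member of no configured VLAN (only default pvid 1)")
    table = {b: {vid: {k: sorted(v) for k, v in m.items()} for vid, m in member[b].items()}
             for b in member}
    return table, findings

if __name__ == "__main__":
    table, findings = audit(SAMPLE_EXPORT)
    for bridge, vlans in table.items():
        for vid in sorted(vlans):
            print(f"{bridge} vlan {vid}: tagged={vlans[vid]['tagged']} untagged={vlans[vid]['untagged']}")
    print(*("CHECK: " + f for f in findings), sep="\n")
```

Run it against a full "/export" taken from the router; "set" lines are ignored, so the default-config bridge entries that use "set [ find ... ]" do not affect the result.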

First, update firmware to the latest long term version.
Then I would remove all the extra bridges and use ONLY one bridge.
I would use Vlans to separate subnets.
I would add vlans to the one single bridge.
I would assign bridge port interfaces appropriately (ingress trunk or access ports).
I would assign bridge vlans appropriately (egress rules).
All laid out on this thread (what you have seems all over the map):
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Not sure what you're attempting but I see some emphasis on black hole entries?? I would remove all of it and focus on needed functionality first and get it working.
FW rules need to be cleaned up…

Thanks for your quick reply!

Done (see previous post), but the issue is still there unfortunately.

I guess you are speaking about bridge-management, bridge-infra and bridge-home on the ROOT router; actually, they are there in order to have a dedicated DHCP server per "group" of hosts (management, infra, home, iot, guest, security cameras, etc).
Without them, I need to set up one DHCP server per vlan, which is not really convenient (especially when you have a dedicated vlan per host).
Those bridges come from my current setup where everything is managed by only one router and one switch (and it's working that way).

Not sure I get that point, it's already what I do, no? I have one vlan per host.

:smiley: yep, again, it comes from my current (getting old) setup where I tried several things, some of them are still there (and I used my current configuration as a base for the new one). I can remove that.

Yep, I can remove most of them, but all "drop" rules should be disabled and so should not have any impact.

For the rest of your post, I will take a look during the week. I have already seen the topic you mentioned; what I want to achieve in the end is probably a mix of configurations => one switch with vlan assignment provided by radius + WAP router for wireless access (with each host on a dedicated vlan provided by radius too) + EDGE router for WAN access (in the end it should totally replace my ISP router) + ROOT router for DHCP/inter-host rules/etc.

I will try to start with a fresh install on both WAP and ROOT routers, put everything on the same bridge like you said, and see later for things like multiple DHCP servers, management vlan etc.

That's what I am saying. You vlan by groups, not by bridge.
You only need one bridge, no dhcp, just bridge.
Rest is vlans.
If you need to group anything, then it makes sense from a firewall rules point of view,
and simply group the vlans as such VIA INTERFACE LIST.
(you can use vlans 2-9 for one group and 10-19 for another group if you really want to seem organized lol)

/interface list member
add interface=vlan2 list=mgntmt
add interface=vlan3 list=mgntmt
add interface=vlanNth list=mgntmt

add interface=vlan10 list=guests
add interface=vlan11 list=guests

That way you can set firewall rules appropriately and easily.

Then on top you still have ip firewall address lists that you can use
for individual IPs, or subsets of IPs that you want to include in firewall rules.
Let's say you have 5 printers on the network and they need to be accessed differently.

so
/ip firewall filter
add chain=forward action=accept in-interface-list=guests dst-address-list=guestavailableprinters
add chain=forward action=accept in-interface-list=mgntmt dst-address-list=allprinters

(no matter where this group of printers is located (any vlan), they will be reachable. Lots of flexibility.)

@yoanm: VLANs in your config are not the way VLANs should be done in post-6.42 days. Have a look at this tutorial: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

RB750r2 has a switch chip built in and if the device was switching traffic between ethernet interfaces it would benefit from configuring VLANs on the switch chip. Since your hAP lite seems to be used mostly for routing, the software configuration should be fine.

MKX… ur slippen! Plus you are fined for duplicating Linked URLs to the same article. Not very green of you wasting 1s and 0s.
As this is an informational, educational and punitive post, I will not be fined. :stuck_out_tongue_winking_eye:

Seems like @OP did not hear ya as well … so I had to repeat it, perhaps @OP will go read the article and hopefully start over again. This time properly.

After having done some tests, I think I found what my issue is. It seems to be a pure technical network problem rather than a configuration problem.

TLDR;
Two vlans may share the same network subnet, it's fine.
But in order to have two vlans communicating with each other, they must be on two different subnets.

The only way to "bypass" this is to plug the two vlan interfaces as bridge ports into a bridge without vlan filtering. It works, as the bridge doesn't know about vlans and so it's like a "normal" network for it.
And this trick must be applied on each router involved all along the communication path.
But I'm not sure it's the best configuration we can have; if doable, it's probably better to have different subnets.

Explanation
From what I have read on the internet, it seems that a router can't manage communication between two vlans within the same subnet (from what I found, in that configuration, a router is not able to know where to send packets).
Source: https://community.spiceworks.com/topic/1116440-do-vlans-require-different-subnets (more globally, search for "2 vlan on same subnet" on google):

No, your second example is fine, just don't ever expect 192.168.40.0/24 on LAN 10 to talk to a different 192.168.40.0/24 on VLAN 20 as a router won't know which one you are talking about, to a layer 3 router they are the same network

It works with my current setup only because a single router is involved and all my VLANs are plugged into bridges without VLAN filtering.
As in my new setup there are two routers involved, ROOT router and WAP router, it doesn't work because the WAP router has a bridge with VLAN filtering enabled.

All of this explains why, with the configuration posted above:

  • Wireless hosts are able to ping the server => server and wireless hosts are on two different subnets
  • Wireless hosts are able to ping each other when they are on the same vlan but not when they are on different vlans

To sum up, I heard you folks but I maybe did not fully understand what you were saying (or you were maybe not understandable enough for a network noob like me, just a matter of point of view).
Anyway, it seems that even with the right configuration, what I want to achieve is not doable as is and requires some tricks.

You said for instance that I should have only one bridge with all vlans plugged into it. So it means only one DHCP server (plugged into the bridge), so only one subnet. But I still end up with the same issue: two vlans on the same subnet can't talk to each other.

From the documentation you pointed out, the only thing I found regarding my issue is:

Since every VLAN you create should have a different IP Addressing scheme, you'll use something different for each VLAN

But it is actually more confusing than helpful, as it doesn't explain the reason behind that and it doesn't say it's a strong requirement for inter-vlan communication.

Conclusion/Current solution
So based on that, and bearing in mind that my biggest need is to have all hosts where I can't manage the firewall (phones, tablets, AppleTvs, IOT devices, NAS hosts, etc) on a dedicated VLAN (so in any case, all the traffic will go through routers and be validated/discarded based on my needs), I just refined my network and checked where I need communication between hosts to be allowed.

  • Management group: hosts need to communicate with each other, but it's fine as they are all on the same vlan ✓
  • Infra group: servers need to communicate with each other (DNS for instance, but also network monitoring through zabbix, rsyslog, etc). And some of them also need to access NAS hosts.
    So,
      • for servers I will put them into the same vlan and assign them the same subnet. Then I will manage security directly on the servers by using a firewall ✓
      • for NAS hosts, they will be on a dedicated VLAN each, and I will put them inside a different subnet than the one for servers, so servers and NAS will be able to speak together. And as NAS hosts are on the same subnet, they will not be able to communicate with each other ✓
  • Guest/Home/IOT/Camera group: hosts don't need to communicate with each other, so I can put them on different vlans sharing the same subnet, it's OK (one subnet per group anyway to keep things separated) ✓

Then, if one day I need two hosts on different VLANs sharing the same subnet to communicate with each other, I will put one of them inside a different subnet, and the problem will be solved.

From a practical perspective: I will keep bridges per group without vlan filtering in order to have only one DHCP server per group (like in my old config). I will just rename and split "bridge infra" into "bridge infra servers" and "bridge infra NAS".
With that configuration, every host not requiring communication with others will be isolated, while every host will still be able to perform DNS queries for instance (the DNS server is on one of the servers in the infra group).
Technically speaking, I could have only 4 subnets:

  • one for management where I put routers and switch, all of them on the same vlan
  • one for infra where I put servers, all of them on the same vlan: required in order to allow DNS queries to be sent from other subnets. If I put servers on the management subnet, routers and switch will not be able to perform DNS queries to the server, and I will not be able to monitor all the network with zabbix.
  • one for NAS hosts, each of them on a dedicated vlan: required in order to allow servers and other hosts to have access to them
  • one for all other hosts not requiring communication with others, each of them on a dedicated vlan

But it's actually easier to separate the Guest/Home/IOT/cameras group onto a different subnet. You just need to check the assigned IP directly on the device to know if it is in the right group.
Also, having different subnets will block broadcasts to unnecessary hosts (without requiring dedicated filters).

Again, thanks for your reading / help, it made my networking knowledge better than before.
Feel free to point out the bad things I said / understood, if any.

N.B.: If you, as network experts, agree on the fact that in order to have two vlans communicating with each other they must be on different subnets, I will probably post a comment on that topic asking for tiny updates: one to better explain that requirement and another asking to post configurations as text and not as attachments, so that people who are not logged in can see them anyway (which was my case until recently).