WLAN / Bridge / Vlan filtering / ARP issue

After having made some tests, I think I found what my issue is. It seems to be a purely technical network problem rather than a configuration problem.

TL;DR:
Two VLANs may share the same network subnet; that's fine.
But in order to have two VLANs communicating with each other, they must be on two different subnets.

The only way to "bypass" this is to plug the two VLAN interfaces as bridge ports into a bridge without VLAN filtering. It works, as the bridge doesn't know about VLANs, so for it it's like a "normal" network.
And this trick must be applied on each router involved along the communication path.
But I'm not sure it's the best configuration we can have; if doable, it's probably better to have different subnets.

Explanation
From what I have read on the internet, it seems that a router can't manage communication between two VLANs within the same subnet (from what I found, in that configuration a router is not able to know where to send packets).
Source: https://community.spiceworks.com/topic/1116440-do-vlans-require-different-subnets (more globally, search for "2 vlan on same subnet" on Google):

No, your second example is fine, just don't ever expect 192.168.40.0/24 on LAN 10 to talk to a different 192.168.40.0/24 on VLAN 20 as a router won't know which one you are talking about, to a layer 3 router they are the same network

It works with my current setup only because only one router is involved and all my VLANs are plugged into bridges without VLAN filtering.
In my new setup there are two routers involved, the ROOT router and the WAP router, and it doesn't work because the WAP router has a bridge with VLAN filtering enabled.

All of this explains why, with the configuration posted above:

  • Wireless hosts are able to ping the server => the server and the wireless hosts are on two different subnets
  • Wireless hosts are able to ping each other when they are on the same VLAN but not when they are on different VLANs

To sum up, I heard you folks but maybe I did not fully understand what you were saying (or maybe you were not understandable enough for a network noob like me; just a matter of point of view).
Anyway, it seems that even with the right configuration, what I want to achieve is not doable as is and requires some tricks.

You said for instance that I should have only one bridge with all VLANs plugged into it. So it means only one DHCP server (plugged into the bridge), so only one subnet. But I still end up with the same issue: two VLANs on the same subnet can't talk to each other.

From the documentation you pointed out, the only thing I found regarding my issue is:

Since every VLAN you create should have a different IP Addressing scheme, you’ll use something different for each VLAN

But it is actually more confusing than helpful, as it doesn't explain the reason behind that, and it doesn't say it's a strong requirement for inter-VLAN communication.

Conclusion/Current solution
So based on that, and bearing in mind that my biggest need is to have all hosts where I can't manage a firewall (phones, tablets, Apple TVs, IoT devices, NAS hosts, etc.) on a dedicated VLAN (so in any case, all the traffic will go through routers and be validated/discarded based on my needs), I just refined my network and checked where I need communication between hosts to be allowed.

  • Management group: hosts need to communicate with each other, but it's fine as they are all on the same VLAN ✓
  • Infra group: servers need to communicate with each other (DNS for instance, but also network monitoring through Zabbix, rsyslog, etc.). And some of them also need to access NAS hosts. So:
    • for servers, I will put them on the same VLAN and assign them the same subnet. Then I will manage security directly on the servers using a firewall ✓
    • for NAS hosts, each will be on a dedicated VLAN, and I will put them in a different subnet than the one for servers, so servers and NAS will be able to talk to each other. And as the NAS hosts are on the same subnet, they will not be able to communicate with each other ✓
  • Guest/Home/IoT/Camera group: hosts don't need to communicate with each other, so I can put them on different VLANs sharing the same subnet; it's OK (one subnet per group anyway to keep things separated) ✓

Then, if one day I need two hosts on different VLANs sharing the same subnet to communicate with each other, I will put one of them in a different subnet, and the problem will be solved.

From a practical perspective: I will keep bridges per group without VLAN filtering in order to have only one DHCP server per group (as in my old config). I will just rename and split "bridge infra" into "bridge infra servers" and "bridge infra NAS".
With that configuration, every host not requiring communication with others will be isolated, while every host will still be able to perform DNS queries, for instance (the DNS server is on one of the servers in the infra group).
Technically speaking, I could have only 4 subnets:

  • one for management, where I put routers and switches, all of them on the same VLAN
  • one for infra, where I put servers, all of them on the same VLAN: required in order to allow DNS queries to be sent from other subnets. If I put the servers on the management subnet, routers and switches will not be able to perform DNS queries to the server, and I will not be able to monitor the whole network with Zabbix.
  • one for NAS hosts, each of them on a dedicated VLAN: required in order to allow servers and other hosts to have access to them
  • one for all other hosts not requiring communication with others, each of them on a dedicated VLAN

But it's actually easier to separate the Guest/Home/IoT/camera groups into a different subnet. You just need to check the assigned IP directly on the device to know if it is in the right group.
Also, having different subnets will block broadcasts to unnecessary hosts (without requiring dedicated filters).

Again, thanks for your reading/help; it made my networking knowledge better than before.
Feel free to point out the bad things I said/understood, if any.

N.B.: If you, as network experts, agree that in order to have two VLANs communicating with each other they must be on different subnets, I will probably post a comment on that topic asking for small updates: one to better explain that requirement, and another asking to post configurations as text and not as attachments, so that people who are not logged in can see them anyway (which was my case until recently).
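To make the "router doesn't know where to send packets" point concrete, here is a small routing-table model added as an example; it is not code from the post, from the forum thread, or from RouterOS. It implements a plain longest-prefix match over connected routes and reports when a destination address matches more than one interface at the same prefix length, which is exactly the situation of two VLANs carrying the same 192.168.40.0/24. The interface names vlan10/vlan20, the 192.168.41.0/24 second subnet and the route lists are constructed for the example.

```python
"""Toy longest-prefix-match lookup showing why a router cannot pick an egress
interface when two VLANs share one subnet, and how distinct subnets fix it.
Added example with constructed routes; interface names are assumptions."""
import ipaddress


def build_table(routes):
    """routes: list of (prefix, interface) connected routes -> list of (network, iface)."""
    return [(ipaddress.ip_network(prefix, strict=False), iface) for prefix, iface in routes]


def lookup(table, dst):
    """Longest-prefix match. Returns every interface that matches at the best
    (longest) prefix length. More than one entry means the router has no way to
    tell which VLAN the destination host actually lives in."""
    addr = ipaddress.ip_address(dst)
    best_len = -1
    candidates = []
    for net, iface in table:
        if addr in net:
            if net.prefixlen > best_len:
                best_len = net.prefixlen
                candidates = [iface]
            elif net.prefixlen == best_len:
                candidates.append(iface)
    return candidates


def can_route_between(table, src_iface, dst):
    """True only when the destination resolves to exactly one interface and that
    interface differs from the one the packet arrived on (i.e. real inter-VLAN
    routing is possible for this destination)."""
    egress = lookup(table, dst)
    return len(egress) == 1 and egress[0] != src_iface


def find_overlaps(table):
    """Design check: list interface pairs whose connected prefixes overlap.
    Any pair reported here cannot be routed between without tricks."""
    overlaps = []
    for i, (net1, if1) in enumerate(table):
        for net2, if2 in table[i + 1:]:
            if if1 != if2 and net1.overlaps(net2):
                overlaps.append((if1, if2))
    return overlaps


# Constructed layout 1: the problematic case from the post, two VLANs both
# carrying 192.168.40.0/24 (interface names are assumptions).
SAME_SUBNET = build_table([
    ("192.168.40.0/24", "vlan10"),
    ("192.168.40.0/24", "vlan20"),
])

# Constructed layout 2: the same two VLANs, each with its own subnet.
DISTINCT_SUBNETS = build_table([
    ("192.168.40.0/24", "vlan10"),
    ("192.168.41.0/24", "vlan20"),
])


if __name__ == "__main__":
    print("same subnet, lookup:", lookup(SAME_SUBNET, "192.168.40.50"))
    print("same subnet, routable from vlan10:",
          can_route_between(SAME_SUBNET, "vlan10", "192.168.40.50"))
    print("distinct subnets, lookup:", lookup(DISTINCT_SUBNETS, "192.168.41.50"))
    print("distinct subnets, routable from vlan10:",
          can_route_between(DISTINCT_SUBNETS, "vlan10", "192.168.41.50"))
    print("overlapping interface pairs:", find_overlaps(SAME_SUBNET))
```

The model covers only the layer 3 decision. The bridge-without-VLAN-filtering workaround from the TL;DR sidesteps it entirely because the bridge forwards on MAC addresses and never consults a routing table; `find_overlaps` is the check to run on a planned addressing scheme before expecting a router to carry traffic between two VLANs.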