Pursuant to advice in my thread about outbound remote access, I am going to redo the setup for an hEX-S and associated networking hardware (2x wAP-AC and a Netgear switch). The previous setup uses multiple bridges and no VLANs and is apparently not a "best practices" approach.
To better solicit advice I have prepared a network map (attached at the bottom of this post).
I also have a few immediate questions for starters:
- Does it make more sense to jettison the previous setup (not super complex: a couple CAPsMAN setups, 10 NAT firewall rules or so and dynamic DNS) and start anew?
- If so (i.e. System / Reset_Configuration) will I lose the SSLs I established to access webfig via https? [ Not a "problem" but I would like to know upfront so there are no surprises! ]
- I am brand new to VLANs. Are these always numbered? I like how MikroTik allows custom naming of so much; mnemonics are good! Reading a bit so far about VLANs (including with my new switch), however, it seems that VLANs are always numbered . . .
- Now that I am redoing everything, is there a good way to use a dynamic DNS service OTHER than the one MikroTik provides (while quite simple to implement, I am not a fan of using their service with their hardware)? Basically, I would like to use my existing 3rd party dynamic DNS account; this will help me consolidate my services . . .
- What special VLAN "magic" will I need to invoke so that "security" devices (i.e. 192.168.2.x) and "entertainment" devices (192.168.4.x) can communicate with 192.168.1.x (various locations for media content and storage for security cameras)?
- Finally, from the attached network map, can anyone see any obvious places I am not thinking things through in an optimal way? As I said, VLANs are new to me; usually I would have everything (except the guest network) in such a small network in a single IP range like 192.168.1.x. I actually really like the idea of further segmenting (according to type of use, for example) and can foresee huge potential benefits.
Thanks to anyone for input!