As my home network grows and I tinker around, I'm learning some new concepts, but some of them confuse me.
Here is my current network map:
I want to set up VLANs for:
- Segregating bandwidth usage
- Security
- Ease of firewall usage in pfSense through specifying a VLAN range instead of individual IPs
My router/modem is a Netgear combo and is currently the DHCP server for the network. Wired to port 1 on that combo box is the pfSense firewall, and that goes into the input port on a Netgear JGS516PE managed switch, which has another Netgear 16-port switch trunked to it using LAG on a specific port.
So help me understand VLANs. I've been doing lots of article reading but still can't quite grasp the concept.
With my current understanding:
My router/modem combo is still serving up IPs and the subnet mask via DHCP to everything on the network behind it. Should I log in to the management software on my Netgear JGS516PE and create VLANs for whichever devices are connected to it? Or do I do that in the Netgear router/modem combo? Or do I do this within the pfSense firewall?
Do I specify IPs to put inside the 'VLAN'? Does creating a VLAN assign new IPs or something? Should I be changing my standard 192.168.0.X IP designation for each VLAN to something new? This is where I'm confused.
ETA: Do I just follow this guide and use my managed switch to create the VLANs?
https://kb.netgear.com/29997/How-to-Create-Layer-2-VLANs-on-NETGEAR-ProSAFE-Switches?cid=wmt_netgear_organic
If I set up VLANs on the Netgear managed 16-port switch, can I also specify which ports on the trunked second 16-port switch are part of the VLANs?
Network Security:
Pick apart my security setup here and let me know if I'm missing anything:
The modem/router combo above has a non-standard admin password, WPS/UPnP disabled, all guest Wi-Fi disabled, WPA-PSK security with a strong key, the 2.4 GHz network disabled completely, the 5 GHz network enabled but not broadcasting, and some port forwarding, but on non-standard random ports.
The IP cam software is using stunnel for incoming external connections, and is also using IP rules on the 'server' to block all connections besides IP ranges I specify.
The NAS is on a non-standard port, using pfSense to block the NAS from the internet; WAN connections are also blocked (LAN on the same subnet only).
The pfSense box is using various firewall rules/bogon rules to block traffic to anything past the firewall (the internal LAN for the home devices/media devices above).
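For the VLAN questions above, here is an added example (not from the post, Netgear or pfSense) that models how a managed switch applies port-based 802.1Q VLANs: membership is a per-port, layer-2 setting, untagged devices get the port's PVID, and the LAG/trunk port carries every VLAN tagged so the second switch can apply the same port map. The IP subnet each VLAN uses is a separate decision made on the router (pfSense) side and is not shown here; the port numbers, VLAN ids and layout are assumptions.

```python
import struct

ETHERTYPE_8021Q = 0x8100

def tag_frame(dst, src, vid, payload):
    """Ethernet frame carrying an 802.1Q tag with VLAN id `vid` (trunk traffic)."""
    tci = vid & 0x0FFF  # priority 0, DEI 0, 12-bit VLAN id
    return dst + src + struct.pack("!HH", ETHERTYPE_8021Q, tci) + payload

def untagged_frame(dst, src, payload):
    """Plain IPv4 frame as a PC or camera sends it; the switch assigns the VLAN."""
    return dst + src + struct.pack("!H", 0x0800) + payload

def vlan_of(frame):
    """VLAN id of a tagged frame, or None when the frame carries no tag."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

class Switch:
    """Port-based VLAN forwarding: membership lives on ports, not on IPs."""
    def __init__(self, pvid, tagged):
        self.pvid = pvid      # port -> VLAN it sends/receives untagged (access)
        self.tagged = tagged  # port -> VLANs it carries tagged (trunk / LAG)

    def ingress_vid(self, port, frame):
        vid = vlan_of(frame)
        if vid is None:
            return self.pvid[port]  # untagged: classified by the port's PVID
        # A tag the port is not configured for is dropped, so an access-port
        # device cannot hop VLANs by tagging its own frames.
        return vid if vid in self.tagged.get(port, set()) else None

    def egress(self, in_port, frame):
        """Flood within the VLAN (broadcast / unknown destination) and return
        {port: 'untagged' | 'tagged'}; frames never cross into another VLAN."""
        vid = self.ingress_vid(in_port, frame)
        out = {}
        for p in self.pvid:
            if p == in_port or vid is None:
                continue
            if self.pvid[p] == vid:
                out[p] = "untagged"
            elif vid in self.tagged.get(p, set()):
                out[p] = "tagged"
        return out

# Constructed layout (assumption): port 1 uplink to pfSense, ports 2-4 cameras
# (VLAN 20), ports 5-8 media devices (VLAN 10), port 16 = LAG to second switch.
PVID = {1: 1, 2: 20, 3: 20, 4: 20, 5: 10, 6: 10, 7: 10, 8: 10, 16: 1}
TAGGED = {1: {10, 20}, 16: {10, 20}}  # trunks carry both VLANs tagged
SW = Switch(PVID, TAGGED)
```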