
LAN - VLAN routing

Hi!
I have an XG125 where the network on port 6 is 192.168.12.0/24 and on port 1 is 192.168.0.0/24, both in the LAN zone.
Port 6 has a DHCP server.
I've added a VLAN on port 1 (Port1.40) with its IP assignment set to DHCP.

I've created 2 rules:
1:
Source zones: LAN
Source network: #Port1.40
Destination zones LAN
Destination networks: #Port6
Service: Any

2:

Source zones: LAN
Source network: #Port6
Destination zones LAN
Destination networks: #Port1.40
Service: Any

But the VLAN interface doesn't get any IP from the DHCP server on port 6.

What am I doing wrong?



  • I believe DHCP requests don't cross LAN boundaries and don't get routed.

    Why not have a DHCP server on the other LAN? They're two different networks, so will get two different ranges anyhow.

  • Well, no. In the VLAN there is the same network as on port 6: 192.168.12.0/24.
    I've enabled the DHCP just to test the routing; it will not be needed. I'll go on and configure the VLAN on the switches to test it more properly.
    Thanks

  • Hello Mario,

    you are mixing up / confusing Layer 2 and Layer 3 here.

    While "Port 1" and "VLAN 40" sit on the same physical interface, these are completely different networks, which don't "see each other" in terms of IP addresses.

    The same goes for "Port 6": the network on Port 6 does not "see" the traffic on "Port 1" or "Port1.40" simply by putting them into the same firewall zone.

    You either have to build a bridge (connection on Layer 2), or you have to route between the IP nets on top of those interfaces (connection on Layer 3).

    As it is now, the VLAN port 1.40 will never get a DHCP address from the server running on Port 6, nor will it get one if you run that server on Port 1.

    Please tell us, what you want to achieve, so that we can help you to find a solution for your use case.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • You either have to build a bridge (connection on Layer 2), or you have to route between the IP-nets on top of those interfaces (connection on Layer 3).

    Isn't the routing what I've done with the 2 firewall rules?

  • Routing is routing.

    Firewall rules are a packet filter.

    These are two different things. You first have to have a functional network, either routed or bridged, so that packets can flow from A to B.

    Then you allow or deny certain IP connections or ports with firewall rules.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • BTW: I prefer routing over bridging.

    Bridging is simple but has serious disadvantages when trying to build a clean, segmented network architecture.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Which I think indicates that the VLAN should not have the same network as the network hanging off of Port 6. Which would indicate two different DHCP servers. I currently have three SSIDs on my AP, for example, and two of them are VLANs (less trusted networks) and one of them is bridged onto the main LAN that the AP is on (more trusted network). The LAN and the two VLANs each have their own DHCP server to serve their distinct networks.

  • That won't work, as I explained in my other posts.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • I'm a bit lost here!
    I can reach the network 192.168.12.0/24 on port 6 from the network 192.168.0.0/24 on port 1 just with a firewall rule... how is this possible?
    Isn't this the same thing?

  • Ciao Mario,

    no, let us clarify: if you have a network interface, either physical ("Port X") or virtual ("VLAN Y"), you CAN assign a static IP to it.

    You did this with "Port 1" and "Port 6". So now your firewall knows about two networks, which are directly connected to it.

    The normal mode of a Linux kernel is IP routing between all directly attached interfaces.

    NOW your packet filter comes into play; this is what you configure with "firewall rules" and "zones" and so on.

    If you have a so-called "DENY all" philosophy with your firewall rules (this is the case with the XG/XGS default settings), then you have to define which traffic is allowed from one network to the other. If you put two different interfaces into the same "Zone" definition, you implicitly allow traffic between them.

    Why don't you reach your VLAN on "Port1.40"? Because it has no IP address! And hence no network that it belongs to, that's all.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

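The two stages described in this thread, routing first and the packet filter second, modelled in a few lines of Python (an added example written for this thread, not Sophos code; the .1 gateway addresses and the general LAN-to-LAN rule are assumptions). It shows that a VLAN interface without an address contributes no connected route, so neither a DHCP broadcast nor a reply can be routed to it, while the firewall rules only decide what happens once a route exists.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Interface:
    name: str
    zone: str
    cidr: "str | None"  # None: no address assigned, like Port1.40 in the thread
@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    src_if: str = "Any"  # "Any" or an interface name (the thread's "#Port6")
    dst_if: str = "Any"
# Constructed model of the poster's setup; the .1 gateway addresses are assumed.
IFACES = [
    Interface("Port1", "LAN", "192.168.0.1/24"),
    Interface("Port6", "LAN", "192.168.12.1/24"),
    Interface("Port1.40", "LAN", None),  # VLAN 40 with no IP address
]
RULES = [
    Rule("LAN", "LAN", "Port1.40", "Port6"),
    Rule("LAN", "LAN", "Port6", "Port1.40"),
    Rule("LAN", "LAN"),  # assumed LAN-to-LAN rule behind "I can reach port 6 from port 1"
]

def connected_routes(ifaces=IFACES):
    """Stage 1: the kernel only has a route to a network whose interface has an address."""
    return {i.name: ipaddress.ip_network(i.cidr, strict=False) for i in ifaces if i.cidr}

def route(addr_str, ifaces=IFACES):
    """Interface a host lives behind, or None. Broadcast (a DHCP DISCOVER) is never routed."""
    addr = ipaddress.ip_address(addr_str)
    if addr.is_multicast or addr == ipaddress.ip_address("255.255.255.255"):
        return None
    return next((n for n, net in connected_routes(ifaces).items() if addr in net), None)

def allowed(src_if, dst_if, ifaces=IFACES, rules=RULES):
    """Stage 2: the packet filter, consulted only after routing has found a path."""
    zone = {i.name: i.zone for i in ifaces}
    return any(r.src_zone == zone[src_if] and r.dst_zone == zone[dst_if]
               and r.src_if in ("Any", src_if) and r.dst_if in ("Any", dst_if) for r in rules)

def forward(src_if, src, dst, ifaces=IFACES, rules=RULES):
    """Outcome for a packet that arrived on src_if from src, headed for dst."""
    egress = route(dst, ifaces)
    if egress is None or route(src, ifaces) != src_if:
        return "no route"  # an addressless VLAN is no network, so no route back either
    if egress == src_if:
        return "same segment"
    return "forwarded" if allowed(src_if, egress, ifaces, rules) else "dropped by packet filter"
```

Giving Port1.40 its own address (and hence its own connected route) is what turns the first "no route" case into a packet-filter decision; the rules alone never change the routing outcome.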