Have I finally exceeded the limits of Tomato?

I have a home network that was running DD-WRT, until I ran across a reason to switch to Tomato:

VLAN'd Guest wireless that I was able to set off of my home network, limit the bandwidth to 2Mbps, and require a disclaimer to be signed before use.

VLAN'd wireless that has full bandwidth, which I can use for guest systems that I'm working on but that can't touch my internal network (client malware-infected machines)

and my home LAN for everything else (plus a 2.4 GHz for mobile and TV, and a 5 GHz band for my stuff that matters)

That worked fine. Probably to the point where if I wanted to go more complex, I would need to look into something along the lines of Ubiquiti for WAPs and route with a pfSense-based setup, or see if there are any Fortigates at work, that way I'm working on something relevant to my day job.


Well, related to that, I've got a new ESXi server, and it's powerful enough for me to feel like I can run a full time home lab. With that, I'd like to set up a domain controller.

I don't necessarily want everything on the domain controller though. I've not quite figured out how to VLAN off any of the wireless stuff while another device does DNS and DHCP.

Would it be possible to still let Tomato do all the heavy lifting, and set up my home 2016 domain controller to run internal DNS? I feel like it should be, but it's been so long since I've had to do this, and when I did, it was always "server takes care of DNS, DHCP, etc." with no VLANs in place. I'm already complicating everything beyond my initial comfort zone, but I feel like I'm missing an easy setting that could make this all easier. After all, at work, DHCP is being handled by a different server, and the 3 AD servers are off doing their own thing.



Ideally, I would like for the router to be able to handle DHCP for everything, DNS for the guest wireless networks, and I'll set up my AD server to run DNS on the inside network.
 
You run AD at home? Any particular reason why?

Dump tomato definitely.
Go with a Ubiquiti WAP and pfsense and you won't look back, I rock that same setup. (unifi ac pro, custom built low noise/power high performance pfsense router).
 
Well, I plan on it once I ditch my Netgear R7000 and get 2 or so Unifi AC units. But, so far my R7000's been able to handle the new house just fine, and thanks to Tomato, took on more than I intended.


As it is, I've found that if I set BR0 to not do DHCP, and set my home server up to run DHCP and forward any non-.local traffic to the router, it does what I need it to for my home network, and I can keep BR1 and BR2 set up to do DHCP for the guest networks.

And, I've always been into virtualization stuff for personal use and for work. It's just that now I have a beefy enough server to run multiple systems at home, so a VM lab w/ AD should prove rather useful. It's just being a pain in the ass, as I've not had to do this part of network setup in 4 years. I've lucked into my sysadmin role focusing more on the systems and less on the network, and what little I do have to do is typically just copying configurations that are already in place and adapting them for new locations, rather than doing it all from scratch.

Right now I'm recreating all the group policy things I'll need...mostly by forgetting that I already set them up at work to do things like allow Windows Hello biometric login that gets turned off on AD by default.
 
I would keep AD and MS' DNS all virtualized and/or at least separated from your main home network. No need to introduce all that complexity into the rest of your home network (IMO).
 
I generally agree. But, there are a few things where it would be convenient. And, certain things that are decidedly less convenient. I'm not sure if I'm screwing something up somehow, or if the fact that I've moved my system to 1703 and the server is still 1607 is causing the issues...

curse my desire to be a guinea pig!
 
Let's try to simplify things a bit.

Realistically, you have/want 3 networks:

  1. Home Network
  2. Guest Network
  3. Lab Network

Your lab network should always be separate from your home network, as colinstu pointed out. With that said, you could create a local DNS server standalone (virtualized) on your home network, and still have a lab domain controller/DNS. Again, keep them completely separate. I would recommend having your guest network DHCP server hand out public DNS, such as 8.8.8.8 and 8.8.4.4 (Google).

For the other configuration type stuff, it would depend on your switch. You have quite a lot of options, but I've drawn up what I believe to be a solid recommendation to get you started with a plan. A lot of this will depend on the APs you use, and your switch(es).

[attached network diagram: hI6dTK7.png]

With this setup, you can continue DHCP services on your home network from your home router, then provide DHCP services on your lab with one of the VMs there. Alternatively, if your switch supports it, you can configure DHCP helpers.

May I ask why you are using bridge interfaces on the router?
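For readers following this thread, here is how the split the OP describes (BR0 with router DHCP off and the home server doing DHCP, BR1/BR2 guest bridges still on router DHCP) plus the advice above (guest clients handed public DNS) can be expressed in dnsmasq, which is what Tomato runs underneath. This is an added example, not configuration posted by anyone in the thread: the bridge names follow the OP's, but every subnet, lease time and the domain controller address are constructed placeholders, and it assumes the lines are pasted into Tomato's dnsmasq custom-configuration field on a build whose dnsmasq tags each request with the name of the interface it arrived on.

```ini
# Added example (not from the thread): dnsmasq lines for Tomato's
# "Dnsmasq Custom configuration" box. All addresses are constructed
# placeholders; substitute the subnets actually assigned to each bridge.

# br0 = home LAN. The router keeps answering DNS here but stops serving
# DHCP, so the home server can hand out leases and forward non-.local
# queries back to the router, as described above.
no-dhcp-interface=br0

# br1 = rate-limited guest wireless, br2 = lab/quarantine wireless.
# dnsmasq sets the arriving interface name as a tag on each request,
# so "tag:br1" restricts a range (and its options) to that bridge.
dhcp-range=tag:br1,192.168.10.100,192.168.10.199,255.255.255.0,12h
dhcp-range=tag:br2,192.168.20.100,192.168.20.199,255.255.255.0,12h

# Guest and lab clients receive public resolvers directly (option 6),
# so they are never told about, and never query, the internal AD DNS.
dhcp-option=tag:br1,option:dns-server,8.8.8.8,8.8.4.4
dhcp-option=tag:br2,option:dns-server,8.8.8.8,8.8.4.4

# Optional: if any home-LAN client resolves through the router instead
# of the DC, forward the AD zone to the domain controller so internal
# names still resolve. 192.168.1.10 is a placeholder DC address.
server=/local/192.168.1.10
```

Two things worth checking after applying something like this: that each `dhcp-range` falls inside the subnet configured on its bridge (dnsmasq will refuse to serve a range that does not match an interface address), and that a client on br1 or br2 receives only the public resolvers in its lease, which confirms the guest side has no path to the internal name space.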
 