Small Network Diagram for review. I have a few questions

Here is a network diagram that shows what I am thinking would be the best way to go about building a small network with the shown requirements.

Due to the small size of the network, what is the best practice regarding using different subnet addresses for each VLAN?

If all the network devices can fit in a 192.168.100.0/24 space, what benefit would be gained by making each vlan its own subnet address?

I think it may be best to put the Guest Wifi 2.4 & 5.0 (VLAN 500) on their own subnet 192.168.500.0/24, so that I don’t have to worry about having too many guests on my primary subnet and accidentally using up all the addresses.

Looking over how I plan to build this out, do you see any problems or have any recommendations?

The router that I will be going with will be a pro router running edgeos, or routeros. The switch will be a full featured layer 3 switch.

Each VLAN has to be its own subnet, and the reason for separating devices is to limit potential lateral movement in the event of a security breach. Also, you can’t use 192.168.500.X; the valid range for the third octet is 0-254.

Thanks! I used the 500 number in there to make it easy to match the VLAN number, and didn’t even think about the 254 limit.

Is there any reason that with a small network like this I couldn’t forgo using a dedicated router, and instead use the MikroTik all-in-one router/switch CRS328-24P-4S+RM in RouterOS mode?

I don’t need fast OpenVPN throughput because the phones that will be using OpenVPN only need maybe 192 kbit/s up and down. The other features I will need to use are VLANs, DHCP, QoS, traffic shaping queues, and basic firewall rules.

I see that the CRS328-24P-4S+RM uses an 800 MHz single-core 98DX3236 processor. In my use case, would this be enough to run routing and switching?

I’d think about a pfSense firewall to handle the internet gateway and OpenVPN; just build it from something fairly stout and you should be fine. An old i5 processor should be plenty, an old server that you retired, etc. You can be spendy and buy new stuff, or be frugal and use older stuff, up to you.

I didn’t look at all of it, but you do have a lot of trunked ports in use. Might be a different term, Cisco uses trunk to “define” ports with multiple vlans.

Also, I might drop down to a class B range of addresses; everyone uses class A and C. There is plenty of room to break up a single full /16 range into 254 subnets at /24.
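An added example, not from the thread or any of its posters, that exercises two points made above: the reply that each VLAN needs its own subnet (so inter-VLAN traffic must cross the layer-3 gateway where firewall rules apply) and that 192.168.500.x is not a valid address, and the later suggestion of carving a /16 into /24s. The VLAN ids, roles and address ranges below are constructed for illustration and are not taken from the poster's diagram.

```python
import ipaddress

# Constructed VLAN plan for illustration: VLAN id -> role (not the thread's diagram).
VLAN_ROLES = {100: "office", 200: "servers", 500: "guest wifi"}


def parse_network(text):
    """Parse a CIDR string strictly. Raises ValueError for impossible addresses such as
    192.168.500.0/24 (every octet must be 0-255) or for a network with host bits set."""
    return ipaddress.ip_network(text, strict=True)


def is_valid_network(text):
    """Convenience wrapper: True if the CIDR string is a usable network."""
    try:
        parse_network(text)
        return True
    except ValueError:
        return False


def load_plan(mapping):
    """Turn {vlan_id: "a.b.c.d/n"} into {vlan_id: IPv4Network} for checking a hand-written plan."""
    return {vid: parse_network(text) for vid, text in mapping.items()}


def plan_subnets(supernet, vlan_ids, new_prefix=24):
    """Carve one new_prefix subnet per VLAN out of supernet (e.g. a /16 into /24s).
    Subnets are handed out in ascending VLAN order; returns {vlan_id: IPv4Network}."""
    pool = parse_network(supernet).subnets(new_prefix=new_prefix)
    plan = {}
    for vid in sorted(vlan_ids):
        try:
            plan[vid] = next(pool)
        except StopIteration:
            raise ValueError(f"{supernet} has no room for VLAN {vid} at /{new_prefix}") from None
    return plan


def find_overlaps(plan):
    """Return (vlan_a, vlan_b) pairs whose subnets overlap. A correct plan returns []:
    two VLANs sharing address space defeats the point of separating them."""
    ids = sorted(plan)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if plan[a].overlaps(plan[b])]


def vlan_of(ip, plan):
    """VLAN id whose subnet contains ip, or None if the address is unplanned."""
    addr = ipaddress.ip_address(ip)
    for vid, net in plan.items():
        if addr in net:
            return vid
    return None


def crosses_gateway(ip_a, ip_b, plan):
    """True when the two hosts sit in different VLAN subnets, so traffic between them
    must be routed through the layer-3 gateway where firewall rules can be enforced.
    Hosts in the same subnet reach each other directly at layer 2, with no such choke point."""
    va, vb = vlan_of(ip_a, plan), vlan_of(ip_b, plan)
    if va is None or vb is None:
        raise ValueError("address is not in any planned VLAN subnet")
    return va != vb


def gateway_addresses(plan):
    """First usable host of each subnet, a common convention for the VLAN's gateway/SVI."""
    return {vid: str(next(net.hosts())) for vid, net in plan.items()}


if __name__ == "__main__":
    print("192.168.500.0/24 valid?", is_valid_network("192.168.500.0/24"))
    plan = plan_subnets("172.16.0.0/16", VLAN_ROLES)
    for vid, net in plan.items():
        print(f"VLAN {vid:>3} {VLAN_ROLES[vid]:<10} {net}  gw {gateway_addresses(plan)[vid]}")
    print("overlaps:", find_overlaps(plan))
    print("office -> guest crosses gateway?", crosses_gateway("172.16.0.10", "172.16.2.10", plan))
```

Running the block prints that 192.168.500.0/24 is rejected by the parser, assigns 172.16.0.0/24, 172.16.1.0/24 and 172.16.2.0/24 to VLANs 100, 200 and 500, and shows that an office host talking to a guest host has to pass the gateway, while two hosts in one subnet do not.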