[mindslight]

To put it in term of your network, I didn't want to deal with having to differentiate between VLAN3/VLAN4 switch ports (and wanted to leave room to grow multiple outgoing VPNs).

Also I don't see the need for hosts on VLAN2 to be able to talk to one another. Which enables me to default to putting decently trustable things in my access zone as well (like say an RPi running Raspbian/Kodi).

> Remember MAC Addresses can be spoofed which means you can get things like VLAN hopping if you're not careful

Oh for sure, which is why I alluded to eventually pushing out per-port mac address config to the switches. But my primary concern is browser/pocketsurveillance traffic not going out my ISP's IP, and this suffices for now.

(Thanks for the dump of Free android apps you find useful. Not really on topic for the thread, but I personally appreciate it)