VLANs, routing and DHCP

1

I've got my home network up-and-running to an extent, but I'm trying to improve the setup. On top of this, I'm using it as an exercise to try and learn the ins-and-outs of slightly more complicated networking setups.

Current Setup

Here's a quick rundown of the equipment I have, and how I've set them up:

  1. Draytek Vigor 2920
    • Accepts two incoming internet connections (WAN1 & WAN2)
    • Deals with DHCP assignment (and static IP binding)
    • Does DynamicDNS and local DNS
  2. HP (3Com) V2920 24-port switch
    • Connects all network devices
  3. Ubiquiti UAP AP-Pro
    • Two of these for wireless access running 1 SSID
  4. Netgear Unmanaged POE Switch
    • Utilised to connect network cameras & power them
    • Plugged into 3Com switch
  5. Server gear
    • 1x QNAP TS410U for Timemachine backups
    • 1x Dell 2950 for Unifi Controller and web server

Desired setup

I have it in my head that the best way to split up the network is as follows:

  • VLAN10 - Wired/wireless (known) devices
  • VLAN20 - Servers
  • VLAN30 - CCTV
  • VLAN40 - Guest wireless

As far as I can see what I need to do is:

  1. On the Draytek Vigor 2920
    1. Set up 4x LANs
      • LAN1 - 172.16.10.0/24, gateway: 172.16.10.254, DHCP: 172.16.10.1
      • LAN2 - 172.16.20.0/24, gateway: 172.16.20.254, DHCP: 172.16.20.1
      • LAN3 - 172.16.30.0/24, gateway: 172.16.30.254, DHCP: 172.16.30.1
      • LAN4 - 172.16.40.0/24, gateway: 172.16.40.254, DHCP: 172.16.40.1
    2. Set up 4x VLANs
      • VLAN1 - tagged VID 10
      • VLAN2 - tagged VID 20
      • VLAN3 - tagged VID 30
      • VLAN4 - tagged VID 40
    3. Assign each LAN to its respective VLAN (i.e. LAN1 - VLAN1 etc...)
    4. Assign all VLANs to port 1 and connect port 1 to port 1 of the switch
  2. On the HP v2920
    1. Set up ports
      • Port 1 - tagged trunk port with VLAN10, 20, 30, 40
      • Device ports - access port with untagged membership of 10
      • Server ports - access port with untagged membership of 20
      • CCTV Ports - access port with untagged membership of 30
      • WAP Ports - hybrid port with tagged VLAN 10, 40
    2. Set up 4x VLAN interfaces
      • VLAN1 - 172.16.10.254
      • VLAN2 - 172.16.20.254
      • VLAN3 - 172.16.30.254
      • VLAN4 - 172.16.40.254
    3. Set up DHCP relay for each VLAN pointing to 172.16.xx.1 (i.e. the router)

Now comes my confusion/questions:

  1. What exactly is the PVID? For a port that deals with multiple VLANs what would you set it to?
  2. With this setup, providing "inter-VLAN routing" is turned off in the router, should the different VLANs be able to communicate?
  3. If not, how would I go about restricting access so that only certain devices on VLAN10 can connect to VLAN20? For instance, a file server or web server.
  4. Is it necessary to set up the VLAN interfaces and is setting the gateway IP address to those interfaces correct?
  5. Is the DHCP relay even required?
  6. What should the routing table in the switch look like?

If this isn't at all the correct way of setting it up, my desire is to have the following:

VLANs split as above, with the ability to access certain devices on certain VLANs. For instance, on the CCTV VLAN there is a controller and 4 cameras. There's no need to allow access to the cameras; however, access to the controller is required.

CircularRecursion

Posted 2015-04-10T14:43:27.560

Reputation: 111

No answers
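Since the first question above is what the PVID does on a port that carries several VLANs, here is an added example (not from the original post) that models 802.1Q ingress and egress classification for the port roles the poster lists. The VLAN IDs 10/20/30/40 and the port roles are the poster's; the PVID choices are assumptions for illustration: an otherwise unused VLAN 99 on the uplink trunk so that untagged frames never land in a data VLAN, and VLAN 10 untagged plus VLAN 40 tagged on the WAP port so the AP's own untagged management traffic and the guest SSID each get the right VLAN.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    """One 802.1Q switch port. 'tagged'/'untagged' are the VLANs the port carries
    with / without a tag; 'pvid' is the VLAN assigned to frames that arrive untagged."""
    name: str
    mode: str            # "access", "trunk" or "hybrid"
    pvid: int
    tagged: frozenset = frozenset()
    untagged: frozenset = frozenset()

    def ingress(self, vid):
        """VLAN an arriving frame is placed into (vid=None means no 802.1Q tag),
        or None if the port drops it."""
        if vid is None:
            return self.pvid                      # this is all the PVID does
        if self.mode == "access":
            return vid if vid == self.pvid else None
        return vid if vid in self.tagged | self.untagged else None

    def egress(self, vlan):
        """'tagged', 'untagged', or None when the port does not carry that VLAN."""
        if vlan in self.untagged:
            return "untagged"
        return "tagged" if vlan in self.tagged else None

def build_switch():
    """Constructed port table following the roles in the question; PVIDs are assumed."""
    return {
        # uplink to the router: all data VLANs tagged, untagged frames parked in VLAN 99
        "uplink": Port("uplink", "trunk", 99, frozenset({10, 20, 30, 40}), frozenset({99})),
        "device": Port("device", "access", 10, untagged=frozenset({10})),
        "server": Port("server", "access", 20, untagged=frozenset({20})),
        "cctv":   Port("cctv", "access", 30, untagged=frozenset({30})),
        # WAP port: AP management + main SSID untagged in 10, guest SSID tagged 40
        "wap":    Port("wap", "hybrid", 10, frozenset({40}), frozenset({10})),
    }

def forward(ports, in_port, vid, out_port):
    """Trace one frame through the switch: (vlan, egress tagging), or (None, None)
    if dropped on ingress. Forwarding stays inside one VLAN; crossing VLANs is the
    router's job, which is what the post's 'inter-VLAN routing' switch controls."""
    vlan = ports[in_port].ingress(vid)
    if vlan is None:
        return (None, None)
    return (vlan, ports[out_port].egress(vlan))
```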