Multi-VLAN Deployment
Deploying Scanopy daemons across multiple VLANs and network segments.
Scanopy daemons can scan any network they can route to. The key question is whether the daemon's host has a network interface on the subnet you want to scan:
- With interface (Layer 2): Full discovery — MAC addresses, ARP-based host detection, finds hosts even without open ports
- Without interface (Layer 3): Partial discovery — TCP scanning only, finds hosts with open ports
For most setups, a single daemon with routing to all subnets works fine. You only need multiple daemons when VLANs are truly isolated or you need Layer 2 access for accurate MAC collection.
Refer to Layer 2 vs Layer 3 for details.
Scanning Additional Subnets
To scan subnets the daemon doesn't auto-detect, go to Discover > Scheduled, edit the Network Scan, and add them manually.
If the subnet you want to scan doesn't exist yet (i.e., no daemon has reported it, either because no daemon has an interface on it or because it isn't being detected for some other reason), go to Subnets and add it manually. You can then set it up to be scanned as described above.
VPN Networks
Scanopy works with WireGuard, Tailscale, Headscale, OpenVPN, etc. If the daemon's host is connected to the VPN, it can scan that network.
- Connect the daemon's host to your VPN
- Run a Self-Report discovery to detect the new interface (or restart the daemon)
- If your Network Scan has no specific subnets configured, the VPN will be scanned automatically. If you've configured specific subnets, add the VPN subnet manually via Discover > Scheduled.
When You Need Multiple Daemons
One Daemon is Enough When:
- The daemon's host can route to all target subnets
- You're okay with Layer 3 discovery for remote subnets
You Need Multiple Daemons When:
- Networks are isolated with no routing between them
- You need Layer 2 access (MAC addresses, full host discovery) on multiple segments
Deployment Strategies
Strategy 1: Central Daemon with Routing
Use a single daemon on a host that can route to all VLANs.
Pros: Single daemon to manage, simple setup
Cons: Layer 3 only for remote subnets (no MAC addresses, requires open ports)
Best for: Most networks, quick setup, home labs
Strategy 2: Daemon Per VLAN
Deploy a daemon on each VLAN for full Layer 2 access.
Pros: MAC addresses, ARP-based discovery, finds hosts without open ports
Cons: More daemons to manage, requires a host on each VLAN
Best for: Production environments needing accurate MAC collection, isolated networks
Strategy 3: Hybrid
Use a central daemon for routable networks, and dedicated daemons only for isolated segments or where you need Layer 2 access.
Step-by-Step Setup
Step 1: Plan Your Deployment
| VLAN | Subnet | Purpose | Daemon Location |
|---|---|---|---|
| 1 | 192.168.1.0/24 | Production | Server host |
| 10 | 192.168.10.0/24 | IoT | IoT management VM |
| 20 | 192.168.20.0/24 | Guest | Guest network AP |
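The Layer 2 versus Layer 3 distinction applied to the plan above, as an added example that is not part of the Scanopy documentation or code: it checks each planned subnet against the interface addresses of the daemon hosts and reports which subnets have no daemon with a local interface. The daemon names and interface addresses are constructed, and a "layer3" result assumes the host can route to that subnet, which the script does not verify.

```python
import ipaddress

RANK = {"layer3": 0, "partial-layer2": 1, "layer2": 2}

def discovery_mode(daemon_ifaces, target):
    """Classify one target subnet for one daemon host.

    daemon_ifaces: the host's interface addresses in CIDR form.
    "layer3" means no local interface: TCP-only discovery, and only if the
    host can route to the subnet (assumed here, not checked).
    """
    target_net = ipaddress.ip_network(target)
    mode = "layer3"
    for cidr in daemon_ifaces:
        local = ipaddress.ip_interface(cidr).network
        if local.version != target_net.version:
            continue  # never compare IPv4 with IPv6 networks
        if target_net.subnet_of(local):
            return "layer2"  # whole target sits on a local segment
        if local.subnet_of(target_net):
            mode = "partial-layer2"  # target is wider than the local segment
    return mode

def plan_coverage(daemons, targets):
    """Return {subnet: (best_mode, daemon_name_or_None)} across all daemons."""
    coverage = {}
    for target in targets:
        best = ("layer3", None)
        for name, ifaces in daemons.items():
            mode = discovery_mode(ifaces, target)
            if RANK[mode] > RANK[best[0]]:
                best = (mode, name)
        coverage[target] = best
    return coverage

# Constructed sample: two daemons deployed, the guest VLAN daemon not yet.
DAEMONS = {
    "server-host": ["192.168.1.5/24"],
    "iot-mgmt-vm": ["192.168.10.2/24", "fd00:10::2/64"],
}
TARGETS = ["192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24"]

if __name__ == "__main__":
    for subnet, (mode, daemon) in plan_coverage(DAEMONS, TARGETS).items():
        print(f"{subnet:18} {mode:15} {daemon or 'no daemon with an interface here'}")
```

A subnet reported as "layer3" is a candidate for its own daemon if you need MAC addresses or hosts without open ports from it.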
Step 2: Create Daemon in Scanopy UI and Deploy Daemon
Follow the installation instructions in Installing a Daemon.
For Docker container discovery on the daemon host, see Docker Socket Proxy.
Step 3: Observe Discovery Results
The Daemon will automatically begin discovery after it successfully registers with the server. Simply let it do its thing and watch the results come in.
- Check Manage > Hosts for discovered devices
- Verify that Topology shows hosts from all VLANs
For consolidating hosts that appear on multiple VLANs, see Consolidating Duplicate Hosts.
Network Requirements
Firewall Rules for Pull Mode (Recommended)
The daemon initiates all connections, so minimal firewall changes are needed.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Daemon | Server | 60072 | TCP | API communication |
| Daemon | Local subnet | * | TCP | Network scanning |
Firewall Rules for Push Mode
The server initiates scan requests, so the daemon must be reachable from the server.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Server | Daemon | 60073 | TCP | Push scan requests |
| Daemon | Server | 60072 | TCP | Report results |
| Daemon | Local subnet | * | TCP | Network scanning |