TP-LINK TL-SG108E VLAN configuration issue

mcury

@mitch-rapp Taking a look at it, give me a few minutes..
But will you be connecting a cable from the switch (TL-SG108E) to each deco?
Or these decos will be connected to each other by WIFI ?

mcury

@mitch-rapp Ok, try to add the other decos to see what happens

Mitch Rapp

@mcury

Connecting the second one now!

Mitch Rapp

@mcury

They will all be connected to the SG108E switch by Ethernet.

mcury

@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:

They will all be connected to the SG108E switch by Ethernet.

Perfect, so, you should just turn them on, and after two minutes, they should be working already.
Confirm if that is working, then move through the ambient and confirm if the mesh is working the way you want to

Mitch Rapp

@mcury

2nd one is online and working. Moving to third

“Ambient?”

mcury

@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:

“Ambient?”

Place wherever you are, sorry, sometimes my English fails on me.. :)

mcury

If you are going to use the homeshield pro features, we will have to change a few things..

Mitch Rapp

@mcury

Ok, I did get that before I bought the pfsense router with firewall.
What do I need to change?

mcury

@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:

@mcury

Ok, I did get that before I bought the pfsense router with firewall.
What do I need to change?

Few things to consider:

• Change the operation mode to router mode, instead of ap mode.
• New network behind the Decos
• Create a new NAT entry in pfsense.
• Change the firewall rule in pfsense.
• Create a static route in pfsense.
• Disable DHCP in pfsense.

I can't find where to disable NAT in these Decos, which means that you wouldn't be able to filter users IPs in pfsense, all IPs would natted before they reach pfsense...
So, pfsense would see only the Deco IP

Mitch Rapp

@mcury

Ok, let’s tackle those items tomorrow. My family is mad right now because they’re not getting any attention today. I’ve been battling this (along side you) for two solid days nonstop.

I’m worried if I change it back to Router mode, it will stop working again. Will test tomorrow.

All decos online!

I cannot thank you enough for getting me to this point. You are the most patient person I’ve come across in IT. I am deeply in your debt.

David.

mcury

You are welcome =)

Mitch Rapp

@mcury

Are you ready to tackle these items? :-)

Few things to consider:

Change the operation mode to router mode, instead of ap mode.
New network behind the Decos
Create a new NAT entry in pfsense.
Change the firewall rule in pfsense.
Create a static route in pfsense.
Disable DHCP in pfsense.

I can't find where to disable NAT in these Decos, which means that you wouldn't be able to filter users IPs in pfsense, all IPs would natted before they reach pfsense...
So, pfsense would see only the Deco IP

mcury

Sure, but the question is, do you really want to?
I didn't find anything in the Deco documentation saying how to disable the NAT.

If we really can't disable NAT in the Deco, keep in mind that pfsense rules, pfsense logs, pfsense filters like pfblocker and etc, would only see the Deco IP..
Also, portforward and things like that, you would have to create them twice, once in pfsense, then create that same rule in the Deco..

Can you tackle around the device options to see if you can find a NAT disable option?

Mitch Rapp

@mcury
Sure, let me do some checking.

Mitch Rapp

@mcury
I don't think you can disable NAT in this particular Deco model. :-(

Would there by any advantage to changing it from the way it is now? I don't think I will need Port forwarding on any of my wireless devices.

I am still curious what the VLAN feature is on the Deco, in Router mode only. You can set a VLAN ID and a priority (0-7) . Is that even useful to me?

One question I do have is about QoS for my Wifi network. It has always confused me. Would that be set at the SG108E, the Main Deco (10.28.28.2) , or in Pfsense.

And, depending on the answer, if at the switch, would the Main deco be given the priority, and if at the Main Deco, would the switch be given the priority? or, perhaps something different?

mcury

@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:

I don't think you can disable NAT in this particular Deco model. :-(
Would there by any advantage to changing it from the way it is now? I don't think I will need Port forwarding on any of my wireless devices.

I wouldn't change, I would use all Decos in AP mode as they are now.

@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:

I am still curious what the VLAN feature is on the Deco, in Router mode only. You can set a VLAN ID and a priority (0-7) . Is that even useful to me?

That VLAN feature, based on what I observed in the documentation, seems to be only for IPTV, and not VLAN like you saw in the TL-SG108E.
Some WIFI devices like Unifi, you can create up to 8 WIFI networks and assign a different VLAN to each one of them.. This is not the case here.

@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:

One question I do have is about QoS for my Wifi network. It has always confused me. Would that be set at the SG108E, the Main Deco (10.28.28.2) , or in Pfsense.

I wouldn't set that at all, in any place... The QoS is for very specific situations.

Mitch Rapp

@mcury
Ok, forget that then.
Questions:

1. Can I allow my Wi-Fi device network to communicate with my LAN network without compromising security? If so, how do I do it?

example: "Alexa, turn on the home theatre."
Alexa - Wi-Fi (10.28.28.X) Home theatre - LAN (10.27.27.X)

2. I would like to add a server to my home network.
   How should I go about doing that?
   VLAN from LAN on TL-SG1024DE ?
   I already have a mini pc intel quad core, with windows 10 pro, for this purpose.

mcury

@mitch-rapp VLAN28 is going to the TL-SG108E, you can pass additional VLANs to that switch, no problem there.

@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:

Can I allow my Wi-Fi device network to communicate with my LAN network without compromising security? If so, how do I do it?

Yes you can, but I'm not experienced with Alexa... I would suggest you to put everything that Alexa needs to control in the same network, this would make things easier for Alexa to detect devices by mDNS, DLNA or whatever Alexa uses for that..

@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:

I would like to add a server to my home network.

You can add as many servers as you need, you have the option to create another VLAN for them, but this could lead to a throughput problem.
Note that all the routing between VLANs will go through the pfsense, and traffic in the same VLAN goes through the Switch.
So, if you have a Plex server for instance, which is for video streaming, you can put this server in the same network as the TV, this wouldn't need to go to the pfsense (1Gbps port), and come back to the other VLAN, you see?

Mitch Rapp

@mcury
I think I do. Let me see.
So, in your example, the server would use a pfsense interface, then through switch, to server, which might cause a throughput speed issue. Therefore, you are saying to add a server, such as a plex, on my LAN network, am I correct?

Or, are you saying that any VLAN, no matter how its connected (router interface port or switch), would have to pass through pfsense, then switch to server.

I do want to add a Synology NAS, with Plex, so I will add it as you describe above, directly into my LAN network.

Assuming I have understood your explanation, how then would I connect a server that would contain personal files, storage, and other sensitive data, and keep it secure ?