TP-LINK TL-SG108E VLAN configuration issue
-
If you are going to use the HomeShield Pro features, we will have to change a few things.
-
Ok, I did get that before I bought the pfsense router with firewall.
What do I need to change?
-
@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:
Ok, I did get that before I bought the pfsense router with firewall.
What do I need to change?
Few things to consider:
- Change the operation mode to router mode, instead of ap mode.
- New network behind the Decos
- Create a new NAT entry in pfsense.
- Change the firewall rule in pfsense.
- Create a static route in pfsense.
- Disable DHCP in pfsense.
I can't find where to disable NAT in these Decos, which means that you wouldn't be able to filter users' IPs in pfsense; all IPs would be NATed before they reach pfsense...
So, pfsense would see only the Deco IP
-
Ok, let’s tackle those items tomorrow. My family is mad right now because they’re not getting any attention today. I’ve been battling this (alongside you) for two solid days nonstop.
I’m worried if I change it back to Router mode, it will stop working again. Will test tomorrow.
All decos online!
I cannot thank you enough for getting me to this point. You are the most patient person I’ve come across in IT. I am deeply in your debt.
David.
-
You are welcome =)
-
Are you ready to tackle these items? :-)
Few things to consider:
- Change the operation mode to router mode, instead of ap mode.
- New network behind the Decos
- Create a new NAT entry in pfsense.
- Change the firewall rule in pfsense.
- Create a static route in pfsense.
- Disable DHCP in pfsense.
I can't find where to disable NAT in these Decos, which means that you wouldn't be able to filter users' IPs in pfsense; all IPs would be NATed before they reach pfsense...
So, pfsense would see only the Deco IP
-
Sure, but the question is, do you really want to?
I didn't find anything in the Deco documentation saying how to disable the NAT.
If we really can't disable NAT in the Deco, keep in mind that pfsense rules, pfsense logs, pfsense filters like pfBlocker, etc., would only see the Deco IP.
Also, port forwards and things like that you would have to create twice: once in pfsense, then the same rule in the Deco.
Can you look around the device options to see if you can find a NAT disable option?
-
@mcury
Sure, let me do some checking.
-
@mcury
I don't think you can disable NAT in this particular Deco model. :-(
Would there be any advantage to changing it from the way it is now? I don't think I will need port forwarding on any of my wireless devices.
I am still curious what the VLAN feature is on the Deco, in Router mode only. You can set a VLAN ID and a priority (0-7). Is that even useful to me?
One question I do have is about QoS for my Wi-Fi network. It has always confused me. Would that be set at the SG108E, the Main Deco (10.28.28.2), or in pfsense?
And, depending on the answer, if at the switch, would the Main Deco be given the priority, and if at the Main Deco, would the switch be given the priority? Or, perhaps something different?
-
@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:
I don't think you can disable NAT in this particular Deco model. :-(
Would there be any advantage to changing it from the way it is now? I don't think I will need port forwarding on any of my wireless devices.
I wouldn't change it; I would use all Decos in AP mode as they are now.
@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:
I am still curious what the VLAN feature is on the Deco, in Router mode only. You can set a VLAN ID and a priority (0-7). Is that even useful to me?
That VLAN feature, based on what I observed in the documentation, seems to be only for IPTV, and not VLANs like you saw in the TL-SG108E.
Some Wi-Fi devices like UniFi let you create up to 8 Wi-Fi networks and assign a different VLAN to each one of them. This is not the case here.
@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:
One question I do have is about QoS for my Wi-Fi network. It has always confused me. Would that be set at the SG108E, the Main Deco (10.28.28.2), or in pfsense?
I wouldn't set that at all, in any place. QoS is for very specific situations.
-
@mcury
Ok, forget that then.
Questions:
- Can I allow my Wi-Fi device network to communicate with my LAN network without compromising security? If so, how do I do it?
Example: "Alexa, turn on the home theatre."
Alexa - Wi-Fi (10.28.28.X)
Home theatre - LAN (10.27.27.X)
- I would like to add a server to my home network.
How should I go about doing that?
VLAN from LAN on TL-SG1024DE?
I already have a mini PC, Intel quad core, with Windows 10 Pro, for this purpose.
-
@mitch-rapp VLAN28 is going to the TL-SG108E, you can pass additional VLANs to that switch, no problem there.
@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:
Can I allow my Wi-Fi device network to communicate with my LAN network without compromising security? If so, how do I do it?
Yes you can, but I'm not experienced with Alexa... I would suggest putting everything that Alexa needs to control in the same network; this would make it easier for Alexa to detect devices by mDNS, DLNA or whatever Alexa uses for that.
@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:
I would like to add a server to my home network.
You can add as many servers as you need; you have the option to create another VLAN for them, but this could lead to a throughput problem.
Note that all the routing between VLANs will go through pfsense, while traffic in the same VLAN goes through the switch.
So, if you have a Plex server for instance, which is for video streaming, you can put this server in the same network as the TV; this wouldn't need to go to pfsense (1Gbps port) and come back to the other VLAN, you see?
-
@mcury
I think I do. Let me see.
So, in your example, the server would use a pfsense interface, then go through the switch to the server, which might cause a throughput speed issue. Therefore, you are saying to add a server, such as Plex, on my LAN network, am I correct?
Or, are you saying that any VLAN, no matter how it's connected (router interface port or switch), would have to pass through pfsense, then the switch to the server?
I do want to add a Synology NAS, with Plex, so I will add it as you describe above, directly into my LAN network.
Assuming I have understood your explanation, how then would I connect a server that would contain personal files, storage, and other sensitive data, and keep it secure?
-
@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:
So, in your example, the server would use a pfsense interface, then go through the switch to the server, which might cause a throughput speed issue. Therefore, you are saying to add a server, such as Plex, on my LAN network, am I correct?
All inter-VLAN connectivity will have to go to pfsense; this happens because pfsense is the default gateway of the networks.
So, if one user in VLAN28 wants to send a file to a server in VLAN27, this file will go to the gateway, and the gateway will send the packets to VLAN27.
Now imagine that during this file transfer, three other users in VLAN28 want to download a file from the Internet, ok?
What is going to happen is that, depending on the file transfer speed and your Internet speed, your 1Gbps pfsense interface connected to the TL-SG108E switch wouldn't be enough and things would slow down.
@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:
Or, are you saying that any VLAN, no matter how it's connected (router interface port or switch), would have to pass through pfsense, then the switch to the server?
All connections in the same VLAN wouldn't go to pfsense; they pass directly through the switch.
@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:
I do want to add a Synology NAS, with Plex, so I will add it as you describe above, directly into my LAN network.
I would add this server to the same VLAN as the clients that will access it, thus using only the switch for this connection.
@mitch-rapp said in TP-LINK TL-SG108E VLAN configuration issue:
Assuming I have understood your explanation, how then would I connect a server that would contain personal files, storage, and other sensitive data, and keep it secure?
From the Internet perspective, there is a default deny rule in your firewall that will block all packets coming to it. So, your server will only be reachable from the Internet if you create a port forward to it. Only outbound connections are allowed by default.
From the perspective of the users inside your network, you can put the server in another VLAN or network, but this may or may not cause the problem mentioned above, with the 1Gbps link.
Or, you can use the Synology NAS internal firewall to allow users to access specific services on the NAS.
Also, there is another option, which is authentication, for example:
I have here a Samba server; it works very similar to an Active Directory.
I created groups, and these groups can access specific folders, services, etc.
Public folders are available to all domain users.
-
Ah! I think I understand now. :-)
One other question: on pfsense, my WAN_DHCP (default) gateway is working fine, however the WAN_DHCP6 gateway still says "pending."
Therefore none of my IPv6 devices are getting an IPv6 address.
I'm pretty sure I must have something set incorrectly. Any ideas?
-
Is the ISP modem in bridge mode? If so, pfsense should be receiving a public IP address on the WAN.
-
@mcury
There is no ISP modem. It's just a straight fiber run to the house, a fiber to Ethernet converter, then Ethernet straight to the router.
IPv4 is fine.
-
@mitch-rapp Are you getting an IPv6 address?
Is your WAN IPv6 interface configuration set to DHCP?
-
@mcury
Yes.
However, under Status, Gateways, WAN_DHCP6 is "pending."
-
@mitch-rapp My IPv6 knowledge is weak unfortunately, so I'm not the best guy to explain to you how it works or how you should configure it.
I know that my provider is using DHCP and not SLAAC, and that they only give me a /64, which means that I can use IPv6 in only one network..
You would have to try different settings there, or call your provider to see how it should be configured. Or maybe someone else here in the forum could assist you in that..
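As an added illustration of two points mcury makes earlier in the thread (a Deco in router mode hides its clients behind 10.28.28.2, and only same-VLAN traffic stays on the switch while everything else shares the single 1Gbps pfsense port), here is a small Python model; it is not code from the thread or from pfSense, and the flow speeds and the 203.0.113.10 remote address are constructed.

```python
import ipaddress

# VLANs as laid out in the thread: VLAN27 is the wired LAN, VLAN28 is the
# Wi-Fi network behind the Decos. Both hang off the TL-SG108E and use
# pfsense as their default gateway over a single 1 Gbps port.
VLANS = {
    27: ipaddress.ip_network("10.27.27.0/24"),
    28: ipaddress.ip_network("10.28.28.0/24"),
}
PFSENSE_PORT_MBPS = 1000
MAIN_DECO_IP = ipaddress.ip_address("10.28.28.2")  # main Deco, from the thread


def vlan_of(ip):
    """Return the VLAN id of an address, or None for anything off-net (Internet)."""
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, net in VLANS.items() if addr in net), None)


def path(src, dst):
    """Same VLAN: the switch forwards the frame itself. Different VLAN or the
    Internet: the packet must go to the gateway, i.e. across the pfsense port."""
    s, d = vlan_of(src), vlan_of(dst)
    return "switch" if s is not None and s == d else "pfsense"


def pfsense_port_load(flows):
    """Sum the Mbps of every (src, dst, mbps) flow that crosses the pfsense
    port, to compare against PFSENSE_PORT_MBPS."""
    return sum(mbps for src, dst, mbps in flows if path(src, dst) == "pfsense")


def source_seen_by_pfsense(client_ip, deco_in_router_mode):
    """A Deco in router mode NATs its clients, so pfsense rules and logs only
    ever see the Deco's address; in AP mode the client's own IP arrives."""
    return MAIN_DECO_IP if deco_in_router_mode else ipaddress.ip_address(client_ip)


# Constructed scenario from mcury's post: one VLAN28 client copying a file to
# a VLAN27 server while three other VLAN28 clients download from the Internet
# (203.0.113.10 is a documentation address standing in for any remote host).
SCENARIO = [
    ("10.28.28.50", "10.27.27.10", 600),
    ("10.28.28.51", "203.0.113.10", 200),
    ("10.28.28.52", "203.0.113.10", 200),
    ("10.28.28.53", "203.0.113.10", 200),
]

if __name__ == "__main__":
    load = pfsense_port_load(SCENARIO)
    print(f"pfsense port: {load} Mbps needed, saturated={load > PFSENSE_PORT_MBPS}")
```

Moving the server into the same VLAN as its clients (for example Plex next to the TV in 10.27.27.0/24) makes `path()` return "switch" for that flow, so it no longer counts against the pfsense port at all.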