Interface + VLANs setup advice

4o4rh

@johnpoz
Hi John, i created a bridge for the separate LAN ports, so i can plug each switch directly into the quotom. they are only 8 port and 12 port netgears, but i need to free up some ports, which is why i got the 8 port qotom as an upgrade.

that approach also worked for the VLANs, but i am finding that increasing the total interfaces, causes the CPU to be running hotter even though the load is minimal (still on the bench)

some of the VLANs, i can isolate to upstairs or downstairs (thereby reducing a bridge + 1 vlan interface) that leaves me with the WIFI.

Currently i have 3 different access points, 2 connected to downstairs switch, 1 to upstairs.

I have internal WIFI network and a GUEST network.
I have them all setup with the same SSID and channel.
They are all on the same vlan (with the present setup) and work seemlessly.

with the new setup, i also bridged the vlans and it seems to work.

My question is;
if i put them on a separate vlan for upstairs and downstairs, will i still get seemless switching when moving between levels?

akuma1x

@gwaitsi said in Interface + VLANs setup advice:

that approach also worked for the VLANs, but i am finding that increasing the total interfaces, causes the CPU to be running hotter even though the load is minimal (still on the bench)

I think you're getting higher temperatures on your pfsense box because you are literally asking it do do everything on your network - switching, routing, firewalling, lagging, all of it. That's not normal for a router/firewall device on a small home computer network.

In my opinion, and I know you probably don't want to hear it, you don't have your network setup correctly.

johnpoz

@akuma1x said in Interface + VLANs setup advice:

you don't have your network setup correctly.

From these statement I would agree

@gwaitsi said in Interface + VLANs setup advice:

i created a bridge for the separate LAN ports

@gwaitsi said in Interface + VLANs setup advice:

i also bridged the vlans and it seems to work.

Generally speaking if your "bridging" your doing it wrong ;) If you need switch ports - get a switch.. While there are legit reasons to create a bridge, normally it would be when you need to change media types.. A typical legit reason for a "bridge" would be in say a AP, which is designed be a bridge from ethernet to wifi..

Seems like he bought a router with 8 discrete interfaces, just so he could use it as switch that he could of gotten for like $40...

I would like to see a drawing if this final setup - but yeah from comments of bridging I would say its not optimal at all..

4o4rh

@johnpoz here is my original/current network with a Qotom J1900 that runs with a temp of 47degC at 25% CPU utilization

The only additional packages to standard are pfblocker and suricata. everything works like a charm

J1900_Design.ndg.png

4o4rh

@johnpoz here is the new design, with the introduction of an additional managed switch for the IOT which has more than the 2 depicted.

i bridge the Lagg0/ProPOE/GS108 with the LAN 192.168.x.x/24 for the original LAN
i bridge the Lagg0/GS108 with the VLAN Home of the original 192.168.x.x/24
i bridge the Lagg0/GS108 with the VLAN WIFI of the original 192.168.x.x/24

according to the docs, the bridge will use spanning tree, so most of the traffic will go directly to the internet, but some will go to the server or home vlans.

the reason for 2 and 3 was to keep them backward compatible to not impact my windows /smb networking setup.

the IOT i made as 2 vlans and created an interface group to apply the rules to both
the VLAN GUEST i made as 2 vlans and created an interface group to apply the rules to both
WRK1/WRK2/MEDIA are single interface VLANS so backward compatible rule set
- media server will move into the SVR VLAN

as with the original, i have pfblocker and suricata plus ntopng. CPU utilization is at 5-10% with avg temp 50-55degC. increasing the number of interfaces makes the temp go up, by about 5deg as i added them in one by one and monitored.

On this config, there are 21 interfaces in total vs 15 of the J1900 config

i3_Design.ndg.png

4o4rh

@akuma1x see my current and upgrade designs. i am open to advice

4o4rh

@johnpoz Hey John, so i am wondering if this would be a better construct. would get rid of the lagg on the qotom, but don't see that it would help reduce the interfaces or firewall/routing greatly.

Media, home, wifi all pass to svrs through firewall rules only.
media, guest, DMZ/IOT/VOIP pass exclusively to internet
media/iot pass to svrs through firewall rules only.

i could reduce interfaces on the quotom for example by

vlan guest to only gs108 therefore 1st floor would switch through gs110 to gs108
vlan wifi to only gs110 therefore wifi ground/basement would switch through gs108 to gs110

what are your thoughts?

2022-03-22 18_43_11-C__Users_Stevo_OneDrive_Documents_i3_Designv2.ndg.png

johnpoz

@gwaitsi looks like a LOOP to me with that purple line connecting gs108t and your gs110

I would never do it like that.. I would never bridge on my router - get switch.. That becomes the distribution layer.

If your cameras are writing to your nas - I would put them in the same vlan, or your routing all that traffic.. And your hairpinning the traffic over physical interface. I take it purple is trunk.

If you want to firewall routing. Then you should have multiple interfaces as uplinks.. I would put in a switch where your router is.

Something like this..

And then use different physical interfaces for your different vlans - x y and z.. So your not haiprinning traffic over a physical interfaces and your not bridging across interfaces.

You understand in a bridge all traffic will be sent across all of those interfaces. The performance of a software bridge is never going to be the same a switch..

As I stated before and posted typical core, distribution, access layer model. If you have lots of traffic flowing between your switches, or even between vlans, etc. You could lagg where needed to provide for more bandwidth, etc. between multiple devices talking to each other, etc.

Be that a lagg for vlan X to your router and then laggs for your trunks between switches, etc.

If you can not home run all your switches to your distribution layer, then you can daisy chain some of them like this

4o4rh

@johnpoz thanks for the thoughts.

the cameras although they write to zoneminder, also write to addresses in China...like most stuff from there ;-)
same witht the IoT stuff like doorbells, etc.

That's why I have the servers on an isolated vlan so i can control what goes to them.
Same with the media stuff. i have a samsung bluray which loves to talk to russia and has most likely been backdoored. Sat boxes, playstation, etc. i keep them isolated on only allow certain boxes to reach the media server.

in summary, everything has to pass through the firewall to get out, or to get to an allowed internal device. i block all out going traffic and only allow based on rules too.

the purple, i currently have bridged as LAN which is only used as mgmt lan to each device. everything else is on a vlan and the switches are all L3 managed switches. so the alternative is to go back to a 192.168.x.x/26 for each interface or a 192.168.x.x/22

johnpoz

@gwaitsi said in Interface + VLANs setup advice:

are all L3 managed switches.

But your not using them for routing - your using them as just layer 2, ie your vlans.

I get why you want to isolate the stuff, but bridging at pfsense is a horrible idea.. especially if your going to bridge every interface for all your vlans.

Bite the bullet and get a switch to use.. Some $40 8 port gig smart switch would give you say 4 ports for your vlans to pfsense and 4 runs to to your access port switches, etc.

Or get a 16 port switch to allow for more growth, or more vlans... Trying to leverage your router as a switch via bridging is not a solution to anything..

8 port prob work just fine since you could trunk some vlans onto same physical - the vlans that don't do a lot of talking to each other.. And the vlans that do a lot of intervlan talking - put them on their own physical..

4o4rh

@johnpoz i think that is what i was suggesting in the 2nd setup.

e.g. wifi/guest vlans on the gs110 pass on the interface to the gs108 (netgear) which then pass on the single interface to pfsense. there won't be loops because they both support spanning tree. so in effect the vlans will be on cascaded switches.