Help with Setup
-
Hello!
I'm trying to upgrade my Wi-Fi 5/1GbE network based on OpenWRT to a Wi-Fi 6/2.5GbE one based on pfSense and TP-Link Omada APs... I'm having trouble setting up my network on pfSense and need some help!
Currently, I have 3 router/AP devices running OpenWRT... The main device has 3 LAN ports and 1 WAN port, and the ports are attached like this:
WAN <-> ISP Modem
LAN1 <-> OpenWRT AP2 <-> OpenWRT AP3 <-> (lan/iot/guest WLAN's)
LAN2 <-> LAN Switch <-> LAN Devices
LAN3 <-> IoT Switch <-> IoT Devices
On the 3 APs I have 3 wireless LANs: LAN, IoT and Guest.
I recently bought one of those mini PCs with 4 2.5GbE ports and a TP-Link Omada EAP670, and I'm trying to make something like what I have now on the new network... What I'm trying to set up is:
igc0 (WAN) <-> ISP Modem
igc1 (LAN1) <-> TP-Link AP EAP670 <-> (lan/iot/guest WLAN's)
igc2 (LAN2) <-> LAN Switch <-> LAN Devices & OpenWRT AP2 <-> OpenWRT AP3 <-> (lan/iot/guest WLAN's)
igc3 (LAN3) <-> IoT Switch <-> IoT Devices
I'm trying to make 3 networks (LAN, IoT and Guest) and want the WLANs to match their respective network... Also, my switches are 1GbE unmanaged, and I hope to connect the TP-Link AP directly to igc1, as both are 2.5GbE...
Is there a way to accomplish that?
Thanks!!!
-
@dsduarte Well, it's possible, but not in the way you have depicted.
What you should do is buy a VLAN-capable switch. Using unmanaged switches is fine as long as they only carry one network.
But you have 3 different networks, and that means you need to carry the 3 different networks as VLANs to every AP - doing that through an unmanaged switch is a no-go if that switch has any clients or other devices than uplinked APs (because those devices can see all networks - and will get all broadcasts on all VLANs). And even doing only uplinked APs is a VERY bad network design solution, because the switch really should be VLAN-capable - there is no telling beforehand if everything will work correctly when tagging VLANs onto an unmanaged switch.
So get a VLAN-capable switch with at least 4x2.5Gbit ports and however many 1Gbit ports you need - and do this design:
igc0 (WAN) <-> ISP Modem
igc1 (Join LAGG0 with igc2)
igc2 (Join LAGG0 with igc1)
LAGG0 = Link Aggregation = 5Gbit uplink
VLAN 10 = LAN
VLAN 11 = IOT
VLAN 12 = GUEST
Assign the three VLANs as interfaces on LAGG0, create a similar 2-port LAG on your new switch, and assign VLANs 10-12 to that LAG.
You now have a switch where APs, clients and everything else can be connected - it's only a matter of what VLANs you assign to each interface in the switch, and speed will never be an issue compared to before.
-
@keyser I see...
My problem is the 2.5GbE VLAN-capable switch... I live in Brazil and I can't find a device here that doesn't cost a kidney :p!
I'm thinking of buying a VLAN managed 1GbE switch and a 2.5GbE unmanaged switch and doing it like this:
igc0 (WAN) <-> ISP Modem
igc1 (LAN1) <-> 2.5GbE Switch <-> TP-Link AP EAP670 <-> (lan/iot/guest WLANs)
                2.5GbE Switch <-> 1GbE Managed Switch <-> OpenWRT APs <-> (lan/iot/guest WLANs)
                1GbE Managed Switch <-> IoT & LAN devices tagged by port.
I believe this way, if I can get the config right, all packets will pass through the 2.5GbE switch with the correct VLAN tag.
-
@dsduarte said in Help with Setup:
I live in Brazil and I can't find a device here that doesn't cost a kidney :p!
Dude, I got one on AliExpress for 300 reais, I got one of these:
TP-Link TL-SH1005 switch, R$ 371,95
It's an unmanaged switch that works just fine.. 5 ports, but there's an 8-port version there too..
The problem is that Remessa Conforme started, right, so you can imagine the price must be double that now..
Edit: I went and searched again and, man, the taxes are practically buying one for yourself and another for the government.. almost 100%...
-
@mcury said in Help with Setup:
TL-SH1005
nice... I'm thinking of getting this one:
https://pt.aliexpress.com/item/1005005423909745.html?spm=a2g0o.productlist.0.0.79cf12ed5poSP0&mp=1&gatewayAdapt=glo2bra
it's US$49.49 and stays within the quota... for the lower tax.
-
@dsduarte said in Help with Setup:
@mcury said in Help with Setup:
TL-SH1005
nice... I'm thinking of getting this one:
https://pt.aliexpress.com/item/1005005423909745.html?spm=a2g0o.productlist.0.0.79cf12ed5poSP0&mp=1&gatewayAdapt=glo2bra
it's US$49.49 and stays within the quota... for the lower tax.
Dude, I'd take the risk; worst case you list it on Mercado Livre..
And hurry up, because the dollar could go up a little and make it unfeasible for you, huh.. lol
An unmanaged switch is hard to get wrong; there's no firmware or update, it either works or it doesn't...
-
@mcury but the dollar's exchange rate doesn't matter... what counts is the value in dollars... if it goes over 50 dollars, that's when things get ugly!
-
@dsduarte said in Help with Setup:
but the dollar's exchange rate doesn't matter... what counts is the value in dollars... if it goes over 50 dollars, that's when things get ugly!
hmm, that's a good point, I have to say you've got me wondering now..
really, thinking about it, I don't know what happens if the dollar goes up, since in theory it only went up relative to the Real, right..
-
@mcury said in Help with Setup:
I have to say you've got me wondering now..
really, thinking about it, I don't know what happens if the dollar goes up, since in theory it only went up relative to the Real, right..
The Remessa Conforme rule applies up to US$50.00... the dollar's value in reais doesn't affect that... anyway, I bought that one... it came to R$294,98 on the card.
-
@dsduarte said in Help with Setup:
it came to R$294,98 on the card.
dude, for a 2500Gbps switch, that's great..
When it arrives, remember to come back to this thread and say how it went, ok?
It will help other people in this situation.
-
Hi @keyser ...
I got a TP-Link TL-SG108E 1Gbit VLAN-capable switch and did something like you suggested:
pfSense device:
igc0 (WAN) <-> ISP Modem
igc1 (Join LAGG0 with igc2)
igc2 (Join LAGG0 with igc1)
VLAN 10 = LAN
VLAN 11 = IOT
VLAN 12 = GUEST
TP-Link Switch:
Port1 <-> LAG0
Port2 <-> LAG0
Port3 <-> EAP670 Access Point <-> (VLAN-10 SSID, VLAN-11 SSID and VLAN-12 SSID)
Port4 <-> OpenWRT-1 Access Point <-> OpenWRT-2 Access Point <-> (VLAN-10 SSID, VLAN-11 SSID and VLAN-12 SSID)
Port5 <-> LAN device
Port6 <-> LAN device
Port7 <-> LAN device
Port8 <-> IOT 1GBit Unmanaged Switch <-> IOT Devices
On the switch config, I made ports 1-7 VLAN 10 default and port 8 VLAN 11 default... I ordered a 2.5GB unmanaged switch that I intend to connect on Port5 and expand LAG0 with Port3<->igc3.
Everything on this setup is working as expected... well... there is something that is not working that is very strange:
When I plug a non-VLAN-aware device into Ports 3-7, the device successfully gets a LAN IP from the LAN DHCP server;
Those APs plugged into LAN ports get their LAN IPs from the LAN DHCP server;
When I plug a non-VLAN-aware device into Port 8, the device successfully gets an IoT IP from the IoT DHCP server;
When I connect a WLAN device to the VLAN-10 SSID, VLAN-11 SSID or VLAN-12 SSID, the device gets an IP from the respective DHCP server.
Now, what is strange is that, for testing, besides the VLAN-10 SSID, VLAN-11 SSID and VLAN-12 SSID, I created a non-VLAN SSID, and a device connected to that non-VLAN SSID does not get an IP from either DHCP server... In the pfSense DHCP logs I can find the DHCP request on LAGG0.10, but the response apparently is not reaching the device...
Well... when I started this long text I did not have any idea why connecting to the non-VLAN SSID was not working... now I think it's probably because the packets are reaching the AP tagged with VLAN 10 and there is no rule for that on the AP...
So, I'll keep this here in case someone finds this thread looking for answers!!
-
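The following Python script is an added illustration, not code from the thread or from pfSense/TP-Link: it models how a VLAN-aware switch port classifies frames on ingress (untagged frames go to the port's PVID) and re-encapsulates them on egress (tagged or untagged, according to membership), then replays the non-VLAN SSID round trip from the post above. The MAC addresses, the DHCP payloads and the two candidate port configurations (VLAN 10 egressing untagged versus tagged on the AP port) are constructed assumptions, not the poster's actual TL-SG108E settings.

```python
"""Model of 802.1Q ingress/egress on a VLAN-aware switch port (illustrative, not vendor code).

Constructed scenario: an AP sends an untagged DHCP request on a port whose PVID is 10.
Whether the reply comes back untagged depends on how VLAN 10 egresses on that port.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed MAC addresses for the demo (not real devices).
BCAST = bytes.fromhex("ffffffffffff")
CLIENT = bytes.fromhex("02000000aa01")   # wireless client behind the AP
FW_MAC = bytes.fromhex("02000000fe01")   # firewall's lagg0 MAC


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble an Ethernet II frame; insert an 802.1Q tag (TPID 0x8100 + TCI) when vid is given."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst, src, vid or None if untagged, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, tpid, frame[14:]


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                               # VLAN assigned to untagged ingress frames
    tagged: frozenset = frozenset()         # VLANs sent out of this port with a tag
    untagged: frozenset = frozenset()       # VLANs sent out of this port with the tag stripped

    def ingress(self, frame: bytes):
        """Classify a received frame into a VLAN, or drop it (None) if the port is not a member."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        if vid is None:
            vid = self.pvid                 # untagged -> native/PVID VLAN
        elif vid not in self.tagged and vid not in self.untagged:
            return None                     # tagged with a VLAN this port does not carry
        return vid, (dst, src, ethertype, payload)

    def egress(self, vid: int, fields) -> Optional[bytes]:
        """Re-encapsulate for this port: strip or keep the tag according to membership."""
        dst, src, ethertype, payload = fields
        if vid in self.untagged:
            return build_frame(dst, src, ethertype, payload)
        if vid in self.tagged:
            return build_frame(dst, src, ethertype, payload, vid=vid)
        return None                         # port is not in that VLAN at all


def forward(in_port: Port, out_port: Port, frame: bytes) -> Optional[bytes]:
    """One hop through the switch: ingress classification, then egress encapsulation."""
    classified = in_port.ingress(frame)
    if classified is None:
        return None
    vid, fields = classified
    return out_port.egress(vid, fields)


def round_trip(ap_port: Port, trunk_port: Port, request: bytes) -> Optional[bytes]:
    """Request from the AP port to the firewall trunk; the firewall answers on the VLAN it
    received the request on (as pfSense does on lagg0.10/.11/.12). Returns the frame the AP
    finally receives, or None if it was dropped on the way."""
    to_firewall = forward(ap_port, trunk_port, request)
    if to_firewall is None:
        return None
    _dst, src, vid, ethertype, _payload = parse_frame(to_firewall)
    reply = build_frame(src, FW_MAC, ethertype, b"DHCP-OFFER", vid=vid)
    return forward(trunk_port, ap_port, reply)


# Assumed switch configuration (not the poster's actual TL-SG108E config).
TRUNK = Port("port1-to-lagg0", pvid=1, tagged=frozenset({10, 11, 12}))
AP_HYBRID = Port("port3-vlan10-untagged", pvid=10, tagged=frozenset({11, 12}), untagged=frozenset({10}))
AP_ALL_TAGGED = Port("port3-all-tagged", pvid=10, tagged=frozenset({10, 11, 12}))

# Constructed requests: one untagged (non-VLAN SSID), one tagged 11 (IoT SSID).
UNTAGGED_REQ = build_frame(BCAST, CLIENT, ETHERTYPE_IPV4, b"DHCP-DISCOVER")
IOT_REQ = build_frame(BCAST, CLIENT, ETHERTYPE_IPV4, b"DHCP-DISCOVER", vid=11)


def describe(frame: Optional[bytes]) -> str:
    if frame is None:
        return "dropped"
    vid = parse_frame(frame)[2]
    return "untagged" if vid is None else f"tagged VLAN {vid}"


if __name__ == "__main__":
    for port in (AP_HYBRID, AP_ALL_TAGGED):
        print(f"{port.name}: untagged request -> reply {describe(round_trip(port, TRUNK, UNTAGGED_REQ))}")
        print(f"{port.name}: VLAN 11 request  -> reply {describe(round_trip(port, TRUNK, IOT_REQ))}")
```

With VLAN 10 as an untagged member of the AP port the untagged request is answered untagged, which is what an SSID bridged to the AP's untagged interface can consume; with VLAN 10 only as a tagged member the request is still classified into VLAN 10 by the PVID, reaches the firewall, and the answer comes back tagged 10, which that SSID never sees. The tagged VLAN 11 request works in both configurations.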
@dsduarte ?? Why would you connect a 2.5Gbit switch to port 5 on a 1Gbit switch? Unless it's for all LAN-capable devices to have higher bandwidth between themselves, it will not help in terms of uplink to the firewall.
Regarding LAGGs: they are not load balancing on a packet level, but on a CLIENT/SERVER connection basis, so adding three ports to a LAGG will not increase bandwidth further unless several clients are all attempting to use the uplink simultaneously (each at 1GbE). Any one single client can only ever get 1Gbit through in a session on the LAGG.
Regarding the no-VLAN SSID - you should always expect issues when using different vendors' equipment and attempting to use a "default VLAN" (untagged frames) on a switch port in trunk mode. This is generally the case because the receiving device needs to have the same understanding of which VLAN is considered native. Otherwise it does not accept frames both tagged and untagged into the same VLAN (the native one), and it needs to do that for your experiment to work.
-
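The script below is an added example, not from the thread or from FreeBSD's lagg(4): it models the per-flow behaviour described in the previous reply, where a LAGG hashes each packet's L2/L3/L4 headers to pick a member link, so every packet of one flow takes the same link and a single flow never exceeds one member's speed. The hash (a truncated SHA-256 over the flow key) is a stand-in for the driver's real hash, the max-min fair sharing of a link is a simplification, and the clients' MAC and IP addresses are constructed.

```python
"""Why a LAGG of 1GbE members does not give one client more than 1Gbit (illustrative model).

Assumptions (not the lagg(4) implementation): flows are pinned to a member link by a hash
of their addresses and ports, and flows sharing a link split it max-min fairly.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    demand_gbps: float      # what the endpoint could push if the link were not the limit


def member_link(flow: Flow, n_links: int) -> int:
    """Pin a flow to one member link: the same addresses/ports always hash to the same link."""
    key = "|".join(str(v) for v in (flow.src_mac, flow.dst_mac, flow.src_ip,
                                    flow.dst_ip, flow.src_port, flow.dst_port)).encode()
    digest = hashlib.sha256(key).digest()    # stand-in for the driver's hash
    return int.from_bytes(digest[:4], "big") % n_links


def max_min_share(demands: Dict[Flow, float], capacity: float) -> Dict[Flow, float]:
    """Max-min fair split of one link's capacity among the flows pinned to it."""
    alloc: Dict[Flow, float] = {}
    remaining = capacity
    pending = sorted(demands.items(), key=lambda kv: kv[1])   # smallest demand first
    for i, (flow, demand) in enumerate(pending):
        fair = remaining / (len(pending) - i)
        alloc[flow] = min(demand, fair)
        remaining -= alloc[flow]
    return alloc


def lagg_throughput(flows: List[Flow], n_links: int, link_gbps: float = 1.0) -> Dict[Flow, float]:
    """Throughput each flow gets through a LAGG of n_links identical members."""
    per_link: Dict[int, Dict[Flow, float]] = {i: {} for i in range(n_links)}
    for flow in flows:
        per_link[member_link(flow, n_links)][flow] = flow.demand_gbps
    result: Dict[Flow, float] = {}
    for demands in per_link.values():
        result.update(max_min_share(demands, link_gbps))
    return result


def best_single_flow(flows: List[Flow], n_links: int, link_gbps: float = 1.0) -> float:
    """The most any one flow gets; never above link_gbps regardless of n_links."""
    return max(lagg_throughput(flows, n_links, link_gbps).values())


# Constructed traffic: one 2.5GbE client doing a single big transfer, plus six 1GbE clients.
BIG_CLIENT = Flow("02:00:00:00:aa:01", "02:00:00:00:fe:01", "10.10.0.50", "203.0.113.10", 50000, 443, 2.5)
SMALL_CLIENTS = [
    Flow(f"02:00:00:00:bb:{i:02x}", "02:00:00:00:fe:01", f"10.10.0.{100 + i}", "203.0.113.10",
         40000 + i, 443, 1.0)
    for i in range(6)
]

if __name__ == "__main__":
    for n in (1, 2, 3):
        thr = lagg_throughput([BIG_CLIENT] + SMALL_CLIENTS, n)
        print(f"{n} link(s): big client {thr[BIG_CLIENT]:.2f} Gbps, "
              f"aggregate {sum(thr.values()):.2f} Gbps over {n} Gbps of members")
```

Running it shows the aggregate rising with more members while the 2.5GbE client stays at 1 Gbit, which is the difference between uplink capacity for many clients and speed for one.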
@keyser connecting the 2.5Gbit switch to a 1Gbit port is only to pass through the tagging...
On the 2.5Gbit switch there would be one port to the 1GB VLAN switch, one to the EAP670 (2.5GB) and the other ports to other 2.5Gb devices... NAS, Proxmox server, etc...
And the LAG upgrade to 3 ports would be to increase throughput for pfSense <-> WAN.