Help me integrate pfSense into my existing network
-
If wireless is the problem - maybe a bit more detailed drawing. That current one just looks like a complete cluster F ;) Looks like you're double NATing for starters and then you show 192.168.1.1 public?
Are these networks you mention really on their own segments or VLANs - or are you just running 3 different address spaces over the same wire? So they are all broadcasting on the same wire? Which then goes out your wireless network?
You mention wired/wireless for 1 segment and then a student and then guest wireless.
How exactly do you plan on isolating these networks - I see you have a wireless controller. How many APs exactly - are you going to put those physically on the different segments, or are they going to just VLAN traffic based upon SSID?
Also for bandwidth issues, your phones are VoIP? You prob want to break that out to its own network; how much traffic over this phone system is office to office, or just local to the building?
Double NATing? Possibly. Probably, actually.
The existing network has a switch for 192.168.1.1 (on which are the Student and Public segments), but they're SSID-based (as is wireless Staff 172.10.0.).
There are 3 APs, all VLAN'd based on SSID. As for the phones, I'm still getting my head around them; until a few weeks ago I'd never worked with an office phone system. They live on their own network (which I didn't include in my original diagram).
-
It's beginning to sound like I have other things to work on before integrating pfSense into my network. I spoke with management today to find out why the network was setup as it is (as they'd hired the setup out) and basically management asked to make as few changes to the previous network as possible. But the old network had been added to and modified piecemeal over the years; I think it should have just been redesigned from the ground up.
If it's appropriate here, let's talk redesign instead. Keeping the essence of my proposed network diagram, I need to provide the following:
Staff subnet, wired and wireless
Student subnet, wired and wireless (I hadn't specified wired previously)
Public subnet, wireless
VoIP for the phones
I have the following hardware:
10 port PoE managed switch (SG 300-10P PoE)
3 access points, ZoneFlex 7363
Wireless controller (ZoneDirector 1100)
New gigabit managed switch (to be purchased to replace existing 10/100 gear)
10/1Mbps connection (which could be upgraded if the case can be made)
pfSense router
Cat5e for all cabling, to patch panel
Rather than addressing existing problems, it seems to me that a redesign is just easier. Is this a bad approach?
-
Nothing wrong with a redesign if it makes sense imho. Do you have Visio, I can make a network diagram for your perusal.
-
Nothing wrong with a redesign if it makes sense imho. Do you have Visio, I can make a network diagram for your perusal.
I do–that would be great. Thanks!
-
Decided to use gliffy.com just in case someone else comes by and reads this post later; maybe they can benefit from it as well.
Here is what I have come up with:
It's pretty straightforward and with your current configuration I don't think that it would be hard to implement. Your switches are Cisco but I believe they are Linksys rebranded as Cisco and I don't have much experience with them. What's nice about Cisco (and if your switches support this it would be great) is they have a protocol called VTP. What this allows you to do is create a VTP domain and give it a password. Then you would set all your switches to the same VTP domain and password. You can make your core switch the VTP domain server and you can set all the other switches to VTP clients. Now all you have to do is create the VLANs in your server and VTP will push the configurations to the clients, which makes configuration a lot easier. Then you can prune your VLANs as necessary. Some people don't like VTP because if you are not careful you can wipe out your VLAN database, but all in all it makes life much easier.
Now if your switches don't support VTP then just make all the VLANs on your switches manually. I didn't include the LAGG ports, but any port going from your core switch to your access switches can be LAGG if your switches support this feature. If not, spanning-tree will kick in and put one of the ports into blocking mode (which basically disables it) until the main link goes down.
As far as configuration, you will have to make all the VLANs in pfSense and they will have to have the same numbers as the ones you created on your switches. They don't have to have the same name, but I recommend that you keep them consistent for sanity and that way anyone coming after you will be able to follow what's going on. Make sure you apply all those VLANs to the interface that you designate as the LAN port.
Once you do all that, just confirm that everything can talk to everything and everything is working. If it is, then I would start applying rules to pfSense to block things that you don't want to communicate, for example: make a rule so that the public VLAN can't communicate to any other network/subnet on your LAN.
Once all your rules are established and everything is working the way that you want then you can start thinking about adding a proxy server configuration to see if that speeds up your Internet, also you can use it for content filtering which is probably a good idea at a school.
Once all this is done you should be set and the only thing left is to talk your boss into upgrading your ISP connection to 100/100 or whatever fits into your budget.
As a side note, gigabit is good but not necessary unless you are transferring large files around your network. It's good that you are getting a gigabit switch and I would make that the core, but unless one of your switches dies or you need to buy more switches because your network is growing, 10/100 is fine. As things die I would replace them with gigabit as my strategy. You can even think about a rolling upgrade where you replace just a few pieces a year until your network is completely upgraded.
As far as management of all your gear, I would put them on their own network (VLAN) and call it management. When your network gets more mature and you start replacing/upgrading equipment you might want to think about putting the management VLAN on its own switch with maybe an access server and a secondary ISP connection just to have out-of-band management, but that is down the road and not necessary at the moment.
I welcome all comments; I think that this is a pretty straightforward design that shouldn't be hard to implement. I don't think you ever mentioned if your VoIP is running locally or if it's a hosted solution. If it is hosted then you may have to contact your provider to let them know of the changes you plan to make to see if there is something they need to do on their end.
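The "public VLAN can't talk to any other internal subnet" policy from the post above, written out as pf rules so the precedence is explicit. This is an added example, not the poster's diagram or pfSense's generated ruleset; the NIC names, VLAN IDs and RFC1918 table are assumptions, and on pfSense you would enter the equivalent rules per VLAN interface in the GUI rather than edit pf.conf.

```pf
# Added example: per-VLAN isolation policy for the proposed design.
# Assumed: em0 = WAN, em1 = trunk to the core switch, VLAN IDs as below.
wan        = "em0"
vl_staff   = "em1.10"   # VLAN 10  staff, wired + wireless
vl_student = "em1.20"   # VLAN 20  student, wired + wireless
vl_public  = "em1.30"   # VLAN 30  guest wireless
vl_voip    = "em1.40"   # VLAN 40  phones
vl_mgmt    = "em1.99"   # VLAN 99  switches, APs, ZoneDirector

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
nat on $wan inet from <rfc1918> to any -> ($wan)

# Default deny inbound on every interface; logged so gaps show up in the
# firewall log instead of silently failing.  "quick" rules below are
# first-match and override this.
block in log all
pass out quick all keep state

# Public/guest: DHCP and DNS to the firewall itself, then internet only.
pass  in quick on $vl_public proto udp from any port 68 to any port 67
pass  in quick on $vl_public proto udp from ($vl_public:network) to ($vl_public) port 53
block in quick log on $vl_public from any to <rfc1918>
pass  in quick on $vl_public from ($vl_public:network) to any

# Students: same shape as guest; nothing internal is reachable.
pass  in quick on $vl_student proto udp from any port 68 to any port 67
pass  in quick on $vl_student proto udp from ($vl_student:network) to ($vl_student) port 53
block in quick log on $vl_student from any to <rfc1918>
pass  in quick on $vl_student from ($vl_student:network) to any

# VoIP: phones get DHCP/DNS/NTP from the firewall and internet only.
pass  in quick on $vl_voip proto udp from any port 68 to any port 67
pass  in quick on $vl_voip proto udp from ($vl_voip:network) to ($vl_voip) port { 53 123 }
block in quick log on $vl_voip from any to <rfc1918>
pass  in quick on $vl_voip from ($vl_voip:network) to any

# Management: devices may only reach the firewall for DNS/NTP; nothing
# else originates from this VLAN.  Staff (below) is the only way in.
pass  in quick on $vl_mgmt proto udp from ($vl_mgmt:network) to ($vl_mgmt) port { 53 123 }
block in quick log on $vl_mgmt all

# Staff: full access, including the management VLAN.
pass  in quick on $vl_staff from ($vl_staff:network) to any
```

Because inter-VLAN traffic only ever crosses the firewall, the `block ... to <rfc1918>` line is what actually enforces the isolation; the trailing `pass ... to any` then only matches destinations outside private space.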
-
You haven't included the mystery 'port 67' device. ;)
Looks like a far more rational approach though. Did you find out anything more about that?
Steve
-
I welcome all comments, I think that this is a pretty straight forward design that shouldn't be hard to implement. I don't think you ever mentioned if your VoIP is running locally or if its a hosted solution. If it is hosted then you may have to contact your provider to let them know of the changes you plan to make to see if there is something they need to do on their end.
Thanks for this. Busy day here and an early weekend, so I won't be around terribly much until Monday. I'll spend some time with your diagram and report back with any comments or questions.
Voip is hosted locally.
-
You haven't included the mystery 'port 67' device. ;)
Looks like a far more rational approach though. Did you find out anything more about that?
Steve
Still haven't unplugged it. I assume it's phones related, but can't say yet. (Maybe it was just grandfathered in from whatever had been setup before–maybe it's never done a thing!)
-
I've had some time to go over the diagram you posted. There are a couple of elements that I'd have to change to make it work with my hardware due to a couple of limitations.
The first limitation is that my APs are PoE, and my only PoE provider is (currently) the 10-port managed switch. The wireless controller is a single port in, single port out; it can't handle the APs directly.
The other issue is capacity. Because my existing switches (except the 10-port PoE) are unmanaged, they can only handle traffic from one VLAN. One switch for students is fine; the other for servers is fine, but that leaves a few drops disconnected; they'll have to be routed through the other managed switch if I don't buy greater capacity. The simplest solution for that is buying two switches, a 48-port and a 24 (site limitations make that a true max capacity for physical connections). 2 managed switches instead of one would free up the 10-port to handle the APs (or APs and VoIP).
Is there a better solution than these mods?
-
Nothing wrong with that. You don't need managed switches; I just like them because they let you have more control of your network. I would just make sure that you only send untagged traffic to your unmanaged switches, although there are some unmanaged switches that can deal with tagged traffic. Typically unmanaged switches will not support LAGG and may not have spanning tree either, so be careful when running extra links between switches for redundancy.
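What "only untagged traffic to the unmanaged switches" looks like on the SG300-10P in this thread, as an added example rather than anything from the posters: the pfSense uplink and the AP ports are tagged trunks, the unmanaged student switch and the ZoneDirector get plain access ports. VLAN IDs, port numbers and the Sx300 CLI syntax (`vlan database`, `switchport mode access|trunk`, `interface range`) are assumptions; check them against your firmware's CLI guide.

```text
! Added example: SG300-10P port roles for the redesign (VLAN IDs assumed:
! 10 staff, 20 student, 30 public, 40 voip, 99 management).
configure terminal
vlan database
 vlan 10,20,30,40,99
exit

! gi1: trunk to the pfSense LAN port.  Every VLAN tagged, and VLAN 1
! removed so no untagged frames leak onto the firewall trunk.
interface gi1
 switchport mode trunk
 switchport trunk allowed vlan add 10,20,30,40,99
 switchport trunk allowed vlan remove 1
exit

! gi2-gi4: the three ZoneFlex APs.  Management is the untagged (native)
! VLAN so the AP itself lands on 99; the SSIDs are tagged per VLAN.
interface range gi2-4
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan add 10,20,30
 switchport trunk allowed vlan remove 1
exit

! gi5: uplink to the unmanaged student switch.  Access port, so the
! switch behind it only ever sees untagged VLAN 20 frames.
interface gi5
 switchport mode access
 switchport access vlan 20
exit

! gi6: ZoneDirector 1100, management VLAN only, untagged.
interface gi6
 switchport mode access
 switchport access vlan 99
exit
end
copy running-config startup-config
```

If the unmanaged switch ever needs a second VLAN, it needs to be replaced with a managed one on a trunk port; there is no way to hand it tagged frames and have it sort them.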