1 switch, 2 pfsense boxes is this possible?
-
Not sure why your requirement for (2) physical pfSense boxes exists.
I'm not that familiar with pfSense. There are still a lot of unknowns for me to understand.
You can accomplish all of that with a single pfSense box with (2) NICs as long as your switch supports VLANs. Or if your switch doesn't support VLANs, then you could do it with a (3) NIC pfSense box.
(Switches that support VLAN are not expensive, I use a Netgear GS108T.)
I didn't know this. Can someone walk me through this? I've been reading about VLANs and I'm having a hard time translating it into layman's terms… I guess that's too advanced for me. Let's scratch the smart switches and the smart WiFi routers (they're expensive here).
pfSense can be configured to offer up different DHCP settings for each physical network (or VLAN).
pfSense can be used to control the flow of packets (what is / is not allowed) between the physical networks or VLANs.
Wireless Access Points should generally not be configured as DHCP servers (let the pfSense DHCP server handle that).
Noted.
If you are using (4) WAPs in order to get coverage across a large area, then all can use the same SSID, but each on a different channel, and all can use the same WPA2-PSK password.
Is this possible with 4 different types of WiFi routers? TP-Link, Tenda, D-Link and Linksys… hahaha
When I arrived in this office this is what they got...
An example network with VLANs:
ISP -> WAN port -> pfSense -> internal port -> switch
Two VLANs defined in pfSense and also on the network switch:
#101 - Guest WiFi 192.168.101.0/24, DHCP .10-.250
#250 - Internal wired LAN 192.168.250.0/24, DHCP .10-.250
If the WiFi points are "dumb" (don't understand VLANs) then you give them an address in the 192.168.101.0/24 range (usually .2, .3, .4, etc) and plug them into the switch on a port that is a member of VLAN #101.
Wired LAN devices get plugged into ports on the switch which are flagged for the LAN VLAN.
If your WiFi access points are "smart" and understand VLANs, you can do more advanced things like use the same physical AP to service both guests and internal users, with different SSIDs and WPA2 passwords, with the traffic being tagged to the appropriate VLAN before leaving the AP.
The switches are dumb… so are the WiFi routers...
I'm wondering what would be the best setup then?
ISP (WAN/nic1) -> PFSENSE1 (LAN/nic2) #250 -> Dumbswitch1 (DHCP1 for LAN) and
PFSENSE1 (LAN2/nic3) #101 -> Dumbswitch2 (DHCP2 to LAN): Wireless routers (not WAN: you said we won't let them broadcast and let pf do it)
101.1, 101.2, 101.3, and 101.4
I was wondering how the DHCP Server tabs in the pfSense GUI would look?
[WAN][LAN][LAN2]? Or should I call LAN2 VLAN?
And for the captive portal, it can be set to only LAN2, right?
Sorry, I'm not familiar with the terminology.
I'm configuring an existing, hand-me-down, running 24/7 network with me having little knowledge of networking…
Thank you so much for the reply.
-
Is this possible with 4 different types of WiFi routers? TP-Link, Tenda, D-Link and Linksys… hahaha
When I arrived in this office this is what they got...
Yes, it should work. Set all the SSIDs as similar as possible on all devices. (WPA2-only/AES, etc.)
And for the captive portal, it can be set to only LAN2, right?
Yes. A Captive Portal instance can listen on one or more interfaces. Other interfaces are unaffected.
I'm configuring an existing, hand-me-down, running 24/7 network with me having little knowledge of networking…
Sounds like someone somewhere doesn't care if their network actually works. Must not be that important to operations. I'd feel free to take it down if you need to.
-
Heh, the GS108T serves the purpose for now, and it was only $80 or so. I would go Cisco/HP for anything truly mission critical, but that gets up into the $25-$50 per port range. But you can usually find a basic "smart" switch (not managed) that still supports VLANs for $10/port.
WiFi APs that talk VLANs start around $125-$150 in the USA (EnGenius ECB600, etc.). Business grade APs get up into the $300-$500 range, but usually last longer and don't require frequent reboots. Usually…
Different WiFi APs, all set to the same SSID and same WPA2-PSK password work fine together. Just make sure to put them on separate channels and get a tool like "WiFi Analyzer" on your Android phone. Or some similar tool on an iPhone. That will teach you about channel overlap and why people only use channels 1/6/11 in the 2.4GHz band.
For interface names, I suggest:
WAN
LAN
WIFI (rather than LAN2)
The pfSense box will require (3) NICs. The WAN goes to your ISP modem.
You'll need a cable to go from the WIFI port on the pfSense box to a switch which is only connected to the (4) WiFi APs. Without VLAN support on the switches, you have to physically separate the networks.
You'll then need a second physical switch to support your internal LAN clients. All the internal clients will have to connect to that switch.
As Derelict says, you can put the captive portal on only the WIFI access port.
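The "channels 1/6/11" advice above follows from the channel spacing in the 2.4 GHz band. The following is an added example, not code from the thread or from any of the posters: it computes channel center frequencies (2407 MHz + 5 MHz per channel, channel 14 at 2484 MHz), treats two channels as overlapping when their centers are closer than one channel width (22 MHz is assumed, the classic 802.11b/g figure), picks the non-overlapping set, and spreads the thread's four APs across it. The AP names are just labels taken from the thread; the width constant and the round-robin assignment are this example's own choices.

```python
# Added example (not from the thread): why 2.4 GHz only yields three
# non-overlapping channels (1/6/11) and how to spread several APs over them.
from itertools import cycle

CHANNEL_WIDTH_MHZ = 22  # assumption: classic 802.11b/g DSSS channel width


def center_frequency_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel (channel 14 is the outlier)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a: int, b: int, width: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < width


def non_overlapping_channels(candidates=range(1, 14), width: int = CHANNEL_WIDTH_MHZ):
    """Greedy pick of mutually non-overlapping channels, lowest channel first."""
    chosen = []
    for ch in candidates:
        if all(not channels_overlap(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen


def assign_channels(ap_names, width: int = CHANNEL_WIDTH_MHZ) -> dict:
    """Round-robin the APs over the clean channels. With more APs than clean
    channels one channel is reused, so those two APs should be the ones
    placed farthest apart."""
    clean = non_overlapping_channels(width=width)
    return dict(zip(ap_names, cycle(clean)))


if __name__ == "__main__":
    # The four AP brands mentioned in the thread, used only as labels.
    plan = assign_channels(["tp-link", "tenda", "dlink", "linksys"])
    for ap, ch in plan.items():
        print(f"{ap:8s} -> channel {ch} ({center_frequency_mhz(ch)} MHz)")
    print("non-overlapping set:", non_overlapping_channels())
```

With a 22 MHz width the greedy pick returns [1, 6, 11]; with a 20 MHz width (pure OFDM) it returns [1, 5, 9, 13], which is why some regions outside the USA use a four-channel plan. A WiFi analyzer app, as suggested above, shows the same overlap visually.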
-
Heh, the GS108T serves the purpose for now, and it was only $80 or so. I would go Cisco/HP for anything truly mission critical, but that gets up into the $25-$50 per port range. But you can usually find a basic "smart" switch (not managed) that still supports VLANs for $10/port.
The Cisco (Small Business) SG200-08 is typically within about $5-$10 of the Netgear GS108T. I've used both and given a choice would take the Cisco.
-
My biggest problem with the Cisco small business switches is the huge power brick. For basic VLAN/sort-of-managed switches I prefer the little d-links (DGS-1100-08) for that single reason.
-
I connect two pfSense boxes, each with a public IP from my service provider, as shown.
-
To all masters,
Thanks for the replies. I'll try everyone's suggestions this weekend.
I just hope there's a simulator I could use to test things out first.
I'll be trying gtharold's suggestion first, since the purchases I requested are, I don't know why, still pending.
I have to explain to everyone from the operations manager to the purchasing/finance dept what the purpose is and what the devices do. This is just a small office and I'm already starting to hate it hahaha
I have a question though.
If I'll be using Lan1 and Lan2, and the 4 routers will be linked to Lan2,
and the printer is inside Lan1 but the users are in Lan2-wireless, will they be able to connect to the printer?
Will my dumb switch and dumb wireless routers be capable of communicating back and forth?
-
You'll need to set up firewall rules on the pfBox to allow communication between the LAN1 subnet and the LAN2 subnet. You can just set up an allow all firewall rule from LAN1 -> LAN2 on the LAN1 interface, then set up another allow all rule from LAN2 -> LAN2 on the LAN2 interface.
If you want a bit more security between the two networks then you will need to identify what protocols should be allowed to cross the boundary between the two networks. That can be a multi-week process as you identify protocols that you didn't know about.
What I usually do is set up the following rule set when working on LAN network egress rules (i.e. rules that are defined on the LAN interface in pfSense where the "origin" is always "LAN network").
#1 - Is almost always the pfSense anti-lockout rules
#9998 (always the second to last rule) - is an allow-all rule with logging turned on
#9999 (always the last rule) - is a deny-all rule with logging turned on
Then I start to watch the firewall log for the LAN interface and see what sort of packets are being passed by the allow-all rule. As I identify patterns, I create rules in the #2-#9001 positions that PASS that traffic. For example:
#2 Proto:IPv4 TCP/UDP Src:LAN net Port:1024-65535 Dest:* Port:80 Gateway:* Queue:none
That rule allows HTTP 80 over TCP or UDP out of the LAN network and to anywhere else. It has no logging, so now HTTP traffic over port 80 no longer appears in the firewall logs.
Repeat the process until you think you have all of the ports identified, then disable (not delete) the "allow-any" rule and see whether everything still works. If not, re-enable the "allow-any" rule and go look at the firewall logs and create more rules.
-
I'm configuring an existing, hand-me-down, running 24/7 network with me having little knowledge of networking…
This always confuses the hell out of me… Why are you doing it - if you don't understand what you're doing? So you're the one guy in the office that has a WiFi router at home so you're the IT guy?
You keep mentioning WiFi routers.. You're going to be using them as APs, right?.. Any SOHO WiFi router can be used as just an AP, does not matter what cheap ass home model you think you can run a business with ;) Turn off their DHCP, connect them to your network via a LAN port, change their LAN IP to be on the network you connect them to. There you go, $20 AP..
I would really look to getting at min some smart switches.. They can be had very cheap.. You don't need a Cisco Nexus 7k ;) You can for sure find smart switches under $100 USD.. What part of the world are you in?
-
http://www.amazon.com/MikroTik-CRS125-24G-1S-RM-rackmount-enclosure-manageable/dp/B00I4QJSIM/ref=sr_1_21?ie=UTF8&qid=1436292362&sr=8-21&keywords=mikrotik+routerboard
One example of an inexpensive smart switch. This brute does way too much for so little. I just picked one up to test, and will roll it out to my test LAN in a few days.
-
I just picked one up to test
I would love to hear your opinions on it once your testing is complete.
RouterOS gateway/firewall/VPN router with passive cooling
So it's got vents then?
-
I'm configuring an existing, hand-me-down, running 24/7 network with me having little knowledge of networking…
This always confuses the hell out of me... Why are you doing it - if you don't understand what you're doing? So you're the one guy in the office that has a WiFi router at home so you're the IT guy?
Precisely. I'm IT support staff. I only repair computers and laptops, install software… we used to be a 2-man team:
A network administrator (AWOL)
IT support staff (me)
Since I have basic to no knowledge of Linux, BSD, and networking, I became both.
I know I don't need to master everything, just how things work and where to look if needed.
You keep mentioning WiFi routers.. You're going to be using them as APs, right?.. Any SOHO WiFi router can be used as just an AP, does not matter what cheap ass home model you think you can run a business with ;) Turn off their DHCP, connect them to your network via a LAN port, change their LAN IP to be on the network you connect them to. There you go, $20 AP..
Noted.
I would really look to getting at min some smart switches.. They can be had very cheap.. You don't need a Cisco Nexus 7k ;) You can for sure find smart switches under $100 USD.. What part of the world are you in?
I'm from the Philippines… unfortunately.
As for the purchases, the company is on a really tight budget. And I already raised the issue even to the operations manager. All he said was:
"if the old device is still working, I don't see why we have to get a new one? the internet is working. the problem is that it's just too slow. when the IT admin was here it was working great. maybe the problem is on your side, check your configuration, maybe you clicked on something you shouldn't have."
I was just wow... I want to just... smash the APs with a sledgehammer and leave. But I want to fix things first before that, I might learn something while I'm doing it. hahaha After that I'm leaving this hell hole.