Netgate Discussion Forum
    1 switch, 2 pfsense boxes is this possible?

    General pfSense Questions
    18 Posts 9 Posters 3.1k Views
    • Derelict LAYER 8 Netgate

      is this possible with 4 different types of wifi routers? tp-link, tenda, dlink and linksys… hahaha
      when I arrived in this office this is what they got...

      Yes, it should work.  Set all the SSIDs as similar as possible on all devices.  (WPA2-only/AES, etc.)

      And for the captive portal, it can be set to only LAN2, right?

      Yes.  A Captive Portal instance can listen on one or more interfaces.  Other interfaces are unaffected.

      I'm configuring an existing, hand me down, running 24/7, network with me having little knowledge of networking…

      Sounds like someone somewhere doesn't care if their network actually works. Must not be that important to operations. I'd feel free to take it down if you need to.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • tgharold

        Heh, the GS108T serves the purpose for now, and it was only $80 or so.  I would go Cisco/HP for anything truly mission critical, but that gets up into the $25-$50 per port range.  But you can usually find a basic "smart" switch (not managed) that still supports VLANs for $10/port.

        Wifi AP's that talk VLANs start around $125-$150 in the USA (EnGenius ECB600, etc.).  Business grade APs get up into the $300-$500 range, but usually last longer and don't require frequent reboots.  Usually…

        Different WiFi APs, all set to the same SSID and same WPA2-PSK password work fine together.  Just make sure to put them on separate channels and get a tool like "WiFi Analyzer" on your Android phone.  Or some similar tool on an iPhone.  That will teach you about channel overlap and why people only use channels 1/6/11 in the 2.4GHz band.

        For interface names, I suggest:

        WAN
        LAN
        WIFI (rather than LAN2)

        The pfSense box will require (3) NICs.  The WAN goes to your ISP modem.

        You'll need a cable to go from the WIFI port on the pfSense box to a switch which is only connected to the (4) WiFi APs.  Without VLAN support on the switches, you have to physically separate the networks.

        You'll then need a second physical switch to support your internal LAN clients.  All the internal clients will have to connect to that switch.

        As Derelict says, you can put the captive portal on only the WIFI access port.

        • NOYB

          @tgharold:

          Heh, the GS108T serves the purpose for now, and it was only $80 or so.  I would go Cisco/HP for anything truly mission critical, but that gets up into the $25-$50 per port range.  But you can usually find a basic "smart" switch (not managed) that still supports VLANs for $10/port.

          The Cisco (Small Business) SG200-08 is typically within about $5-$10 of the Netgear GS108T.  I've used both and given a choice would take the Cisco.

          • Derelict LAYER 8 Netgate

            My biggest problem with the Cisco small business switches is the huge power brick.  For basic VLAN/sort-of-managed switches I prefer the little d-links (DGS-1100-08) for that single reason.

            • gjaltemba

              I connect two pfSense boxes, each with a public IP from my service provider, as shown.

              [attached image: modem.PNG]

              • daggero

                To all masters,

                Thanks for the replies. I'll try everyone's suggestions this weekend.
                I just hope there's a simulator I could use to test things out first.

                I'll be first trying tgharold's suggestion, since the purchases I requested are, I don't know why, still pending.
                I have to explain to everyone from the operations manager to the purchasing/finance dept what the purpose is and what the devices do. This is just a small office and I'm already starting to hate it hahaha

                I have a question though.
                If I'll be using LAN1 and LAN2, and the 4 routers will be linked to LAN2,
                and the printer is inside LAN1 but the users are in LAN2 (wireless), will they be able to connect to the printer?

                Will my dumb switch and dumb wireless routers be capable of communicating back and forth?

                • tgharold

                  You'll need to set up firewall rules on the pfSense box to allow communication between the LAN1 subnet and the LAN2 subnet.  You can just set up an allow-all firewall rule from LAN1 -> LAN2 on the LAN1 interface, then set up another allow-all rule from LAN2 -> LAN2 on the LAN2 interface.

                  If you want a bit more security between the two networks then you will need to identify what protocols should be allowed to cross the boundary between the two networks.  That can be a multi-week process as you identify protocols that you didn't know about.

                  What I usually do is set up the following rule set when working on LAN network egress rules (i.e. rules that are defined on the LAN interface in pfSense where the "origin" is always "LAN network"):

                  #1 - Is almost always the pfSense anti-lockout rule
                  #9998 (always the second-to-last rule) - is an allow-all rule with logging turned on
                  #9999 (always the last rule) - is a deny-all rule with logging turned on

                  Then I start to watch the firewall log for the LAN interface and see what sort of packets are being passed by the allow-all rule.  As I identify patterns, I create rules in the #2-#9001 positions that PASS that traffic.  For example:

                  #2 Proto:IPv4 TCP/UDP Src:LAN net Port:1024-65535 Dest:* Port:80 Gateway:* Queue:none

                  That rule allows HTTP 80 over TCP or UDP out of the LAN network and to anywhere else.  It has no logging, so now HTTP traffic over port 80 no longer appears in the firewall logs.

                  Repeat the process until you think you have all of the ports identified, then disable (not delete) the "allow-any" rule and see whether everything still works.  If not, re-enable the "allow-any" rule and go look at the firewall logs and create more rules.
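The "watch the log, find patterns, write PASS rules" loop above is easier if the log is summarised rather than read line by line. The script below is an added example, not from the post or the pfSense project: it parses pfSense filterlog CSV entries (field layout as documented for pfSense filterlog: rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, IPv4 header fields, then the TCP/UDP ports), keeps only the IPv4 TCP/UDP entries passed by the logging allow-all rule, and renders each observed protocol/port pair in the rule notation used above. The tracker id and log lines are constructed.

```python
"""Summarise what the logging allow-all rule is passing, so narrower PASS
rules can be written for it.  Added example; tracker id and log lines are
constructed, and the field positions follow the pfSense filterlog format."""
from collections import Counter

# Constructed: the tracker id pfSense assigned to our #9998 allow-all rule.
ALLOW_ALL_TRACKER = "1000009998"

# Constructed sample entries (syslog prefix already stripped).
SAMPLE_LOG = """\
5,,,1000009998,em1,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.2.10,93.184.216.34,51234,80,0,S,1:1,,65535,,mss
5,,,1000009998,em1,match,pass,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.2.11,93.184.216.34,51235,443,0,S,1:1,,65535,,mss
5,,,1000009998,em1,match,pass,in,4,0x0,,64,3,0,none,17,udp,78,192.168.2.10,192.168.1.1,50001,53,58
5,,,1000009998,em1,match,pass,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.2.12,192.168.1.20,51236,9100,0,S,1:1,,65535,,mss
6,,,1000009999,em1,match,block,in,4,0x0,,64,5,0,DF,6,tcp,60,192.168.2.12,198.51.100.7,51237,23,0,S,1:1,,65535,,mss
5,,,1000009998,em1,match,pass,in,4,0x0,,64,6,0,none,1,icmp,84,192.168.2.10,192.168.1.1,request,1234,1
"""


def parse_filterlog(line):
    """Return (tracker, action, proto, dst_ip, dst_port) for an IPv4 TCP/UDP
    entry, or None for anything else (IPv6, ICMP, malformed lines)."""
    f = line.strip().split(",")
    if len(f) < 22 or f[8] != "4":
        return None
    tracker, action, proto = f[3], f[6], f[16]
    if proto not in ("tcp", "udp"):
        return None
    return tracker, action, proto, f[19], int(f[21])


def summarize_allow_all(log_text, tracker=ALLOW_ALL_TRACKER):
    """Count (proto, dst_port) pairs that the allow-all rule passed."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec[0] == tracker and rec[1] == "pass":
            hits[(rec[2], rec[4])] += 1
    return hits


def suggest_rules(hits, min_hits=1):
    """Render each observed pair as a candidate PASS rule, in the notation
    used in the post, for a human to review before adding it."""
    return [f"Proto:IPv4 {p.upper()} Src:LAN net Port:1024-65535 "
            f"Dest:* Port:{d} Gateway:* Queue:none"
            for (p, d), n in sorted(hits.items()) if n >= min_hits]


if __name__ == "__main__":
    for rule in suggest_rules(summarize_allow_all(SAMPLE_LOG)):
        print(rule)
```

Feed it a real filterlog extract (e.g. the output of `clog /var/log/filter.log` with the syslog prefix cut off) and the counts show which ports are still riding the allow-all rule before you disable it.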

                  • johnpoz LAYER 8 Global Moderator

                    @daggero:

                    I'm configuring an existing, hand me down, running 24/7, network with me having little knowledge of networking…

                    This always confuses the hell out of me… Why are you doing it if you don't understand what you're doing?  So you're the one guy in the office that has a wifi router at home, so you're the IT guy?

                    You keep mentioning wifi routers.. You're going to be using them as APs, right?  Any SOHO wifi router can be used as just an AP; it does not matter what cheap-ass home model you think you can run a business with ;)  Turn off their DHCP, connect them to your network via a LAN port, change their LAN IP to be on the network you connect them to.  There you go, $20 AP..

                    I would really look at getting at minimum some smart switches.. They can be had very cheap.. You don't need a Cisco Nexus 7k ;)  You can for sure find smart switches under $100 USD..  What part of the world are you in?

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    • tim.mcmanus

                      http://www.amazon.com/MikroTik-CRS125-24G-1S-RM-rackmount-enclosure-manageable/dp/B00I4QJSIM/ref=sr_1_21?ie=UTF8&qid=1436292362&sr=8-21&keywords=mikrotik+routerboard

                      One example of an inexpensive smart switch. This brute does way too much for so little. I just picked one up to test, and will roll it out to my test LAN in a few days.

                      • KOM

                        I just picked one up to test

                        I would love to hear your opinions on it once your testing is complete.

                        RouterOS gateway/firewall/VPN router with passive cooling

                        So it's got vents then?

                        • daggero

                          @daggero:

                          I'm configuring an existing, hand me down, running 24/7, network with me having little knowledge of networking…
                          This always confuses the hell out of me... Why are you doing it - if you don't understand what your doing?  So your the one guy in the office that has a wifi router at home so your the IT guy?

                          Precisely. I'm an IT support staff. I only repair computers and laptops, install software… We used to be a 2-man team:
                          A network administrator (AWOL)
                          IT support staff (me)

                          Since I have basic to no knowledge in Linux, BSD, and networking, I became both.
                          I know I don't need to master everything, just how things work and where to look if needed.

                          @johnpoz:

                          You keep mentioning wifi routers.. Your going to be using them as AP rights.. Any soho wifi router can be used as just an ap, does not matter what cheap ass home model you think you can run a business with ;)  Turn off their dhcp, connect them to your network via a lan port, change their lan IP to be on the network you connect them too.  There you go $20 AP..

                          Noted.

                          @johnpoz:

                          I would really look to getting at min some smart switches.. They can be had very cheap.. You don't need a cisco nexus 7k ;)  You can for sure can find smart switches under $100 usd..  What part of the world are you in?

                          I'm from the Philippines… unfortunately.
                          As for the purchases, the company is on a really tight budget. And I already raised the issue even to the operations manager.

                          All he said was:
                          "If the old device is still working, I don't see why we have to get a new one? The internet is working. The problem is that it's just too slow. When the IT admin was here it was working great. Maybe the problem is on your side; check your configuration, maybe you clicked on something you shouldn't have."

                          I was just wow... I want to just... smash the APs with a sledgehammer and leave. But I want to fix things first before that; I might learn something while I'm doing it. hahaha After that I'm leaving this hell hole.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.