Is my scheme correct, or could I be doing it better?

OpenFerret · Oct 15, 2015, 2:20 PM

Hi all,

I'm just waiting for my Supermicro A1SRI-2758F with 8GB of RAM to turn up in the post, and then I'll be building and integrating my first ever firewall into my home network.

I'm just planning out the addressing scheme and was curious if I should be doing things any different to make things more efficient.

Apologies, I'm quite new to all of this and this is as much a learning exercise as anything else. What I'm thinking of doing is shown in the diagram below, is this correct or should I be subnetting the LAN / OPT1 instead of using the usual Class C (/24) address space?:

chris4916 · Oct 15, 2015, 2:38 PM

What's your concern with IP range ?
1 - you can define , within /24 subnet, how large is the range of IP to be delivered by DHCP server.
2 - does it really matter if your range is, e.g. from 192.168.0.100 to 192.168.0.200 even if you have only 5 devices attached?

OpenFerret · Oct 15, 2015, 2:46 PM

Hi Chris,

I just wanted to check that I'm thinking along the right directions.

I then understand that I can bridge the LAN and OPT1 connections to allow each subnet to communicate between one another, which is what I'm intending to do.

heper · Oct 15, 2015, 3:43 PM

i'd change your lan subnet to something less common.
if you ever want to use vpn to connect to your home network, then its best to have a home-lan-subnet that not the same as the one you are connecting from

OpenFerret · Oct 15, 2015, 4:01 PM

Thanks Heper.

I'll keep that in mind and go for a slightly different C Class range.

johnpoz · Oct 15, 2015, 5:45 PM

"I then understand that I can bridge the LAN and OPT1 connections to allow each subnet to communicate between one another"

What?? Why would you do that? Pfsense is more than capable of routing and firewalling traffic between 2 segments. If you just want everthing on the same segment then connect them all to the same switch..

OpenFerret · Oct 15, 2015, 9:27 PM

That is the desired endstate, but as stated in my original post I'm still very much in the learning stage.

Everyone has to start some where dude…

Derelict · Oct 15, 2015, 11:09 PM

I just downloaded the manual for that wrt1900ac. Searched for VLAN - "No results found." At that price point you're in the range of a Ubiquiti UAP-Pro or UAP-AC. Or something from Xclaim, maybe.

I wouldn't blow a router port on the AP. I'd tag the VLANs to your switch and plug the AP in there. Then you can "bridge" an SSID with the LAN (put it on the same VLAN) make a guest SSID that's isolated from your LAN, etc.

Unless you know you're going to have more than 250 hosts on one segment, just leave it at /24. It's what everyone's used to seeing.

chris4916 · Oct 16, 2015, 5:18 AM

@Derelict:

I just downloaded the manual for that wrt1900ac. Searched for VLAN - "No results found."

Although this is slightly off-topic, as it may help to improve current design, even if I think we are pretty close to the perfect one given inputs defined so far, it has to be noticed that WRT1900AC is a very expensive but very powerfull wifi router.
It does support VLAN tagging and also allows alternative firmware like OpenWRT (although this one is not yet 100% stable).

This means that you should not face any problem with your initial design:

wired devices attached to your switch
wifi either via wrt1900 attached to pfSense which will implement rules to control flow between wifi and wired networks
or
wrt1900 attached to SG300-10 on dedicated VLAN and interVLAN managed at pfSense level.

Almost everything is possible, including capability to expose secondary SSID for guest.

From my viewpoint, you won't have any hardware/firmware related issue but can't neither improve your technical design until you progress on features and services you want to provide. I would focus on this first without any fears about hardware/software limitation.

johnpoz · Oct 16, 2015, 4:00 PM

"Everyone has to start some where dude…"

Agreed, and thinking you should "bridge" you lan and opt together is wrong start.. "Bridging" has its uses - but not for this.. If you want your wifi on same network as your wired, then connect your AP to your switch. Trying to use a router interface as a switch port is wrong start!!!

Guest · Oct 16, 2015, 4:30 PM

I fully agree with @johnpoz and it would be not going better with or for your network at home
to try out the same thing more and more again as I see it right. For sure all peoples will be standing
on a starting point and network engineers would be not falling down from the heaven this is also a
well known and logical knowledge. And even try out the worst case or something nearly this would
be not nice but also fine by going step by step and asking before and not after, I accept this really.

Since the last time even more and more often peoples join, related to the circumstances that many
"good" or by friends given tips owed to the circumstance that the best firewall would be a transparent
firewall and there fore ports must be bridged and so on and so on, please read my lips, it is not so,
in very rarely cases and mostly only for peoples they absolutely know what they do and when they do
it right, bridging would be coming with a success and also a wining point.

The best way if you are starting with pfSense and if you have not really special needs, I really suggest the
best would be to go a straight and ordinary or most common way, because then if there is coming something
on top or your network will grow up, you are in the best position to realize it without any work around or hassle.