Home Router Recommendation
-
Here's what it looks like in practice, and please excuse the messy naming conventions, this is one of my oldest and most hacked up installs. But it works great!
The config problems I alluded to in my previous post are because, as you can see, you can only add unassigned interfaces to a LAGG. This box only has two. Without one configured as a LAN port, management of the box is from the console only. But that can be worked around. In my case, I set up all the VLANs on bce0 first, got the box up and running, then used a VM to see what the LAGG config looked like in the config file. Downloaded my config file, added the LAGG config, and then changed every interface definition from bce0_vlanx to lagg0_vlanx. Uploaded the modified config, rebooted, and it just works. It might be easier now. I know FreeNAS has added that ability into their console based setup. If pfsense hasn't, they should :D
-
Okay, let's make sure I understand this. Modem will plug into switch, then another cable will go from another port on the switch to the router WAN port. Now is there another cable coming from LAN port on router back to switch?
To answer this specific question, all traffic to and from the pfsense box will be handled by two cables, on the switch side they are plugged into a LAG port group, and on the pfsense side they are plugged into two NICs configured in a LAGG (the terminology is LAGG, LAG, LACP, and maybe some others depending on the vendor). We're using VLANS, so all the traffic, WAN included is trunked over those cables. With the LAGG setup you can unplug one of those two cables from either the switch or pfsense and traffic will be uninterrupted. The two cables is just to increase the potential bandwidth of the connection between your networks.
-
A quick question before responding to everything else.. What's the workaround for management access? Not just locally, but I'd want to be able to login to router remotely, so how would I do that in this configuration?
-
One other question. Why wouldn't there just be 1 cable from modem to router WAN port, them 2 other cables in 2 LAN ports lagged together to the switch? There must be a valid reason. I would just like to understand what it is. Thanks.
-
A quick question before responding to everything else.. What's the workaround for management access? Not just locally, but I'd want to be able to login to router remotely, so how would I do that in this configuration?
Your LAN interface would be on a VLAN. So in my previous example your WAN is on VLAN20. So let's say your LAN is on VLAN10. Your computer(s) are plugged into switchports in this VLAN. The computers don't care what the VLAN is; the switch does the work. So let's say your pfsense box has its LAN interface as lagg0_vlan10, with an IP address of 10.233.233.1/24. Any computer plugged into a switch port on VLAN 10 that has an IP address in that same network will be able to communicate with pfsense.
EDIT: and for remote access, which some may frown upon, I forward port 8080 to 443 from my WAN to my LAN. I'm not entirely comfortable with that and wouldn't do it in a corporate environment (I'd use VPN instead) but it's an easy way to gain remote access while not using a common port, which are generally more susceptible to attacks from the internet.
And one more edit, haha: The example I posted above is not from my home network. I live alone and have absolutely no need for that kind of setup. I do use pfsense at home but not in that kind of scenario.
-
One other question. Why wouldn't there just be 1 cable from modem to router WAN port, them 2 other cables in 2 LAN ports lagged together to the switch? There must be a valid reason. I would just like to understand what it is. Thanks.
What I posted is just an example of a way to have pfsense set up with a single logical connection (regardless of whether it's LAGG or just a single NIC; they're both a single logical interface with VLANS on top). You could very easily have 4 physical interfaces with 2 in a LAGG to connect to your LANs and a single physical interface connected straight to your cable modem.
I realize I'm providing TMI for a home router build. Apologies. I just love talking about it, and you must be at least a bit curious if you're even considering pfsense :). Just stick to the basics, buy some hardware that will last a while, and come back and ask questions when you're ready. The reason I even brought this up is that a) you mentioned VLANS, b) some were suggesting you buy a L3 switch which is nice but not strictly necessary. I'm simply providing a scenario where you can do inter-VLAN routing on a L2 switch with less of a performance hit.
-
What I posted is just an example of a way to have pfsense set up with a single logical connection (regardless of whether it's LAGG or just a single NIC; they're both a single logical interface with VLANS on top). You could very easily have 4 physical interfaces with 2 in a LAGG to connect to your LANs and a single physical interface connected straight to your cable modem.
I realize I'm providing TMI for a home router build. Apologies. I just love talking about it, and you must be at least a bit curious if you're even considering pfsense :). Just stick to the basics, buy some hardware that will last a while, and come back and ask questions when you're ready. The reason I even brought this up is that a) you mentioned VLANS, b) some were suggesting you buy a L3 switch which is nice but not strictly necessary. I'm simply providing a scenario where you can do inter-VLAN routing on a L2 switch with less of a performance hit.
Regarding implementing the VLAN's; it wasn't something I planned on doing initially. I could, but I'd like to be setup for it anyways. Let me ask you this. Is there a reason you mentioned modem-to-switch-to-router as the way of connecting versus the more straightforward modem-to-router-to-switch direction? Is that way better for some reason?
With VLAN's, would only the inter-VLAN traffic go through router? I believe that is yes, even with a layer 2 switch, just wanted clarification. Any other traffic that would stay off router?
I wouldn't typically have Gigabit speed traffic going through network while I was doing anything else, at least not much else at all to the point of caring. Those high speed large file transfers almost only happen while I sleep.
Even with VLAN's, there would hardly be any inter-VLAN traffic that I would need to travel at Gigabit speeds, at least none that I'm aware of at this time. Those transfers would be on same VLAN.
-
The more I research VLAN's and think about it, the more I wonder whether I should bother implementing them, especially at the additional cost. Realistically, I'd probably never have more than 40-50 devices, even if I did complete my dream of an advanced smart home, although perhaps closer to 75-80 if I did. Many of those wouldn't always be on or transmitting or receiving traffic, so I don't know that's it worth even doing.
-
For the scenarios you're describing, VLANS let you separate your network into different subnets (that pfSense can manage effectively) without having to have a different NIC and switch for each subnet.
Without seeing all the intricate details, I would guess you could benefit from perhaps 3 "internal" subnets LAN (most stuff), WiLAN (WiFi stuff) OLAN (Other stuff you want kept separate).
To implement without VLANS, you need 4 NICs (or one 4 port NIC) - WAN, LAN, WiLAN, OLAN and three switches to connect the different devices.
With VLANs, I'd suggest two NICs - WAN and MLAN. MLAN can support as many VLANs as you like (depending on the switch usually up to 4095). In addition you need only one switch, often making cabling a little cleaner. The "downside" is the switch needs to be configured and documented so you know what ports service which network.Cost wise, the VLAN approach will be moderately higher (although there's tons of good used gear available). Fixed NICs make the design "simpler" to visualize at a glance, but can get more cumbersome if and when you expand to more subnets.
You can always plan big, but start small - implement a simple 2 NIC WAN,LAN setup and expand it as necessary.
-
" especially at the additional cost."
What the few bucks more a smart switch cost? I don't quite yet have your 40 devices, but getting close with 29 that I can count off the top of my head. Not counting guest wireless devices that might come on and off the network.
But as more an more things get connected, iot as we now call it not segmenting your network seems pretty lack view of security. Does that smart thermostat really need to be on the same network as computers? Does the dvr made in china need to be on that same network? What about the game console? Segregation of your network becomes more and more important when you start adding more and more type devices that may or may not have the best security, and or maybe phone home, etc..
Now if you had only devices that you control and put the OS on, etc. What about billy bobs laptop that comes over and wants to use your wifi - you sure that thing is not infected with something bad? Why would you not want that isolated from all your other devices. Devices that join my guest wifi, I will hand them an IP via dhcp. And they can ping the gateway to validate they have connectivity. But other than that they can not talk to any of my other segments, they don't even use my dns - they get handed the isp dns.
I have another wifi network for my iot devices that do not support eap-tls, I then have my wifi network where I connect my devices via eap-tls. But even this is restricted and does not have full access into my actual lan network where my workstation and servers and services run. It has limited access to use my printer, hit my plex server on the plexserver port, etc. I currently have 7 different segments/vlans on my home network. This allows me to isolate and limit different types of devices to what they need access to and group them with like devices, etc.
When it comes to vlan support, you don't need a 1000 $ enterprise class switch to do this. I just picked up a 8 port gig netgear smart switch for $30 for my av cabinet to replace the aging switch that was in there that had been locking up on me, etc. Pretty disappointed with its feature set, but it does what I needed it to do was the ability to understand vlans. So in that sense it is fine. I would like to have been able to monitor it via snmp, etc. But this works for vlans.
-
Regarding implementing the VLAN's; it wasn't something I planned on doing initially. I could, but I'd like to be setup for it anyways. Let me ask you this. Is there a reason you mentioned modem-to-switch-to-router as the way of connecting versus the more straightforward modem-to-router-to-switch direction? Is that way better for some reason?
With VLAN's, would only the inter-VLAN traffic go through router? I believe that is yes, even with a layer 2 switch, just wanted clarification. Any other traffic that would stay off router?
I wouldn't typically have Gigabit speed traffic going through network while I was doing anything else, at least not much else at all to the point of caring. Those high speed large file transfers almost only happen while I sleep.
Even with VLAN's, there would hardly be any inter-VLAN traffic that I would need to travel at Gigabit speeds, at least none that I'm aware of at this time. Those transfers would be on same VLAN.
Regarding the LAGG setup, where you'd have the modem connected to a switchport rather than directly to the router, that was just me rambling about ways to speed up inter VLAN traffic without using a Layer3 switch, which is a kind of router in its own right. No need to implement that at all. Just one of many options.
With VLANs, traffic originating from a host in a VLAN will not hit the router unless it leaves that VLAN, either to go to another VLAN or to the internet. In other words, a large file transfer between a workstation and a NAS will never hit the router unless the workstation is in a different VLAN than the NAS.
With pfsense and a $30 smart switch you'll have all the hardware and software you need for a simple network, or a more advanced one.
All that said, I'll go ahead and make an admission: I have the hardware, software and knowledge to use multiple VLANs and even multiple wireless SSIDs in different VLANs for guest networks and the like at home. But I don't, yet. Why? I live alone, for one. I don't share my network with many guests at all, and those I do, I know well. I have a few devices (my Airport Express devices that I use to stream audio around the house) that don't like to be on a different network than the devices they're receiving audio from. But that's just my use case. The post from johnpoz just below the one I'm replying to is a different use case, and a very good example of where network segmentation with VLANs in a home environment is desirable.
-
Okay further careful consideration, I'm going to go with a powerful enough pfSense router that will be capable of handling VLAN's and the inter-VLAN traffic at high speed when it comes up, whether sooner or later. I'll go with Layer 2 Switches.
I'm going to build my own. I'm getting something mostly comparable to the SG-4860. I'll have great power to handle anything I'll throw at it, future proof with the AES-NI and QuickAssist as well. I wasn't opposed to official hardware when I was thinking maybe Layer 3 Switch, but I can't spend over $700 for the router, but I can build a solid equivalent for $375-400 it seems.
Supermicro Mini ITX A1SRI-2558F: $243
4GB ECC RAM: $33
120GB SSD: $30 (Already had one, probably no other use for it until now)
M350 Case with 80w Pico PSU/60w Pico Power Adapter: $69
=$375I am missing anything else I'd need, besides a SATA cable? I have a number of those.
-
Supermicro Mini ITX A1SRI-2558F: $243
4GB ECC RAM: $33
120GB SSD: $30 (Already had one, probably no other use for it until now)
M350 Case with 80w Pico PSU/60w Pico Power Adapter: $69
=$375Cisco SG300-10PP-K9-NA ~$199
or
Cisco SG300-10-SRW2008-K9-NA ~$189
$375 + $189 = $564
-
Okay further careful consideration, I'm going to go with a powerful enough pfSense router that will be capable of handling VLAN's and the inter-VLAN traffic at high speed when it comes up, whether sooner or later. I'll go with Layer 2 Switches.
I'm going to build my own. I'm getting something mostly comparable to the SG-4860. I'll have great power to handle anything I'll throw at it, future proof with the AES-NI and QuickAssist as well. I wasn't opposed to official hardware when I was thinking maybe Layer 3 Switch, but I can't spend over $700 for the router, but I can build a solid equivalent for $375-400 it seems.
Supermicro Mini ITX A1SRI-2558F: $243
4GB ECC RAM: $33
120GB SSD: $30 (Already had one, probably no other use for it until now)
M350 Case with 80w Pico PSU/60w Pico Power Adapter: $69
=$375I am missing anything else I'd need, besides a SATA cable? I have a number of those.
That motherboard will run off a 12 volt input. Skip the pico psu and get an adapter cable and 12 volt power brick.
-
Okay further careful consideration, I'm going to go with a powerful enough pfSense router that will be capable of handling VLAN's and the inter-VLAN traffic at high speed when it comes up, whether sooner or later. I'll go with Layer 2 Switches.
I'm going to build my own. I'm getting something mostly comparable to the SG-4860. I'll have great power to handle anything I'll throw at it, future proof with the AES-NI and QuickAssist as well. I wasn't opposed to official hardware when I was thinking maybe Layer 3 Switch, but I can't spend over $700 for the router, but I can build a solid equivalent for $375-400 it seems.
Supermicro Mini ITX A1SRI-2558F: $243
4GB ECC RAM: $33
120GB SSD: $30 (Already had one, probably no other use for it until now)
M350 Case with 80w Pico PSU/60w Pico Power Adapter: $69
=$375I am missing anything else I'd need, besides a SATA cable? I have a number of those.
Sounds like a good build to me. I like the idea of running off a 12V brick as well, but be careful with that purchase. In other words, read reviews and get a good one. Those things always seem to fail on me, and can do really funny things when they do, like causing issues that are really difficult to pin down unless you have another one lying around. Actually I guess that sounds like power supplies in general.
When you're picking out a switch, it might be best to ask around, since the terminology can be confusing. There's the "managed switch" which can be L2 or L3, and generally comes will a full set of features including SSH access and a command line (which many people, myself included, who have worked with them find much better than a web interface), and then there's the "smart switches" with perhaps just a web interface, and now "easy smart" with a Java management app, which is what I have at home. Any of them can do what you want to do in a home network, but the differences in terminology for the various features can be infuriating sometimes.
Build on. Enjoy. And keep us updated.
Matt
-
Thanks, guys. It seems like the most popular one I found that's being used in similar builds is here. http://www.mini-box.com/12v-12-5A-AC-DC-Power-Adapter
That combo is actually more costly, but seems better, so minor difference in cost is fine. Revised parts list. I added more RAM, too, to be safe and have the interleave benefit, as minor as that may be.
Supermicro Mini ITX A1SRI-2558F: $243
8GB Kit of ECC RAM: $62
128GB SSD: $30 (Refurb Crucial M4, that I've had sitting around way too long)
M350 Case: $40
EDAC 12v 12.5a 150w Power Adapter with needed adapter: $44.50
Female to Female Molex to SATA Cable: ?
P4 Power Extender Cable: ?
=$419.50+I don't offhand remember pricing on the last 2 cables, too late to lookup. Would this be all and sound good then?
-
Thanks, guys. It seems like the most popular one I found that's being used in similar builds is here. http://www.mini-box.com/12v-12-5A-AC-DC-Power-Adapter
That combo is actually more costly, but seems better, so minor difference in cost is fine. Revised parts list. I added more RAM, too, to be safe and have the interleave benefit, as minor as that may be.
Supermicro Mini ITX A1SRI-2558F: $243
8GB Kit of ECC RAM: $62
128GB SSD: $30 (Refurb Crucial M4, that I've had sitting around way too long)
M350 Case: $40
EDAC 12v 12.5a 150w Power Adapter with needed adapter: $44.50
Female to Female Molex to SATA Cable: ?
P4 Power Extender Cable: ?
=$419.50+I don't offhand remember pricing on the last 2 cables, too late to lookup. Would this be all and sound good then?
I wouldn't worry about the extra RAM. 4GB is more than enough for a home build. But it's cheap, so no harm if you want to double up. The cables are super cheap. All sounds robust for a home build. Maybe just being paranoid but perhaps put the refurb SSD into a system where you can test it before a build.
-
@BlueKobold:
Cisco SG300-10PP-K9-NA ~$199
or
Cisco SG300-10-SRW2008-K9-NA ~$189
$375 + $189 = $564
Sorry to go off topic here, but is there a thread you could point me to that discusses the nuts and bolts of these devices? They seem compelling, but my experience with Cisco branded SOHO hardware has been abysmal over the last 10 years or so. Basically my opinion is that anything branded Cisco that isn't in at least a 1U rack config, painted green, and doesn't have fans that make it unpalatable in a home or small office environment is not worth buying. Glad to take it to another thread. Just curious.
-
P4 Power Extender Cable: ?
Female to Female Molex to SATA Cable: ?
C2G / Cables To Go 10150 15-Pin Serial ATA Female to LP4 Female Power Cable (6 Inch)
And 150 watt power brick is serious overkill. Save some cash and get a smaller one.
-
P4 Power Extender Cable: ?
Female to Female Molex to SATA Cable: ?
C2G / Cables To Go 10150 15-Pin Serial ATA Female to LP4 Female Power Cable (6 Inch)
And 150 watt power brick is serious overkill. Save some cash and get a smaller one.
Thanks. I thought it was overkill, too. I didn't understand why that was the go-to option. Is there some reason that it is?
If that 84w one is okay, how would the 60w be? Plenty of power support it has, plus perhaps more efficient with the power draw not being so incredibly low.