    Home Network with Cisco SG350 Best Practice?

    27 Posts 5 Posters 7.0k Views
    • NogBadTheBad

      My network, using a single pfSense LAN interface:

      VLAN ID   VLAN Name   Type
      1         UNUSED      Static
      2         USER        Static
      3         GUEST       Static
      4         IOT         Static
      5         DMZ         Static
      6         VOICE       Static
      4093                  Default

      [attachment: Drawing1.png]

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      • johnpoz LAYER 8 Global Moderator

        Nice drawing NogBadTheBad, curious question for you - is this missing lots of devices?  I'm curious why even bother to tag/allow all those vlans to your switch-3 top left corner with your Apple Mac Pro connected.. Does that box sniff those vlans or something..  Looks like it's only vlan 2 though? Unless the vlan is needed on the downstream switch there is really no need to allow the vlan even on the uplink..

        You have all those ports open on your pfsense - why would you not leverage them as uplinks from your switches for the different networks/vlans..  All your intervlan traffic in such a setup is limited to the speed of that 1 interface.  If you spread your vlans across different interfaces on your pfsense, which seems to have plenty free, your intervlan traffic would have more bandwidth to work with.  But it looks like you have some constraints already with the powerline connections between your switches anyway.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • NogBadTheBad

          @johnpoz:

          Nice drawing NogBadTheBad, curious question for you - is this missing lots of devices?  I'm curious why even bother to tag/allow all those vlans to your switch-3 top left corner with your Apple Mac Pro connected.. Does that box sniff those vlans or something.. Unless the vlan is needed on the downstream switch there is really no need to allow the vlan even on the uplink..

          You have all those ports open on your pfsense - why would you not leverage them as uplinks from your switches for the different networks/vlans..  All your intervlan traffic in such a setup is limited to the speed of that 1 interface.  If you spread your vlans across different interfaces on your pfsense, which seems to have plenty free, your intervlan traffic would have more bandwidth to work with.

          I tend to work on the Mac Pro and configure devices connected to switch-3 before I move them to their final location, so I just carry every LAN to all the switches; as you mention, it also gives me the ability to sniff.

          The untagged VLAN is needed to manage the devolo stuff from the Mac mini.

          I'm limited to 70/20 on the WAN interface and 500 Mbps through the devolos; there is a single power socket where the router is located and there is no structured cabling.

          • johnpoz LAYER 8 Global Moderator

            Why such a big pfsense if you're only going to leverage 1 interface?  SG-2220 or even 1000 prob would be enough for such a setup - just curious.  Money to burn, I would buy the bigger box too I guess ;) hehehe

            • NogBadTheBad

              @johnpoz:

              Money to burn I would buy the bigger box too I guess ;) hehehe

              lol, that and also it gives me the option to set other stuff up for work lab-type environments and not mess with my home LAN.

              The 1000 wasn't about when I purchased the 4860.

              • johnpoz LAYER 8 Global Moderator

                Very true, can never have too many extra interfaces on your firewall/router.. Leaves room for growth and, as you say, play/test..  And that sized appliance has more oomph to it as well, let alone more interfaces..

                If the budget committee (wife) wouldn't throw a conniption fit when it showed up in the mail, prob be clicking order right now – hehehe

                • mifronte

                  @johnpoz:

                  Just because your sg350 can do layer 3 doesn't mean you need or have to use it as layer 3.  In such a simple network there would be little reason to have the switch do your internal routing.. You would lose all the firewall features of pfsense between those segments then..

                  So you want to run a wifi network via ssid on the same network as your lan.. Sure you can do that.. All comes down to if you want to leverage both your interfaces or just use 1 interface on pfsense with your untagged and tagged traffic?

                  Do you need a drawing on how to connect it using your 1 sg350 switch?

                  My pfSense is a Supermicro C2758 with 4 interfaces.  I have never used a smart switch and so don't even know the best way to wire the SG350 to the pfSense box, so a drawing would be great.

                  Ideally:
                  I would like untrusted devices in one network, semi-trusted devices like BD players, media players and game consoles on another network, and then trusted devices in their own network.  However, I do have a trusted server that needs to be "discovered" and accessed by the semi-trusted devices.  In addition, my trusted devices should be able to "discover" the semi-trusted devices (as if they are on the same network).  If I understand things correctly, the "discovering" uses some kind of broadcast, and so devices on different subnets are not discovered.  All devices should be able to access the Internet.

                  There can be wired and wireless devices in each network.  Can the UniFi AC Pro do that?  The biggest obstacle is that if a Chromecast is in the semi-trusted network, will my trusted devices be able to stream to it?

                  Untrusted Devices = Guest devices, smart phones, tablets where I have no idea what the apps are doing.
                  Semi-Trusted Devices = Home appliances like BD players, media streamers, game consoles
                  Trusted Devices = My unRAID server, PCs, laptops where I built and installed all software

                  Realistically:
                  I am OK with just an untrusted and a trusted network.

                  I am looking for a robust design that will utilize both the pfSense and the SG350 to their full potential without violating good network design practices or slowing down my symmetrical gigabit Internet service.  I am open to using 1 or all interfaces on the pfSense box.  I am currently using 2 interfaces.  I can see a design where only Internet traffic makes it to the pfSense box and all other traffic is handled at the switch.  However, if that requires a lot of configuration, then I can see keeping it simple and letting pfSense do all the routing required.  I just don't know enough to say which one is best for me, and so I am hoping the more experienced users can give me some tips and perspectives (pros and cons) on what the role of pfSense and the SG350 switch should be.

                  SuperMicro Atom C2758 A1SRI-2758F 16GB
                  2.7.2 (amd64)

                  • johnpoz LAYER 8 Global Moderator

                    "need to be "discovered" and accessed by the semi-trusted device.  In addition, my trusted devices should be able to "discover" the semi-trusted devices (as if they are on the same network)."

                    Discovered via what protocol?  If all you're looking for is mDNS, that can be proxied via avahi..

                    If all you're looking for is broadcast for netbios name - that does not have anything to do with being on the same network segment.  You just need to use the fqdn for the device or the IP address.

                    You need to understand this discovery you're talking about and what exactly you need them to be discovered in.  Are you just talking that they show up in the network neighborhood on a windows machine, or some other application that "discovers" something via what???

                    I have 7 different segments running on my current network - I don't have anything that requires "discovery".  So what exactly is it that needs discovery?

                    • mifronte

                      @johnpoz:

                      "need to be "discovered" and accessed by the semi-trusted device.  In addition, my trusted devices should be able to "discover" the semi-trusted devices (as if they are on the same network)."

                      Discovered via what protocol?  If all you're looking for is mDNS, that can be proxied via avahi..

                      If all you're looking for is broadcast for netbios name - that does not have anything to do with being on the same network segment.  You just need to use the fqdn for the device or the IP address.

                      You need to understand this discovery you're talking about and what exactly you need them to be discovered in.  Are you just talking that they show up in the network neighborhood on a windows machine, or some other application that "discovers" something via what???

                      I have 7 different segments running on my current network - I don't have anything that requires "discovery".  So what exactly is it that needs discovery?

                      Currently, the UniFi AC Pro is on the Opt1 interface and my wired network is on the LAN interface.  So all my trusted laptops are on a different subnet than my wired devices.  I have a wired network TV tuner (HDHomeRun) and a wired Chromecast on the LAN.  From my laptop, Windows Media Player does not discover the network tuner and I cannot cast to the Chromecast.

                      I have configured pfSense to allow access between the wireless and wired networks, and all works fine when I specify the hostname or IP.  However, Windows Media Player and casting in the Chrome browser don't ask me for either; they just go out and try to "discover" and come back saying no devices detected.  I don't know how they are "discovering".  The point is, they don't give me an option to specify a hostname or IP.

                      Edit:
                      The only DNS I am running is from pfSense (via the DNS Resolver?).

                      • johnpoz LAYER 8 Global Moderator

                        Chromecast across segments is a nightmare.. If you're wanting to use Chromecast, these should be on the same network/vlan.

                        You might be able to get it to work with the igmp proxy - but good luck..  Your best bet would be to put those devices on the same layer 2 network in that case.

                        Or use something better than Chromecast ;)  I run a plex server for example - all of my devices can access my plex no matter what network segment they are on.

                        It might be possible to get it to work with avahi??  But I put my Chromecast on a shelf a long time ago.. I could pull it out and see.. It was a fun toy to play with for a bit - but really had very limited features.  I got a roku for my main tv and a couple of roku sticks for my other tvs and use plex and have no issues..

                        • NogBadTheBad

                          Wouldn't it be easier to have a few VLANs off the LAN port and use the switch to carry the VLANs?

                          I'd just go for a trusted and a non-trusted network.

                          The Ubiquiti AP could have 2 SSIDs called Trusted & Untrusted.

                          It's what I do with mine: I've got SSIDs for USER, GUEST and IOT, and I could also pop any of the subnets out a normal LAN port on the switch by placing it into the correct VLAN.

                          I did have trouble getting DLNA to work from my NAS, hence the two ports, one in the USER and one in the IOT VLAN; I use the firewall on the NAS to allow DLNA only on the IOT interface.

                          Here's what my Switch1 looks like :-

                          [attachment: Ports.png]

                          • johnpoz LAYER 8 Global Moderator

                            "NAS hence the two ports one in the USER and one in the IOT VLAN"

                            So you're multihoming your nas and it has interfaces in all your networks?  Not really a good security model, but sure that is one way to skin the layer 2 problem ;)  The problem from a security standpoint is if that nas is compromised, from say the internet or one of its legs - you then have a leg in another network without having to get through a firewall.

                            • mifronte

                              I only use the Chromecast to project (cast) my browser.  My media streamers handle all my true needs.  An example of where the Chromecast comes in handy is with Xfinity TV, where I can stream to any TV in the house without the need to have a cable box at each TV location.  I believe Xfinity TV has a beta Roku app, but a Roku is still more expensive than a Chromecast.  The other issue I have is the network TV tuners.  Same issue, where I am not allowed to specify the hostname or IP of the tuners.

                              Anyway, let's say I will just have two networks, a VLAN 20 and an untagged network.  VLAN 20 will be for untrusted wired and wireless devices.  Untagged will be for my trusted devices (including the semi-trusted).  I am thinking of dedicating about 2-3 ports on the switch for VLAN 20 wired devices, a port (trunk?) for the UniFi AC Pro, a port or two to pfSense, and then the rest can be part of the untagged trusted network.

                              • What is the best way to wire up the SG350 and UniFi AC Pro to the pfSense box?

                              • What configuration will be needed on pfSense and the SG350?

                              • NogBadTheBad

                                @johnpoz:

                                "NAS hence the two ports one in the USER and one in the IOT VLAN"

                                So you're multihoming your nas and it has interfaces in all your networks?  Not really a good security model, but sure that is one way to skin the layer 2 problem ;)  The problem from a security standpoint is if that nas is compromised, from say the internet or one of its legs - you then have a leg in another network without having to get through a firewall.

                                Yup.

                                • NogBadTheBad

                                  @mifronte:

                                  I only use the Chromecast to project (cast) my browser.  My media streamers handle all my true needs.  An example of where the Chromecast comes in handy is with Xfinity TV, where I can stream to any TV in the house without the need to have a cable box at each TV location.  I believe Xfinity TV has a beta Roku app, but a Roku is still more expensive than a Chromecast.  The other issue I have is the network TV tuners.  Same issue, where I am not allowed to specify the hostname or IP of the tuners.

                                  Anyway, let's say I will just have two networks, a VLAN 20 and an untagged network.  VLAN 20 will be for untrusted wired and wireless devices.  Untagged will be for my trusted devices (including the semi-trusted).  I am thinking of dedicating about 2-3 ports on the switch for VLAN 20 wired devices, a port (trunk?) for the UniFi AC Pro, a port or two to pfSense, and then the rest can be part of the untagged trusted network.

                                  • What is the best way to wire up the SG350 and UniFi AC Pro to the pfSense box?

                                  • What configuration will be needed on pfSense and the SG350?

                                  1. Pop an IP address for your untagged VLAN on the LAN interface on your pfSense box (you've done this).

                                  2. Interfaces -> VLANs: create VLAN 20 and assign its Parent Interface to the LAN interface.

                                  3. Configure an IP address on the VLAN interface.

                                  4. Configure the port on the SG350 as a trunk, making it pass the untagged VLAN and VLAN 20, and connect this to the pfSense LAN port.

                                  5. Repeat step 4 for the Ubiquiti AP switch port; the AP's management interface needs to be in the untagged VLAN.

                                  6. Configure the two SSIDs, making them members of the correct VLAN.

                                  7. Configure the two ports you want for VLAN 20 on the switch to pass VLAN 20 untagged.

                                  8. Configure the rest of the ports to carry the untagged trusted network.

                                  If you look at my examples, think of my vlan 4903 as your trusted network and my vlan 3 or 4 as your vlan 20.

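The switch side of the eight steps above, as an added example written for this thread (it is not NogBadTheBad's or mifronte's configuration, and neither poster shared CLI). It is Cisco Small Business CLI as used on the Sx300/Sx350 family. Assumed: the untagged trusted network is the switch's default VLAN 1 (NogBadTheBad's own switch uses 4093 for that), gi1 goes to the pfSense LAN port, gi2 to the UniFi AC Pro, gi3-gi4 are the wired VLAN 20 ports, gi5-gi24 are the remaining trusted ports, and ports are named in the short `giN` form; naming differs between SG350 models, so check `show interfaces status` on your unit first. Steps 1-3 (LAN address, Interfaces -> VLANs with parent LAN and tag 20, VLAN interface address) are done in the pfSense web GUI and step 6 (second SSID mapped to VLAN 20) in the UniFi controller; they are not shown.

```cisco
configure terminal
! Create VLAN 20 (untrusted). VLAN 1 already exists as the default VLAN.
vlan database
 vlan 20
exit
interface vlan 20
 name UNTRUSTED
exit
! Step 4: uplink to the pfSense LAN port. Trunk: VLAN 1 untagged (native),
! VLAN 20 tagged. pfSense sees the trusted network on LAN and VLAN 20 on
! the VLAN interface whose parent is LAN.
interface gi1
 description pfSense-LAN
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 20
exit
! Step 5: same for the AP port; the AP manages itself on untagged VLAN 1
! and tags the untrusted SSID's traffic with VLAN 20.
interface gi2
 description UniFi-AC-Pro
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 20
exit
! Step 7: wired untrusted devices, VLAN 20 untagged (access ports).
interface range gi3-4
 description untrusted-wired
 switchport mode access
 switchport access vlan 20
exit
! Step 8: everything else stays an access port in the trusted VLAN 1.
interface range gi5-24
 switchport mode access
 switchport access vlan 1
exit
end
copy running-config startup-config
```

Both networks reach pfSense over the one trunk, so every packet between trusted and untrusted devices is routed and filtered by pfSense: the firewall rules you put on the VLAN 20 interface are what decides whether an untrusted device can reach anything on the trusted side. Keep port gi1 as the only trunk to pfSense, and do not turn on the SG350's layer 3 features for these VLANs, or traffic would bypass those rules.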
                                  • mifronte

                                    Thanks NogBadTheBad.  This is what I originally thought, but after reading some posts about VLANs and layer 3 switches, I got my head all twisted.

                                    Johnpoz asked how many interfaces on the pfSense box I wanted to use.  Is there another way to install the SG350 where I use more than one pfSense interface to connect the SG350?

                                    • Derelict LAYER 8 Netgate

                                      If you are not pushing close to maybe 500Mbit/s all the time, there is little to gain. But if you want to you can LACP a couple ports to the switch and generally load balance across them. Tag all your VLANs to the lagg.

                                      The main reason to tag all your VLANs to the switch (lagg or not) is so you can put wireless networks on your private LAN without silly things like bridges.

                                      Chattanooga, Tennessee, USA
                                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      • johnpoz LAYER 8 Global Moderator

                                        Sure you could lagg them - but that is not how I would do it unless he had a shitton of devices and more than 1 GE up/down on internet..

                                        You can use the other interfaces for uplinks of other networks/vlans - all comes down to how many vlans you're going to have, which vlans talk to each other the most, etc..  To the internet, unless it was quite a fat pipe, doing multiple uplinks to pfsense is not going to give you anything more.

                                        What I am talking about is not hairpinning when doing intervlan traffic on the vlans that talk to each other the most..  See attached..

                                        So when you trunk to 1 physical interface to the router, if in the drawing vlan 300 wants to talk to vlan 200, your max possible speed between vlan 200 and 300 is /2 of that trunk's speed..  So gig now becomes max 500mbps between vlan 200 and 300, or either of those to 100, etc..

                                        But if you don't use 1 single trunked uplink to pfsense.. 2nd attached: now when vlan 200 and 300 talk they could do full gig between each other.. Now this is a very simplified drawing with only a few vlans, etc.

                                        If you're not going to have much or a lot of intervlan traffic then it doesn't really matter - but just keep in mind that for all vlans that share the same connection, if they are talking to each other you're doing a hairpin and that bandwidth is cut in half of that interface speed.  Now depending, maybe those are both trunk connections with multiple vlans on them vs I show it only single vlan.. Or maybe one is just access without any tagging and the other is trunked with untagged pvid and then tagged vlans.

                                        Devices that talk to each other a lot should be on the same layer 2, ie vlan - so their traffic never leaves the switch.  But when you start to segment, you want to know what devices are on what vlan, so vlans that are going to have lots of traffic between them should not share the same uplink to the router.

                                        [attachments: hairpin-intvlan.png, nohairpin-intvlan.png, spreadintervlanacrosssegments.png]

                                        • mifronte

                                          Hi johnpoz.

                                          I like your drawings.  Once the SG350 arrives (March 1, 2017), I will probably ask more configuration nuts & bolts questions.

                                          I think I will start off with just two networks (untagged and VLAN 10).  I'd like to implement your second drawing, which has a trunk for each network to the pfSense box.  If I understand your second drawing correctly, how does VLAN 100 get to the Internet?

                                          pfSense
                                          To implement the two uplinks, I just use the default LAN interface for the untagged network.  Then I define a VLAN and assign it to the Opt1 interface?

                                          SG350 Switch (This will be my 1st time using a managed switch.)

                                          • How do I designate the port for the UniFi AC Pro, which will have untagged and VLAN 10?

                                          • How do I designate the uplink ports for each of the untagged network and VLAN 10?

                                          • In this configuration, is the switch acting only as layer 2?

                                          • johnpoz LAYER 8 Global Moderator

                                            Yes, the switch is only doing layer 2 in my drawings..  You only need to trunk a port if it's going to carry tagged vlans.  If you only have 2 networks and you're going to use 2 different uplinks, you don't need a trunk to the switch; the only place you would have to create a trunk is to your AP, which will carry untagged and tagged traffic on the same wire.

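The two-uplink layout johnpoz describes, applied to mifronte's untagged + VLAN 10 plan, as an added example written for this thread (not either poster's configuration). The point it shows is the one in the reply above: the two pfSense-facing ports are plain access ports, so pfSense receives untagged frames on both LAN and OPT1 and no VLAN needs to be defined on pfSense at all; OPT1 is just a second ordinary interface with its own address and firewall rules. The AP port is the only trunk. Assumed, as in the earlier example: VLAN 1 is the untagged trusted network, gi1 goes to pfSense LAN, gi2 to pfSense OPT1, gi3 to the UniFi AC Pro, gi4-gi5 are wired untrusted ports, and short `giN` port names (verify with `show interfaces status` on your model).

```cisco
configure terminal
vlan database
 vlan 10
exit
interface vlan 10
 name UNTRUSTED
exit
! Uplink 1: pfSense LAN. Access port, trusted network untagged only.
interface gi1
 description pfSense-LAN-trusted
 switchport mode access
 switchport access vlan 1
exit
! Uplink 2: pfSense OPT1. Access port, VLAN 10 untagged only, so OPT1 on
! pfSense is a plain untagged interface (no VLAN object needed there).
interface gi2
 description pfSense-OPT1-untrusted
 switchport mode access
 switchport access vlan 10
exit
! The only trunk: the AP carries its management traffic untagged on VLAN 1
! and the untrusted SSID tagged as VLAN 10 on the same wire.
interface gi3
 description UniFi-AC-Pro
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 10
exit
! Wired untrusted devices.
interface range gi4-5
 switchport mode access
 switchport access vlan 10
exit
! All remaining ports stay access ports in VLAN 1 (the switch default).
end
copy running-config startup-config
```

A trusted-to-untrusted flow now enters the switch on gi1 and leaves on gi2 (or the reverse), so it is never hairpinned through a single port and can use the full speed of each link, which is the bandwidth argument made in the hairpin post. The switch still does no routing: every packet between the two networks crosses pfSense, and because OPT interfaces on pfSense start with no rules, nothing from VLAN 10 reaches the trusted network or the Internet until you add rules on OPT1.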
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.