Netgate Discussion Forum
    Home network to keep wife happy + VPN (TV 4k netflix) + reduce intranet downtime

    Routing and Multi WAN
    73 Posts 5 Posters 17.0k Views
    ChefRayB

      Hi John,

      Thanks for the reply.  Just got home, Blue Jays lost against Tampa Bay 7-1.

      So basically having 3 routers seems an overkill.

      The concern I have is that when I installed the OpenVPN client on the DD-WRT router for the 1st time, the instructions required me to put in the command redirect-gateway, which makes OpenVPN redirect all traffic to the VPN. Because OpenVPN wasn't working, I lost internet access. I had to disable the VPN and reboot to get the internet working again so I could read the OpenVPN documentation. (Many VPN providers have their own DNS and over-complicated OpenVPN configurations, some have scripts, etc…)

      After reading on OpenVPN, I learned you remove "redirect-gateway" and put "route-nopull" and use Policy Based Routing to have a specific range.

      I guess it's all about my risk appetite and the level of control/flexibility I want.

      Thank you

      ChefRayB

      johnpoz LAYER 8 Global Moderator

        What does losing internet access have to do with your concern of devices talking to each other.. Yeah for sure you could do something to pfsense that breaks internet.. That is not what you were asking about.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        ChefRayB

          It was one of my main concerns, which I described in my 1st post under "Problem with Current Setup". I was concerned with both local network and internet outages. Turns out the local network isn't really the problem… it's losing internet access.

          Problem with Current Setup:

          • Each time I experiment with the linksys e4200 or OpenVPN I can potentially create an internal network or internet outage, which means no more Sonos music, no more netflix, no more internet, no access to synology, no Android TV, Phone, Printer, and then the wife starts nagging… then the headache starts… then I have to fix the network and I can only re-try when the wife either sleeps or is away…

          The first time I installed OpenVPN, I used the default instruction redirect-gateway, which routes ALL traffic. Automatically you lose internet access. I would like to play with a router and still have internet so that I can google stuff and listen to music and watch shows recorded on my Synology NAS…

          johnpoz LAYER 8 Global Moderator

            Well losing internet access when you break the thing that gives internet access - how does adding routers to NAT yet again behind it solve that issue?

            If you want to play with pfsense without messing with your actual connection pfsense - then setup a lab/vm you run pfsense on to play with vs messing with the one that is currently providing your network with internet access..

            ChefRayB

              I've come to the same conclusion…. For now I'll keep it simple.  Thanks

              johnpoz LAYER 8 Global Moderator

                Also as to this

                "WAN port to Edge Router Opt1 and plug it directly in my modem"

                If you're on a cable modem.. That doesn't work.. Unless your devices had the same mac.. So you would have to reboot your modem when the device connected to it changes. So internet outage. So you might as well just live through the few seconds/minute it takes to reboot your edge router on the update.

                I am currently running the beta of pfsense, and I update it every few days to current code.. Who cares if the internet is offline for 30 freaking seconds? Especially when I am playing with it most times, which is early morning or late at night.. Not during primetime when the wife is streaming some video, etc.. ;)

                ChefRayB

                  Yeah, forgot about resetting the modem because of the mac address. About 20 years ago, when I needed to change my public internet address (I was testing dynamic dns), I used the "MAC clone" feature in my router: I used to do a WAN DHCP release, change the MAC address, then perform a DHCP get in order to get the modem to return a different public ip address.

                  Purely educational: assuming I clone my linksys WAN port with the MAC address of my edge router WAN port and statically set my currently assigned public WAN IP address on my linksys router (10 seconds), I would be able to simply unplug my edge router and put in my linksys router (5 seconds), and the cable modem would never know that I just switched it, thus not requiring a reboot (assuming DHCP, lease has 2 days left). Would it work? :-[

                  If the MAC address of the WAN port NIC of the edge router (e.g. qotom Q355G4 4 ports) is identical to the WAN port NIC of the linksys router, which happens to be connected to the LAN port of the edge router, would the edge router function correctly? I believe in an un-managed switch, it's the port with the latest update that will be receiving data (perhaps some manufacturers implement it differently). I have no idea how a router or a router with pfsense would behave! Do you happen to know? :-[

                  modem --> WAN port [edge router] LAN port --> WAN port [linksys e4200] (DHCP Enabled)

                  johnpoz LAYER 8 Global Moderator

                    Yes if you clone your mac.. Which how exactly is that going to work in the same network.. But guess it would be on different sides of pfsense.. So now to reduce your outage to 10 seconds, you're going to double nat? Yeah that sounds like a great idea (rolleyes). I do the mac thing with my cable modem for other VMs, so if I want to play with a different firewall/router distro - or different version of pfsense, etc.. I just use the same mac on that VM.. Turn off old vm, boot up new vm with same mac and keep my same public IP this way.

                    I really do not understand what your concern is here?? If you really don't want your internet to go down - then get a 2nd line and use it for failover..

                    ChefRayB

                      Hi John,

                      No concerns, it's my geeky curiosity and trying to find a balance between laziness, easiness and flexibility. It's a home network, I definitely don't need a failover :)

                      Back to the home routing, I believe I require the following protocols on my home network to work across subnets

                      • TCP
                      • UDP
                      • SSDP (for UPnP and DLNA)
                              - TCP port 2869 multicast (HTTPMU) (Windows hosts)
                              - UDP port 1900 multicast (HTTPMU)
                              - UDP (private port) unicast  (HTTPU)

                      Overall Services

                      • STP  ( Sonos seems to require )
                      • uPnP
                      • NTP
                      • OpenVPN Client (Mandatory:  Watch NetFlix)
                      • OpenVPN Server (Optional: I can connect from outside to my box, I have Synology NAS providing me [mymachinename].synology.me)

                      Question:

                      1) Is it hard to configure so that both the non-vpn and vpn hosts from each subnet can talk to each other? I read I would need to install IGMP, UPnP & NAT and perhaps add some rules…

                      2) If I stick with only 1 subnet under lan port1, I don't have to worry about all this, but I then won't be able to switch between non-VPN and VPN on my tablets, mobiles, computers and my TV.

                      Is there a way to use only 1 subnet but have the option not to route through the VPN dynamically from the client? Is that possible? (I know that I can have the device run an OpenVPN client, but that's my last resort)

                      My method to switch from VPN to non-VPN was to change to a different AP (wlan) and have the TV switch from dhcp to static.

                      Thank you

                      johnpoz LAYER 8 Global Moderator

                        "- SSDP (for UPnP and DLNA)"

                        Does not work across subnets..

                        Why do you think you need UPnP?? Do you host games via game consoles?? STP.. so you have a smart switch that does spanning tree?

                        ChefRayB

                          uPnP: I might do a bit of bitTorrent and I have Xbox/Wii
                          STP: okay, then I don't need it since I have a managed switch.

                          If SSDP doesn't work across subnets then I won't be able to see my DLNA media across subnets, which is important for me

                          Do you know an elegant solution to accomplish the following:

                          • AP 2.4GHZ Non-VPN
                          • AP 5.0GHZ Non-VPN
                          • AP 5.0GHZ VPN ( Go through VPN running on pfsense box)
                          • LAN DHCP Non-VPN (e.g. sonos appliances, xbox, obiTalk VOIP)
                          • All AP & LAN have DLNA/SSDP working (meaning all on the same subnet)
                          • TV is connected on LAN and can easily switch between VPN vs non-VPN

                          New Solution ?

                          • ALL AP + LAN  on same subnet with 1 DHCP Server 192.168.20.128 to 255
                          • For the TV, if I use DHCP I get non-VPN, if I set static I get VPN, but I might need to set up the DNS rather than using the DNS pushed by the VPN provider?
                          • how do I route only users on AP  5.0GHZ VPN to OpenVPN on pfsense  since they are now using the same DHCP server

                          Perhaps there is no solution to what I want to accomplish…..

                          Thanks

                          johnpoz LAYER 8 Global Moderator

                            "STP:  okay, then I don't need it since I have a managed switch"

                            Huh?? That would not be viable really unless you had a smart switch.. Why do you think you need that? Sonos do like to create loops on the network, that is for sure, since they talk to each other wirelessly and can also be wired, which creates a loop. STP can stop that for sure..

                            "For the TV, if I use DHCP I get non-VPN,"

                            Why would you do that?  Just route it at pfsense, enable rule vpn, disable rule not vpn.. Clickity Clickity - 2 seconds..

                            " how do I route only users on AP  5.0GHZ VPN to OpenVPN on pfsense  since they are now using the same DHCP server"

                            Why are they using the same dhcp server? But this is done with a dhcp reservation so your client is always the same IP. You can then route them out the vpn or not route them out the vpn..

                            ChefRayB

                              (Keep in mind I am a newbie)

                              STP: I thought I needed it because I have a combination of wired & wireless sonos appliances; the wireless ones use sonosnet, which can potentially create a loop.

                              Switching the TV from vpn to non-vpn should occur by going on the TV (vizio) and simply switching from DHCP to a static ip address. I don't want to connect to pfsense and disable a rule "clickity clickity".

                              The whole purpose of this thread is to be flexible and lazy and deal with Netflix geo blocking. Can you suggest a home solution with the following criteria:

                              1. I would like to have 3 AP
                                  - 2.4GHZ access via ISP provider
                                  - 5.0GHZ access via ISP provider
                                  - 5.0GHZ access via VPN (if I switch my mobile, tablet, computer to 5.0GHZ VPN, I am on VPN)
                              2. Regardless of which AP I am connected to, I would like to access all my devices, see all DLNA, see the printer, etc…
                              3. On my vizio TV, if I set it to DHCP it routes to OpenVPN, and if I set a static ip it routes to the internet (I don't want to go into pfsense and do "clickity clickity")

                              I can buy whatever I need (within reason). I prefer to spend a few hundred dollars more and have flexibility, meaning I don't care if I need to buy one or more routers, one or more smart or L2 or L3 switches, AP, etc…

                              Question:

                              1. Would you be able to propose a solution that meets my requirements?

                              2. I read your thread on VLAN ( https://forum.pfsense.org/index.php?topic=103903.msg581183#msg581183 ). Can we use VLAN for the routing and DHCP allocations (e.g. each vlan has a dhcp server with a dhcp pool)?

                              3. I also read that IGMP might help to resolve uPnP and DLNA across subnets ( https://forum.pfsense.org/index.php?topic=36832.msg190581#msg190581 )

                              Thank you

                              johnpoz LAYER 8 Global Moderator

                                Sure you could use vlans and dhcp reservations to have complete control of what devices use specific rules.

                                I have read that yes sonos can create loops, and while it's possible that some dumb switches have a basic implementation of STP.. without knowing the exact switch model it would be impossible to verify that. But to be honest I would be surprised if "dumb" switches actually support stp..

                                Here is some netgear dumb switch, gs108
                                https://www.netgear.com/business/products/switches/unmanaged/GS108.aspx#tab-techspecs

                                for loop detection, or stp, it shows NA..

                                1) Yes it would be quite simple to draw up a solution for you ;) I have to leave for work in a few minutes - but if I get some free time at work I can draw up some examples for you to work off of.

                                As to IGMP - sure that is possible to do some stuff with, but a much easier to implement and configure solution is to just put the devices that use DLNA/UPnP to discover devices like a TV or streamer on the same layer 2 network.

                                ChefRayB

                                  Great! Keen to see your proposal. I also created my proposal based on my last week's readings and reading your historical posts. Keep in mind it's been 15 years since I played with networks, and I never worked with VLAN and OpenVPN! I started with 3com COAX cable networks, Novell and HUBS!

                                  Curious to see the difference ! :D

                                  Hardware required:

                                  • pfsense box ( 2 port or 4 ports ? )
                                  • Switch 5 port L2 Managed  ( Is there a L3 Managed under $200 worth it ?)
                                  • ubiquiti unifi AC Lite
                                  • 8 port switch un-managed ( already have)
                                  • 4 port switch un-managed ( already have)
                                  • DD-WRT Linksys e4200 (already have)

                                  Wan - Modem
                                  Lan -> Switch #1 (5 port L2 Managed)
                                      -> Port 1 -> trunk, connected to Lan of pfSense box
                                      -> Port 2 -> access, Switch #2 (8 port - Unmanaged)
                                          -> Port 1 -> Port 2 of Switch #1
                                          -> Port 2 -> router DD-WRT
                                              -> AP 2.4GHZ (route to ISP internet)
                                              -> AP 5.0GHZ (route to ISP internet)
                                          -> Port 3 to 7 -> (Sonos, Synology, Obitalk VOIP, Xbox)
                                          -> Port 8 -> Switch #3 (4 port - Unmanaged)
                                              -> Port 1-4 (Sonos)
                                      -> Port 3 -> trunk, ubiquiti unifi AC Lite
                                          -> AP 5.0GHZ (route to VPN)
                                      -> Port 4 -> access, TV
                                      -> Port 5 -> access, empty

                                  VLAN ID descriptions:
                                  vlan1 default, I read don't touch it
                                  vlan2 home  internet via ISP
                                  vlan3 vpn  internet via  OpenVPN

                                  VLAN Configuration of switch #1 (5 ports L2 Managed)
                                  Port1, Trunk, Tagged, vlan1, vlan2, vlan3
                                  Port2, Access, Untagged, vlan2
                                  Port3, Trunk, Tagged, vlan3
                                  Port4, Access, Untagged, vlan3
                                  Port5, Access, Untagged, vlan2

                                  Pfsense configuration:
                                  vlan:

                                  • go to interfaces / VLANs, select em1 and add vlan2 home & vlan3 vpn
                                  • go to interfaces, add interfaces & associate VLAN & enable them.
                                  • set ip address & subnet for each interface
                                    home
                                        - home ip address 192.168.20.128/25 (62 hosts from 129 to 190)
                                        - home dhcp server range 192.168.20.129-130 (I might move the DHCP to the DD-WRT for the home network)
                                    vpn
                                        - vpn ip address 192.168.20.192/26 (62 hosts from 193 to 254)
                                        - vpn dhcp server range 192.168.20.193-254
                                    Firewall:
                                        - rule #1 add home rule allow ipv4, source home 192.168.20.1/25 port *, dest *, port *, gateway * (Router Port 2 home all static, route to internet)
                                        - rule #2 add home rule allow ipv4, source home 192.168.20.128/25 port *, dest *, port *, gateway * (Router Port 2 home DHCP address, route to internet)
                                        - rule #3 add GoViaVPN rule allow ipv4, source 192.168.20.192/26, port *, dest *, port *, gateway * (Router Port 3 & 4 VPN DHCP address, route to VPN)
                                          (If TV on port 3 is set to static (e.g. 192.168.20.100), it will route based on Rule #1)

                                  OpenVPN  Client Setup:

                                  • Create OpenVPN Client,  create interface & assign the OpenVPN Client connection, call it "openvpn_client"
                                  • Under Advanced Configuration, make sure you put route-nopull
                                    OpenVPN  Client NAT:
                                  • rule #4 add NAT rule  source 192.168.20.192/26 , port *, gateway vpn address, port *  ( All ip address from DHCP  Server on 5.0GHZ VPN are routed to VPN)

                                  Install IGMP

                                  • link vlan2 and vlan3 and make sure L2 Managed Switch has IGMP supported

                                  Functionality:

                                  • Home static Lan, DHCP Lan, Home AP 2.4, AP 5.0 have access to home appliances + DLNA/UPnP available
                                  • VPN AP 5.0GHZ will allow me to route through VPN for internet anytime I want
                                  • If my TV is DHCP, it will route to VPN
                                  • If my TV is a static ip (despite being on a vlan3 VPN port), when the packet exits the L2 smart switch with a vlan3 tag, the firewall rule is looking at the IP address, not the vlan3 tag. Does this make sense?
                                  • If OpenVPN goes down, I still have internet
                                  • if edge router pfsense goes down, I only lose Internet for a while.
                                  • if edge router pfsense goes down for a week, I enable DHCP on Linksys DD-WRT on the WAN Port and plug directly into the MODEM.

                                  Further down the line:

                                  • Possibility to add another 3 additional AP with ubiquiti AP AC Lite  ( Different VPN Provider,  Guest , 5.0ghz AC Internet )
                                  • Create a vlan for Obitalk VOIP

                                  Thank you  :)

                                  ChefRayB

                                    After writing my previous post, I just realized I don't really need L2 managed, the ubiquiti AP or the usage of VLAN.
                                    VLANs are simply virtual interfaces sharing the same hardware… So a pfsense box with 4 ports (wan, lan, opt1, opt2) would suffice in theory.

                                    Hardware required:

                                    • pfsense box ( 4 ports )
                                    • 8 port switch un-managed ( already have)
                                    • 4 port switch un-managed ( already have)
                                    • DD-WRT Linksys e4200 (already have)
                                    • cheap used router configured as AP supporting 5.0ghz (will ask around or still buy ubiquiti if can't get cheap 5.0ghz)

                                    Pfsense Box (4 ports)
                                    Wan - Modem
                                    Lan -> router DD-WRT
                                        -> DHCP Server Enabled (this makes my DD-WRT fully independent)
                                            - home ip address 192.168.20.129/25 (62 hosts from 129 to 190)
                                            - home dhcp server range 192.168.20.130-190
                                        -> AP 2.4GHZ (route to ISP internet)
                                        -> AP 5.0GHZ (route to ISP internet)
                                        -> wan -> plugged into Lan of pfSense box
                                        -> Port 1 -> access, Switch #2 (8 port - Unmanaged)
                                            -> Port 1 -> plugged into port 1 of router DD-WRT
                                            -> Port 2 to 7 -> (Sonos, Synology, Obitalk VOIP, Xbox)
                                            -> Port 8 -> Switch #3 (4 port - Unmanaged)
                                                -> Port 1-4 (Sonos)
                                    Opt1 -> Cheap AP router
                                        -> AP 5.0GHZ (route to VPN)
                                    Opt2 -> plug directly into TV

                                    pfsense configuration with interfaces (without any VLAN)
                                    Lan interface internet via ISP
                                    Opt1 internet via  OpenVPN  (opt1 is connected to AP )
                                    Opt2 internet via OpenVPN  (opt2 is connected to TV)

                                    Lan interface (DHCP Disabled, my dd-wrt will take care of everything for home)

                                    • home ip address 192.168.20.64/26  (62 hosts from 65 to 126)

                                    Opt1 interface (DHCP enabled, I put a used router for small AP)

                                    • vpn ip address 192.168.20.128/26  (62 hosts from  129 to 190)
                                    • vpn dhcp server range 192.168.20.129-190

                                    Opt2 interface (DHCP enabled, this is what I plug to my TV, netflix 4k ! )

                                    • vpn ip address 192.168.20.192/26  (62 hosts from  193 to 254)
                                    • vpn dhcp server range 192.168.20.193-254

                                    Firewall:

                                    • 192.168.20.1/25 (126 hosts from 1 to 126) to internet  ( this is my static range + dhcp range for home network to ISP )
                                    • 192.168.20.128/25 (126 hosts from  129 to 190) to OpenVPN ( this is my dhcp range for openvpn )

                                    OpenVPN

                                    • NAT 192.20.128/25 (128 hosts from 129 to 254) to OpenVPN

                                    IGMP-Proxy

                                    • Install on lan, opt1 and opt2 (Does IGMP proxy support more than 2 interfaces?)

                                    Functionality:

                                    • Home static Lan, DHCP Lan, Home AP 2.4, AP 5.0 and DHCP Server all under dd-wrt router with DLNA/UPnP available
                                    • VPN AP 5.0GHZ will allow me to route through VPN for internet anytime I want
                                    • If my TV is DHCP, it will route to OpenVPN Interface which NAT translates to OpenVPN tunnel for internet
                                    • If my TV is static ip (<64), it will route to Internet
                                    • If OpenVPN goes down, I still have internet working
                                    • if edge router pfsense goes down, I only lose Internet for a while.
                                    • if edge router pfsense goes down for a week, I enable DHCP on Linksys DD-WRT on the WAN Port and plug directly into the MODEM.

                                    Thank you

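A check of the second plan above, written as an added example for this thread (it is not ChefRayB's configuration and not pfSense code): it computes the usable hosts per prefix, evaluates the two policy-routing rules top-down with first match winning for a few TV addresses, and lists networks whose ranges overlap. The 192.168.20.x addresses and the rule order come from the post; the first-match evaluation and the inclusion of the DD-WRT LAN as a fourth network are my assumptions.

```python
"""Sanity-check the 4-port pfSense plan with Python's ipaddress module.

Assumptions (mine, not pfSense's): rules are evaluated top-down and the first
match wins, and a rule's source is normalised the way a router masks host
bits (192.168.20.1/25 means 192.168.20.0/25).  Addresses are the ones the
post proposes; the DD-WRT LAN is included because it sits behind the pfSense
LAN port and its /25 covers the same range as the OPT networks.
"""
from itertools import combinations
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Networks from the post (strict=False accepts the "x.x.x.129/25" spelling)
NETWORKS: Dict[str, IPv4Network] = {
    "lan":       IPv4Network("192.168.20.64/26"),
    "opt1":      IPv4Network("192.168.20.128/26"),
    "opt2":      IPv4Network("192.168.20.192/26"),
    "ddwrt-lan": IPv4Network("192.168.20.129/25", strict=False),
}

# DHCP pools the post assigns to each pfSense interface
DHCP_POOLS: Dict[str, Tuple[IPv4Address, IPv4Address]] = {
    "opt1": (IPv4Address("192.168.20.129"), IPv4Address("192.168.20.190")),
    "opt2": (IPv4Address("192.168.20.193"), IPv4Address("192.168.20.254")),
}

# Policy-routing rules in the order the post lists them: (name, source, gateway)
RULES: List[Tuple[str, IPv4Network, str]] = [
    ("home-to-internet", IPv4Network("192.168.20.1/25", strict=False), "ISP"),
    ("vpn-users",        IPv4Network("192.168.20.128/25", strict=False), "OpenVPN"),
]


def usable_hosts(cidr: str) -> int:
    """Usable host addresses in a prefix (network and broadcast excluded)."""
    net = IPv4Network(cidr, strict=False)
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def first_match(src: IPv4Address) -> Optional[Tuple[str, str]]:
    """Return (rule name, gateway) of the first rule whose source contains src."""
    for name, source, gateway in RULES:
        if src in source:
            return name, gateway
    return None


def overlapping_networks() -> List[Tuple[str, str]]:
    """Pairs of named networks that share addresses, ordered by name."""
    names = sorted(NETWORKS)
    return [(a, b) for a, b in combinations(names, 2)
            if NETWORKS[a].overlaps(NETWORKS[b])]


def classify(address: str, interface: str) -> Dict[str, object]:
    """Where a host plugged into `interface` with `address` would be routed.

    on_subnet is False when the address lies outside the interface's own
    network: such a host has no on-link gateway, so pfSense never sees its
    traffic and the rule that would match it is irrelevant.
    """
    src = IPv4Address(address)
    net = NETWORKS[interface]
    pool = DHCP_POOLS.get(interface)
    match = first_match(src)
    return {
        "address": address,
        "interface": interface,
        "on_subnet": src in net,
        "from_dhcp_pool": bool(pool and pool[0] <= src <= pool[1]),
        "rule": match[0] if match else None,
        "gateway": match[1] if match else None,
    }


if __name__ == "__main__":
    for name, net in NETWORKS.items():
        print(f"{name:10} {str(net):20} usable hosts: {usable_hosts(str(net))}")
    print("overlapping:", overlapping_networks())
    # The TV on opt2: a DHCP lease, a static address inside opt2, and the
    # post's "static ip (<64)" idea, which lands outside opt2 altogether.
    for addr in ("192.168.20.200", "192.168.20.250", "192.168.20.50"):
        print(classify(addr, "opt2"))
```

Running it shows that a static address inside OPT2 still matches the VPN rule, while the "static ip (<64)" case is off-subnet for OPT2 and so has no on-link gateway to reach pfSense at all.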
                                    ChefRayB

                                      After more reading and better understanding IGMP snooping v1, 2, 3, I think it's worth getting an L2 smart switch because the multicasting across VLANs is done at the switch level rather than at the edge router! I was reading the pdf manual of the TP-Link TL-SG2008 and it allows multicast across VLANs within the switch! (See Reference)

                                      If someone uses more than the lan interface (e.g. lan + opt1)  on a pfsense router, then the pfsense box has to be responsible for multicasting between 2 interfaces if you want DLNA working.

                                      Are there any advantages to having 4 NICs on a pfsense box when you can buy an 8 port L2 smart switch?

                                      Thoughts ?

                                      Reference:  Page 90 of the user manual of TL-SG2008
                                      https://www.manualslib.com/manual/721763/Tp-Link-Tl-Sg2008.html?page=90#manual

                                      johnpoz LAYER 8 Global Moderator

There is always an advantage to having more NICs in your router.. No matter how many switch ports your network has. If you want gig speeds between, say, LAN 1 and your OPT network: if you use a VLAN OPT network that sits on your LAN physical interface, any traffic between LAN and OPT is /2 since you hairpin the traffic. The more VLANs you add to an interface, the more you're sharing the bandwidth of the physical interface.

If you have multiple interfaces in pfsense you can distribute your networks across multiple interfaces so that inter-VLAN traffic is not hairpinned across the same physical interface.

You should always use a smart switch if you ask me ;) Keep in mind that if your goal is to do stuff with IGMP and multicasting, etc., those $30 smart switches are not going to get you the features you really want.. Very, very limited IGMP stuff.. You would want something more like a full-featured managed switch. I have a Cisco sg300-10, picked up for $180 a few years back. The Cisco sg350 would be the replacement in that line. Or Unifi makes some switches that are very reasonably priced - feature rich as well.

But the simple way to deal with multicast and DLNA is just to put the devices that want to use that on the same layer 2 anyway.. To figure out the best layout of your network you need to know all your devices and what protocol they are going to need to talk to what other devices, etc.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        • C
                                          ChefRayB

The thing I like with the TL-SG2008 switch is that it's fanless, consumes <10 watts and can easily fit under the TV cabinet.
I rent a small apartment and I often move every 2 years and relocate to a different city every 5 years.
The smaller, the better: the most silent/compact possible and the lowest wattage. Some countries are 0.23 cents per kilowatt; it makes me feel guilty burning high wattage when I don't really need it and it runs 24/7.

                                          My devices Modem Cable DHCP ( TV Cabinet)
                                          -> DD-WRT linksys ( TV Cabinet)
                                                -> AP 2.4 GHZ 1x printer and sometimes Mobiles/Tablets  and guest mobile
                                                -> AP 5.0 GHZ 3xmobiles, 2x tablets, 2x Alexa, 1xkindle,
                                                -> port1 Obitalk VOIP
                                                -> port2 Synology NAS nic1
                                                -> port3 Ip Cam or Laptop 1000Mbs (Upload picture from digital camera)
                                                -> port4 switch #1 8 ports ( TV cabinet)
                                                    ->Switch #1
                                                        -> port1 Sonos Playbar, wired switch #1
                                                        -> port2 TV
                                                        -> port3 Android TV
                                                        -> port4 survey machine
                                                        -> port5 xbox/wii
                                                        -> port6 Synology NAS nic2
                                                        -> port7 DD-WRT
                                                        -> port8 switch #2 5 ports ( 6 meter, goes behind sofa)
                                                              -> port1 Switch #2
                                                              -> port2 Sonos Play1 left side wired, wlan manually disabled
                                                              -> port3 Sonos Play1 right side wired, wlan manually disabled
                                                              -> port4 Laptop (use on Sofa, 1000mbs)
                                                              -> port5 powerline dlink DHP-AV500  (Powerline is like a hub, no vlan support)

                                          Powerline (no vlan support)
                                          Sonos Play1 dining room wired with powerline
Sonos Play1 kitchen room wired with powerline
                                          Sonos Play1 guest room wired with powerline
                                          Sonos Play1 master room wired with powerline
                                          Sonos Play1 toilet wired with powerline

                                          See diagram attached

Below are the services & protocols (based on my research)

Session: NetBIOS, RTP, UPnP (SSDP)
Transports: TCP, UDP
Internet Layer: ICMP, IGMP, IP, IPv4, (IPSec?)

survey machine:
No idea what it uses; I just know it works

                                          obitalk:
                                          Allow Outgoing:
                                          TCP Ports: 6800, 5222, 5223
                                          UDP Ports: 5060, 5061, 10000 to 11000, 16600 to 16998, 19305
                                          Allow Incoming on UDP Port: 10000

                                          Alexa Echo
                                          Output TCP: *, 80, 8080, 443, 40317, 67, 68
                                          Output UDP: *, 53, 123, 40317, 49317, 33434, 1900, 5000, 5353
                                          Input TCP: 8080, 443, 40317
                                          Input UDP: 53, 67, 68, 1900, 50000, 5353, 33434, 49317, 40317

                                          SONOS:

                                          TCP/IP:
                                          80 (Internet Radio, updates and registration)
                                          443 (Rhapsody, Napster, and SiriusXM)
                                          445 (CIFS)
                                          3400 (incoming UPnP events - Sonos Controller App for Mac or PC)
                                          3401 (Sonos Controller App for iOS)
                                          3445 (OS X File Sharing)
                                          3500 (Sonos Controller App for Android)
                                          4070 (Spotify incoming events)
                                          4444 (Sonos update process)

                                          UDP:
                                          136-139 (NetBIOS)
                                          1900 (UPnP events and device detection)
                                          1901 (UPnP responses)
                                          2869, 10243, 10280-10284 (Windows Media Player NSS)
                                          5353 (Spotify Control)
                                          6969 (Initial configuration)

Synology Services

| Type | Port Number | Protocol |
|---|---|---|
| Synology Assistant | 9999, 9998, 9997 | UDP |
| Data Replicator, Data Replicator II, Data Replicator III | 9999, 9998, 9997, 137, 138, 139, 445 | TCP |
| Hyper Backup Vault, DSM 5.2 Archiving Backup | 6281 | TCP |
| LUN Backup | 3260 (iSCSI), 873, 22 (if encrypted over SSH) | TCP |
| DSM 5.2 Data Backup, rsync, Shared Folder Sync, Remote Time Backup | 873, 22 (if encrypted over SSH) | TCP |
| Snapshot Replication | 3261 (iSCSI LUN), 5566 (Shared Folder) | TCP |
| BT | 6890 ~ 6999 (for models with firmware earlier than v2.0.1-3.0401); 16881 (for models with DSM v2.0.1 and onward) | TCP/UDP |
| DSM (Web Applications) | 5000 (HTTP), 5001 (HTTPS) | TCP |
| File Station (Web Applications) | 5000 (HTTP, additional port can be added), 5001 (HTTPS, additional port can be added) | TCP |
| Mail Server: SMTP | 25 | TCP |
| Mail Server: POP3 | 110 | TCP |
| Mail Server: IMAP | 143 | TCP |
| Mail Server: IMAP over SSL/TLS | 993 | TCP |

                                          ![Home network_smaller.jpg](/public/imported_attachments/1/Home network_smaller.jpg)

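The per-device port lists in the post above use three different range notations ("136-139", "6890 ~ 6999", "10000 to 11000") plus "*" for any port, which makes them hard to turn into tight per-VLAN firewall rules by eye. The following Python is an added example, not code from the post or from any vendor: it normalizes the Obitalk, Alexa and Sonos lists (the table is constructed from the values posted above), flags any entry that would open a whole protocol, and reports the ports that more than one device needs (the discovery ports that must cross VLANs, and an overlap between the Obitalk RTP range and the Sonos NSS ports).

```python
import re

# Constructed from the port lists posted above; "*" is the wildcard the Alexa list uses.
POSTED_PORTS = {
    "obitalk": {"tcp": "6800, 5222, 5223",
                "udp": "5060, 5061, 10000 to 11000, 16600 to 16998, 19305"},
    "alexa":   {"tcp": "*, 80, 8080, 443, 40317, 67, 68",
                "udp": "*, 53, 123, 40317, 49317, 33434, 1900, 5000, 5353"},
    "sonos":   {"tcp": "80, 443, 445, 3400, 3401, 3445, 3500, 4070, 4444",
                "udp": "136-139, 1900, 1901, 2869, 10243, 10280-10284, 5353, 6969"},
}

# Accept the three range spellings that appear in the posted lists.
RANGE_RE = re.compile(r"^(\d+)\s*(?:-|~|to)\s*(\d+)$")
ANY_PORT = (1, 65535)


def parse_ports(spec):
    """Turn a posted port string into sorted (low, high) tuples; '*' becomes (1, 65535)."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item == "*":
            ranges.append(ANY_PORT)
            continue
        m = RANGE_RE.match(item)
        lo, hi = (int(m.group(1)), int(m.group(2))) if m else (int(item), int(item))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {item!r}")
        ranges.append((lo, hi))
    return sorted(ranges)


def wildcard_entries(table):
    """(device, proto) pairs whose rule would allow every port, i.e. no egress restriction."""
    return sorted((dev, proto) for dev, protos in table.items()
                  for proto, spec in protos.items() if ANY_PORT in parse_ports(spec))


def shared_ports(table, proto):
    """Ports needed by more than one device on `proto` (wildcards ignored) -> {port: [devices]}."""
    owners = {}
    for dev, protos in table.items():
        for lo, hi in parse_ports(protos.get(proto, "")):
            if (lo, hi) == ANY_PORT:
                continue
            for port in range(lo, hi + 1):
                owners.setdefault(port, set()).add(dev)
    return {p: sorted(d) for p, d in owners.items() if len(d) > 1}
```

Running `wildcard_entries(POSTED_PORTS)` shows the Alexa "*" entries, which would make its VLAN rules no tighter than "allow any"; `shared_ports(POSTED_PORTS, "udp")` lists 1900 and 5353 (SSDP/mDNS discovery, the traffic that needs IGMP or a shared layer 2) and the Sonos ports that fall inside the Obitalk 10000-11000 range.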
                                          • GentleJoeG
                                            GentleJoe

Don't use Powerline networking.

For your Sonos, use its built-in networking and give it a dedicated channel.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.