Home network to keep wife happy + VPN (TV 4k netflix) + reduce intranet downtime
-
Yeah, forgot about resetting the modem because of the MAC address. About 20 years ago, when I needed to change my public internet address (I was testing dynamic DNS), I used the "MAC clone" feature in my router: I would do a WAN DHCP release, change the MAC address, then perform a DHCP get in order to get the modem to return a different public IP address.
Purely educational: assuming I clone my Linksys WAN port with the MAC address of my edge router's WAN port and statically set my currently assigned public WAN IP address on my Linksys router (10 seconds), I would be able to simply unplug my edge router and plug in my Linksys router (5 seconds), and the cable modem would never know that I just switched it, thus not requiring a reboot (assuming DHCP, lease has 2 days left). Would it work? :-[
IF the MAC address of the WAN port NIC of the edge router (e.g. Qotom Q355G4, 4 ports) is identical to the WAN port NIC of the Linksys router, which happens to be connected to the LAN port of the edge router, would the edge router function correctly? I believe in an unmanaged switch it's the port with the latest update that will be receiving data (perhaps some manufacturers implement it differently). I have no idea how a router or a router with pfSense would behave! Do you happen to know? :-[
modem -> WAN port [edge router] LAN port -> WAN port [Linksys E4200] (DHCP enabled)
-
Yes if you clone your mac.. Which how exactly is that going to work in the same network.. But guess it would be on different sides of pfsense.. So now to reduce your outage to 10 seconds, you're going to double NAT? Yeah that sounds like a great idea (rolleyes). I do the mac thing with my cable modem for other VMs, so if I want to play with a different firewall/router distro - or different version of pfsense, etc.. I just use the same mac on that VM.. Turn off old VM, boot up new VM with same mac and keep my same public IP this way.
I really do not understand what your concern is here?? If you really don't want your internet to go down - then get a 2nd line and use it for failover..
-
Hi John,
No concerns, it's my geeky curiosity and trying to find a balance between laziness, ease and flexibility. It's a home network; I definitely don't need a failover :)
Back to the home routing, I believe I need the following protocols on my home network to work across subnets:
- TCP
- UDP
- SSDP (for UPnP and DLNA)
- TCP port 2869 multicast (HTTPMU) (Windows hosts)
- UDP port 1900 multicast (HTTPMU)
- UDP (private port) unicast (HTTPU)
Overall Services
- STP ( Sonos seems to require )
- UPnP
- NTP
- OpenVPN Client (Mandatory: watch Netflix)
- OpenVPN Server (Optional: I can connect from outside to my box; I have a Synology NAS providing me [mymachinename].synology.me)
Question:
1) Is it hard to configure so that both the non-VPN and VPN hosts from each subnet can talk to each other? I read I would need to install IGMP, UPnP & NAT and perhaps add some rules….
- If I stick with only 1 subnet under LAN port 1, I don't have to worry about all this, but then I won't be able to switch between non-VPN and VPN on my tablets, mobiles, computers and my TV.
Is there a way to use only 1 subnet but have the option not to route through the VPN dynamically from the client? Is that possible? (I know that I can have a device run an OpenVPN client, but that's my last resort)
My method to switch from VPN to non-VPN was to change to a different AP (WLAN) and have the TV switch from DHCP to static.
Thank you
-
"- SSDP (for UPnP and DLNA)"
Does not work across subnets..
Why do you think you need UPnP?? Do you host game via game consoles?? STP.. so you have a smart switch that does spanning tree?
-
UPnP: I might do a bit of BitTorrent and I have Xbox/Wii
STP: okay, then I don't need it since I have a managed switch.
IF SSDP doesn't work across subnets then I won't be able to see my DLNA media across subnets, which is important for me.
Do you know an elegant solution to accomplish the following:
- AP 2.4GHZ Non-VPN
- AP 5.0GHZ Non-VPN
- AP 5.0GHZ VPN ( Go through VPN running on pfsense box)
- LAN DHCP non-VPN (e.g. Sonos appliances, Xbox, Obitalk VOIP)
- All APs & LAN have DLNA/SSDP working (meaning all on the same subnet)
- TV is connected on LAN and can easily switch between VPN and non-VPN
New solution?
- ALL APs + LAN on the same subnet with 1 DHCP server, 192.168.20.128 to 255
- For the TV, if I use DHCP I get non-VPN, if I set static I get VPN, but I might need to set up the DNS rather than using the DNS pushed by the VPN provider?
- How do I route only users on the AP 5.0GHz VPN to OpenVPN on pfSense since they are now using the same DHCP server?
Perhaps there is no solution to what I want to accomplish…..
Thanks
-
"STP: okay, then I don't need it since I have a managed switch"
Huh?? That would not be viable really unless you had a smart switch.. Why do you think you need that? Sonos do like to create loops on the network that is sure, since do they not talk to each other wireless and can be wired which creates a loop. STP can stop that for sure..
"For the TV, if I use DHCP I get non-VPN,"
Why would you do that? Just route it at pfsense, enable rule vpn, disable rule not vpn.. Clickity Clickity - 2 seconds..
" how do I route only users on AP 5.0GHZ VPN to OpenVPN on pfsense since they are now using the same DHCP server"
Why are they using the same dhcp server? But this is done with dhcp reservation so your client is always the same IP. You can then route them out the vpn or not route them out the vpn..
-
(Keep in mind I am newbie)
STP: I thought I needed it because I have a combination of wired & wireless Sonos appliances; the wireless ones use SonosNet, which can potentially create a loop.
Switching the TV from VPN to non-VPN should occur by going on the TV (Vizio) and simply switching from DHCP to a static IP address. I don't want to connect to pfSense and disable a rule, "clickity clickity".
The whole purpose of this thread is to be flexible and lazy and deal with Netflix geo-blocking. Can you suggest a home solution with the following criteria:
- I would like to have 3 APs
- 2.4GHz access via ISP provider
- 5.0GHz access via ISP provider
- 5.0GHz access via VPN (IF I switch my mobile, tablet, computer to the 5.0GHz VPN, I am on VPN). Regardless of which AP I am connected to, I would like to access all my devices, see all DLNA, see the printer, etc…
- On my Vizio TV, if I set DHCP it routes to OpenVPN and if I set a static IP it routes to the internet (I don't want to go into pfSense and do "clickity clickity")
I can buy whatever I need (within reason); I prefer to spend a few hundred dollars more and have flexibility, meaning I don't care if I need to buy one or more routers, one or more smart or L2 or L3 switches, APs, etc….
Question:
- Would you be able to propose a solution that meets my requirements?
- I read your thread on VLANs ( https://forum.pfsense.org/index.php?topic=103903.msg581183#msg581183 ). Can we use VLANs for the routing and DHCP allocations (e.g. each VLAN has a DHCP server with a DHCP pool)?
- I also read that IGMP might help to resolve UPnP and DLNA across subnets ( https://forum.pfsense.org/index.php?topic=36832.msg190581#msg190581 )
Thank you
-
Sure you could use vlans and dhcp reservations to have complete control of what devices use specific rules.
I have read that yes sonos can create loops, and while its possible that some dumb switches have a basic implementation of STP.. without knowing the exact switch model it would be impossible to verify that. But to be honest I would be surprised if "dumb" switches actually support stp..
Here is some netgear dumb switch, gs108
https://www.netgear.com/business/products/switches/unmanaged/GS108.aspx#tab-techspecs
for loop detection, or stp it shows NA..
1) Yes it would be quite simple to draw up a solution for you ;) I have to leave for work in a few minutes - but if I get some free time at work can draw up some examples for you to work off of.
As to IGMP - sure that is possible to do some stuff with, but a much easier to implement and configure solution is to just put the devices that use DLNA/UPnP to discover devices like a TV or streamer on the same layer 2 network.
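The "same layer 2" advice above comes down to how SSDP discovery is carried on the wire. The block below is an added example written for this thread (it is not code from pfSense, Sonos, or any UPnP stack): it builds the M-SEARCH datagram a client multicasts, parses the NOTIFY/200 OK messages a device sends back, and checks where the device's LOCATION URL lives. The constants 239.255.255.250 and port 1900 are the SSDP group and port from the UPnP spec; the sample NOTIFY, its 192.168.20.50 host and port 49152 are constructed for the example.

```python
"""SSDP (the UPnP/DLNA discovery protocol) builder and parser.

Added example for this thread, not code from pfSense, Sonos or any
UPnP stack. SSDP is HTTP-style text carried in UDP: searches and
announcements go to the multicast group 239.255.255.250 port 1900,
which a router does not forward unless it proxies or routes multicast,
and a device answers a search with a unicast HTTP/1.1 200 OK sent back
to the searcher's address. The sample NOTIFY below is constructed.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

SSDP_GROUP = "239.255.255.250"   # administratively scoped multicast group used by SSDP
SSDP_PORT = 1900
CRLF = "\r\n"


def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build the M-SEARCH datagram a control point multicasts to find devices."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',      # the quotes are mandatory per the UPnP spec
        f"MX: {mx}",                 # seconds a device may delay its unicast reply
        f"ST: {search_target}",
    ]
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii")


def parse_ssdp(datagram: bytes) -> dict:
    """Parse an SSDP datagram into its kind, start line and header map.

    Header names are case-insensitive in HTTP, so they are upper-cased.
    """
    text = datagram.decode("utf-8", errors="replace")
    head = text.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    start = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue            # tolerate junk lines from sloppy devices
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    if start.startswith("M-SEARCH"):
        kind = "search"         # multicast, from a control point
    elif start.startswith("NOTIFY"):
        kind = "notify"         # multicast, ssdp:alive / ssdp:byebye from a device
    elif start.startswith("HTTP/1.1 200"):
        kind = "response"       # unicast reply to an M-SEARCH
    else:
        kind = "unknown"
    return {"kind": kind, "start": start, "headers": headers}


def is_ssdp_multicast(dst_ip: str, dst_port: int) -> bool:
    """True when a UDP packet is addressed to the SSDP group, i.e. it stays
    on its L2 segment unless a router proxies or routes multicast."""
    return dst_ip == SSDP_GROUP and dst_port == SSDP_PORT


def location_on_link(msg: dict, listener_subnet: str) -> bool:
    """After discovery the client fetches the LOCATION URL with plain
    unicast HTTP. Report whether that host sits in the listener's own
    subnet; if not, the device is only usable with unicast routing in
    place even when the multicast announcement itself was proxied."""
    location = msg["headers"].get("LOCATION", "")
    host = urlsplit(location).hostname
    if host is None:
        return False
    try:
        return ip_address(host) in ip_network(listener_subnet, strict=False)
    except ValueError:          # LOCATION used a DNS name, not an address
        return False


# Constructed sample: a media server announcing itself (not a real capture).
SAMPLE_NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.20.50:49152/description.xml\r\n"
    "NT: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    "NTS: ssdp:alive\r\n"
    "SERVER: Linux/5.0 UPnP/1.0 ExampleServer/1.0\r\n"
    "USN: uuid:0f1e2d3c-0000-4000-8000-000000000001::urn:schemas-upnp-org:device:MediaServer:1\r\n"
    "\r\n"
).encode("ascii")


if __name__ == "__main__":
    search = parse_ssdp(build_msearch("urn:schemas-upnp-org:device:MediaServer:1"))
    print(search["kind"], search["headers"]["ST"])
    notify = parse_ssdp(SAMPLE_NOTIFY)
    print(notify["kind"], notify["headers"]["NT"], notify["headers"]["LOCATION"])
    print("same subnet:", location_on_link(notify, "192.168.20.0/25"))
    print("other subnet:", location_on_link(notify, "192.168.20.128/25"))
```

Two things fall out of this for the design discussed in the thread: the discovery packets are multicast, so a plain router drops them at the subnet boundary, and even when an IGMP proxy relays the announcement, the client still has to reach the LOCATION host by unicast, which means firewall rules between the subnets must allow that TCP fetch.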
-
Great! Keen to see your proposal. I also created my proposal based on my last week's readings and reading your historical posts. Keep in mind it's been 15 years since I played with networks, and I never worked with VLANs or OpenVPN! I started with 3Com coax cable networks, Novell and hubs!
Curious to see the difference ! :D
Hardware required:
- pfSense box (2 ports or 4 ports?)
- Switch, 5 port L2 managed (Is there an L3 managed under $200 worth it?)
- Ubiquiti UniFi AC Lite
- 8 port switch, unmanaged (already have)
- 4 port switch, unmanaged (already have)
- DD-WRT Linksys E4200 (already have)

WAN - Modem
LAN -> Switch #1 (5 port L2 managed)
  -> Port 1 -> trunk, connected to LAN of pfSense box
  -> Port 2 -> access, Switch #2 (8 port, unmanaged)
       -> Port 1 -> Port 2 of Switch #1
       -> Port 2 -> router DD-WRT
            -> AP 2.4GHz (route to ISP internet)
            -> AP 5.0GHz (route to ISP internet)
       -> Ports 3 to 7 -> (Sonos, Synology, Obitalk VOIP, Xbox)
       -> Port 8 -> Switch #3 (4 port, unmanaged)
            -> Ports 1-4 (Sonos)
  -> Port 3 -> trunk, Ubiquiti UniFi AC Lite
       -> AP 5.0GHz (route to VPN)
  -> Port 4 -> access, TV
  -> Port 5 -> access, empty

VLAN ID descriptions:
vlan1 default, I read don't touch it
vlan2 home internet via ISP
vlan3 VPN internet via OpenVPN

VLAN configuration of Switch #1 (5 port L2 managed):
Port 1, trunk, tagged, vlan1, vlan2, vlan3
Port 2, access, untagged, vlan2
Port 3, trunk, tagged, vlan3
Port 4, access, untagged, vlan3
Port 5, access, untagged, vlan2

pfSense configuration:
VLAN:
- go to Interfaces / VLANs, select em1 and add vlan2 home & vlan3 vpn
- go to Interfaces, add interfaces, associate the VLANs & enable them
- set IP address & subnet for each interface
home
- home IP address 192.168.20.128/25 (62 hosts from 129 to 190)
- home DHCP server range 192.168.20.129-130 (I might move the DHCP to the DD-WRT for the home network)
vpn
- vpn IP address 192.168.20.192/26 (62 hosts from 193 to 254)
- vpn DHCP server range 192.168.20.193-254
Firewall:
- rule #1 add home rule allow ipv4, source home 192.168.20.1/25 port *, dest *, port * , gateway * ( Router Port 2 home all static route to internet)
- rule #2 add home rule allow ipv4, source home 192.168.20.128/25 port *, dest *, port * , gateway * ( Router Port2 home DHCP address route to internet)
- rule #3 add GoViaVPN rule allow ipv4, source 192.168.20.192/26 , port *, dest *, port * , gateway * ( Router Port 3 & 4 VPN DHCP Address route to VPN)
(If TV on port 3 is set to static (e.g. 192.168.20.100), it will route based on Rule #1)
OpenVPN Client setup:
- Create OpenVPN Client, create interface & assign the OpenVPN Client connection, call it "openvpn_client"
- Under Advanced Configuration, make sure you put route-nopull
OpenVPN Client NAT:
- rule #4 add NAT rule source 192.168.20.192/26, port *, gateway vpn address, port * (All IP addresses from the DHCP server on 5.0GHz VPN are routed to VPN)
Install IGMP
- link vlan2 and vlan3 and make sure L2 Managed Switch has IGMP supported
Functionality:
- Home static LAN, DHCP LAN, home AP 2.4, AP 5.0 have access to home appliances + DLNA/UPnP available
- VPN AP 5.0GHz will allow me to route through VPN for internet anytime I want
- If my TV is DHCP, it will route to VPN
- If my TV is static IP (despite being on a vlan3 VPN port), when the packet exits the L2 smart switch with the vlan3 tag, the firewall rule is looking at the IP address, not the vlan3 tag. Does this make sense?
- If OpenVPN goes down, I still have internet
- If the edge router pfSense goes down, I only lose internet for a while.
- If the edge router pfSense goes down for a week, I enable DHCP on the Linksys DD-WRT WAN port and plug it directly into the modem.
Further down the line:
- Possibility to add another 3 additional AP with ubiquiti AP AC Lite ( Different VPN Provider, Guest , 5.0ghz AC Internet )
- Create a vlan for Obitalk VOIP
Thank you :)
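The address plan and rules #1 to #3 in the post above can be checked before touching the pfSense GUI. The block below is an added example written for this thread, not pfSense code: it flags interface subnets that overlap (pfSense refuses to assign an address that overlaps another interface's subnet) and evaluates the rule list the way pf does, per interface, top-down, first match wins, with an implicit default deny when nothing matches. A gateway of "*" is taken to mean the system default route (the WAN); the gateway name OPENVPN_CLIENT_GW and the sample source addresses are assumptions made for the example.

```python
"""Sanity check for the address plan and firewall rules in the design above.

Added example, not pfSense code. It does two things a pfSense admin
otherwise finds out by clicking: (1) flags interface subnets that
overlap, which pfSense refuses when you assign the addresses, and
(2) evaluates the rule list the way pf does: per interface, top-down,
first match wins, implicit default deny at the end. A gateway of "*"
means the system default route (the WAN); anything else is a named
gateway such as the OpenVPN client interface. Subnets and rules are
the ones listed in the post; the gateway name and the sample source
addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    interface: str      # pfSense interface the packet arrives on
    source: str         # source CIDR, or "*" for any
    gateway: str        # "*" = default route, otherwise a named gateway


def find_overlaps(interfaces: dict) -> list:
    """Return (a, b) interface pairs whose subnets overlap.
    strict=False accepts host-style CIDRs such as 192.168.20.1/25."""
    nets = {n: ip_network(c, strict=False) for n, c in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def first_match(rules, interface: str, src_ip: str) -> Optional[Rule]:
    """First rule on this interface whose source covers src_ip, else None."""
    ip = ip_address(src_ip)
    for rule in rules:
        if rule.interface != interface:
            continue                        # rules are per interface in pfSense
        if rule.source == "*" or ip in ip_network(rule.source, strict=False):
            return rule                     # first match wins (GUI rules are "quick")
    return None                             # nothing matched: pf default deny


def route_for(rules, interface: str, src_ip: str) -> str:
    """Where a packet from src_ip entering `interface` ends up."""
    rule = first_match(rules, interface, src_ip)
    if rule is None:
        return "DROP (default deny)"
    return "WAN default route" if rule.gateway == "*" else rule.gateway


# Interface subnets as listed in the post.
INTERFACES = {"home": "192.168.20.128/25", "vpn": "192.168.20.192/26"}

# Rules #1 to #3 as listed in the post. The gateway name is an assumption.
RULES = [
    Rule("#1 home static", "home", "192.168.20.1/25", "*"),
    Rule("#2 home DHCP", "home", "192.168.20.128/25", "*"),
    Rule("#3 GoViaVPN", "vpn", "192.168.20.192/26", "OPENVPN_CLIENT_GW"),
]


def report(rules=RULES, interfaces=INTERFACES) -> dict:
    """Summarise overlaps and a few sample lookups; returned as data so a
    caller (or a test) can assert on it rather than read printed output."""
    samples = [("home", "192.168.20.100"),   # TV with a static address
               ("vpn", "192.168.20.200"),    # DHCP client on the VPN AP
               ("vpn", "192.168.20.100")]    # static address arriving on a VPN port
    return {
        "overlaps": find_overlaps(interfaces),
        "routes": {f"{i}:{ip}": route_for(rules, i, ip) for i, ip in samples},
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Run as-is, the overlap check reports ("home", "vpn"): 192.168.20.192/26 sits inside 192.168.20.128/25, which is the same check pfSense applies when interface addresses are assigned. The lookups also show that a static 192.168.20.100 arriving on the vpn interface matches none of the vpn rules and is dropped, because rule #1 only exists on the home interface.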
-
After writing my previous post, I just realized I don't really need an L2 managed switch, Ubiquiti AP and the usage of VLANs.
VLANs are simply virtual interfaces sharing the same hardware…. So a pfSense box with 4 ports (WAN, LAN, Opt1, Opt2) would suffice in theory.

Hardware required:
- pfSense box (4 ports)
- 8 port switch, unmanaged (already have)
- 4 port switch, unmanaged (already have)
- DD-WRT Linksys E4200 (already have)
- cheap used router configured as AP supporting 5.0GHz (will ask around or still buy Ubiquiti if I can't get a cheap 5.0GHz one)
pfSense box (4 ports)
WAN - Modem
LAN -> router DD-WRT
  -> DHCP server enabled (this makes my DD-WRT fully independent)
     - home IP address 192.168.20.129/25 (62 hosts from 129 to 190)
     - home DHCP server range 192.168.20.130-190
  -> AP 2.4GHz (route to ISP internet)
  -> AP 5.0GHz (route to ISP internet)
  -> WAN -> plugged into LAN of pfSense box
  -> Port 1 -> access, Switch #2 (8 port, unmanaged)
       -> Port 1 -> plugged into port 1 of router DD-WRT
       -> Ports 2 to 7 -> (Sonos, Synology, Obitalk VOIP, Xbox)
       -> Port 8 -> Switch #3 (4 port, unmanaged)
            -> Ports 1-4 (Sonos)
Opt1 -> Cheap AP router
  -> AP 5.0GHz (route to VPN)
Opt2 -> plugged directly into TV

pfSense configuration with interfaces (without any VLAN):
LAN interface: internet via ISP
Opt1: internet via OpenVPN (Opt1 is connected to the AP)
Opt2: internet via OpenVPN (Opt2 is connected to the TV)

LAN interface (DHCP disabled, my DD-WRT will take care of everything for home)
- home IP address 192.168.20.64/26 (62 hosts from 65 to 126)
Opt1 interface (DHCP enabled, I put a used router for a small AP)
- vpn IP address 192.168.20.128/26 (62 hosts from 129 to 190)
- vpn DHCP server range 192.168.20.129-190
Opt2 interface (DHCP enabled, this is what I plug into my TV, Netflix 4k!)
- vpn IP address 192.168.20.192/26 (62 hosts from 193 to 254)
- vpn DHCP server range 192.168.20.193-254
Firewall:
- 192.168.20.1/25 (126 hosts from 1 to 126) to internet (this is my static range + DHCP range for the home network to ISP)
- 192.168.20.128/25 (126 hosts from 129 to 190) to OpenVPN (this is my DHCP range for OpenVPN)
OpenVPN
- NAT 192.168.20.128/25 (128 hosts from 129 to 254) to OpenVPN
IGMP Proxy
- Install on LAN, Opt1 and Opt2 (Does IGMP Proxy support more than 2 interfaces?)
Functionality:
- Home static LAN, DHCP LAN, home AP 2.4, AP 5.0 and DHCP server all under the DD-WRT router with DLNA/UPnP available
- VPN AP 5.0GHz will allow me to route through VPN for internet anytime I want
- If my TV is DHCP, it will route to the OpenVPN interface which NAT translates to the OpenVPN tunnel for internet
- If my TV is static IP (<64), it will route to the internet
- If OpenVPN goes down, I still have internet working
- If the edge router pfSense goes down, I only lose internet for a while.
- If the edge router pfSense goes down for a week, I enable DHCP on the Linksys DD-WRT WAN port and plug it directly into the modem.
Thank you
-
After more reading and better understanding IGMP snooping v1, 2, 3, I think it's worth getting an L2 smart switch because the multicasting across VLANs is done at the switch level rather than the edge router! I was reading the PDF manual of the TP-Link TL-SG2008 and it allows multicast across VLANs within the switch! (See reference)
If someone uses more than the LAN interface (e.g. LAN + Opt1) on a pfSense router, then the pfSense box has to be responsible for multicasting between the 2 interfaces if you want DLNA working.
Is there any advantage to having 4 NICs on the pfSense box when you can buy an 8 port L2 smart switch?
Thoughts?
Reference: Page 90 of the user manual of the TL-SG2008
https://www.manualslib.com/manual/721763/Tp-Link-Tl-Sg2008.html?page=90#manual
-
There is always advantage to having more nics in your router.. No matter how many switch ports your network has. If you want gig speeds between say lan 1 and your OPT network. If you use a vlan opt network that sits on your lan physical interface. Any traffic between lan and opt is /2 since you're hairpinning the traffic. The more vlans you add to an interface the more you're sharing the bandwidth of the physical interface.
If you have multiple interfaces in pfsense you can distribute your networks across multiple interfaces so that intervlan traffic is not hairpinned across the same physical interface.
You should always use a smart switch if you ask me ;) Keep in mind that if your goal is to do stuff with igmp and multicasting, etc. those 30$ smart switches are not going to get you the features you really want.. Very Very limited igmp stuff.. You would want something more in full featured managed switch. I have cisco sg300-10, picked up for $180 few years back. Cisco sg350 would be replacement in that line. Or the unifi makes some switches very reasonable priced - feature rich as well.
But the simple way to deal with multicast and dlna is just put the devices that want to use that on the same layer 2 anyway.. To figure out the best layout of your network need to know all your devices and what protocol they are going to need talk to what other devices, etc.
-
The thing I like with the TL-SG2008 switch is that it's fanless, consumes <10 watts and can easily fit under the TV cabinet.
I rent a small apartment and I often move every 2 years and relocate to a different city every 5 years.
The smaller the better, and the most silent/compact possible with the lowest wattage. Some countries are at 0.23 per kilowatt-hour; it makes me feel guilty burning high wattage when I don't really need it and it runs 24/7.

My devices:
Modem Cable DHCP (TV cabinet)
-> DD-WRT Linksys (TV cabinet)
   -> AP 2.4GHz: 1x printer and sometimes mobiles/tablets and guest mobile
   -> AP 5.0GHz: 3x mobiles, 2x tablets, 2x Alexa, 1x Kindle
   -> port 1 Obitalk VOIP
   -> port 2 Synology NAS nic1
   -> port 3 IP cam or laptop 1000Mbps (upload pictures from digital camera)
   -> port 4 Switch #1, 8 ports (TV cabinet)
      -> Switch #1
         -> port 1 Sonos Playbar, wired to Switch #1
         -> port 2 TV
         -> port 3 Android TV
         -> port 4 survey machine
         -> port 5 Xbox/Wii
         -> port 6 Synology NAS nic2
         -> port 7 DD-WRT
         -> port 8 Switch #2, 5 ports (6 meters, goes behind sofa)
            -> port 1 Switch #2
            -> port 2 Sonos Play1 left side, wired, WLAN manually disabled
            -> port 3 Sonos Play1 right side, wired, WLAN manually disabled
            -> port 4 laptop (used on sofa, 1000Mbps)
            -> port 5 Powerline D-Link DHP-AV500 (Powerline is like a hub, no VLAN support)

Powerline (no VLAN support):
Sonos Play1 dining room, wired with Powerline
Sonos Play1 kitchen, wired with Powerline
Sonos Play1 guest room, wired with Powerline
Sonos Play1 master room, wired with Powerline
Sonos Play1 toilet, wired with Powerline
See diagram attached.
Below are the services & protocols (based on my research):
Session: NetBIOS, RTP, UPnP (SSDP)
Transport: TCP, UDP
Internet layer: ICMP, IGMP, IP, IPv4, (IPsec?)

Survey machine:
No idea what it needs, I just know it works.

Obitalk:
Allow outgoing:
TCP ports: 6800, 5222, 5223
UDP ports: 5060, 5061, 10000 to 11000, 16600 to 16998, 19305
Allow incoming on UDP port: 10000

Alexa Echo:
Output TCP: *, 80, 8080, 443, 40317, 67, 68
Output UDP: *, 53, 123, 40317, 49317, 33434, 1900, 5000, 5353
Input TCP: 8080, 443, 40317
Input UDP: 53, 67, 68, 1900, 50000, 5353, 33434, 49317, 40317

SONOS:
TCP/IP:
80 (Internet radio, updates and registration)
443 (Rhapsody, Napster, and SiriusXM)
445 (CIFS)
3400 (incoming UPnP events - Sonos Controller App for Mac or PC)
3401 (Sonos Controller App for iOS)
3445 (OS X file sharing)
3500 (Sonos Controller App for Android)
4070 (Spotify incoming events)
4444 (Sonos update process)
UDP:
136-139 (NetBIOS)
1900 (UPnP events and device detection)
1901 (UPnP responses)
2869, 10243, 10280-10284 (Windows Media Player NSS)
5353 (Spotify control)
6969 (initial configuration)

Synology services (service: ports, protocol):
- Synology Assistant: 9999, 9998, 9997 UDP
- Data Replicator, Data Replicator II, Data Replicator III: 9999, 9998, 9997, 137, 138, 139, 445 TCP
- Hyper Backup Vault, DSM 5.2 Archiving Backup: 6281 TCP
- LUN Backup: 3260 (iSCSI), 873, 22 (if encrypted over SSH) TCP
- DSM 5.2 Data Backup, rsync, Shared Folder Sync, Remote Time Backup: 873, 22 (if encrypted over SSH) TCP
- Snapshot Replication: 3261 (iSCSI LUN), 5566 (Shared Folder) TCP
- BT: 6890 ~ 6999 (for models with firmware earlier than v2.0.1-3.0401); 16881 (for models with DSM v2.0.1 and onward) TCP/UDP
- Web applications, DSM: 5000 (HTTP), 5001 (HTTPS) TCP
- File Station: 5000 (HTTP, additional port can be added), 5001 (HTTPS, additional port can be added) TCP
- Mail Server:
  SMTP: 25 TCP
  POP3: 110 TCP
  IMAP: 143 TCP
  IMAP over SSL/TLS: 993 TCP

[Attachment: Home network_smaller.jpg]
-
Don't use Powerline networking.
For your Sonos, use its built in networking, give it a dedicated channel.
-
"Don't use Powerline networking."
Why, it works fine, or are you talking about the Sonos? I hear their networking implementation isn't the best.
I carry 6 VLANs over mine and no issues whatsoever.
-
My current Powerline seems to work fine with Sonos; the light sometimes goes red on the Powerline device but it works 98% of the time.
I use Powerline for a few reasons:
- reduce WiFi as much as easily possible in the apartment (Sonos)
- when a Sonos is far, it is easier putting Powerline than a WiFi repeater….
- when a Sonos is far, it uses its mesh network, which sometimes struggles (2.4GHz congestion, loops)
Powerline (based on my readings) seems to act like a hub; it has its role and place, it brings Ethernet across the apartment over electric cable. I am renting an apartment....
I have a device that evaluates 0-8GHz frequency power and I am trying to reduce it around me.... we are getting bombarded enough outside the home... I believe less frequency at home might be good....
Over time I was thinking of getting Ubiquiti APs and putting one in each room at the lowest power possible so that no device in the apartment is broadcasting strongly.... but that's later.. now I want to figure out my current network....
Waiting for Johnpoz's design/routing suggestion, or anybody else who understands networks very well, to give me their recommendation. I lack experience and wonder if my suggestion is correct.
-
"Don't use Powerline networking.
Why, it works fine or are you talking about the Sonos? I hear their networking implementation isn't the best.
I carry 6 VLANs over mine and no issues whatsoever."
Powerline is not 100% reliable. That is why I don't use it.
This apartment is small enough that the Sonos network will work a lot better, more reliably.
Just put it on its own 2.4 channel. Any other WiFi AP, use channel 6 or channel 11, 20 MHz width.
-
Any idea when you will provide your suggestions? Keen to see your design.
I won't be home this weekend but I will have internet access to read replies.

In the meanwhile, I have some design questions about bridge/IGMP/DHCP where I need some guidance/confirmation. I am not sure how the routing would work in these scenarios.
Let's assume I am using the Qotom box with 4 NICs:
- WAN (cable modem)
- LAN (LAN home network)
- Opt1 (AP OpenVPN network)
- Opt2 (LAN OpenVPN network for TV)

Scenario #1: LAN, Opt1, Opt2 are bridged and use the same subnet 192.168.20.1/24
Outcome: UPnP/DLNA should work bi-directionally for all clients connected to all 3 interfaces because the bridge feature behaves like a switch.
Problem with the Scenario #1 configuration:
- Once bridged, only 1 DHCP server; can't have multiple DHCP servers, and it will be somewhat difficult to route an IP range to firewall/OpenVPN
- The pfSense box is being used as a switch rather than for layer 3 IP routing; just buy a $50 switch. Bridge should only be used to bridge an AP at best…
Question #1: If LAN, Opt1, Opt2 are bridged but using different subnets (LAN 192.168.20.1, Opt2 192.168.30.1 and Opt3 192.168.40.1), would the bridge feature still work? Can each client see the UPnP/DLNA? Will the bridge still broadcast across different subnets or respect the rules of the L2 subnet?

Scenario #2: Keep LAN, Opt1, Opt2 separate (non-bridged), all 3 interfaces share the same subnet 192.168.20.1/24, have a DHCP server on each interface with an IP range for each, and enable IGMP Proxy
Outcome: UPnP/DLNA should work bi-directionally across all clients connected to all 3 interfaces, or uni-directionally one way LAN -> Opt1 & Opt2.
Problem with the Scenario #2 configuration:
- pfSense is being used for IGMP management; you can buy a smart switch or L2 managed switch and delegate this work to the switch rather than the pfSense box
- The 4 NICs are used up; will need a smart/managed switch to add more IP segments in the future.

Question #2: What is the IGMP Proxy cardinality? Bidirectional or unidirectional?
Unidirectional = By putting LAN as upstream, Opt1 & Opt2 as downstream, this means that Opt2 & Opt3 are just clients and all the DLNA/UPnP servers must reside on LAN. That means if I take an Android tablet connected on the Opt2 interface and enable a UPnP server to share pictures, users connected on LAN won't see the UPnP server from Opt2 because IGMP Proxy is uni-directional; I'm assuming IGMP Proxy was designed to cascade from WAN to LAN.
Bidirectional = IGMP Proxy is sharing everything on both sides; DLNA/UPnP servers and clients are available & visible on both sides.
Question #3: Must the interfaces share the same subnet so that IGMP Proxy works? (meaning LAN, Opt1, Opt2 must all be under 192.168.20.1/24, or can LAN be 192.168.20.1, Opt2 192.168.30.1 and Opt3 192.168.40.1?) It seems it supports multiple subnets (https://doc.pfsense.org/index.php/IGMP_Proxy)
Question #4: Does a smart/managed switch support bidirectional IGMP multicast (DLNA/UPnP) across:
a) a single subnet only?
b) multiple different subnets?
c) VLANs?
Thank you
-
Sorry, derby weekend, and work the last couple of days has been busy.. Seems to be lots to read here..
-
Enjoy! Kentucky Derby @ Louisville looks fun!
Never experienced that, perhaps in my 2018 bucket to do , will ask you about good seating location :)
-
Ordered: QOTOM Q355G4 i5 5250U 8GB RAM 120GB SSD
Delivery: 15-28 days
https://www.aliexpress.com/store/product/QOTOM-Q355G4-2017-New-fanless-X86-4-LAN-Micro-Computer-I5-5250U-Dual-core-onboard-1080P/108231_32800711474.html
-
Update:
- Managed to play with a L2 Smart switch TL-SG2008 ! ( Big huge thank you to DennyPage)
- Did more reading and played with a switch
Can someone help me in validating the below: ( Johnpoz, if you have time)
Network Design Summary:
- Create 4x vlans
- Each VLAN has access to all other VLANs (all ports in each VLAN are untagged for each VLAN, with the exception of the trunk of course)
- Each VLAN shares the same subnet, meaning they can communicate with each other inside the same smart switch (ARP should work)
- Each VLAN has a DHCP server assigned to a specific IP range
- Configure the router to route certain IP range through OpenVPN rather WAN(ISP)
I have 3 question bugging me
#1 Since all 4x vlans are sharing the same subnet and each vlan has access to each port on the switch, technically all machines can communicate to each other without routing ? Correct?
#2 In this design (vlan sharing same subnet), the only purpose of the VLAN is to allocate DHCP IP address so that I can route an IP range between ISP or OpenVPN at the router level (pfsense). Feasible ? Will I end up with problems down the road ?
#3 If I enable IGMP Snooping on each VLAN, I reduce broadcasting noise when devices are streaming data because only the devices subscribed will receive the packets on the port on the L2 smart switch. Correct ? (Is it really worth doing it if you have a few devices on gigabit switch ?)
thanks
Ray
-
Update: Just received the Qotom hardware today!
"#2 In this design (vlan sharing same subnet), the only purpose of the VLAN is to allocate DHCP IP address so that I can route an IP range between ISP or OpenVPN at the router level (pfsense). Feasible ? Will I end up with problems down the road ?"
I just tried it; it says "IPv4 address xxx.xxx.xxx.xxx is being used by or overlaps with VLAN xxx.xxx.xxx.xxx/subnet".
This means I can't use VLANs just for DHCP allocation of IPs while having all the VLANs share the same subnet.

I feel I am writing a blog here….
Anybody can comment: am I trying to find a solution to something that isn't really possible?
-
I think what you are building is complicated and you are going to have to figure it out as you go. Personally I think it much easier to build VLANs if you assign a network to every VLAN. Also to better support multiple devices it is better to use tagged VLANs rather than untagged. Only use untagged for the default VLAN. When you use a trunk only one VLAN untagged can pass and that is the default VLAN. I think you are going to find Apple and probably Sonos are not going to route so you will compromise your setup to fit within these rules.
Personally I think a layer 3 switch works better when you use VLANs. You can turn off your router and everything in your local network still works locally. Watching TV off a NAS no problem, still works.
I run pfsense using a Cisco SG300-28 layer 3 switch in L3 mode. So I kind of know what you are building.
-
"I think what you are building is complicated and you are going to have to figure it out as you go. Personally I think it much easier to build VLANs if you assign a network to every VLAN. Also to better support multiple devices it is better to use tagged VLANs rather than untagged. Only use untagged for the default VLAN. When you use a trunk only one VLAN untagged can pass and that is the default VLAN. I think you are going to find Apple and probably Sonos are not going to route so you will compromise your setup to fit within these rules."
Hi Coxhaus,
I think you've perfectly summarized the problem and I've come to a very similar conclusion. I lack experience & knowledge, therefore it takes me a bit more time because I need to play around with hardware (e.g. L2 smart switch) to really grasp its limitations and flexibility.
I am breaking down my home project into 2 phases:
Phase 1: pfSense (VLANs, UPnP, IGMP Proxy, firewall, routing, OpenVPN) + L2 smart switch (IGMP snooping if required)
Phase 2: Replace the main switch with L3/L2 and only use pfSense for firewall/OpenVPN/routing.

"Personally I think a layer 3 switch works better when you use VLANs. You can turn off your router and everything in your local network still works locally. Watching TV off a NAS no problem, still works.
I run pfsense using a Cisco SG300-28 layer 3 switch in L3 mode. So I kind of know what you are building."
Yeah that's my ultimate destination. It will be an interesting journey that will take me many months to get there.
Until today, arp -a is my best friend command! Loving it :)
-
You may find phase 1 may be all you need. You are going to be able to accomplish everything with an L2 switch except you won't be able to turn off pfsense and have your local network work as there is no layer 3 device to route local traffic locally. The other thing is all your network setup will be in 1 place. I like my setup spread out as it is easier to work on for me. I do router things on the router, I do switch things on the switch and I do wireless on the wireless devices. To me it is much simpler that way.
-
Agree in principle, breaking down each component makes it simple.
Spent a few hours on IGMP Proxy and wasn't able to get it working, doesn't seem to work across VLANs.
This will take much more time than expected.
Reading on Cisco SG300-10
-
I seen some the Cisco SG300-10 cheap on eBay. If you buy one flash it to the latest firmware before you set it up. Download the latest software from Cisco for the small business switches as it is free. It is the reason I run Cisco small business devices instead of the IOS Pro Cisco gear which is not free software.
One other thing is start in L3 mode otherwise you will wipe out your config when you move over to L3 from L2.
-
I have been reading exactly the same thing on the forum, it's the top 2 tips everyone suggest ! (1- Upgrade latest firmware 2-Activate L3 right away 3- Don't forget to click save or else next reboot it's gone)
Will it be easy activating IGMP Proxy across 2 VLANs ? ( IGMP Proxy in pfsense doesn't seem easy)
I was thinking of SG300-10P so that I can use 2 ports with FOSCAM, I checked the specs, the P, PP, MP and MPP use 13 watts minimum compared to the 10 using 10 watts.
Reference:
http://www.cisco.com/c/en/us/products/collateral/switches/small-business-smart-switches/data_sheet_c78-610061.html
PoE budget / PoE ports / standard:
SG300-10P = 62 watts, 8 ports, 802.3af
SG300-10PP = 62 watts, 8 ports, 802.3at (PoE+ supported)
SG300-10MP = 124 watts, 8 ports, 802.3at
SG300-10MPP = 124 watts, 8 ports, 802.3at (PoE+ supported)
Operating temperature (maximum):
SG300-10P 104 degrees Fahrenheit (40 Centigrade)
SG300-10PP 113 degrees Fahrenheit (45 Centigrade)
SG300-10MP 104 degrees Fahrenheit (40 Centigrade)
SG300-10MPP 113 degrees Fahrenheit (45 Centigrade)
SG300-10SFP 113 degrees Fahrenheit (45 Centigrade)
Power consumption (all four support Energy Detect and Short Reach; figures are system power at 110V / 220V, power with PoE load at 110V / 220V, and heat dissipation in BTU/hr):
SG300-10P: 13.13W / 13.48W; 81.44W / 81.16W; 277.87
SG300-10PP: 13.37W / 12.99W; 83.47W / 81.58W; 278.36
SG300-10MP: 12.21W / 12.25W; 154.36W / 152.42W; 526.68
SG300-10MPP: 13.41W / 13.72W; 145.7W / 144.5W; 493.05
-
I don't use IGMP Proxy so you will need to figure it out. There is a drop down for it in the menus. What are you going to use it for? I think you are going to run out of ports before you have to have it. So your multicast hits a few extra ports. You only have 10 ports.
Like I said this is stuff you are going to have to figure out as you go.
I would go for a SG300-10 switch without power.
-
Let's say I would buy SG300-10PP (PoE+), I would install 1 AP Ubiquiti AC PRO (PoE+) and perhaps 1 IP CAM (PoE) to put near my living room TV stand. Isn't having PoE+ for the AP practical, less wires visible when you put the AP on the wall along the door frame (I don't own a house). My current TV stand has over 15+ power adapters… it's getting scary ! :-[
To compensate for the loss of 2 ports on SG300-10, I would bundle a few common devices together (e.g. TV, Android Box, Xbox, Nintendo Wii) under 1 port by using my smart switch since I can only operate 1 device at a time anyways)
On ebay SG300-10 is ~120 USD and SG300-10PP is ~200 USD. I figure spending the extra $80 is worth it considering buying a separate PoE Adapter cost $30 each. :-\ :-\ :-\
After I get this working, I am eyeing Ubiquiti AC PRO (multiple SSIDs) for holidays 2017 :D
Losing patience with pfSense IGMP Proxy !
Care to share your home setup ?
-
I still don't see why you need IGMP proxy? How are you using it?
-
Sorry, I misunderstood your question.
For IGMP Proxy, I would have multiple VLANs sharing Media Streams:
- Synology DLNA (Server), Synology Plex Server (server)
- Sonos (server), Windows Media Center (client, server)
- Android TV Box (Client),
- Android Tablet & Mobile Phone (client),
- TV (Client)
In the future….year 2018-2019.... I was thinking Google TV, Free 2 air HDTV channels (get a antenna + tuner card + Android TV Box)... Perhaps in 2019 everything will be in the cloud and I don't need to do anything anymore.... :)
-
You don't need igmp proxy to share media across subnets.. You only need that for shitty apps that don't understand that people might have more than one L2..
As to the L3 advice of sg300.. Makes zero sense to me to be honest, I have mine in L2 mode.. Since not planning on using L3 mode.. If I did switch it and lost the config - what would it really matter? Since I would be switching to L3 vs L2.. would be a different config, etc.
if you have devices that need to be on the same L2 for some feature - then put them on the same L2..
-
You don't need igmp proxy to share media across subnets.. You only need that for shitty apps that don't understand that people might have more than one L2..
Then I must have shitty apps ?
As to the L3 advice of sg300.. Makes zero sense to me to be honest, I have mine in L2 mode.. Since not planning on using L3 mode.. If I did switch it and lost the config - what would it really matter? Since I would be switching to L3 vs L2.. would be a different config, etc.
I believe the whole point of the L3 advice is to let people know that if they intend to use L3 from the get go, suggest to activate the L3 feature before configuring the switch so that they don't need to re-start from scratch. It's just a heads up / guideline for newbie people. Keep in mind some people are doing this as a hobby, it's not a daily job, they don't have a strong network background, many people would expect an L3 flag On/Off without losing the configuration, etc….
if you have devices that need to be on the same L2 for some feature - then put them on the same L2..
By putting them on the same L2, then you lose other features that the user (e.g. myself) requires… Perhaps at the end it's not worth doing it and everything will be in 1 subnet...call it a day...time will tell....
-
One subnet is hard to beat for simplicity. It is not optimal but it is simple.
-
You don't need igmp proxy to share media across subnets.. You only need that for shitty apps that don't understand that people might have more than one L2..
As to the L3 advice of sg300.. Makes zero sense to me to be honest, I have mine in L2 mode.. Since not planning on using L3 mode.. If I did switch it and lost the config - what would it really matter? Since I would be switching to L3 vs L2.. would be a different config, etc.
if you have devices that need to be on the same L2 for some feature - then put them on the same L2..
John you should try L3 mode before you knock it. It will give you faster throughput if you move very much data on the local net like backups, music, or video files. This is across networks which is a given if you are using a layer 3 switch.
When you setup L3 mode setup your router(pfsense) in a separate VLAN. You will like the way it works.
-
Dude I know full well what an L3 switch does and why/how it would be used. I have zero use for it in my home network.. You then lose the ability to firewall between vlans at pfsense.
My point was if you're not going to use L3 mode, then you don't have to put it in L3 mode. But even if you put it in L3 mode you can still use it for L2. I don't understand all the fuss of putting it in L3 mode if you're only going to use it as L2. The logic behind doing it, is you lose your config when you change to L3 from L2. To that I say so what - if I was going to be moving it to L3 my config would be different anyway ;)
You don't need 1 vlan - you can have many of them.. I have like 8.. But if you have devices that are limited to some nonsense protocol that only works when they are on the same L2 then put those devices on the same L2.. So you don't have to worry about doing something odd with an IGMP proxy.
Example of this - My wifi devices like iphone and ipad like to use airprint to access the printer. While I could do a bit of extra work and using mdns or avahi get that to work across segments. It was just easier to put the printer on the same L2 as my wifi network the iphone and ipad connect to. Since my other devices that need to print don't need to use that airprint shit, they can just point to the IP of the printer.
That is just one simple example. You are the one that should understand the requirements of your devices and the protocols they use - so just layout your network so devices that require to be on the same L2 are and there you go.. No need for IGMP proxy setup.
-
Dude I know full well what an L3 switch does and why/how it would be used. I have zero use for it in my home network.. You then lose the ability to firewall between vlans at pfsense.
Not everyone requires heavy control between vlan in a home network 8). If you recall my requirements, I mentioned having multiple SSIDs (route via ISP, via OpenVPN) and I would prefer to have the local network working even if I need to shut down the main router (upgrade, playing with OpenVPN, etc….) I know I can create a lab but this is not my daily domain. :-[
My point was if you're not going to use L3 mode, then you don't have to put it in L3 mode. But even if you put it in L3 mode you can still use it for L2. I don't understand all the fuss of putting it in L3 mode if you're only going to use it as L2. The logic behind doing it, is you lose your config when you change to L3 from L2. To that I say so what - if I was going to be moving it to L3 my config would be different anyway ;)
The context of enabling L3 mode was to do inter-vlan routing at the switch level, utilizing a more reliable IGMP Proxy and the ability to shut down/upgrade the router without affecting your home network. In other words complete segregation. I would be able to still play sonos music, stream from Synology NAS, play movies, save files on the network share drive, work on laptop to save DSLR pictures to NAS, etc… (Assuming you are using multiple subnets and VLANs)
You don't need 1 vlan - you can have many of them.. I have like 8.. But if you have devices that are limited to some nonsense protocol that only works when they are on the same L2 then put those devices on the same L2.. So you don't have to worry about doing something odd with an IGMP proxy.
Example of this - My wifi devices like iphone and ipad like to use airprint to access the printer. While I could do a bit of extra work and using mdns or avahi get that to work across segments. It was just easier to put the printer on the same L2 as my wifi network the iphone and ipad connect to. Since my other devices that need to print don't need to use that airprint shit, they can just point to the IP of the printer.
That is just one simple example. You are the one that should understand the requirements of your devices and the protocols they use - so just layout your network so devices that require to be on the same L2 are and there you go.. No need for IGMP proxy setup.
What about my requirements ? Coxhaus provided a solution based on what I want to achieve and informed me that it's complicated. Your solution to put anything that needs same L2 in the same subnet solves only one aspect of the problem but doesn't resolve my primary initial goal of having the ability to switch to different AP SSID (route via ISP, route via OpenVPN1, etc….).
I think you should also consider the users requirements (psss...btw...in this case it's me ) Isn't that fair to say ? ;)
I currently have everything working in my apartment, everything is in a single subnet and I have ip based routing for OpenVPN but I don't like the fact I need to run openvpn client on latop, tablet, mobile phone to enable OpenVPN and my linksys e4200 OpenVPN bandwidth isn't great...
Perhaps I might just suck it up and stick with TP Link L2 switch , I might not be able to dedicate all this time and effort forever :) must be a slow pet project :)
I think we spend more time explaining ourselves than actually exchanging information ! ;D
It's all good, we are all geeks and control freaks ! LOL
In a few years, everything will run through the cloud...you won't need to worry about anything :P
-
"aspect of the problem but doesn't resolve my primary initial goal of having the ability to switch to different AP SSID (route via ISP, route via OpenVPN1, etc….)."
Sure it does... You can create and do whatever SSID you want and put them on whatever vlan you want.
What it seems to me is you have worked this up to be some huge thing, when it's not all that difficult.. And you sure as hell do not need an L3 switch to do it.. And doing so then removes your ability to easily firewall between your segments. And are at the mercy of ACL based rules at the L3 switch.
JFC start deploying stuff already! ;) Start with couple of vlans and start moving stuff around and see what works and doesn't work if you don't actually understand their protocols in use. For example while plex can use some discovery protocols and DLNA - it doesn't actually require that. ALL my wifi devices can access it just fine from different vlans via their SSID. The plex server is on my lan 192.168.9/24 while my wifi networks are either 192.168.2/24 for my devices or my guest wifi vlan is 192.168.6/24
Simple rule to allow what I want to port 32400 and done..
Vs planning out every little thing - you're on 1 big fat L2 right now are you not? Then bring up 1 other segment at a time - isolate your 1 SSID, what is not working? Then start expanding your network. I used to have 2 networks my lan and my wlan.. It became more segmented over time (8 now I think), not all at once. Now that the unifi AP support 8 SSIDs per band I will prob have a few more to isolate iot devices by type vs all lumped together. For example my alexa is on same as my nest.. Going to put alexa on her own vlan to better isolate her from my other iot devices.
Start with your lan.. Break out a couple of wifi ssid, your stuff and guest for example. Then play with your policy routing rules, etc. Thought you said this was a lab ;) So start labbing it for gosh sake already! ;)
As to the cloud -- this brings up a good point. So for example alexa is not on the same network as my lighting hub.. She still controls the lights - because it talks to the cloud, and alexa is tied to the cloud. And tied to my lighting account. She controls the lights just like I do when on the road from my phone via either a wifi connection or my cell data connection (Internet).. Alexa and the lighting that she controls does not have to be on the same L2 nor do those L3 even need to be able to talk to each other.
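The "simple rule to allow what I want to port 32400 and done" layout from the post above, written out as pf rules so the inter-VLAN firewalling argument is concrete. This is an added example, not johnpoz's or pfSense's own configuration; the subnets and port come from the thread, while the interface names and the Plex server address are assumptions (pfSense would normally generate the equivalent rules from the GUI, including its own hidden DHCP rules).

```pf
# Added example (not from the thread). Interface names and the Plex host are assumed.
lan_if   = "igb1"          # assumed: LAN where the Plex server lives, 192.168.9.0/24
wifi_if  = "igb1.2"        # assumed: personal wifi VLAN, 192.168.2.0/24
guest_if = "igb1.6"        # assumed: guest wifi VLAN, 192.168.6.0/24
plex     = "192.168.9.10"  # placeholder: Plex server address on the LAN
rfc1918  = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set skip on lo0
# Default deny, logged, so anything crossing VLANs without a rule shows up in the firewall log.
block log all

# Let the wifi VLANs resolve names against pfSense itself; "self" is every address on the box.
pass in quick on { $wifi_if $guest_if } proto { tcp udp } from any to self port 53

# The one inter-VLAN hole: Plex on TCP 32400, from each wifi VLAN to the single LAN host.
# Keeping this decision at pfSense is exactly what moving routing onto an L3 switch gives up.
pass in quick on $wifi_if  proto tcp from $wifi_if:network  to $plex port 32400
pass in quick on $guest_if proto tcp from $guest_if:network to $plex port 32400

# Everything else from the wifi VLANs toward private address space stays blocked;
# only Internet-bound traffic is allowed out from those segments.
block in quick log on { $wifi_if $guest_if } from any to $rfc1918
pass  in quick on { $wifi_if $guest_if } from any to any

# The LAN itself is trusted outbound.
pass in quick on $lan_if from $lan_if:network to any
pass out all
```

Plex's discovery protocols (GDM, DLNA/SSDP) are multicast and will not cross these VLANs, which is the point: clients are configured with the server address and the firewall admits only the one TCP port.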