Home network to keep wife happy + VPN (TV 4k netflix) + reduce intranet downtime
-
The thing I like about the TL-SG2008 switch is that it's fanless, consumes <10 watts and can easily fit under the TV cabinet.
I rent a small apartment and I often move every 2 years and relocate to a different city every 5 years.
The smaller, the better: as silent/compact as possible and the lowest wattage. Some countries charge 0.23 cents per kilowatt; it makes me feel guilty burning high wattage when I don't really need it and it runs 24/7.
My devices:
Modem Cable DHCP (TV Cabinet)
-> DD-WRT Linksys (TV Cabinet)
   -> AP 2.4 GHz: 1x printer and sometimes mobiles/tablets and guest mobile
   -> AP 5.0 GHz: 3x mobiles, 2x tablets, 2x Alexa, 1x Kindle
   -> port1 Obitalk VOIP
   -> port2 Synology NAS nic1
   -> port3 IP cam or laptop 1000 Mbps (upload pictures from digital camera)
   -> port4 switch #1, 8 ports (TV cabinet)
-> Switch #1
   -> port1 Sonos Playbar, wired to switch #1
   -> port2 TV
   -> port3 Android TV
   -> port4 survey machine
   -> port5 Xbox/Wii
   -> port6 Synology NAS nic2
   -> port7 DD-WRT
   -> port8 switch #2, 5 ports (6 meter cable, goes behind sofa)
-> Switch #2
   -> port1 Switch #2
   -> port2 Sonos Play1 left side, wired, WLAN manually disabled
   -> port3 Sonos Play1 right side, wired, WLAN manually disabled
   -> port4 Laptop (used on sofa, 1000 Mbps)
   -> port5 powerline D-Link DHP-AV500 (Powerline is like a hub, no VLAN support)
Powerline (no VLAN support):
   Sonos Play1 dining room, wired with powerline
   Sonos Play1 kitchen, wired with powerline
   Sonos Play1 guest room, wired with powerline
   Sonos Play1 master room, wired with powerline
   Sonos Play1 toilet, wired with powerline
See diagram attached.
Below are the services & protocols (based on my research):
Session: NetBIOS, RTP, UPnP (SSDP)
Transports: TCP, UDP
Internet layer: ICMP, IGMP, IP, IPv4, (IPSec?)

Survey machine:
No idea what it uses; I just know it works.

Obitalk:
Allow Outgoing:
TCP Ports: 6800, 5222, 5223
UDP Ports: 5060, 5061, 10000 to 11000, 16600 to 16998, 19305
Allow Incoming on UDP Port: 10000

Alexa Echo:
Output TCP: *, 80, 8080, 443, 40317, 67, 68
Output UDP: *, 53, 123, 40317, 49317, 33434, 1900, 5000, 5353
Input TCP: 8080, 443, 40317
Input UDP: 53, 67, 68, 1900, 50000, 5353, 33434, 49317, 40317

SONOS:
TCP/IP:
80 (Internet Radio, updates and registration)
443 (Rhapsody, Napster, and SiriusXM)
445 (CIFS)
3400 (incoming UPnP events - Sonos Controller App for Mac or PC)
3401 (Sonos Controller App for iOS)
3445 (OS X File Sharing)
3500 (Sonos Controller App for Android)
4070 (Spotify incoming events)
4444 (Sonos update process)
UDP:
136-139 (NetBIOS)
1900 (UPnP events and device detection)
1901 (UPnP responses)
2869, 10243, 10280-10284 (Windows Media Player NSS)
5353 (Spotify Control)
6969 (Initial configuration)

Synology Services:
Service: Ports (Protocol)
Synology Assistant: 9999, 9998, 9997 (UDP)
Data Replicator, Data Replicator II, Data Replicator III: 9999, 9998, 9997, 137, 138, 139, 445 (TCP)
Hyper Backup Vault, DSM 5.2 Archiving Backup: 6281 (TCP)
LUN Backup: 3260 (iSCSI), 873, 22 (if encrypted over SSH) (TCP)
DSM 5.2 Data Backup, rsync, Shared Folder Sync, Remote Time Backup: 873, 22 (if encrypted over SSH) (TCP)
Snapshot Replication: 3261 (iSCSI LUN), 5566 (Shared Folder) (TCP)
BT: 6890 ~ 6999 (for models with firmware earlier than v2.0.1-3.0401); 16881 (for models with DSM v2.0.1 and onward) (TCP/UDP)
Web Applications:
DSM: 5000 (HTTP), 5001 (HTTPS) (TCP)
File Station: 5000 (HTTP, additional port can be added), 5001 (HTTPS, additional port can be added) (TCP)
Mail Server:
Type / Port Number / Protocol
SMTP / 25 / TCP
POP3 / 110 / TCP
IMAP / 143 / TCP
IMAP over SSL/TLS / 993 / TCP
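The per-device port lists above are the raw material for a least-privilege egress policy on an IoT/media VLAN: each device gets only the destination ports its vendor documents, and everything else is dropped. The following is an added example, not code from the original post; it transcribes the Obitalk "Allow Outgoing", Sonos and Alexa lists into an allow-list, parses the range notation the post uses ("10000 to 11000", "136-139", "*"), and classifies sample flows. The device addresses and the sample flows are constructed; the port numbers are the ones listed in the post.

```python
# Added example, not from the original post: turn the per-device port lists
# quoted above into an explicit egress allow-list and check sample flows
# against it. Port numbers are those listed in the post; device IP addresses
# and sample flows are constructed for the example.

def parse_ports(spec):
    """Parse a port list as written in the post ('6800, 5222, 5223',
    '10000 to 11000', '136-139') into a list of (low, high) ranges.
    A bare '*' (as in the Alexa list) becomes the whole port space."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if part == "*":
            ranges.append((1, 65535))
            continue
        if " to " in part:
            lo, hi = part.split(" to ", 1)
        elif "-" in part:
            lo, hi = part.split("-", 1)
        else:
            lo = hi = part
        lo, hi = int(lo), int(hi)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo, hi))
    return ranges

# Outbound allow-lists transcribed from the post.
DEVICE_RULES = {
    "obitalk": {
        "tcp": parse_ports("6800, 5222, 5223"),
        "udp": parse_ports("5060, 5061, 10000 to 11000, 16600 to 16998, 19305"),
    },
    "sonos": {
        "tcp": parse_ports("80, 443, 445, 3400, 3401, 3445, 3500, 4070, 4444"),
        "udp": parse_ports("136-139, 1900, 1901, 2869, 10243, 10280-10284, 5353, 6969"),
    },
    "alexa": {
        "tcp": parse_ports("*, 80, 8080, 443, 40317, 67, 68"),
        "udp": parse_ports("*, 53, 123, 40317, 49317, 33434, 1900, 5000, 5353"),
    },
}

# Constructed: which device type sits at which LAN address.
DEVICE_BY_IP = {
    "192.168.20.50": "obitalk",
    "192.168.20.60": "sonos",
    "192.168.20.70": "alexa",
}

def wide_open(ranges):
    """True when a list contains a wildcard entry, i.e. the rule restricts nothing."""
    return any(lo == 1 and hi == 65535 for lo, hi in ranges)

def egress_allowed(src_ip, proto, dst_port):
    """Default-deny: unknown devices and unlisted ports are refused."""
    device = DEVICE_BY_IP.get(src_ip)
    if device is None:
        return False
    ranges = DEVICE_RULES[device].get(proto.lower(), [])
    return any(lo <= dst_port <= hi for lo, hi in ranges)

def classify_flows(flows):
    """flows: iterable of (src_ip, proto, dst_port). Returns [(flow, 'allow'|'deny'), ...]."""
    return [(flow, "allow" if egress_allowed(*flow) else "deny") for flow in flows]

if __name__ == "__main__":
    # Constructed sample flows.
    sample = [
        ("192.168.20.50", "udp", 5060),   # Obitalk SIP, listed
        ("192.168.20.50", "tcp", 23),     # Obitalk telnet, not listed
        ("192.168.20.60", "udp", 10282),  # Sonos, inside 10280-10284
        ("192.168.20.70", "tcp", 6667),   # Alexa: passes only because of the '*' entry
        ("192.168.20.99", "tcp", 443),    # unknown device
    ]
    for flow, verdict in classify_flows(sample):
        print(flow, verdict)
    for name, rules in DEVICE_RULES.items():
        if wide_open(rules["tcp"]) or wide_open(rules["udp"]):
            print(f"{name}: allow-list contains '*', so it does not restrict anything")
```

The point the wildcard check makes is that the Alexa list, as published, contains "*" on both TCP and UDP, so a rule built from it is equivalent to "allow any"; the Obitalk and Sonos lists are tight enough to be enforced as written.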
-
Don't use Powerline networking.
For your Sonos, use its built in networking, give it a dedicated channel.
-
Don't use Powerline networking.
Why? It works fine. Or are you talking about the Sonos? I hear their networking implementation isn't the best.
I carry 6 VLANs over mine with no issues whatsoever.
-
My current PowerLine seems to work fine with Sonos. The light sometimes goes red on the powerline device but it works 98% of the time.
I use PowerLine for a few reasons:
- reduce WiFi as much as possible in the apartment where easily possible (Sonos)
- when a Sonos is far, it's easier to put PowerLine than a WiFi repeater….
- when a Sonos is far, it uses its mesh network, which sometimes struggles (2.4 GHz congestion, loops)
PowerLine (based on my readings) seems to act like a hub; it has its role and place, it brings ethernet across the apartment over the electric cable. I am renting an apartment....
I have a device that evaluates 0-8 GHz frequency power and I'm trying to reduce it around me.... we are getting bombarded enough outside the home... I believe less RF at home might be good....
Over time... I was thinking of getting Ubiquiti APs and putting one in each room at the lowest power possible so that no device in the apartment is broadcasting strongly.... but that's later. Now I want to figure out my current network....
Waiting for Johnpoz's design/routing suggestion, or anybody else that understands networks very well, to suggest their recommendation. I lack experience and wonder if my suggestion is correct.
-
Don't use Powerline networking.
Why? It works fine. Or are you talking about the Sonos? I hear their networking implementation isn't the best.
I carry 6 VLANs over mine with no issues whatsoever.
Powerline is not 100% reliable. That is why I don't use it.
This apartment is small enough that the Sonos network will work a lot better, more reliably.
Just put it on its own 2.4 channel. Any other WiFi AP, use channel 6 or channel 11, 20 MHz width.
-
Any idea when you will provide your suggestions? Keen to see your design.
I won't be home this weekend but I will have internet access to read replies.
In the meanwhile, I have some design questions about bridge/IGMP/DHCP where I need some guidance/confirmation. I am not sure how the routing would work in these scenarios.
Let's assume I am using a qotom box with 4 NICs:
- WAN (cable modem)
- LAN (LAN home network)
- Opt1 (AP OpenVPN network)
- Opt2 (LAN OpenVPN network for TV)
Scenario #1: If lan, opt1, opt2 are bridged and using the same subnet 192.168.20.1/24
Outcome: UPnP/DLNA should work bi-directionally across all clients connected to all 3 interfaces because the bridge feature behaves like a switch.
Problems with the Scenario #1 configuration:
- Once bridged, only 1 DHCP server; can't have multiple DHCP servers and it will be somewhat difficult to route an IP range to firewall/OpenVPN
- The pfSense box is being used as a switch rather than for Layer 3 IP routing; just buy a $50 switch, bridging should only be used to bridge the AP at best…
Question #1: If lan, opt1, opt2 are bridged but using different subnets (lan 192.168.20.1, opt2 192.168.30.1 and opt3 192.168.40.1), would the bridge feature still work? Can each client see the UPnP/DLNA? Will the bridge still broadcast across different subnets or respect the rules of the L2 subnet?
Scenario #2: Keep lan, opt1, opt2 separate (non-bridged), all 3 interfaces share the same subnet 192.168.20.1/24, have a DHCP server on each interface with an IP range for each, and enable IGMP Proxy
Outcome: UPnP/DLNA should work bi-directionally across all clients connected to all 3 interfaces, or uni-directionally one way lan -> opt1 & opt2.
Problems with the Scenario #2 configuration:
- pfSense is being used for IGMP management; you can buy a smart switch or L2 managed switch and delegate this work to the switch rather than the pfSense box
- The 4 NICs are used up; will need a smart/managed switch to add more IP segments in the future.
Question #2: What is the IGMP Proxy cardinality? Bidirectional or unidirectional?
Unidirectional = By putting lan as upstream and opt1 & opt2 as downstream, this means that opt2 & opt3 are just clients and all the DLNA/UPnP servers must reside on lan. That means if I take an Android tablet connected on the Opt2 interface and enable a UPnP server to share pictures, users connected on lan won't see the UPnP server from Opt2 because IGMP Proxy is uni-directional; I'm assuming IGMP Proxy was designed to cascade from WAN to LAN.
Bidirectional = IGMP Proxy is sharing everything both sides; DLNA/UPnP servers and clients are available & visible on both sides
Question #3: Must the interfaces share the same subnet so that IGMP Proxy works? (meaning lan, opt1, opt2 must all be under 192.168.20.1/24, or can lan be 192.168.20.1, opt2 192.168.30.1 and opt3 192.168.40.1?) It seems it supports multiple subnets (https://doc.pfsense.org/index.php/IGMP_Proxy)
Question #4: Does a smart/managed switch support bidirectional IGMP multicast (DLNA/UPnP) across:
a) a single subnet only?
b) multiple different subnets?
c) VLANs?
Thank you
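Questions #1 to #4 all come down to one observable thing: when a client on one interface sends the SSDP M-SEARCH that UPnP/DLNA discovery uses (multicast to 239.255.255.250:1900, the port listed for Sonos and Alexa in the first post), which devices answer, and from which network? The block below is an added example, not code from the original post or from pfSense: it builds the M-SEARCH, parses the unicast replies a device returns, maps each responder to the VLAN network it came from, and flags replies whose LOCATION URL does not point back at the sender (a description URL on a different host is not something a legitimate device on your segment should produce). The VLAN networks are assumed and the replies are constructed, so it runs offline; `discover()` is the part that actually needs a network.

```python
# Added example, not from the original post: SSDP (UPnP/DLNA discovery) check
# for the cross-VLAN questions above. VLAN networks are assumed; replies are
# constructed, not captured.
import ipaddress
import socket
from urllib.parse import urlsplit

SSDP_GROUP = ("239.255.255.250", 1900)

def build_msearch(search_target="ssdp:all", mx=2):
    """M-SEARCH request in the form the UPnP Device Architecture specifies."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")

def parse_ssdp_response(raw):
    """Parse an 'HTTP/1.1 200 OK' SSDP reply into lower-cased headers; None if it is not one."""
    head = raw.decode("utf-8", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_responders(responses, vlans):
    """responses: list of (source_ip, raw_bytes); vlans: {name: CIDR}.
    One record per valid reply: the VLAN it came from, ST/USN, and whether the
    LOCATION URL points back at the sender."""
    records = []
    for src_ip, raw in responses:
        headers = parse_ssdp_response(raw)
        if headers is None:
            continue
        ip = ipaddress.ip_address(src_ip)
        vlan = next((n for n, cidr in vlans.items()
                     if ip in ipaddress.ip_network(cidr, strict=False)), None)
        location_host = urlsplit(headers.get("location", "")).hostname
        records.append({
            "ip": src_ip, "vlan": vlan,
            "st": headers.get("st"), "usn": headers.get("usn"),
            "location_host": location_host,
            "location_matches_sender": location_host == src_ip,
        })
    return records

def discover(timeout=2.0):
    """Send one M-SEARCH from the local interface and collect raw replies.
    Needs a real network; TTL 1 keeps the query on the local segment, so any
    reply from another VLAN's network means something is forwarding it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            replies.append((ip, data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies

def _reply(location, st, usn):
    """Constructed reply in the shape a real device sends."""
    return (f"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nLOCATION: {location}\r\n"
            f"ST: {st}\r\nUSN: {usn}\r\n\r\n").encode()

# Assumed VLAN layout for the example (the three interfaces from the post).
VLANS = {"lan": "192.168.20.0/24", "opt1": "192.168.30.0/24", "opt2": "192.168.40.0/24"}

# Constructed replies: a DLNA media server on lan, a Sonos-style player on opt2,
# a reply whose LOCATION points elsewhere, and a NOTIFY that is not a reply at all.
SAMPLE_REPLIES = [
    ("192.168.20.10", _reply("http://192.168.20.10:8200/rootDesc.xml",
                             "urn:schemas-upnp-org:device:MediaServer:1",
                             "uuid:example-nas::urn:schemas-upnp-org:device:MediaServer:1")),
    ("192.168.40.60", _reply("http://192.168.40.60:1400/xml/device_description.xml",
                             "urn:schemas-upnp-org:device:ZonePlayer:1",
                             "uuid:example-sonos::urn:schemas-upnp-org:device:ZonePlayer:1")),
    ("192.168.30.5", _reply("http://203.0.113.9/desc.xml", "upnp:rootdevice",
                            "uuid:example-odd::upnp:rootdevice")),
    ("192.168.30.6", b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n"),
]

if __name__ == "__main__":
    for rec in classify_responders(SAMPLE_REPLIES, VLANS):
        print(rec)
```

Run it from a host on each interface in turn (replace `SAMPLE_REPLIES` with `discover()`): if only responders from the host's own VLAN appear, nothing is relaying discovery; if responders from other networks appear, the IGMP proxy or the switch is forwarding it, and the `vlan` field tells you in which direction.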
-
Sorry, derby weekend, and work the last couple of days has been busy.. Seems I have lots to read here..
-
Enjoy! Kentucky Derby @ Louisville looks fun!
Never experienced that, perhaps on my 2018 bucket list; will ask you about good seating locations :)
-
Ordered: QOTOM Q355G4 I5 5250U 8GB RAM 120GB SSD
Delivery: 15-28 days
https://www.aliexpress.com/store/product/QOTOM-Q355G4-2017-New-fanless-X86-4-LAN-Micro-Computer-I5-5250U-Dual-core-onboard-1080P/108231_32800711474.html
-
Update:
- Managed to play with an L2 smart switch TL-SG2008! (Big huge thank you to DennyPage)
- Did more reading and played with a switch
Can someone help me in validating the below? (Johnpoz, if you have time)
Network Design Summary:
- Create 4x VLANs
- Each VLAN has access to all other VLANs (all ports in each VLAN are untagged for each VLAN, with the exception of the trunk of course)
- Each VLAN shares the same subnet, meaning they can communicate with each other inside the same smart switch (ARP should work)
- Each VLAN has a DHCP server assigned to a specific IP range
- Configure the router to route certain IP ranges through OpenVPN rather than WAN (ISP)
I have 3 questions bugging me:
#1 Since all 4x VLANs are sharing the same subnet and each VLAN has access to each port on the switch, technically all machines can communicate with each other without routing? Correct?
#2 In this design (VLANs sharing the same subnet), the only purpose of the VLAN is to allocate DHCP IP addresses so that I can route an IP range between ISP or OpenVPN at the router level (pfSense). Feasible? Will I end up with problems down the road?
#3 If I enable IGMP snooping on each VLAN, I reduce broadcast noise when devices are streaming data because only the devices subscribed will receive the packets on the port on the L2 smart switch. Correct? (Is it really worth doing if you have a few devices on a gigabit switch?)
thanks
Ray
-
Update: Just received the qotom hardware today!
#2 In this design (VLANs sharing the same subnet), the only purpose of the VLAN is to allocate DHCP IP addresses so that I can route an IP range between ISP or OpenVPN at the router level (pfSense). Feasible? Will I end up with problems down the road?
I just tried it; it says IPv4 address xxx.xxx.xxx.xxx is being used by or overlaps with VLAN xxx.xxx.xxx.xxx/subnet.
This means I can't use VLANs just for DHCP allocation of IPs while having all the VLANs share the same subnet.
I feel I am writing a blog here….
Can anybody comment, am I trying to find a solution to something that isn't really possible?
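The error quoted above is the router refusing two interfaces on the same network: a VLAN interface is a routed interface, so each one needs its own subnet, and the DHCP pool is then a range inside that subnet rather than the thing that distinguishes the VLANs. The block below is an added example, not code from the original post or from pfSense; it performs the same two checks (no two interface networks overlap; every DHCP pool sits inside its own VLAN's network) on the shared-subnet design the post tried and on a one-network-per-VLAN design, and shows the policy decision the design is for: picking the ISP or OpenVPN gateway by the client's source network. VLAN numbers, networks and addresses are constructed.

```python
# Added example, not from the original post: validate a VLAN plan the way a
# router's interface validation does (no overlapping networks) and confirm each
# DHCP pool fits its VLAN, then choose a gateway by source network. All VLAN
# numbers, networks and addresses are constructed.
import ipaddress

def check_plan(plan):
    """plan: list of dicts with keys 'vlan', 'network' (interface address in
    CIDR form), 'dhcp' (first, last) and 'gateway'. Returns a list of problem
    strings; an empty list means the plan would be accepted."""
    problems = []
    nets = [ipaddress.ip_network(p["network"], strict=False) for p in plan]
    for i in range(len(plan)):
        for j in range(i + 1, len(plan)):
            if nets[i].overlaps(nets[j]):
                problems.append(
                    f"VLAN {plan[i]['vlan']} {nets[i]} overlaps VLAN {plan[j]['vlan']} {nets[j]}")
    for p, net in zip(plan, nets):
        first, last = (ipaddress.ip_address(a) for a in p["dhcp"])
        if first > last:
            problems.append(f"VLAN {p['vlan']}: DHCP pool start {first} is after end {last}")
        elif first not in net or last not in net:
            problems.append(f"VLAN {p['vlan']}: DHCP pool {first}-{last} is outside {net}")
        elif first == net.network_address or last == net.broadcast_address:
            problems.append(f"VLAN {p['vlan']}: DHCP pool includes the network or broadcast address")
    return problems

def gateway_for(client_ip, plan):
    """Policy routing by source network: the gateway name for a client, or None
    if the address belongs to no VLAN in the plan."""
    ip = ipaddress.ip_address(client_ip)
    for p in plan:
        if ip in ipaddress.ip_network(p["network"], strict=False):
            return p["gateway"]
    return None

# The design the post tried: four VLANs on one /24, told apart only by DHCP pool.
SHARED_SUBNET_PLAN = [
    {"vlan": 10, "network": "192.168.20.1/24", "dhcp": ("192.168.20.10", "192.168.20.49"), "gateway": "WAN"},
    {"vlan": 20, "network": "192.168.20.1/24", "dhcp": ("192.168.20.50", "192.168.20.99"), "gateway": "WAN"},
    {"vlan": 30, "network": "192.168.20.1/24", "dhcp": ("192.168.20.100", "192.168.20.149"), "gateway": "OpenVPN"},
    {"vlan": 40, "network": "192.168.20.1/24", "dhcp": ("192.168.20.150", "192.168.20.199"), "gateway": "OpenVPN"},
]

# One network per VLAN, as suggested in the thread; the TV VLANs route via OpenVPN.
PER_VLAN_PLAN = [
    {"vlan": 10, "network": "192.168.20.1/24", "dhcp": ("192.168.20.100", "192.168.20.199"), "gateway": "WAN"},
    {"vlan": 20, "network": "192.168.30.1/24", "dhcp": ("192.168.30.100", "192.168.30.199"), "gateway": "WAN"},
    {"vlan": 30, "network": "192.168.40.1/24", "dhcp": ("192.168.40.100", "192.168.40.199"), "gateway": "OpenVPN"},
    {"vlan": 40, "network": "192.168.50.1/24", "dhcp": ("192.168.50.100", "192.168.50.199"), "gateway": "OpenVPN"},
]

if __name__ == "__main__":
    for name, plan in (("shared subnet", SHARED_SUBNET_PLAN), ("one network per VLAN", PER_VLAN_PLAN)):
        issues = check_plan(plan)
        print(f"{name}: {'OK' if not issues else 'REJECTED'}")
        for issue in issues:
            print("  ", issue)
    print("192.168.40.23 ->", gateway_for("192.168.40.23", PER_VLAN_PLAN))
```

With one network per VLAN the routing decision no longer depends on which DHCP pool handed out an address, so a device with a static address or a spoofed one still lands on the gateway its VLAN is assigned to; with the shared-subnet design there is no such guarantee even if the router had accepted it.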
-
I think what you are building is complicated and you are going to have to figure it out as you go. Personally I think it is much easier to build VLANs if you assign a network to every VLAN. Also, to better support multiple devices it is better to use tagged VLANs rather than untagged. Only use untagged for the default VLAN. When you use a trunk only one untagged VLAN can pass, and that is the default VLAN. I think you are going to find Apple and probably Sonos are not going to route, so you will compromise your setup to fit within these rules.
Personally I think a layer 3 switch works better when you use VLANs. You can turn off your router and everything in your local network still works locally. Watching TV off a NAS no problem, still works.
I run pfsense using a Cisco SG300-28 layer 3 switch in L3 mode. So I kind of know what you are building.
-
I think what you are building is complicated and you are going to have to figure it out as you go. Personally I think it is much easier to build VLANs if you assign a network to every VLAN. Also, to better support multiple devices it is better to use tagged VLANs rather than untagged. Only use untagged for the default VLAN. When you use a trunk only one untagged VLAN can pass, and that is the default VLAN. I think you are going to find Apple and probably Sonos are not going to route, so you will compromise your setup to fit within these rules.
Hi Coxhaus,
I think you've perfectly summarized the problem and I've come to a very similar conclusion. I lack experience & knowledge, therefore it takes me a bit more time because I need to play around with hardware (e.g. L2 smart switch) to really grasp its limitations and flexibility.
I am breaking down my home project into 2 phases:
Phase 1: pfSense (VLANs, UPnP, IGMP proxy, firewall, routing, OpenVPN) + L2 smart switch (IGMP snooping if required)
Phase 2: Replace the main switch with an L3/L2 switch and only use pfSense for firewall/OpenVPN/routing.
Personally I think a layer 3 switch works better when you use VLANs. You can turn off your router and everything in your local network still works locally. Watching TV off a NAS no problem, still works.
I run pfsense using a Cisco SG300-28 layer 3 switch in L3 mode. So I kind of know what you are building.
Yeah, that's my ultimate destination. It will be an interesting journey that will take me many months to get there.
Until today, arp -a is my best friend command! Loving it :)
-
You may find phase 1 is all you need. You are going to be able to accomplish everything with an L2 switch, except you won't be able to turn off pfSense and have your local network work, as there is no layer 3 device to route local traffic locally. The other thing is all your network setup will be in 1 place. I like my setup spread out as it is easier to work on for me. I do router things on the router, I do switch things on the switch and I do wireless on the wireless devices. To me it is much simpler that way.
-
Agree in principle; breaking down each component makes it simple.
Spent a few hours on IGMP Proxy and wasn't able to get it working; it doesn't seem to work across VLANs.
This will take much more time than expected.
Reading on the Cisco SG300-10.
-
I have seen some Cisco SG300-10 cheap on eBay. If you buy one, flash it to the latest firmware before you set it up. Download the latest software from Cisco for the small business switches as it is free. It is the reason I run Cisco small business devices instead of the IOS Pro Cisco gear, whose software is not free.
One other thing is to start in L3 mode, otherwise you will wipe out your config when you move over to L3 from L2.
-
I have been reading exactly the same thing on the forum; it's the top 2 tips everyone suggests! (1- Upgrade to the latest firmware 2- Activate L3 right away 3- Don't forget to click save or else on the next reboot it's gone)
Will it be easy activating IGMP Proxy across 2 VLANs? (IGMP Proxy in pfSense doesn't seem easy)
I was thinking of the SG300-10P so that I can use 2 ports with FOSCAM. I checked the specs: the P, PP, MP and MPP use 13 watts minimum compared to the 10 using 10 watts.
Reference:
http://www.cisco.com/c/en/us/products/collateral/switches/small-business-smart-switches/data_sheet_c78-610061.html
SG-300-10P = 62 watts
SG-300-10PP = 62 watts (PoE+ supported)
SG-300-10MP = 124 watts
SG-300-10MPP = 124 watts (PoE+ supported)

PoE budget / PoE ports / PoE standard (from the datasheet):
SG300-10P    62 Watts    8   802.3af
SG300-10PP   62 Watts    8   802.3at
SG300-10MP   124 Watts   8   802.3at
SG300-10MPP  124 Watts   8   802.3at

Operating temperature (max):
SG300-10P    104 degrees Fahrenheit (40 Centigrade)
SG300-10PP   113 degrees Fahrenheit (45 Centigrade)
SG300-10MP   104 degrees Fahrenheit (40 Centigrade)
SG300-10MPP  113 degrees Fahrenheit (45 Centigrade)
SG300-10SFP  113 degrees Fahrenheit (45 Centigrade)

Power consumption (Energy Detect / Short Reach): system power, power with PoE load, heat dissipation (BTU/hr):
SG300-10P    110V=13.13W  220V=13.48W   110V=81.44W   220V=81.16W   277.87
SG300-10PP   110V=13.37W  220V=12.99W   110V=83.47W   220V=81.58W   278.36
SG300-10MP   110V=12.21W  220V=12.25W   110V=154.36W  220V=152.42W  526.68
SG300-10MPP  110V=13.41W  220V=13.72W   110V=145.7W   220V=144.5W   493.05
-
I don't use IGMP Proxy so you will need to figure it out. There is a drop-down for it in the menus. What are you going to use it for? I think you are going to run out of ports before you have to have it. So your multicast hits a few extra ports. You only have 10 ports.
Like I said, this is stuff you are going to have to figure out as you go.
I would go for an SG300-10 switch without power.
-
Let's say I would buy the SG300-10PP (PoE+). I would install 1 AP Ubiquiti AC PRO (PoE+) and perhaps 1 IP cam (PoE) to put near my living room TV stand. Isn't having PoE+ for the AP practical, with fewer wires visible when you put the AP on the wall along the door frame (I don't own a house)? My current TV stand has over 15+ power adapters… it's getting scary! :-[
To compensate for the loss of 2 ports on the SG300-10, I would bundle a few common devices together (e.g. TV, Android box, Xbox, Nintendo Wii) under 1 port by using my smart switch, since I can only operate 1 device at a time anyway.
On eBay the SG300-10 is ~120 USD and the SG300-10PP is ~200 USD. I figure spending the extra $80 is worth it considering buying a separate PoE adapter costs $30 each. :-\ :-\ :-\
After I get this working, I am eyeing the Ubiquiti AC PRO (multiple SSIDs) for holidays 2017 :D
Losing patience with pfSense IGMP Proxy!
Care to share your home setup?
-
I still don't see why you need IGMP proxy? How are you using it?