Netgate Discussion Forum
    Home network to keep wife happy + VPN (TV 4k netflix) + reduce intranet downtime

Routing and Multi WAN
73 Posts 5 Posters 17.1k Views
ChefRayB

      Update:  Just received qotom hardware today!

      @ChefRayB:

#2 In this design (VLANs sharing the same subnet), the only purpose of the VLAN is to allocate DHCP IP addresses so that I can route an IP range between the ISP or OpenVPN at the router level (pfsense). Feasible? Will I end up with problems down the road?

I just tried it, it says IPv4 address xxx.xxx.xxx.xxx is being used by or overlaps with VLAN xxx.xxx.xxx.xxx/subnet.
This means I can't use VLANs just for allocating DHCP IPs while having all the VLANs share the same subnet.

      I feel I am writing a blog here….

Can anybody comment: am I trying to find a solution to something that isn't really possible?

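The overlap error above, worked through as an added example that is not part of the original thread and not pfSense code: a small Python check that applies the same rule the router applies (no two interfaces may hold addresses in overlapping networks), shows why the shared-subnet layout is rejected no matter which DHCP ranges are carved out of it, and also shows the one-network-per-VLAN layout that passes. The interface names and the 192.168.x.0/24 ranges are constructed sample values.

```python
"""Model of the "is being used by or overlaps with" interface check.

Added example, not pfSense code. Interface names and address ranges
below are constructed sample values.
"""
import ipaddress


def find_overlaps(assignments):
    """Return [(iface_a, iface_b), ...] for every pair of interfaces whose
    networks overlap. `assignments` maps interface name -> 'addr/prefix'.
    Pairs are reported in sorted interface-name order."""
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in assignments.items()}
    names = sorted(nets)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                conflicts.append((a, b))
    return conflicts


def validate(assignments):
    """Behave like the router: refuse the whole configuration if any two
    interfaces share address space, otherwise accept it (return True)."""
    conflicts = find_overlaps(assignments)
    if conflicts:
        raise ValueError("; ".join(f"{a} overlaps with {b}" for a, b in conflicts))
    return True


# Constructed: what the post tried - every VLAN interface inside one /24,
# intending to hand out a disjoint DHCP range per VLAN. The DHCP ranges
# never get a say: the interface networks already collide.
SHARED_SUBNET = {
    "LAN":    "192.168.1.1/24",
    "VLAN10": "192.168.1.2/24",
    "VLAN20": "192.168.1.3/24",
}

# Constructed: one network per VLAN, the layout that passes the check and
# gives each VLAN its own source range to policy-route on.
ONE_SUBNET_PER_VLAN = {
    "LAN":    "192.168.1.1/24",
    "VLAN10": "192.168.10.1/24",   # e.g. devices routed out via the ISP
    "VLAN20": "192.168.20.1/24",   # e.g. devices routed out via OpenVPN
}


if __name__ == "__main__":
    print(find_overlaps(SHARED_SUBNET))     # every pair conflicts
    try:
        validate(SHARED_SUBNET)
    except ValueError as err:
        print("rejected:", err)
    print(validate(ONE_SUBNET_PER_VLAN))    # True
```

Once each VLAN has its own network, the router can tell the VLANs apart by source subnet, which is what policy routing a range to the ISP or to OpenVPN needs.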
coxhaus

I think what you are building is complicated and you are going to have to figure it out as you go. Personally I think it is much easier to build VLANs if you assign a network to every VLAN. Also, to better support multiple devices it is better to use tagged VLANs rather than untagged. Only use untagged for the default VLAN. When you use a trunk only one untagged VLAN can pass and that is the default VLAN. I think you are going to find Apple and probably Sonos are not going to route so you will compromise your setup to fit within these rules.

        Personally I think a layer 3 switch works better when you use VLANs.  You can turn off your router and everything in your local network still works locally.  Watching TV off a NAS no problem, still works.

        I run pfsense using a Cisco SG300-28 layer 3 switch in L3 mode.  So I kind of know what you are building.

ChefRayB

          @coxhaus:

I think what you are building is complicated and you are going to have to figure it out as you go. Personally I think it is much easier to build VLANs if you assign a network to every VLAN. Also, to better support multiple devices it is better to use tagged VLANs rather than untagged. Only use untagged for the default VLAN. When you use a trunk only one untagged VLAN can pass and that is the default VLAN. I think you are going to find Apple and probably Sonos are not going to route so you will compromise your setup to fit within these rules.

          Hi Coxhaus,

I think you've perfectly summarized the problem and I've come to a very similar conclusion. I lack experience & knowledge, therefore it takes me a bit more time because I need to play around with hardware (e.g. L2 smart switch) to really grasp its limitations and flexibility.

          I am breaking down my home project in 2 phases:

Phase 1: Pfsense (VLANs, UPnP, IGMP proxy, firewall, routing, OpenVPN) + L2 Smart Switch (IGMP snooping if required)
          Phase 2: Replace main switch with L3/L2 and only use pfsense for firewall/OpenVPN/routing.

          @coxhaus:

          Personally I think a layer 3 switch works better when you use VLANs.  You can turn off your router and everything in your local network still works locally.  Watching TV off a NAS no problem, still works.

          I run pfsense using a Cisco SG300-28 layer 3 switch in L3 mode.  So I kind of know what you are building.

Yeah that's my ultimate destination. It will be an interesting journey that will take me many months to get there.

Until today, arp -a is my best friend command! Loving it :)

coxhaus

You may find phase 1 may be all you need. You are going to be able to accomplish everything with an L2 switch except you won't be able to turn off pfsense and have your local network work, as there is no layer 3 device to route local traffic locally. The other thing is all your network setup will be in 1 place. I like my setup spread out as it is easier to work on for me. I do router things on the router, I do switch things on the switch and I do wireless on the wireless devices. To me it is much simpler that way.

ChefRayB

              Agree in principle, breaking down each component makes it simple.

              Spent a few hours on IGMP Proxy and wasn't able to get it working, doesn't seem to work across VLANs.

              This will take much more time than expected.

Reading up on the Cisco SG300-10

coxhaus

I have seen some Cisco SG300-10s cheap on eBay. If you buy one, flash it to the latest firmware before you set it up. Download the latest software from Cisco for the small business switches as it is free. It is the reason I run Cisco small business devices instead of the IOS Pro Cisco gear which is not free software.

                One other thing is start in L3 mode otherwise you will wipe out your config when you move over to L3 from L2.

ChefRayB

I have been reading exactly the same thing on the forum, they're the top 2 tips everyone suggests! (1- Upgrade to the latest firmware 2- Activate L3 right away 3- Don't forget to click save or else after the next reboot it's gone)

                  Will it be easy activating IGMP Proxy across 2 VLANs ? ( IGMP Proxy in pfsense doesn't seem easy)

I was thinking of the SG300-10P so that I can use 2 ports with FOSCAM. I checked the specs, the P, PP, MP and MPP use 13 watts minimum compared to the 10 using 10 watts.

                  Reference:

                  http://www.cisco.com/c/en/us/products/collateral/switches/small-business-smart-switches/data_sheet_c78-610061.html

SG-300-10P = 62 watts
SG-300-10PP = 62 watts (PoE+ supported)
SG-300-10MP = 124 watts
SG-300-10MPP = 124 watts (PoE+ supported)

Model         PoE budget   PoE ports   PoE standard   Operating temperature (max)
SG300-10P     62 W         8           802.3af        104 °F (40 °C)
SG300-10PP    62 W         8           802.3at        113 °F (45 °C)
SG300-10MP    124 W        8           802.3at        104 °F (40 °C)
SG300-10MPP   124 W        8           802.3at        113 °F (45 °C)
SG300-10SFP   -            -           -              113 °F (45 °C)

SG300-10P     Energy Detect, Short Reach   110V=13.13W   220V=13.48W   110V=81.44W    220V=81.16W    277.87
SG300-10PP    Energy Detect, Short Reach   110V=13.37W   220V=12.99W   110V=83.47W    220V=81.58W    278.36
SG300-10MP    Energy Detect, Short Reach   110V=12.21W   220V=12.25W   110V=154.36W   220V=152.42W   526.68
SG300-10MPP   Energy Detect, Short Reach   110V=13.41W   220V=13.72W   110V=145.7W    220V=144.5W    493.05

coxhaus

I don't use IGMP Proxy so you will need to figure it out. There is a drop down for it in the menus. What are you going to use it for? I think you are going to run out of ports before you have to have it. So your multicast hits a few extra ports. You only have 10 ports.

Like I said, this is stuff you are going to have to figure out as you go.

                    I would go for a SG300-10 switch without power.

ChefRayB

Let's say I would buy the SG300-10PP (PoE+), I would install 1 AP Ubiquiti AC PRO (PoE+) and perhaps 1 IP CAM (PoE) to put near my living room TV stand. Isn't having PoE+ for the AP practical, less wires visible when you put the AP on the wall along the door frame (I don't own a house). My current TV stand has over 15+ power adapters… it's getting scary ! :-[

To compensate for the loss of 2 ports on the SG300-10, I would bundle a few common devices together (e.g. TV, Android Box, Xbox, Nintendo Wii) under 1 port by using my smart switch, since I can only operate 1 device at a time anyway.

On ebay the SG300-10 is ~120 USD and the SG300-10PP is ~200 USD. I figure spending the extra $80 is worth it considering buying a separate PoE adapter costs $30 each. :-\ :-\ :-\

After I get this working, I am eyeing the Ubiquiti AC PRO (multiple SSIDs) for holidays 2017 :D

Losing patience with pfSense IGMP Proxy !

                      Care to share your home setup ?

coxhaus

                        I still don't see why you need IGMP proxy?  How are you using it?

ChefRayB

Sorry, I misunderstood your question.

For IGMP Proxy, I would have multiple VLANs sharing media streams:

                          • Synology DLNA (Server), Synology Plex Server (server)
                          • Sonos (server), Windows Media Center (client, server)
                          • Android TV Box (Client),
                          • Android Tablet & Mobile Phone (client),
                          • TV (Client)

In the future….year 2018-2019.... I was thinking Google TV, free-to-air HDTV channels (get an antenna + tuner card + Android TV Box)... Perhaps in 2019 everything will be in the cloud and I don't need to do anything anymore.... :)

johnpoz LAYER 8 Global Moderator

                            You don't need igmp proxy to share media across subnets..  You only need that for shitty apps that don't understand that people might have more than one L2..

As to the L3 advice of sg300.. Makes zero sense to me to be honest, I have mine in L2 mode.. Since I'm not planning on using L3 mode.. If I did switch it and lost the config - what would it really matter? Since I would be switching to L3 vs L2.. it would be a different config, etc.

If you have devices that need to be on the same L2 for some feature - then put them on the same L2..

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

ChefRayB

                              @johnpoz:

                              You don't need igmp proxy to share media across subnets..  You only need that for shitty apps that don't understand that people might have more than one L2..

Then I must have shitty apps?

                              @johnpoz:

As to the L3 advice of sg300.. Makes zero sense to me to be honest, I have mine in L2 mode.. Since I'm not planning on using L3 mode.. If I did switch it and lost the config - what would it really matter? Since I would be switching to L3 vs L2.. it would be a different config, etc.

I believe the whole point of the L3 advice is to let people know that if they intend to use L3 from the get go, they should activate the L3 feature before configuring the switch so that they don't need to restart from scratch. It's just a heads up / guideline for newbie people. Keep in mind some people are doing this as a hobby, it's not a daily job, they don't have a strong network background, many people would expect an L3 flag On/Off without losing the configuration, etc….

                              @johnpoz:

                              if you have devices that need to be on the same L2 for some feature - then put them on the same L2..

By putting them on the same L2, you lose other features that the user (e.g. myself) requires… Perhaps at the end it's not worth doing it and everything will be in 1 subnet...call it a day...time will tell....

coxhaus

One subnet is hard to beat for simplicity. It is not optimal but it is simple.

coxhaus

                                  @johnpoz:

                                  You don't need igmp proxy to share media across subnets..  You only need that for shitty apps that don't understand that people might have more than one L2..

As to the L3 advice of sg300.. Makes zero sense to me to be honest, I have mine in L2 mode.. Since I'm not planning on using L3 mode.. If I did switch it and lost the config - what would it really matter? Since I would be switching to L3 vs L2.. it would be a different config, etc.

                                  if you have devices that need to be on the same L2 for some feature - then put them on the same L2..

John you should try L3 mode before you knock it. It will give you faster throughput if you move very much data on the local net like backups, music, or video files. This is across networks, which is a given if you are using a layer 3 switch.

When you set up L3 mode, set up your router (pfSense) in a separate VLAN. You will like the way it works.

johnpoz LAYER 8 Global Moderator

Dude I know full well what an L3 switch does and why/how it would be used. I have zero use for it in my home network.. You then lose the ability to firewall between vlans at pfsense.

My point was if you're not going to use L3 mode, then you don't have to put it in L3 mode. But even if you put it in L3 mode you can still use it for L2. I don't understand all the fuss of putting it in L3 mode if you're only going to use it as L2. The logic behind doing it is you lose your config when you change to L3 from L2. To that I say so what - if I was going to be moving it to L3 my config would be different anyway ;)

You don't need 1 vlan - you can have many of them.. I have like 8.. But if you have devices that are limited to some nonsense protocol that only works when they are on the same L2 then put those devices on the same L2.. So you don't have to worry about doing something odd with an IGMP proxy.

Example of this - My wifi devices like iphone and ipad like to use airprint to access the printer. While I could do a bit of extra work and, using mdns or avahi, get that to work across segments, it was just easier to put the printer on the same L2 as the wifi network the iphone and ipad connect to. Since my other devices that need to print don't need to use that airprint shit, they can just point to the IP of the printer.

                                    That is just one simple example.  You are the one that should understand the requirements of your devices and the protocols they use - so just layout your network so devices that require to be on the same L2 are and there you go.. No need for IGMP proxy setup.

ChefRayB

                                      @johnpoz:

Dude I know full well what an L3 switch does and why/how it would be used. I have zero use for it in my home network.. You then lose the ability to firewall between vlans at pfsense.

                                      Not everyone requires heavy control between vlan in a home network 8).  If you recall my requirements, I mentioned having multiple SSIDs (route via ISP, via OpenVPN) and I would prefer to have the local network working even if I need to shut down the main router (upgrade, playing with OpenVPN, etc….)  I know I can create a lab but this is not my daily domain.  :-[

@johnpoz:

My point was if you're not going to use L3 mode, then you don't have to put it in L3 mode. But even if you put it in L3 mode you can still use it for L2. I don't understand all the fuss of putting it in L3 mode if you're only going to use it as L2. The logic behind doing it is you lose your config when you change to L3 from L2. To that I say so what - if I was going to be moving it to L3 my config would be different anyway ;)

The context of enabling L3 mode was to do inter-vlan routing at the switch level, utilizing a more reliable IGMP Proxy and the ability to shut down/upgrade the router without affecting your home network. In other words complete segregation. I would be able to still play sonos music, stream from the Synology NAS, play movies, save files on the network share drive, work on the laptop to save DSLR pictures to the NAS, etc… (Assuming you are using multiple subnets and VLANs)

                                      @johnpoz:

You don't need 1 vlan - you can have many of them.. I have like 8.. But if you have devices that are limited to some nonsense protocol that only works when they are on the same L2 then put those devices on the same L2.. So you don't have to worry about doing something odd with an IGMP proxy.

Example of this - My wifi devices like iphone and ipad like to use airprint to access the printer. While I could do a bit of extra work and, using mdns or avahi, get that to work across segments, it was just easier to put the printer on the same L2 as the wifi network the iphone and ipad connect to. Since my other devices that need to print don't need to use that airprint shit, they can just point to the IP of the printer.

                                      That is just one simple example.  You are the one that should understand the requirements of your devices and the protocols they use - so just layout your network so devices that require to be on the same L2 are and there you go.. No need for IGMP proxy setup.

                                      What about my requirements ?  Coxhaus provided a solution based on what I want to achieve and informed me that it's complicated.  Your solution to put anything that needs same L2 in the same subnet solves only one aspect of the problem but doesn't resolve my primary initial goal of having the ability to switch to different AP SSID  (route via ISP, route via OpenVPN1, etc….).

                                      I think you should also consider the users requirements (psss...btw...in this case it's me ) Isn't that fair to say ?  ;)

I currently have everything working in my apartment, everything is in a single subnet and I have ip based routing for OpenVPN, but I don't like the fact I need to run the openvpn client on laptop, tablet and mobile phone to enable OpenVPN, and my linksys e4200 OpenVPN bandwidth isn't great...

                                      Perhaps I might just suck it up and stick with TP Link L2 switch , I might not be able to dedicate all this time and effort forever :)  must be a slow pet project :)

I think we spend more time explaining ourselves than actually exchanging information ! ;D

                                      It's all good, we are all geeks and control freaks ! LOL

                                      In a few years, everything will run through the cloud...you won't need to worry about anything  :P

johnpoz LAYER 8 Global Moderator

                                        "aspect of the problem but doesn't resolve my primary initial goal of having the ability to switch to different AP SSID  (route via ISP, route via OpenVPN1, etc….)."

                                        Sure it does... You can create and do whatever SSID you want and put them on whatever vlan you want.

What it seems to me is you have worked this up to be some huge thing, when it's not all that difficult.. And you sure as hell do not need an L3 switch to do it.. And doing so then removes your ability to easily firewall between your segments. And you are at the mercy of ACL based rules at the L3 switch.

                                        JFC start deploying stuff already! ;)  Start with couple of vlans and start moving stuff around and see what works and doesn't work if you don't actually understand their protocols in use.  For example while plex can use some discovery protocols and DLNA - it doesn't actually require that.  ALL my wifi devices can access it just fine from different vlans via their SSID.  The plex server is on my lan 192.168.9/24 while my wifi networks are either 192.168.2/24 for my devices or my guest wifi vlan is 192.168.6/24

                                        Simple rule to allow what I want to port 32400 and done..

Vs planning out every little thing - you're on 1 big fat L2 right now, are you not? Then bring up 1 other segment at a time - isolate your 1 SSID, what is not working? Then start expanding your network. I used to have 2 networks, my lan and my wlan.. It became more segmented over time (8 now I think), not all at once. Now that the unifi AP supports 8 SSIDs per band I will prob have a few more to isolate iot devices by type vs all lumped together. For example my alexa is on the same as my nest.. Going to put alexa on her own vlan to better isolate her from my other iot devices.

Start with your lan.. Break out a couple of wifi SSIDs, your stuff and guest for example. Then play with your policy routing rules, etc. Thought you said this was a lab ;) So start labbing it for gosh sake already! ;)

As to the cloud -- this brings up a good point. So for example alexa is not on the same network as my lighting hub.. She still controls the lights - because it talks to the cloud, and alexa is tied to the cloud. And tied to my lighting account. She controls the lights just like I do when on the road from my phone via either a wifi connection or my cell data connection (Internet).. Alexa and the lighting that she controls do not have to be on the same L2, nor do those L3s even need to be able to talk to each other.

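The port-32400 rule and the L3-switch trade-off johnpoz raises, modelled as an added example that is not pfSense, Cisco or the forum's own code: a first-match rule evaluator in the style of a pfSense rule set, applied to the subnets from the post (192.168.9/24 lan, 192.168.2/24 wifi, 192.168.6/24 guest), then run once with pfSense routing between the VLANs and once with the switch doing it. It goes beyond the post by spelling out guest-VLAN rules as well. The Plex server address 192.168.9.50, the rule ordering, and the single global rule list (pfSense actually evaluates rules per interface) are assumptions made for the example.

```python
"""First-match inter-VLAN policy, and what L3-mode switching changes.

Added example, not pfSense or Cisco code. Subnets follow the post; the
Plex host 192.168.9.50 and the rule set are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Local VLANs from the post.
VLANS = {
    "LAN":   ipaddress.ip_network("192.168.9.0/24"),
    "WIFI":  ipaddress.ip_network("192.168.2.0/24"),
    "GUEST": ipaddress.ip_network("192.168.6.0/24"),
}
PLEX = "192.168.9.50"   # constructed: Plex server on the lan


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source network the packet must come from
    dst: str                     # destination network it must go to
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules, pkt: Packet) -> str:
    """pfSense-style: the first matching rule wins; unmatched traffic is
    dropped by the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


# Constructed rule set: "simple rule to allow what I want to port 32400".
RULES = [
    Rule("pass",  "192.168.2.0/24", f"{PLEX}/32", "tcp", 32400),  # wifi  -> Plex only
    Rule("pass",  "192.168.6.0/24", f"{PLEX}/32", "tcp", 32400),  # guest -> Plex only
    Rule("block", "192.168.6.0/24", "192.168.0.0/16"),            # guest stays off the rest of local
    Rule("pass",  "192.168.6.0/24", "0.0.0.0/0"),                 # guest may reach the Internet
    Rule("pass",  "192.168.2.0/24", "0.0.0.0/0"),                 # own wifi is otherwise unrestricted
]


def vlan_of(addr: str) -> Optional[str]:
    """Name of the local VLAN holding `addr`, or None for anything off-site."""
    ip = ipaddress.ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def decide(pkt: Packet, rules=RULES, inter_vlan_router="firewall"):
    """Return (verdict, device that decided). inter_vlan_router is
    'firewall' (VLANs routed at pfSense) or 'switch' (SG300 in L3 mode).
    With the switch routing, local-to-local traffic never transits the
    firewall, so its rules are never consulted; only the switch's own ACLs
    (not modelled here) could stop it."""
    s, d = vlan_of(pkt.src), vlan_of(pkt.dst)
    if s is not None and s == d:
        return ("pass", "switch")      # same L2: plain switching, never routed
    if s is not None and d is not None and inter_vlan_router == "switch":
        return ("pass", "switch")      # routed on the switch, firewall bypassed
    return (evaluate(rules, pkt), "firewall")


if __name__ == "__main__":
    guest_plex = Packet("192.168.6.20", PLEX, "tcp", 32400)
    guest_smb = Packet("192.168.6.20", "192.168.9.10", "tcp", 445)
    for topo in ("firewall", "switch"):
        print(topo, decide(guest_plex, inter_vlan_router=topo),
              decide(guest_smb, inter_vlan_router=topo))
```

With the VLANs routed at the firewall, a guest device reaches Plex on TCP/32400 and nothing else local; with the switch routing between VLANs, the same guest packet to port 445 passes without any firewall rule being consulted, which is the "at the mercy of ACL based rules at the L3 switch" point.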
ChefRayB

I know, I have to work on my lab! Don't worry, I am making progress! But sometimes creating the lab is challenging because I don't have enough devices. I don't have an extra NAS and sonos controller. I got 2 smart switches connected in trunk, I created 2 vlans, 1 laptop plugged into each switch in different vlans, they can ping each other, have working OpenVPN via IP based policy (I love the NAT interface firewall Hybrid GUI)

Next step, add my travel AP (1 SSID) + 1 Alexa device. I still don't have a Ubiquiti AP, those things are expensive in Canada.

                                          I even spent some time reading IGMP Proxy source code to better understand the logging information….

                                          Microsoft Media Center doesn't display machines across VLAN, this is why I am trying to get IGMP Proxy working.  When in the same subnet I see all my sonos and NAS appliances.

johnpoz LAYER 8 Global Moderator

Microsoft media center?? Who in the F still uses that ancient POS?? It was horrible when it came out for XP back in 2002.. There are so many better options out there, that is for damn sure - that don't require being on the same L2..

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.