Netgate Discussion Forum
    Home network to keep wife happy + VPN (TV 4k netflix) + reduce intranet downtime

Routing and Multi WAN
73 Posts 5 Posters 17.0k Views
coxhaus

@johnpoz:

You don't need IGMP proxy to share media across subnets.. You only need that for shitty apps that don't understand that people might have more than one L2..

As to the L3 advice of SG300.. Makes zero sense to me to be honest, I have mine in L2 mode.. Since not planning on using L3 mode.. If I did switch it and lost the config - what would it really matter? Since I would be switching to L3 vs L2.. would be a different config, etc.

If you have devices that need to be on the same L2 for some feature - then put them on the same L2..

John you should try L3 mode before you knock it. It will give you faster throughput if you move very much data on the local net like backups, music, or video files. This is across networks, which is a given if you are using a layer 3 switch.

When you set up L3 mode, set up your router (pfSense) in a separate VLAN. You will like the way it works.

johnpoz LAYER 8 Global Moderator

Dude I know full well what an L3 switch does and why/how it would be used. I have zero use for it in my home network.. You then lose the ability to firewall between VLANs at pfSense.

My point was if you're not going to use L3 mode, then you don't have to put it in L3 mode. But even if you put it in L3 mode you can still use it for L2. I don't understand all the fuss of putting it in L3 mode if you're only going to use it as L2. The logic behind doing it is you lose your config when you change to L3 from L2. To that I say so what - if I was going to be moving it to L3 my config would be different anyway ;)

You don't need 1 VLAN - you can have many of them.. I have like 8.. But if you have devices that are limited to some nonsense protocol that only works when they are on the same L2 then put those devices on the same L2.. So you don't have to worry about doing something odd with an IGMP proxy.

Example of this - My wifi devices like iPhone and iPad like to use AirPrint to access the printer. While I could do a bit of extra work and using mDNS or Avahi get that to work across segments, it was just easier to put the printer on the same L2 as the wifi network the iPhone and iPad connect to. Since my other devices that need to print don't need to use that AirPrint shit, they can just point to the IP of the printer.

That is just one simple example. You are the one that should understand the requirements of your devices and the protocols they use - so just lay out your network so devices that require to be on the same L2 are, and there you go.. No need for IGMP proxy setup.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

ChefRayB

          @johnpoz:

Dude I know full well what an L3 switch does and why/how it would be used. I have zero use for it in my home network.. You then lose the ability to firewall between VLANs at pfSense.

Not everyone requires heavy control between VLANs in a home network 8). If you recall my requirements, I mentioned having multiple SSIDs (route via ISP, via OpenVPN) and I would prefer to have the local network working even if I need to shut down the main router (upgrade, playing with OpenVPN, etc….) I know I can create a lab but this is not my daily domain. :-[

@johnpoz:

My point was if you're not going to use L3 mode, then you don't have to put it in L3 mode. But even if you put it in L3 mode you can still use it for L2. I don't understand all the fuss of putting it in L3 mode if you're only going to use it as L2. The logic behind doing it is you lose your config when you change to L3 from L2. To that I say so what - if I was going to be moving it to L3 my config would be different anyway ;)

The context of enabling L3 mode was to do inter-VLAN routing at the switch level, utilizing a more reliable IGMP Proxy and the ability to shut down/upgrade the router without affecting your home network. In other words complete segregation. I would be able to still play Sonos music, stream from Synology NAS, play movies, save files on the network share drive, work on laptop to save DSLR pictures to NAS, etc… (Assuming you are using multiple subnets and VLANs)

          @johnpoz:

You don't need 1 VLAN - you can have many of them.. I have like 8.. But if you have devices that are limited to some nonsense protocol that only works when they are on the same L2 then put those devices on the same L2.. So you don't have to worry about doing something odd with an IGMP proxy.

Example of this - My wifi devices like iPhone and iPad like to use AirPrint to access the printer. While I could do a bit of extra work and using mDNS or Avahi get that to work across segments, it was just easier to put the printer on the same L2 as the wifi network the iPhone and iPad connect to. Since my other devices that need to print don't need to use that AirPrint shit, they can just point to the IP of the printer.

That is just one simple example. You are the one that should understand the requirements of your devices and the protocols they use - so just lay out your network so devices that require to be on the same L2 are, and there you go.. No need for IGMP proxy setup.

What about my requirements? Coxhaus provided a solution based on what I want to achieve and informed me that it's complicated. Your solution to put anything that needs the same L2 in the same subnet solves only one aspect of the problem but doesn't resolve my primary initial goal of having the ability to switch to a different AP SSID (route via ISP, route via OpenVPN1, etc….).

I think you should also consider the user's requirements (psss...btw...in this case it's me). Isn't that fair to say? ;)

I currently have everything working in my apartment, everything is in a single subnet and I have IP based routing for OpenVPN but I don't like the fact I need to run the OpenVPN client on laptop, tablet, mobile phone to enable OpenVPN, and my Linksys E4200 OpenVPN bandwidth isn't great...

Perhaps I might just suck it up and stick with the TP-Link L2 switch, I might not be able to dedicate all this time and effort forever :) must be a slow pet project :)

I think we spend more time explaining ourselves than actually exchanging information! ;D

It's all good, we are all geeks and control freaks! LOL

In a few years, everything will run through the cloud...you won't need to worry about anything :P

johnpoz LAYER 8 Global Moderator

            "aspect of the problem but doesn't resolve my primary initial goal of having the ability to switch to different AP SSID  (route via ISP, route via OpenVPN1, etc….)."

Sure it does... You can create and do whatever SSID you want and put them on whatever VLAN you want.

What it seems to me is you have worked this up to be some huge thing, when it's not all that difficult.. And you sure as hell do not need a L3 switch to do it.. And doing so then removes your ability to easily firewall between your segments. And you are at the mercy of ACL based rules at the L3 switch.

JFC start deploying stuff already! ;) Start with a couple of VLANs and start moving stuff around and see what works and doesn't work if you don't actually understand the protocols in use. For example while Plex can use some discovery protocols and DLNA - it doesn't actually require that. ALL my wifi devices can access it just fine from different VLANs via their SSID. The Plex server is on my LAN 192.168.9/24 while my wifi networks are either 192.168.2/24 for my devices or my guest wifi VLAN is 192.168.6/24

Simple rule to allow what I want to port 32400 and done..

Vs planning out every little thing - you're on 1 fat L2 right now, are you not? Then bring it up 1 other segment at a time - isolate your 1 SSID, what is not working? Then start expanding your network. I used to have 2 networks, my LAN and my WLAN.. It became more segmented over time (8 now I think), not all at once. Now that the UniFi AP supports 8 SSIDs per band I will prob have a few more to isolate IoT devices by type vs all lumped together. For example my Alexa is on the same as my Nest.. Going to put Alexa on her own VLAN to better isolate her from my other IoT devices.

Start with your LAN.. Break out a couple of wifi SSIDs, your stuff and guest for example. Then play with your policy routing rules, etc. Thought you said this was a lab ;) So start labbing it for gosh sake already! ;)

As to the cloud -- this brings up a good point. So for example Alexa is not on the same network as my lighting hub.. She still controls the lights - because it talks to the cloud, and Alexa is tied to the cloud. And tied to my lighting account. She controls the lights just like I do when on the road from my phone via either a wifi connection or my cell data connection (Internet).. Alexa and the lighting that she controls do not have to be on the same L2, nor do those L3 even need to be able to talk to each other.

ChefRayB

I know, I have to work on my lab! Don't worry I am making progress! But sometimes creating the lab is challenging because I don't have enough devices. I don't have an extra NAS and Sonos controller. I got 2 smart switches connected in trunk, I created 2 VLANs, 1 laptop plugged into each switch in different VLANs, they can ping each other, have working OpenVPN via IP based policy (I love the NAT interface firewall Hybrid GUI)

Next step, add my travel AP (1 SSID) + 1 Alexa device. I still don't have a Ubiquiti AP, those things are expensive in Canada.

I even spent some time reading IGMP Proxy source code to better understand the logging information….

Microsoft Media Center doesn't display machines across VLANs, this is why I am trying to get IGMP Proxy working. When in the same subnet I see all my Sonos and NAS appliances.

johnpoz LAYER 8 Global Moderator

Microsoft Media Center?? Who the F still uses that ancient POS?? It was horrible when it came out for XP back in 2002.. There are so many better options out there, that is for damn sure - that don't require being on the same L2..

ChefRayB

                  I meant Microsoft Media Player on Windows Machine…  We use Media Player on the Windows machine to stream video....

johnpoz LAYER 8 Global Moderator

Why?? Stream video from what? Are you actually streaming it or just accessing the files stored on your NAS via SMB (Windows file sharing)?

You sure as hell do not need to be on the same L2 to watch video on your network.. Unless you're using some stupid protocol like DLNA to find the thing offering it up… This protocol is designed for the idiot user that just plugs everything in.. Doesn't even know what an IP address is ;)

If you're wanting to graduate to the next level and start segmenting out your network you're going to have to leave those kid toys behind ;)

As already mentioned I stream video from my Plex server all the time to multiple devices - wired, wireless - same segment, not same segment. Shit my sons watch video off of it from their TVs from their houses ;) You don't need some stupid L2-only protocol like DLNA to find what you want to stream from.

If you really want to continue to use Media Player - just add the file share where you store your media to your Media Player library. Click click there you go - no L2 discovery protocols required, can be on any network segment.. Simple file sharing to access it using port 445 in Windows. So just the 1 port needs to be open in your firewall from the source segment/IP to the dest segment/IP

2nd pic - I added a folder of my storage server with some home video of my granddaughter - took all of 2 seconds to do. Clickity Clickity.. Not on the same network segment.. simple Windows drive mapping to the share..

Or can just use the Plex media player to access my videos and music off my server, again does not have to be on the same L2.. Or can just hit it with your fav browser if you don't want to use their player (supports multiple OS and embedded devices) like phone, tablet, Fire TV, Roku, etc. etc..

(attached screenshots: mediaplayerlib.png, acrossnetwork.png, plexmediaplayer.png)

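The post above boils inter-segment access down to "open just the one port the service needs and leave the rest to the default deny" (TCP 445 for the share, 32400 for Plex). The following is an added example, not code from the thread or from pfSense: a small Python audit that evaluates a candidate ruleset first-match (the way pfSense rules are evaluated), checks that every required flow is passed, and probes a few flows that should stay blocked so an over-broad "allow wifi to the whole LAN" rule is caught. The subnets are the ones johnpoz names; the NAS and Plex host addresses, the required-flow list and the probe flows are assumptions constructed for the example.

```python
"""Least-privilege check for inter-VLAN firewall rules (added example, not from
the thread or pfSense). Pass only the one port each service needs and let the
default deny catch everything else. Rules are evaluated first-match, as pfSense
does. Subnets are the ones mentioned in the thread; the NAS/Plex host addresses,
the required flows and the probe flows are assumptions made for this example."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # None means any destination port


def net(cidr: str) -> IPv4Network:
    return ip_network(cidr, strict=False)


LAN, WIFI, GUEST = net("192.168.9.0/24"), net("192.168.2.0/24"), net("192.168.6.0/24")
NAS, PLEX = net("192.168.9.10/32"), net("192.168.9.20/32")   # assumed host addresses
ANY = net("0.0.0.0/0")

# Flows the household actually needs: (src net, dst host, proto, port). Constructed.
REQUIRED = [
    (WIFI, NAS, "tcp", 445),      # laptops mapping the NAS share over SMB
    (WIFI, PLEX, "tcp", 32400),   # Plex clients on the private wifi
    (GUEST, PLEX, "tcp", 32400),  # Plex clients on the guest wifi
]

# Sample flows that must NOT be allowed; a pass here means the ruleset is too broad.
PROBES = [
    ("192.168.2.50", "192.168.9.10", "tcp", 22),    # wifi -> NAS management
    ("192.168.6.50", "192.168.9.10", "tcp", 445),   # guest -> NAS share
    ("192.168.2.50", "192.168.9.1", "tcp", 445),    # wifi -> another LAN host
    ("192.168.6.50", "192.168.2.50", "tcp", 445),   # guest -> private wifi
]

DEFAULT_DENY = Rule("block", ANY, ANY, "any", None)

# The "just open the whole LAN to the wifi segments" shortcut.
TOO_BROAD = [Rule("pass", WIFI, LAN, "any", None),
             Rule("pass", GUEST, LAN, "any", None),
             DEFAULT_DENY]

# One rule per required flow, then default deny.
TIGHT = [Rule("pass", s, d, p, prt) for s, d, p, prt in REQUIRED] + [DEFAULT_DENY]


def evaluate(rules, src, dst, proto, port) -> str:
    """First matching rule decides; no match falls through to block (default deny)."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if src in r.src and dst in r.dst and r.proto in ("any", proto) and r.port in (None, port):
            return r.action
    return "block"


def audit(rules) -> dict:
    """Return the required flows that are blocked and the probe flows that are wrongly passed."""
    missing = [f for f in REQUIRED
               if evaluate(rules, next(f[0].hosts()), f[1].network_address, f[2], f[3]) != "pass"]
    too_broad = [p for p in PROBES if evaluate(rules, *p) == "pass"]
    return {"missing": missing, "too_broad": too_broad}


if __name__ == "__main__":
    for name, rs in (("too broad", TOO_BROAD), ("tight", TIGHT)):
        print(name, audit(rs))
```

Running it reports three wrongly-passed probes for the broad ruleset and nothing for the tight one; dropping a needed rule shows up under `missing`, so the same check doubles as a regression test when rules are reshuffled later.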
ChefRayB

Good points…. just do a few clickity clickity (Johnpoz Trademark). I get what you mean. All your suggestions are valid, your logic is undeniable! :) Basically you are telling me to reduce as much as possible the usage of L2 discovery protocols. :)

I am aware that if I use SMB/NFS then I am not really streaming, I am simply reading a file from a storage location. I am also aware that Plex doesn't require DLNA. My goal is to have DLNA across subnets. My intent is to implement "dumb L2 discovery protocol" across subnets in my home network because it's my home, I want things to be easy, dumb proof and willing to forgo some security & performance because it's just my home network.

Fair enough some devices don't really need the L2 discovery (e.g. Media Player uses SMB). But my purpose of using Windows Media Player was also to simulate being a TV (discovering streaming devices), plug my 2 laptops into different subnets and observe how the "dumb protocol like DLNA" would behave if I enable IGMP Proxy. I can't use my TV as client because wife is watching TV at night after dinner…. I'm the geek that plays with 2 laptops and 2 switches by myself for a few hours at night... :-[

The reason I wanted to get DLNA working is that I plan on getting another TV without any Android Box attached to it. I might even drop DLNA altogether because some files are not supported: my DLNA server can't render/convert the file format I want to stream. So I might end up getting another Android Box and just stream via SMB/NFS when required.

Weekend 24th June I will install 1 Sonos controller in my new Lab, I need to see how I can stream music to the Sonos Speakers directly across VLANs. ;)

                      Btw Beautiful Baby :)

johnpoz LAYER 8 Global Moderator

Thanks - it's my granddaughter..

"I want things to be easy, dumb proof"

heheeh - if you think setting up multicast L2 discovery protocols across different VLANs is easy ;) heheh dumb proof.. Yeah have fun ;) You're going to need a GOOD switch.. while igmp proxy can work - it's flaky as shit.. You're going to want to do this at the switch layer. It's pretty much a bad security practice, amounts to running multiple layer 3 over the same layer 2 - same principle.

                        If you want it to be easy, dumb proof like the makers of such protocols intended - then put it all on the same L2..

ChefRayB

                          Update:

Got my hands on a SG300 only for 2 days, put the SG300 in L3 Mode but wasn't able to get IGMP Proxy cross-VLAN working…. :( IGMP Proxy & PIM sparse mode seem to be available on routers and not really switches. IGMP Proxy is mostly used between WAN and LAN, not really cross-VLAN. (Again based on my limited knowledge and reading)

I am still determined to perhaps give it another try... use a router to do it....

L2 Switch(vlans) <-> local router (IGMP Proxy) <-> Edge router (Pfsense) <-> cable modem <-> Internet

Any tips?

1- Is it feasible?
2- Any affordable router that can do this?

I've reduced my requirements, I just want 2 SSIDs each with a specific IP range so that I can put specific routing rules on pfSense (route through OpenVPN or ISP). Both SSIDs can be within the same subnet or VLANs (I need IGMP Proxy/PIM). I wasn't able to find a way to get 2 DHCP within the same subnet.

                          I really didn't think it would be so hard....  :( :'( :( :'( :-[

coxhaus

                            If you are going to use 2 SSIDs for like 5GHz and 2.4GHz in the same VLAN or network they are going to use the same DHCP scope because they are in the same network.  Any consumer router you buy will do this. If you want isolated traffic then you need separate VLANs.

I am not sure why you think you need IGMP Proxy in a switch. It is used in a large switch network to reduce the amount of broadcast traffic so you don't slow down a large network and you have a 1-to-many stream. I would think it would work in some form or Cisco would not advertise it.

ChefRayB

It's my lack of knowledge in networking that made me assume that you can have IGMP Proxy at the switch level / across VLANs. It's the router's responsibility. The switch uses IGMP Snooping only to make things more efficient by not flooding multicast to all ports. I read about Cisco PIM dense, PIM sparse mode but these are on the Cisco routers.

                              This is why I might need 2 routers….

                              L2 Switch(vlans) <-> local router (IGMP Proxy) <-> Edge router (Pfsense) <-> cable modem <-> Internet

                              1st (local) router will route cross VLAN and take care of IGMP broadcast cross VLAN.
                              2nd (edge) router (Pfsense) takes care of just routing internet/firewall/other services.

coxhaus

I am no expert but I believe IGMP proxy is at layer 3 and it works in layer 3 switches. If you want layer 2 it's IGMP snooping, which also works in switches. So you can use either one depending on what kind of switch you are using.

But like I have said all along, in your small network it may not make much of a difference. I understand wanting to use it as I want to run a routing protocol between my switch and router. A routing protocol is not needed but I want to use a routing protocol.

ChefRayB

I just don't want to deal with multicast protocols (IGMP, PIM, SSDP). If I can get a router that does it, I prefer to spend $100 on a router than having to configure pfSense to get them all working (IGMP Proxy buggy, Avahi plugin, etc….)

It seems Sonos uses SSDP https://forum.pfsense.org/index.php?topic=96160.0

I might have to decide to keep everything in 1 subnet or, like Johnpoz suggested, create the VLANs and move items one at a time, just deal with each issue clickly clickly. The only one I can't really ignore is Sonos because I have all my sound connected, hard to disregard and I want to control it from any subnet.

                                  It's like the new logitech keyboards, they now support both bluetooth and wireless, they support up to 3 devices, you just press a button.  I can now have 1 keyboard + mouse that I can use to type with laptop, Mobile Phone and Tablet !  It took a lot of years to get there....finally a keyboard+mouse combo worth buying ;)

coxhaus

                                    If you don't want to use IGMP don't.  Just let the multicast flood your network. Your network is so small I doubt you will notice a difference.

ChefRayB

                                      multicast flood doesn't occur across VLAN…

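The last few posts converge on the distinction that matters here: IGMP snooping is a switch-side optimisation inside one VLAN, flooding (or not) never crosses a VLAN boundary on its own, and carrying a group into another VLAN is a router's job (IGMP proxy, PIM). The following is an added example, not code from the thread, pfSense or any switch vendor: a small Python model of a VLAN-aware switch that shows which ports a multicast frame reaches with snooping off, with snooping on, and with a querier/router port present. Port numbers, VLAN ids and the hosts are constructed; 239.255.255.250 is the SSDP group that Sonos and DLNA discovery use.

```python
"""VLAN-scoped multicast with and without IGMP snooping (added example, not from
the thread or any vendor). A plain switch floods multicast to the ports of the
ingress VLAN; IGMP snooping narrows that to ports that reported membership plus
any port where an IGMP querier was seen; in neither case does a frame leave its
VLAN. Port numbers, VLAN ids and hosts below are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LINK_LOCAL = ip_network("224.0.0.0/24")   # 224.0.0.x is always flooded in the VLAN, never pruned
SSDP = "239.255.255.250"                  # SSDP discovery group (Sonos, DLNA)


class Switch:
    """Access-port switch model: each port belongs to exactly one VLAN."""

    def __init__(self, port_vlans: dict, snooping: bool = True):
        self.port_vlans = dict(port_vlans)        # port -> VLAN id
        self.snooping = snooping
        self.members = defaultdict(set)           # (vlan, group) -> ports that sent IGMP reports
        self.mrouter_ports = defaultdict(set)     # vlan -> ports where IGMP queries arrived

    def ports_in_vlan(self, vlan: int) -> set:
        return {p for p, v in self.port_vlans.items() if v == vlan}

    def igmp_report(self, port: int, group: str) -> None:
        """A host on `port` joined `group`; snooping records it per VLAN."""
        self.members[(self.port_vlans[port], group)].add(port)

    def igmp_leave(self, port: int, group: str) -> None:
        self.members[(self.port_vlans[port], group)].discard(port)

    def igmp_query(self, port: int) -> None:
        """An IGMP general query arrived on `port`: a querier/router lives behind it."""
        self.mrouter_ports[self.port_vlans[port]].add(port)

    def egress_ports(self, in_port: int, group: str) -> set:
        """Ports that receive a multicast frame for `group` entering on `in_port`."""
        vlan = self.port_vlans[in_port]
        flood = self.ports_in_vlan(vlan) - {in_port}
        if not self.snooping or ip_address(group) in LINK_LOCAL:
            return flood
        out = (self.members[(vlan, group)] | self.mrouter_ports[vlan]) - {in_port}
        # Unregistered group with no router port: flood within the VLAN (a common
        # default). Either way the candidate set was built from this VLAN only.
        return out if out else flood


# Constructed topology: ports 1-3 are VLAN 10 (NAS, laptop, uplink), ports 4-5 are VLAN 20.
PORTS = {1: 10, 2: 10, 3: 10, 4: 20, 5: 20}


def scenario(snooping: bool, router_port=None) -> set:
    """NAS on port 1 announces itself via SSDP; return who hears it."""
    sw = Switch(PORTS, snooping=snooping)
    sw.igmp_report(2, SSDP)          # VLAN 10 laptop wants SSDP
    sw.igmp_report(4, SSDP)          # VLAN 20 tablet wants it too, but sits in another VLAN
    if router_port is not None:
        sw.igmp_query(router_port)   # e.g. the router's VLAN 10 interface acting as querier
    return sw.egress_ports(1, SSDP)


if __name__ == "__main__":
    print("snooping:     ", scenario(True))                  # {2}
    print("no snooping:  ", scenario(False))                 # {2, 3}
    print("with querier: ", scenario(True, router_port=3))   # {2, 3}
```

The VLAN 20 tablet's join on port 4 never influences delivery in VLAN 10; only a querier on the uplink port pulls the announcement towards the router, which is the point at which an IGMP proxy or PIM would have to re-originate it into VLAN 20. That is also why "let it flood" only helps within one VLAN, as the post above says.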
coxhaus

                                        So you are going to run multiple devices on different VLANs with the exact same video stream?  If you run different video streams then you don't need IGMP.  Please explain what you are doing?

ChefRayB

                                          https://forum.pfsense.org/index.php?topic=132668.msg730018#msg730018

My goal was always to have a way to dynamically change SSIDs and have IP policy based rules on the NAT in pfSense to route my outbound internet through a different gateway and, regardless which SSID I use, I can always access my Sonos. At first I thought I could configure anything across VLANs but I was wrong, it seems Sonos doesn't work across VLANs and multicast routing across VLANs doesn't work.

                                          Another alternative (Plan B)  is trying to see if I can make everything work within 1 subnet but still have many SSIDs.  In the other forum thread (See below) , a user suggested to me Bridge the 3 interfaces together and use the interface based rules at the NAT level.  Something worth looking into.  I know bridging is not great but it's for home….

                                          Below is an example  https://forum.pfsense.org/index.php?topic=132668.msg730018#msg730018

                                          @ChefRayB:

I take my Tablet, select SSID A, go on website www.whatismyip.com and it says Canada, I go on Netflix Canada.
I take the same Tablet, change to SSID B, go on website www.whatismyip.com and it says USA, I go on Netflix USA, Hulu USA
I take the same Tablet, change to SSID C, go on website www.whatismyip.com and it says UK, I go on Netflix UK

                                          Despite whichever SSID I select (A or B or C)  I still wish to remain in the same subnet so that all my Synology NAS, Sonos, Wireless Printer, IP TV and all whatever protocol that usually works just within a subnet still works on my tablet regardless of which SSID.

                                          I am aware of the work arounds:

                                          • use VLAN and either use IGMP Proxy, Avahi or stop using those home protocols ( clickely clickely )
                                          • Simply change the ip address manually on the tablet to a different range within the same subnet ( I can even write Android application that does that….I know...)
                                          • Simply use OpenVPN Android software directly on the tablet, create a OpenVPN directly from Tablet
coxhaus

                                            All I want to know is the video for IGMP. What are you doing?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.