Netgate Discussion Forum

Hardware for using pfsense as a managed switch?

Hardware - 42 Posts, 12 Posters, 13.0k Views
Derelict LAYER 8 Netgate

Are cheap and stackable the only requirements?

(Note that those terms are usually mutually-exclusive. You might also need to define the term cheap)

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
jahonix

This discussion has gone far from the topic starter's question, hasn't it?
Derelict LAYER 8 Netgate

They always morph into "what should I do instead?"
Billyboy

I need it on the WAN side to connect 3 VDSL routers. The existing VDSL routers have built-in switches, currently connected directly to a Firebox, but it seems like they are causing trouble with the CARP failover. So VLANs, spanning tree and a configurable ARP timer would be good. Did I forget something? Do I need anything for CARP/VRRP support?

@Derelict:

Are cheap and stackable the only requirements?

(Note that those terms are usually mutually-exclusive. You might also need to define the term cheap)
Guest

I think getting a bridged modem is a better option. CARP/VRRP is problematic if it happens too often since most providers do MAC throttling to prevent draining the lease pool too quickly.
Derelict LAYER 8 Netgate

CARP on WAN generally does not play nice with residential-type WAN connections.

You need a static /29 there. You can usually get away with a static /32 on the secondary WAN but it is sub-optimal.
Billyboy

@johnkeates:

I think getting a bridged modem is a better option. CARP/VRRP is problematic if it happens too often since most providers do MAC throttling to prevent draining the lease pool too quickly.

A CARP failover happens very seldom, maybe once a month, but it has to work.
What do you mean by bridged modem? PPPoE? Does this play with CARP?
Actually, I am using a private IP net only as a transfer net between the pfSense and the router, doing double NAT (in the pfSense as well as in the router). No, I am not using SIP ;-)
Would an OpenWRT router (without an extra switch) probably work better? As far as I know, you can configure the ARP timeout with OpenWRT.
Billyboy

@Derelict:

CARP on WAN generally does not play nice with residential-type WAN connections.

You need a static /29 there. You can usually get away with a static /32 on the secondary WAN but it is sub-optimal.

I know that's sub-optimal, but that is the use case. We are replacing expensive company Internet lines with low-cost residential VDSL lines, plus adding additional HA with LTE lines (LTE is not available together with a public IP in Germany).

So I am doing double NAT, with a private IP net between pfSense and the router. Shouldn't that work? It is pretty much the same as on the LAN side.
Derelict LAYER 8 Netgate

Yes. If you want to do double NAT and put a bunch of potential points of failure in front of the firewalls it will work fine.

As long as both primary and secondary can access the internet while the CARP VIPs are in the BACKUP state it should work.
Guest

@nktech1135:

Hello all.
I'm not sure how practical this is. I am looking for a managed switch for VLANs and such and was wondering if pfSense could do this? I'm already using pfSense in a routing capacity but bought a prebuilt hardware solution for that. This time I'd like to build my own.
The questions I have are these.
1, is it a practical use of pfSense to use it as a managed switch OS?
2, if so, what would you guys recommend for an 8 port box? It should be future proofed for updates and be under $200 if possible.
The switch will be on the LAN side so should have full gigabit speeds.

Thoughts?

First get a switch that has 8 gigabit LAN ports! And if you need Layer 3 routing, VLANs, LAGs (LACP), a CLI and a real serial console port, get a Cisco SG300-10 or Cisco SG350-10. They are often available at amazon.com for ~$110 (SG300-10) or ~$200 (SG350-10). If more ports and other things such as SFP/SFP+ ports or 10 GBit/s capability are another point, you will be fine with a D-Link DGS1510-20 for around ~$270, but with much more power and ports. There are also other solutions out there!

Netgear Layer2
Netgear GS108E
Netgear GS108Tv2
Netgear GS110T

Cisco Layer2 & Layer3
Cisco SG200-08
Cisco SG300-10
Cisco SG350-10

Layer3 more ports
D-link DGS1510-20
jahonix

@Billyboy:

We are replacing expensive company Internet lines with low cost residential VDSL lines, plus adding …

What the hell does this have to do with "using pfsense as a managed switch"? Create a new thread for your topic.
nktech1135

Hi all.
Thanks for all the thoughts. This just goes to show how inexperienced I am that I even asked the question. I like tinkering and I figured that if I could find something with 4 to 8 ethernet ports I could load an OS on it and away I go. Guess such hardware isn't available the way this sounds.
Anyway, my original question was answered. I bought the (TL-SG108E) before reading this so will work with it and see if I run into issues. Someone mentioned a possible VLAN issue with this unit. Could you elaborate? Do VLANs not work at all? Or just certain types?
I'm new with VLANs so will probably struggle a bit once I get this configured but that's fine, I like a good challenge.
As for the CLI, I am familiar with Junos, but nothing much else. I'd love to buy a Juniper switch but they're too expensive for what I'm doing.
Curious, does pfSense have a good CLI? The one time I logged in via SSH I didn't see one but I may have missed something.

Thanks again for all the help.
Derelict LAYER 8 Netgate

250-post thread here:

https://forum.pfsense.org/index.php?topic=76022.0
whosmatt

@Inxsible:

I'd prefer working in the CLI too. Most times I go the CLI route even if a GUI is available.

Ditto. I've found most easy to get around in. If you're familiar with the CLI in a Cisco switch it's hardly a jump at all to manage a Dell switch, for example. They're that close.
Derelict LAYER 8 Netgate

For some little edge switch, I really don't care as long as the web interface actually does what you tell it to do. A proper management VLAN capability for the web interface is also nice.

CLI all the way for real work.
whosmatt

@Derelict:

as long as the web interface actually does what you tell it to do

And just as important is that it's clear that what you think you're doing is what you're actually doing. I've never really dealt with the web interface in a fully managed switch, always used the CLI, but in the "prosumer" (I hate that term, but it actually seems applicable here) realm the hardest part IMO (for someone otherwise comfortable managing a switch) is that translating what the interface says to what is actually happening can be less than intuitive. Obviously it's not rocket science, but I don't fault anyone for not initially realizing that "PVID" = "native VLAN" for example.
Derelict LAYER 8 Netgate

Right - and that is specifically one of the areas the switch in question falls on its face - the PVID.
whosmatt

@Derelict:

Right - and that is specifically one of the areas the switch in question falls on its face - the PVID.

I know. I have two of them. They'll get replaced pretty soon but it's mostly because I need more ports. For my uses they've actually been fine, and the PVID issue that has been discussed extensively is largely academic for me in my home environment.
whosmatt

@nktech1135:

I bought the (TL-SG108E) before reading this so will work with it and see if I run into issues. Someone mentioned a possible VLAN issue with this unit. Could you elaborate? Do VLANs not work at all? Or just certain types?

I use 2 of these at home right now and the PVID issue aside, they work fine.

In a nutshell, the issue is that no matter how you assign VLANs, VLAN1 is always available on any given port and that leads right to the management IP. That's a big no-no for the office, but in real world home use, it won't affect how the switch actually works with VLANs. If you already have it, use it. It's fine for home use. All the VLAN stuff that you would want with pfSense will work.
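As an added illustration (not code from the thread, from Netgate or from the switch vendor), here is a small 802.1Q ingress model that audits a VLAN table for ports from which the management VLAN is still reachable. Port names, VLAN numbers and both configs are constructed; the "sticky VLAN 1" config mirrors the behaviour whosmatt describes, where every port stays a member of VLAN 1 regardless of what you assign.

```python
# Added example, not code from the thread: a minimal 802.1Q ingress model used to
# audit a constructed switch VLAN table for ports that can still reach the
# management VLAN. Port names, VLAN numbers and both configs are made up.
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int                                   # native VLAN: untagged ingress frames get this VID
    member: set = field(default_factory=set)    # VLANs this port is allowed to carry
    tagged: set = field(default_factory=set)    # members sent out with an 802.1Q tag (trunk side)


def ingress_vid(port, frame_vid):
    """Classify an arriving frame: untagged -> PVID; tagged -> kept only if a member VLAN."""
    if frame_vid is None:
        return port.pvid
    return frame_vid if frame_vid in port.member else None   # non-member tag is dropped


def reaches_management(port, mgmt_vlan):
    """True if some frame entering this port is classified into the management VLAN."""
    via_pvid = ingress_vid(port, None) == mgmt_vlan           # untagged path (PVID / native VLAN)
    via_tag = ingress_vid(port, mgmt_vlan) == mgmt_vlan       # explicitly tagged path
    return via_pvid or via_tag


def audit(switch, mgmt_vlan=1):
    """Sorted names of ports from which the management VLAN is reachable."""
    return sorted(name for name, port in switch.items() if reaches_management(port, mgmt_vlan))


# Constructed config: management interface on VLAN 1, uplink trunk to pfSense, two access ports.
PROPER = {
    "g1": Port(pvid=1, member={1, 10, 20}, tagged={10, 20}),   # trunk, native VLAN 1
    "g2": Port(pvid=10, member={10}),                          # access port, VLAN 10 only
    "g3": Port(pvid=20, member={20}),                          # access port, VLAN 20 only
}

# Same intent on a switch that keeps every port a member of VLAN 1 no matter what you configure.
STICKY_VLAN1 = {name: Port(p.pvid, p.member | {1}, p.tagged) for name, p in PROPER.items()}

if __name__ == "__main__":
    print("proper   :", audit(PROPER))        # only the trunk, by design
    print("sticky 1 :", audit(STICKY_VLAN1))  # every port: a VID-1 tagged frame reaches management
```

A switch passes when audit() lists only the ports you intend to manage it from; on a switch that cannot drop VLAN 1 from a port, every port shows up, which is why moving management off the default VLAN is not enough there.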
nktech1135

@whosmatt:

I use 2 of these at home right now and the PVID issue aside, they work fine.

In a nutshell, the issue is that no matter how you assign VLANs, VLAN1 is always available on any given port and that leads right to the management IP. That's a big no-no for the office, but in real world home use, it won't affect how the switch actually works with VLANs. If you already have it, use it. It's fine for home use. All the VLAN stuff that you would want with pfSense will work.

Thanks for the explanation.
For me here, having access to VLAN 1 isn't a problem. I get why you say it would be a problem in larger office networks though, although if I were working on such a network I'd not use home equipment at all, which kind of takes care of that.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.