My first VLAN. Would this setup work? (graphics included)
-
Greetings,
I need some assistance with my first ever VLAN implementation on a SG-4860 PfSense box.
My AS-IS setup, pictured on graph 1, has all devices on the same network.
I want to move away from that setup and implement VLANs to properly separate devices on my network. Below is the TO-BE state I'd like to reach (pending any wiring errors I might have made):
I drew up graph 2 here-under, assuming this will be a functional setup.
Could someone please have a look and see if it makes sense?

A few notes of importance:
- All devices on my network, regardless of the VLAN, will have fixed IPs assigned
- Access points need to be usable by ALL devices regardless of VLAN
- I am planning on using different configs (SQUID, captive portal, etc) on each VLAN, hence my use of the physical OPT ports on the SG-4860.
Questions:
- Did I make any mistakes in the design or would that be a functional setup?
- In principle I want all VLANs fully isolated BUT with some ability to "reach across" VLANs to administer devices, etc. (e.g. if my phone is on VLAN 10 and an IoT device on VLAN 30, I'd like the ability to "reach in" with my phone to administer the IoT device. The IoT device should not be able to reach out on its own.) Is that possible? If so, how would I go about configuring that? Would that be done purely with firewall rules?
- Do I need to configure the ports linking my Access Points X and Y as trunk or access ports on my switch? I am assuming trunk…
- Bonus question: I have configured specific DNS servers on my pfSense box. But since my ISP box (NOT in bridge mode) uses my ISP's DNS servers as well, how can I make sure that all devices on my pfSense networks use my pfSense-defined DNS and not the ones from my ISP?
-
-
Why don't you just get a pfSense and a switch and check it out? Fiddling with settings yourself has always proven to be the best kind of education vs. just being told.
1. There aren't many mistakes to make. I cannot see any here.
2. Rules will block or allow traffic between interfaces. Doesn't depend on physical or virtual ones.
3. Depends on your APs. They might be capable of VLANs and multiple SSIDs spread out on those or they might not.
4. https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

Edit:
Between your switches you will need a trunk containing all VLANs.
You just wrote "SFP" but the media is irrelevant here.
-
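The two points above (rules deciding what passes between interfaces, and redirecting DNS to pfSense) written out in pf rule syntax, as an added example that is not from this thread and not pfSense's own configuration: pfSense generates its rules from the GUI and overwrites any hand-edited pf.conf, but the engine underneath is pf, so the raw syntax shows the logic that GUI rules end up expressing. The interface names (igb1.10, igb1.30) and subnets (192.168.10.0/24 for the phone VLAN, 192.168.30.0/24 for the IoT VLAN, following the "VLAN id in the 3rd octet" idea from the diagram) are assumptions.

```pf
# Added example (not from this thread): pf syntax for "VLAN 10 may reach
# into VLAN 30, VLAN 30 may not reach out" plus forcing DNS to pfSense.
# Interface names and subnets below are assumptions, not from the diagram.

vlan10_if  = "igb1.10"          # trusted devices (phones, laptops)
vlan30_if  = "igb1.30"          # IoT devices
vlan10_net = "192.168.10.0/24"
vlan30_net = "192.168.30.0/24"

# All RFC 1918 space. Blocking IoT from *every* private range, not only
# from VLAN 10, means adding a VLAN later does not silently open a path.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Default deny: anything not explicitly passed below is dropped and logged.
block log all

# --- DNS: send every client to the resolver on pfSense --------------------
# A DNS request leaving a VLAN for any address other than the pfSense
# interface itself is rewritten to the interface address, so a client with a
# hard-coded or ISP-pushed resolver still ends up asking pfSense.
rdr pass on $vlan10_if proto { tcp, udp } from $vlan10_net to ! ($vlan10_if) port 53 -> ($vlan10_if) port 53
rdr pass on $vlan30_if proto { tcp, udp } from $vlan30_net to ! ($vlan30_if) port 53 -> ($vlan30_if) port 53

# --- VLAN 10 (trusted): may open connections into VLAN 30 and to the internet
# "keep state" is what makes the reach-in one-way: the IoT device's replies
# match the state entry created here, so no rule on $vlan30_if is consulted.
pass in quick on $vlan10_if inet from $vlan10_net to $vlan30_net keep state
pass in quick on $vlan10_if inet from $vlan10_net to ! <private> keep state

# --- VLAN 30 (IoT): internet only ------------------------------------------
# There is deliberately no pass rule from $vlan30_net to $vlan10_net, so a
# connection the IoT device initiates toward a phone hits "block log all",
# while replies to connections the phone initiated still flow via the state.
pass in quick on $vlan30_if inet from $vlan30_net to ! <private> keep state

# DNS to pfSense itself has to be allowed explicitly on the IoT VLAN, because
# the interface address sits inside <private> and the rule above excludes it.
pass in quick on $vlan30_if inet proto { tcp, udp } from $vlan30_net to ($vlan30_if) port 53 keep state
```

In the pfSense GUI the same logic is two rule sets on the Firewall > Rules tabs for the VLAN 10 and VLAN 30 interfaces (rules are evaluated on the interface where traffic enters), with the stock "allow to any" rule on the IoT interface replaced by an allow whose destination is the inverted RFC 1918 alias, and the DNS part is the NAT port forward described in the doc link above. The property worth checking after applying it is the asymmetry: a connection from 192.168.10.x to an IoT device succeeds, while the same connection attempted from 192.168.30.x toward a phone shows up only as a blocked entry in the firewall log.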
You do not need trunks to your pfSense in your design, since those ports will not need to carry tagged VLANs. How you have it set up is native. The only trunk ports you would need to carry tagged would be to your AP and your uplink to the sg-28.
Since you have a Unifi switch, I have to assume you have Unifi APs, which do VLANs, so yeah, looks like you're good.
But again, in your setup the ports on your Unifi switch to pfSense would only need to be access since they will only have 1 network on them. There would be no reason in your setup to create "vlan" interfaces on pfSense.
-
It's a waste of those extra ports on the 4860, dependent on the amount of traffic. How much traffic passes through the current setup's LAN port?
I'd also create a LAN management subnet and pop your switches & access points in there; I used the untagged LAN interface.
You're giving your VLANs the 3rd octet of the IP address, which gets a thumbs up from me :)
Your setup is very much like mine but I have all the VLANs coming off my 4680 LAN port.
-
@all
First of all many thanks for taking the time to respond. Much appreciated! :)

@jahonix
I do have the devices listed on the diagram (pfSense SG-4860, Ubiquiti and Cisco switches and Unifi access points).
I am already experimenting a lot but cannot afford to take the whole network down for too long if I get something wrong.
I updated the link between switches to TRUNK as per your indication. Thanks

@johnpoz
Ok, I removed the TRUNK ports between the Ubiquiti and pfSense and added the missing one between the switches.

@NogBadTheBad
In terms of traffic, the LAN averages about 20GB/day for most days, but a couple of days a month I would be in the 100-150GB/day range.

- Is there any advantage/disadvantage for me to use the physical OPT ports here as opposed to just using the LAN port and tagging the VLANs there?
- I guess if I install SQUID it will then apply to all VLANs as opposed to the setup I am envisioning where I can restrict its usage to one subnet?
- For the LAN management subnet I assume I would have to tag it something else than VLAN1 for better security?
Many thanks again for your input and help
-
-
Sorry I should have asked what does your peak bandwidth look like?
You could even create a LAG group of your LAN and OPT1 interface and pop your VLANs on the LAG.
Tagged or untagged makes no difference security-wise; your Ubiquiti devices will need their Mgt in an untagged VLAN.
If you added VLANs onto your LAN interface the current LAN interface would be untagged.
A VLAN is no different package-wise than an interface. Snort & ntopng are a little different, as if you place them on an interface with VLANs it puts the parent interface into promiscuous mode.
Get a cheap managed switch and have a play on one of the unused interfaces as jahonix mentioned.
-
@all
- Is there any advantage/disadvantage for me to use the physical OPT ports here as opposed to just using the LAN port and tagging the VLANs there ?
Thanks Chti for elegantly asking this question - love the diagram.
I have the same question as above, and a possible answer. "Is there any advantage to Trunking all the physical OPT ports directly to the Switch, or is it preferable just to use VLAN tags?"
The only reason I can see is if the combined throughput of all VLANs were to saturate the port, whereas using OPT physical ports offers an opportunity to multiply that.
I'll leave it to someone with the real knowledge to clarify or deny.
Thank you.
-
-
1. Is there any advantage/disadvantage for me to use the physical OPT ports here as opposed to just using the LAN port and tagging the VLANs there ?
1. Multiple VLANs on one physical interface have to share this port's bandwidth (1Gbps nowadays) whereas a dedicated interface is always full bandwidth.
2. Haven't used Squid in a long time but IIRC you can select which interfaces it serves.
3. That's more philosophical than technical, but something different is always something better. :P
-
Many thanks for all this additional information!
And apologies for not responding earlier. Had some account issues and my access has just been restored.

I think I will try a hybrid model:
- Use some VLANs on the LAN port
- Set up the guest network on an OPT port. This will also allow me to play a bit with Squid and SquidGuard.
- If all goes well then I'll move some VLANs on their own OPT port.

Again thanks for all the feedback