Pfsense network recommendations/questions?
-
The SG-3100 is a good little box if you know you're only going to use the minimal and basic functions. As soon as you start to tinker, you will want more.
The SG-3100 has two "router interfaces" meaning you can only directly connect two networks (WAN and LAN) without using VLANs (this is totally fine and normal for people to work with). The catch is that all VLANs on that port will share that port's bandwidth.
The upside is the price. It's cheap and if you only have a few devices, you may not need a switch.
Personally, I got the SG-2440. I love it. I'm running suricata (like snort but multi threaded), bandwidthd, OpenVPN, and a few other smaller packages. I have no issues hitting 160 Mbits down.
If you want lots of room for growth, get the SG-4860. The faster CPU will help with faster connections and IDS/IPS.
The other consideration is if you have DSL. If you have DSL and want to run the modem in bridge mode, you will be running PPPoE on the router and that is single threaded so clock speed is critical.
-
curtisgrice thanks for your opinions and thoughts. You are definitely right I am sure the 3100 would be great for me initially but as I start to learn and tinker I will probably wish I had gotten something a little bit more robust. I think I will probably end up biting the bullet and either get the 2440 or 4860 (probably the 4860) just so I know I would be good for some time.
What VPN service provider are you using? I have been using PIA but was wondering if there are ones that are better than the others or will they all really have the pass-through for me and not really be an issue? My service is only 150 Mbps down and 20 Mbps up so not like I am looking for gigabit transfer speeds since I am unfortunately not able to get any faster service at all.
So with the 2440 and 4860 I would be able to configure all the ports/interfaces and have more options to configure things. That sounds like it would have a lot more advantages and something that would be better.
So for wifi I will be limited to whichever router I am using and what modes I am able to configure it in order to connect it to my device, correct? Would I be better off looking to upgrade or change out my wifi from my Luma or Orbi to something else?
-
Personally, I use the SG-2440 and a Ubiquiti AP-AC-LR for wifi. I'm not familiar with the Orbi or Luma. On the wifi end of things you can use any old wifi router/AP that works but not all support vlans. I got the Ubiquiti for the price/vlan/AC/range, but if you already have something that works well and you don't have a need for segregated wifi networks (vlans) stick with it.
I use a segregated wifi for all IoT things, cameras, smart lights, google hub, etc. This way I can profile the minimum ports/addresses needed for them to function and block all other traffic to and from the internet and my main network. Eventually I'd like to start doing some traffic analysis and write custom "snort" rules for every time they phone home for no reason.
I'm not using a VPN service at the moment. I use the VPN to connect back to home remotely and securely.
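The IoT approach described in the post above (own VLAN, profile the minimum ports/addresses each device needs, block everything else, and then notice when a device phones home outside that profile), worked through as an added Python example. This is not code from the thread or from pfSense: the VLAN subnet, interface name, device addresses and flow records are constructed sample data, and the emitted rules use pf.conf syntax purely for illustration (pfSense runs pf underneath, but its rules are normally entered through the GUI).

```python
"""
Added example (not from the forum thread): build a least-privilege profile for
an isolated IoT VLAN from observed flows, render it as pf-style rules, and flag
later flows that fall outside the profile. All addresses, the interface name
and the flow records below are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_VLAN = ip_network("192.168.50.0/24")   # assumed IoT VLAN subnet
IOT_IF = "igb2.50"                          # assumed VLAN interface name on the firewall
LAN = ip_network("192.168.1.0/24")          # assumed main LAN that IoT must never reach

# Constructed sample flows from a learning window: (src, dst, proto, dport)
LEARNED_FLOWS = [
    ("192.168.50.10", "192.168.50.1", "udp", 53),    # camera -> DNS on the VLAN gateway
    ("192.168.50.10", "203.0.113.20", "tcp", 443),   # camera -> vendor cloud
    ("192.168.50.10", "203.0.113.20", "tcp", 443),   # same flow seen again
    ("192.168.50.11", "192.168.50.1", "udp", 53),    # smart light -> DNS
    ("192.168.50.11", "192.168.50.1", "udp", 123),   # smart light -> NTP on the gateway
    ("192.168.50.11", "198.51.100.7", "tcp", 8883),  # smart light -> MQTT over TLS
]


def build_profile(flows):
    """Map each IoT device to the set of (dst, proto, dport) it was observed using."""
    profile = defaultdict(set)
    for src, dst, proto, dport in flows:
        if ip_address(src) not in IOT_VLAN:
            continue  # only profile devices that live on the IoT VLAN
        profile[src].add((dst, proto, dport))
    return dict(profile)


def render_rules(profile):
    """Render the profile as pf.conf-style rules. Order matters in pf with
    'quick': explicit passes first, then a logged block of IoT -> main LAN,
    then a logged default block for everything else."""
    lines = []
    for src in sorted(profile, key=ip_address):
        for dst, proto, dport in sorted(profile[src]):
            lines.append(
                f"pass in quick on {IOT_IF} proto {proto} from {src} to {dst} port {dport}"
            )
    lines.append(f"block in log quick on {IOT_IF} from {IOT_VLAN} to {LAN}")
    lines.append(f"block in log quick on {IOT_IF} all")
    return lines


def find_violations(profile, flows):
    """Return IoT-origin flows that are outside the learned profile: these are
    the 'phoning home for no reason' candidates worth an alert or an IDS rule."""
    return [
        f for f in flows
        if ip_address(f[0]) in IOT_VLAN
        and (f[1], f[2], f[3]) not in profile.get(f[0], set())
    ]


# Constructed flows from a later window, once the rules are in place
NEW_FLOWS = [
    ("192.168.50.10", "203.0.113.20", "tcp", 443),   # known and allowed
    ("192.168.50.10", "192.168.1.25", "tcp", 445),   # camera poking at the main LAN
    ("192.168.50.11", "192.0.2.99", "udp", 5353),    # light talking to an unknown host
    ("192.168.1.25", "192.168.50.10", "tcp", 80),    # LAN -> camera: not IoT-origin, ignored here
]

if __name__ == "__main__":
    prof = build_profile(LEARNED_FLOWS)
    print("\n".join(render_rules(prof)))
    for v in find_violations(prof, NEW_FLOWS):
        print("outside profile:", v)
```

The profile is keyed by source address rather than MAC, so it only holds while the devices keep fixed DHCP leases; the two logged block rules are what produce the evidence for the traffic analysis the post mentions.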
-
Orbi and Luma are user wifi mesh setups. They have no power - they do not even support vlans.. Those are nothing more than expensive toys for users that don't have a clue.. And just want to plug shit in and get on facebook from their tablet..
If you want to do anything from a security standpoint for wireless you're going to want something that does vlans so you can have different wifi networks.. And you're also going to want wpa-enterprise support so for your devices that support it you can use that to auth with, etc.
Unifi is prob the most feature rich wifi at the lowest cost.. While you can drop some coin as well.. new UAP-AC-SHD has "Wireless Intrusion Prevention System (WIPS)" on a dedicated radio - and also has radio for doing spectral analysis… This is not your $100 AP ;) Right now they are in beta store for $350..
https://store.ubnt.com/collections/beta/products/unifi-ap-ac-shd
I would love to pull the trigger on one - but budget committee (wife) is on the war path of late ;)
I currently have a Pro, LR and lite in my house for AP... Running 4 different wlans on wifi - and will prob isolate a bit more the nests from alexa which are currently on the same ssid and vlan, etc.
-
Hi all,
when will the SG-4860 have one of the Intel C3000 chips like C3850. I was going to buy SG-4860 but it has the C2558 CPU that has a problem, I know there is a workaround for it, but I am not buying something that has a known problem.
Thank You,
-
curtisgrice and ManuelA thanks for the information I do appreciate it.
But if funds are tight and I don't have the option or ability to change out my wireless and have to for the time being stick with what I have for cost savings, I could technically use the Luma on one port for VPN wireless and Orbi on another port for NON-VPN, correct? However it would just be a generic setup where you would not be configuring or have more advanced features, it would just be adding wireless for that port for whatever I would have connected to it? Or could you still add groups and other things more generic for some control with that setup?
BTW I do agree with you, they are more plug and play and for the time it worked for me and I liked it. But since being introduced to pfsense and what it can do it is definitely something I would look into, just don't have the funds to get and change everything all at once unfortunately.
Unifi and Ubiquiti are the same or are they different companies/products, correct? One is just the company and the other is just their product line, right?
So for the Ubiquiti you need to have physical connection for each one in the house? The thing is and the reason I have the Luma and Orbi was because the mesh network allowed me to get wifi to all ends of my house and get rid of the dead spot I was having with traditional wireless routers. So I am trying to figure out how Ubiquiti would help me out in my situation if I would need more than one in order to make sure that my house was good and I did not regress in the coverage aspect? The security and advance features I have no doubt hands down put Luma and Orbi to shame (but also geared towards different customers). Would I need to buy multiple units and have them hard line back into the switch/pfsense box for connection for them to work I assume?
If you were going to recommend something what would you recommend in my situation?
I could not check out the link for the UAP-AC-SHD since it said it was for beta users only.
Thanks
-
ManuelA,
What is the issue that the SG-4860 chipset has? And what is the workaround for it?
I haven't heard of this until your post so now I am curious what it could be.
Thanks
-
So quick question for you all if I were to buy the UAP-AC-SHD or even the UAP‑AC‑HD or the UAP‑AC‑PRO, how do you power the devices? Since it is not like your typical AP where you plug the power source into the wall.
It says I need a 802.3at PoE+ support and can be powered by any 802.3at PoE+ compliant switch.
Since I am new to this whole community and more robust networking devices, I was not sure if any real switch has that feature really or if it is only special ones or only Unifi switches that I need to look at getting.
Thanks
-
Any of the AP from unifi are poe yes.. What flavor they use depends on the model.. the -lite and -lr are not really standard poe compliant.. And use a 24V passive mode..
802.3af/A PoE
24V Passive PoE (Pairs 4, 5+; 7, 8 Return)
While Pro is
Passive Power over Ethernet (48V), 802.3af/802.3at Supported
(Supported Voltage Range: 44 to 57VDC)
And HD
The UniFi AC HD AP can be powered by an 802.3at PoE+ compliant switch.
So while it can be a bit confusing to those not familiar with POE.. shoot even those that are ;)
The good thing to know is that unless you are buying them in multi packs they all come with an injector.. This allows you to inject the power onto the ethernet cable you run to the AP.. You can always buy the injectors from them.
https://www.ubnt.com/accessories/poe-adapters/
Now if you're going to be running multiple AP and or phones and or cameras etc.. Where you're going to run multiple POE devices then it might be good idea to buy a poe switch, either one that meets poe standards and use with the AP you get.. Or you can get switches from unifi that can power their different devices. They also sell inline converters that convert standard meeting poe to their odd ball stuff ;) without having to actually inject the power.
If you're just buying single AP units - they should come with the appropriate injector you can use.
Does this picture help in understanding poe?
Or maybe this attached one?
-
johnpoz thanks for the diagram and information. It definitely is confusing, I did not know it was that complex and everything. I thought it was just as simple as it had POE or did not and I did not know there were different standards for different voltage requirements. A lot learned, thank you so much.
So if I were to get the UAP-AC-SHD I would need a 48V POE injector adapter? The same for the Pro?
Pretty much all of them could be powered by an 802.3at PoE+ compliant switch like the US-16-150W?
Also do you have to use specific CAT cable CAT5 or CAT6? I was not sure if it needed to be CAT6 or if what I already have run in my walls CAT5 would be fine.
Thanks
-
when will the SG-4860 have one of the Intel C3000 chips like C3850.
Who was telling this and when? It's absolutely new to me that they want to use those SoCs from Intel
but it will be nice if I see what the Supermicro SYS-E300-9D and SYS-E200-9D are offering!
I was going to buy SG-4860 but it has the C2558 CPU that has a problem, I know there is a workaround for it. but I am not buying something that has a known problem.
It can come to a problem under some circumstances, but not all units will have one!!!
Personally, I use the SG-2440 and a Ubiquiti AP-AC-LR for wifi. I'm not familiar with the Orbi or Luma. On the wifi end of things you can use any old wifi router/AP that works but not all support vlans. I got the Ubiquiti for the price/vlan/AC/range, but if you already have something that works well and you don't have a need for segregated wifi networks (vlans) stick with it.
To build a WiFi network it might be easier to realize than in former days with the equipment available on the market,
but there are also some differences between some configurations.
- A WiFi network with some older or used routers and perhaps let us say DD-WRT or OpenWRT (LEDE) will be good to realize a cheap WiFi network, but mostly the hand over, also called "roaming", is not given.
- Realizing the roaming will be nice and more matching if hardware from only one vendor will be in usage, such as MikroTik or UBNT will offer at these days.
- A real mesh network is often using the HWM protocol, but they are not even compatible with each other to use it like everybody wants to do.
- MikroTik is using the HWMP (HWMplus) protocol
- UBNT is using the HWM protocol
So if you want to realize a real mesh you will also need equipment that is able to play nice together.
-
BlueKobold & johnpoz thanks for the information really helping me out and everything.
For POE I would just need to make sure that I am using Cat5, Cat5e or Cat6 cables correct? Was not sure if there was a difference other than throughput speed or if there was more to it than that.
So more or less if I end up with UBNT UAP-AC-SHD or Pro, I would probably need more than 1 for my house I would assume correct?
Also for the UniFi software that you run on your machine in order to monitor or install or setup. Are you able to run and install that software on pfsense as a package or would I have to install it on my windows desktop or laptop and have that be the location for the install for the controlling software?
I also saw that they have mobile apps but not sure if they are more for just monitoring and viewing and not really used for setup of a new device.
BTW I ended up getting the SG-4860 box and it has been an interesting few days to try and get it setup. Have not gotten it totally running since only can have 1 computer online working it seems like it. So have to get the wifi APs in the mail and setup and then maybe I can set it up and leave it setup. It is definitely a neat system and software but man oh man it is robust and definitely taking some time to learn and understand and tinker with. But have been getting great help from the community.
-
For POE I would just need to make sure that I am using Cat5, Cat5e or Cat6 cables correct? Was not sure if there was a difference other than throughput speed or if there was more to it than that.
For 1 GBit/s you will need CAT.5e and if you are willing you can also go with CAT.6(A) if you want to,
for PoE nothing is better than good shielded cables in my eyes.
So more or less if I end up with UBNT UAP-AC-SHD or Pro, I would probably need more than 1 for my house I would assume correct?
This depends on the WLAN AP itself and the whole ground of your house.
Also for the Unify software that you run on your machine in order to monitor or install or setup. Are you able to run and install that software on pfsense as a package or would I have to install it on my windows desktop or laptop and have that be the location for the install for the controlling software?
The software is able to do the internal routing too; if so, and you let that WLAN controller do that internal routing,
you should end up with a small low-power box, if not, you will be able to use a small Raspberry Pi 3 too.
The RasPi would be my choice.
I also saw that they have mobile apps but not sure if they are more for just monitoring and viewing and not really used for setup of a new device.
Could be nice but I prefer that software WiFi controller.
BTW I ended up getting the SG-4860 box and it has been an interesting few days to try and get it setup. Have not gotten it totally running since only can have 1 computer online working it seems like it. So have to get the wifi APs in the mail and setup and then maybe I can set it up and leave it setup. It is definitely a neat system and software but man oh man it is robust and definitely taking some time to learn and understand and tinker with. But have been getting great help from the community.
It's a cool device and strong enough to realize more than all you want, so you will also get some headroom for future
upgrades from your ISP line.
The other thing is with running the SG-4860 how much of a hit would I hit on my connection for speed when using VPN? Only have one choice for internet service provider (Comcast) and my current connection is 85mbps down and 10mbps up.
The SG-4860 will be able to route (without PPPoE) ~900 MBit/s on a symmetric 1 GBit/s Internet connection
and around ~470 MBit/s over IPSec VPN!!!
-
BlueKobold thanks for the info. Yeah the SG-4860 is probably an Overkill for me right now and even in the future possibly. Gorget I didn't want to be constrained in the future and figured I would just spend now and get something that will be future proof.
I do have a Raspberry Pi box didn't even think about using it at all.
If you have more than one Unifi AP, say SHD and Pro or 2 Pros, do they act together so same password and SSID so it is a seamless connection when walking around the house? Or do they act independently so you would have to connect and save multiple SSIDs and passwords?
-
@BlueKobold:
For POE I would just need to make sure that I am using Cat5, Cat5e or Cat6 cables correct? Was not sure if there was a difference other than throughput speed or if there was more to it than that.
For 1 GBit/s you will need CAT.5e and if you are willing you can also go with CAT.6(A) if you want to,
For 1000baseT you need cat5, which is the cable the 1000baseT spec was designed for. Some additional tests were added to the cable standard and the result was cat5e. The differences mainly involve crosstalk tolerance, and had more impact on connector/punchdown assembly than the cables themselves. Most factory built cat5 cables would pass the cat5e spec but weren't tested/certified as cat5e. (Field terminated cat5 was a mess, as 100baseTX didn't push the specs as hard as 1000baseT, and only used 2 pairs like 10baseT, so some installers back in the day didn't even bother to terminate all four pairs.) In practical terms, any decent cable you buy new today will work fine at 1000baseT. You won't find any cat5 for sale in 2017, and if you're looking ahead to 10GbaseT there's no reason to buy cat5e rather than cat6 (if there's a huge price difference, find a different source). If you already have cables, they're probably fine, just try them. If you run into problems (like the link takes a long time to come up, or won't get above 100Mbps, or starts at 1000Mbps and then steps down) it's probably the termination, but unless it's a really long run it's not worth fixing rather than tossing it.