Netgate Discussion Forum

    General Questions from a Noob

    • SammyWoo

      At first, I don't know why a firewall and NAS need to be spoken in the same breath, to me they are separate function items that you simply pair them, like you need an ethernet switch somewhere, and probably a WIFI access point somewhere and….

      Then aha, you want this FW box to also do this and that... which I don't recommend, you are making things more complicated, and harder to upgrade in the future.

      Let FW be JUST a FW.  You throw in say a WIFI thing in there, and when things break, you have no idea whether the problem is with the WIFI or the FW, plus a FW most likely sits in a closet corner while the WIFI needs to be centrally located.

      An all-in-one box, you have to make multiple decisions and limitations because everything is in one box.  Separate boxes, the decisions become simpler, and when, say WIFI gets outdated by a new 802.11 blah-blah, you simply switch out the WIFI box w/o having to touch the other stuff.

      • RandomUsr

        Right.

        No one suggested any 4 port switch, or Wifi devices. So I'm guessing that my software Firewall will just end up being a magical box with no connection at all… Do people typically forego installing a NIC or Wifi adapter altogether?

        Also, I'm not opposed to virtualizing the NAS and having the PFsense the host, or vice versa; depending on what works better.

        SammyWoo: Wifi box? are you referring to an access point?

        • JKnott

          No one suggested any 4 port switch, or Wifi devices.

          1. Avoid TP-Link
          2. Avoid TP-Link

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • Raffi_

            I'm not saying you didn't already try searching the forum, but the hardware section of these forums has many recommendations on smart switches and WiFi hardware.

            The general consensus seems to be that you should avoid setting up WiFi on pfSense itself since apparently it doesn't work very well. I believe the WiFi troubles are a FreeBSD issue since that's what pfSense is based on. Oh that reminds me, don't make the mistake of calling FreeBSD Linux, you might get scolded for that on these forums :)

            The most common WiFi recommendation I see is to set up a separate WiFi Access point which connects to the LAN on pfSense. If you check the hardware section for WiFi access points, some recommend Ubiquiti, some recommend Ruckus, and there are many others. If that's too expensive, you can go for an off the shelf WiFi router, turn off the router functions and set it up as an access point only. Go for what suits you.

            Regarding a NAS, you mentioned FreeNAS. I have no experience with that but you may want to check FreeNAS specific forums for better information on it. I can say that I love my Synology Diskstation though which is Linux based. This is my second generation box so I loved it enough to get another.

            Raffi

            • johnpoz LAYER 8 Global Moderator

              Tell you for sure that the synology nas is way more user friendly than freenas or nas4free, etc. Running their DSM 6.2rc currently…  No brainer simple stuff..  Running virtual machine manager on it - easy to setup some VMs so running unifi controller on a ubuntu vm, and domotoz on a vm.. They have a package for synology but don't see how you can do vlans with that so just run it on ubuntu vm.  Also run some docker stuff on there..

              You could for sure prob run pfsense on there - but have not gotten around to playing with that yet.

              I ran pfsense on esxi for many years.  On the same esxi host I ran my nas, etc. plus many other vms..  And I do love running pfsense as vm - makes no brainer to play with snapshots since you just take a snapshot of the vm before you do anything - so click to rollback, etc.

              But then again with your router on your esxi host - when you have to say upgrade esxi, your whole network is down..  When the older esxi host couldn't keep up with my new faster internet speed moved to pfsense on hardware - got the sg4860.. Loving IT!  And broke out my nas to a synology ds918+ which very happy with.. Kind of wishing I would have gone with more bays and should have gotten something I could go 10ge with.. Next one ;)

              You did not give any sort of budget.. You can get your basic smart vlan capable switch for under $40 for sure 8 port gig.  Or you could drop a couple hundred on more ports and more features.  I am huge fan of the cisco small business sg300 line have 28 port and 10 port.. Love them...  But I concur with jknott stay away from tp-link.  They are supposed to have fixed their 108e model v3 with firmware on the vlans... But previous v2 has no firmware update and vlans are borked on them..  I believe same thing with their AP they don't actually do vlans correctly.

              For AP I run unifi and they are very nice and very home budget friendly for the feature set.. $130 gets you the AP pro model, or 80$ gets AC lite model..  I have 3 in my house and they support pretty much anything you would want to play with home network.  Recently added dynamic vlans via mac address on PSK ssids - can hand them out via freerad running on pfsense ;)

              If you want to build a VM host for your router and nas that is fine - but do yourself a favor and break out your wifi to real AP..

              While your VM host if you do one for sure 4 ports a good start, you're still going to want a vlan capable switch..  POE 4 port nic?  Don't think I have ever heard of such an animal..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • gzorn

                I'm guessing that the OP was looking for recommendations on a POE switch, rather than NIC. I'm building an IP camera setup behind my pfsense router. I use a Netgear GS108PEv3 (8 ports total, 4 have POE) and a GS110TP (cannot remember version number - used from ebay, 8 port POE + 2 SFP). They seem to work, though they get warm (no fans) and the mgmt webserver on the GS110TP is quite slow. It's more than sufficient for powering a bunch of cameras (usually no more than 6W each). Both are VLAN capable, though it takes some experimentation to make that work right.

                A few bits of unsolicited advice - I was initially thinking about doing something similar to what you're planning. However, I decided to buy an old, cheap Dell desktop off ebay ($150 for a used 3020 under warranty + $40 multiport NIC) to dedicate to the router. I think that's a better choice for manageability (updates to the NAS, cameras, or VM server don't take your entire intranet down) and security (new variants of spectre have already surfaced).

                Although it sounds like a small thing, what you're planning is potentially a big, complicated project. Dividing it into separate, manageable chunks will dramatically reduce your workload and the consequences of making a mistake. If you're a *nix newbie, there's a LOT to learn.

                • Waqar.UK @JKnott

                  @jknott said in General Questions from a Noob:

                  No one suggested any 4 port switch, or Wifi devices.

                  1. Avoid TP-Link
                  2. Avoid TP-Link

                  I use TP link switches across my house as well as my cousins. No problems so far.
                  Router as AP, yes totally agree as I bought a TP link router two years ago, it needed to be re-booted every few days. I spoke to their friendly tech support and they could not solve it. Bought an Asus, works perfectly and I think their firmware is open source. Third party firmware is also available.

                  • johnpoz LAYER 8 Global Moderator @Waqar.UK

                    @waqar-uk

                    So you use those tplink switches with vlans? If not then sure they are fine - the problem with the tplink 105e and 108e versions is they do not actually do vlans correctly. They do not allow removal of vlan 1 from ports you want to put into a different vlan. So every interface is in vlan 1 be it you put it in a new vlan 10 or not.

                    So it's not any better than a dumb switch running multiple layer 3 on.

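The VLAN 1 problem described in the post above, as an added example (not code from the thread or from any vendor): a small Python model of 802.1Q broadcast flooding over a constructed five-port membership table, plus an audit that flags ports left as untagged members of a VLAN other than their PVID. The port numbers, VLAN 10, the uplink on port 1 and the table layout are all assumptions made for illustration.

```python
"""Model of 802.1Q flooding on a small managed switch (constructed data)."""

# Constructed table: vlan id -> {port: "U" (untagged) or "T" (tagged)}.
# Port 1 is the uplink to the firewall; ports 4 and 5 were assigned to
# VLAN 10, but this switch does not allow removing them from VLAN 1.
BROKEN = {
    1: {1: "U", 2: "U", 3: "U", 4: "U", 5: "U"},
    10: {1: "T", 4: "U", 5: "U"},
}
# Same assignment on a switch that does allow removing VLAN 1 from a port.
FIXED = {
    1: {1: "U", 2: "U", 3: "U"},
    10: {1: "T", 4: "U", 5: "U"},
}
# PVID: the VLAN an untagged frame is classified into on ingress.
PVID = {1: 1, 2: 1, 3: 1, 4: 10, 5: 10}


def flood(table, pvid, ingress_port, tag=None):
    """Return {port: mode} for every port that receives a broadcast.

    Untagged frames are classified by the ingress port's PVID, tagged
    frames by their tag. Assumption of this model: a frame is dropped
    when the ingress port is not a member of the frame's VLAN.
    """
    vlan = tag if tag is not None else pvid[ingress_port]
    members = table.get(vlan, {})
    if ingress_port not in members:
        return {}
    return {p: mode for p, mode in members.items() if p != ingress_port}


def audit(table, pvid):
    """List (port, vlan, pvid) where a port egresses a foreign VLAN untagged.

    An access port should be an untagged member of its PVID only; any other
    untagged membership delivers that VLAN's traffic to the attached host.
    """
    findings = []
    for vlan, members in sorted(table.items()):
        for port, mode in sorted(members.items()):
            if mode == "U" and pvid[port] != vlan:
                findings.append((port, vlan, pvid[port]))
    return findings


if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "audit findings:", audit(table, PVID))
        print(name, "broadcast from port 2 reaches:", flood(table, PVID, 2))
        print(name, "broadcast from port 4 reaches:", flood(table, PVID, 4))
```

In this model the leak runs one way: broadcasts from VLAN 1 hosts reach the ports meant to be isolated in VLAN 10, while VLAN 10 broadcasts still stay within VLAN 10 members.
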
                    • JKnott

                      @waqar-uk said in General Questions from a Noob:

                      I use TP link switches across my house as well as my cousins. No problems so far.

                      As johnpoz says, some TP-Link switches don't handle VLANs properly. I also have the same issue with my TP-Link AP. However, other than that, it works well.

                      • Waqar.UK @johnpoz

                        @johnpoz said in General Questions from a Noob:

                        @waqar-uk

                        So you use those tplink switches with vlans? If not then sure they are fine - the problem with the tplink 105e and 108e versions is they do not actually do vlans correctly. They do not allow removal of vlan 1 from ports you want to put into a different vlan. So every interface is in vlan 1 be it you put it in a new vlan 10 or not.

                        So it's not any better than a dumb switch running multiple layer 3 on.

                        I don't use VLANS, but I use them as 'dumb' switches that work fine for me.

                        • johnpoz LAYER 8 Global Moderator @Waqar.UK

                          @waqar-uk

                          Yeah they are fine for dumb - but why would you have purchased a smart if all you wanted/needed was dumb. Was your future plan to use them as vlans? If so the v2 version has not gotten a firmware update while the v3 models seem to have a firmware update out that is supposed to fix their mishandling of vlans.

                          • JKnott @Waqar.UK

                            @waqar-uk said in General Questions from a Noob:

                            I don’t use VLANS, but I use them as ‘dumb’ switches that work fine for me.

                            One thing you can do with managed switches is port mirroring. This allows you to use a separate computer, running Wireshark, to monitor the traffic. I have one of those VLAN challenged TP-Link switches, but it works fine in the port mirroring role. I carry it in my computer bag, so I can use it when necessary to monitor an Ethernet connection.

                            • johnpoz LAYER 8 Global Moderator

                              Yeah it would work for that because it's like a hub ;) heheh with everything in vlan 1 ROFL hehehe So all broadcast/multicast is going to every port anyway. Your mirror is just going to add the unicast traffic so it doesn't have to do much hehehehe

                              • JKnott @johnpoz

                                @johnpoz said in General Questions from a Noob:

                                Yeah it would work for that because it's like a hub ;) heheh with everything in vlan 1 ROFL hehehe So all broadcast/multicast is going to every port anyway. Your mirror is just going to add the unicast traffic so it doesn't have to do much hehehehe

                                You set it up so that one port monitors another. I have mine configured so port 1 monitors port 2. I plug the computer running Wireshark into port 1 and pass the connection through port 2 and any other port. It does not turn a switch into a hub. The non mirror ports continue to work as a regular switch.

                                • johnpoz LAYER 8 Global Moderator

                                  Dude I know what a span port is ;) I was freaking joking..

                                  • JKnott @johnpoz

                                    @johnpoz said in General Questions from a Noob:

                                    Dude I know what a span port is ;) I was freaking joking..

                                    Some less knowledgeable may not know that.

                                    • Waqar.UK @johnpoz

                                      @johnpoz said in General Questions from a Noob:

                                      @waqar-uk

                                      Yeah they are fine for dumb - but why would you have purchased a smart if all you wanted/needed was dumb. Was your future plan to use them as vlans? If so the v2 version has not gotten a firmware update while the v3 models seem to have a firmware update out that is supposed to fix their mishandling of vlans.

                                      I just bought a TP link 8 port switch to use as a way to pass my Pfsense LAN to many of my devices, be they a wireless AP, power line networking and my main desktop direct Ethernet connection.

                                      • JKnott @Waqar.UK

                                        @waqar-uk said in General Questions from a Noob:

                                        @johnpoz said in General Questions from a Noob:

                                        @waqar-uk

                                        Yeah they are fine for dumb - but why would you have purchased a smart if all you wanted/needed was dumb. Was your future plan to use them as vlans? If so the v2 version has not gotten a firmware update while the v3 models seem to have a firmware update out that is supposed to fix their mishandling of vlans.

                                        I just bought a TP link 8 port switch to use as a way to pass my Pfsense LAN to many of my devices, be they a wireless AP, power line networking and my main desktop direct Ethernet connection.

                                        They're OK as a regular switch or even for port mirroring. However, you can forget about using them for VLANs.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.