Looking to learn, any advice appreciated

wilsouk

Hi all,
I am currently a few months into learning about networking using PFsense as an excuse, and community has been massively helpful. I am now onto VLANs, switches and subnetting which is a STRUGGLE. Bear in mind the below is part me setting up a useful network in my house, part overkill/project to learn more.

I have a router with x4 physical NIC running PFsense now. So far I have been using x1 NIC to WAN, x1 NIC to LAN, which has an unmanaged switch, which goes into my NAS, then two further unmanaged switches; one upstairs and one downstairs.

I now want to see if I can put the other two physical router NICs to use (call them OPT1 and OPT2). First of all, my NAS has x2 NIC also and is running Proxmox with plex, webserver, samba shares etc on differing VMs. Promox supports bridging to either NAS NIC (say NAS1 and NAS2) and VLANs (tagging I presume). Therefore (and please educate me if I am wrong) I could have my samba VM to NAS1 and my plex to NAS2. I could connect physically NAS1 to OPT1 and NAS2 to OPT2. If my LAN is 192.168.1.1, I could set OPT1 to 192.168.2.1 and OPT2 192.168.3.1, then settling Samba VM to 192.168.2.x and Plex to 192.168.3.x. Is this “subnetting”? Would making a VLAN say “Samba”, then assigning it to OPT1 provide more security? I would aim to ensure my Samba VM could only access LAN for example, but doing subnetting this could also be accomplished doing the same interface rules?

Another query I had was – I also want to set up a guest SSID and also have Nest thermostat and similar to only access WAN only, not my network. I get the sense the best way of doing this is my set up is by VLANs? I also presume I would need managed switches. Are unmanaged switches of any use in VLANs? For example, it I set a VLAN called “Downstairs” with no ID/tag to OPT2, plugged an unmanaged switch in, would also devices/traffic go through this “Downstairs” VLAN?
Regarding VLANs and multiple NICs, can, and is there is advantage to crossing multiple NICs. For example, I could have downstairs and upstairs plugged into a managed switch, which this goes into both OPT1 and OPT2, but have a VLANs “IOTs” where devices are both upstairs and downstairs, but just allocated to OPT1, and say “streaming” VLAN allocated to OPT2. Would this share the bandwidth between the two NICs? It seems logical in my head but may be absolute rubbish! Basically, I am saying say if I had 7 VLANs in my house, is it beneficial to share these across the 3 NICs. Or is it just easier to have NAS on its own subnet and not use VLAN at all. Or should I mix the two.
Sorry for the long read. Layer 2, layer 3, subnets, VLANs has been a lot to get my head around…

johnpoz

You can physically create networks sure.. So your other interfaces on your router plugged into another device and or dumb switch could and would be a different network than devices connected to your lan interface and those dumb switches.

Dumb switches can be leveraged downstream of a smart/managed switch that understands vlan tags. But everything on that switch would be on whatever vlan you put the port you plugged into on.

Here is my suggestion if you want to start playing with vlans - you need to get some smart/managed switches. The entry level models are very cost friendly.. You can get a 8 port gig switch that understands vlan tags for like 30-40.. Really the same price range as their dumb cousins..

Creating different networks 192.168.2.x/24 and 192.168.3.x/24 is not really "subnetting" unless your talking about subnetting the parent network 192.168/16 to smaller networks 192.168.x/24 for example then yes 192.168.x/24 is a subnet of 192.168/16

Subnetting is the process of taking a larger network and breaking it up into smaller networks. So for example you could take a 192.168.2/24 network and create 2 networks from that

192.168.2.0/25 = 192.168.2.0 - 192.168.2.127
192.168.2.128/25 = 192.168.2.128 - 192.168.2.255

Those 2 networks could be broken into 2 more networks by using /26, etc.

wilsouk

Thanks very much for your help. On that note, it was seeing a lot of your advice going back 6 years or more that sparked me to look into VLANs. You have mentioned in the past organising VLANs by device i.e. WLAN, LAN, IOTs; therefore using appropriate firewall rules for each. A lot of pictures you have posted previously regarding this have been lost (I presume in the move to netgear forums), do you still have access to them?

I have a 8 port managed switch on the way. Ill mess around with for one NIC interface which supplies my house. With the other two NICs I will use one for the NAS, and one to proxmox which supports VLAN for VMs.

Am I right in saying this - if I have NAS on OPT2 and the managed switch on OPT3, and create a VLAN called "Devices", I need to attach it to a interface? So I assign "Devices" to OPT3, I presume that NAS on OPT2 can not be part of this VLAN?

More to the point, if the NAS is a solitary device off the OPT2 interface, it being in on its own network (and accessible to the other networks by firewall rules) confers no disadvantage compared to it being in a VLAN?

Also, I presume you can also daisy chain managed switches, being specific about which VLANs you send to the next switch?

JKnott

@wilsouk said in Looking to learn, any advice appreciated:

Also, I presume you can also daisy chain managed switches, being specific about which VLANs you send to the next switch?

First off, daisy chaining switches is a bad practice. Create a tree structure, with one root switch. That root switch would likely be where most of the data is going, such as the Internet connection, servers etc. Second, switches supporting VLANs are commonly connected with trunk ports, not access ports. Trunk ports pass all VLANs or as configured. Access ports are normally on one VLAN, though there are exceptions, such as Cisco switches, where a 2nd VLAN supporting VoIP might be used on an access port.

wilsouk

@jknott Cheers. For my education, why is daisy chaining bad practice? In my case would (or could) the PFsense box act as the root switch?

I dont think I could get around daisy chaining in my set up how things are physically wired wise:

PFSENSE -> NIC1 -> SWITCH hall -> SWITCH living room -> SWITCH kitchen (terminates)

And if used some VLANs would have devices attached to all of these switches...

JKnott

@wilsouk said in Looking to learn, any advice appreciated:

For my education, why is daisy chaining bad practice?

When you daisy chain packets have to travel hop by hop to get where they need to go. That means more hops than a tree structure and more hops means more latency, so it would slow down the network a bit. In large networks, a tree structure is what you'd normally use.

Hierarchical internetworking model

johnpoz

Lets not confuse users with terms they do not understand ;)

Having a downstream switch is not a problem.. Nor is latency going to be a problem even if you had 4 or 5 switches in a daisy chain..

What you have to be aware of when you daisy chain switches is not the latency but the bottleneck you create in the uplink..

If your router

router --- switch1 --- switch2 ---- switch3 --- pc

In such a scenario the latency is not going to be an issue - your taking maybe 1 ms.. But the problem is those uplinks are going to be your choke points.. To either get to internet or another network or other devices..

While sure ok its gig from router to switch1, but keep in mind you have all devices on switch1, 2 and 3 all going to go through that 1 gig pipe to the router to get to the next network. All the devices on switch2 and 3 will share the uplink talking to devices on switch 1, etc.

Its not the latency that is going to be an issue - switches do not add any significant latency unless your talking about doing high speed trading in the stock exchanges, etc. In such a case you would be using cut through switches vs store and forward, etc.

In your typical enterprise/soho/home network its not the latency of daisy chaining that is ever going to be an issue. Its he choking of the bandwidth you should be worried about.

So if you want to hang a dumb switch off your smart switch to add a few devices in vlan X - that is more than fine and not an issue.. But down't think its ok to have

router --- dumbswitch - smartswitch -- dumbswitch - pc

That is going to be an issue.

But you can do

router -- smartswitch - dumbswitch - dumbswitch

As long as you understand that all devices that are connected to the dumbswitches are all in the vlan you assigned to the port the on the smartswitch you connected the dumbswitch too. And that the bandwidth will be shared as you move up your true to the router.

Derelict

The real issue is if the first switch in the chain dies, your whole network is down.

This is why enterprises invest heavily in "core" switching fabrics that everything else connects to.

Core switching cannot go down. Ever. Especially when millions of dollars go unearned (or millions of payroll is being spent with no work done) when it stops forwarding frames.

In your house, who cares.

JKnott

@derelict said in Looking to learn, any advice appreciated:

In your house, who cares.

Maybe we should help him set up Shortest Path Bridging.

wilsouk

@johnpoz Great, thanks - lot clearer now. Your right, as 90% of traffic will be going through switch 1, with two smaller switches off this. Would setting LAGG between two NICs from router going into the main switch help combat bandwidth issues? Or am I going against the KISS princple?!

@derelict Cheers, yes very much just wanting to understand the theory behind. I'm conscious of not overkilling it for a home network!

Derelict

@wilsouk said in Looking to learn, any advice appreciated:

Would setting LAGG between two NICs from router going into the main switch help combat bandwidth issues?

Are you routinely seeing more than about 400Mbit/sec sustained inside? If not, don't sweat it.

JKnott

@wilsouk said in Looking to learn, any advice appreciated:

Would setting LAGG between two NICs from router going into the main switch help combat bandwidth issues?

Unless you have more than 1 Gb bandwidth from your ISP, it won't make a bit of different. Your local LAN is not likely to be a bottleneck.

johnpoz

could make a difference if he is doing intervlan routing at pfsense be it his internet is 10 or 10ge, etc.

lagg not going to really help unless you have lots of devices talking to lots of other devices across the uplink.