Building my lan: do I need a managed switch for my VLANs?

valepe69

I'm setting up my new network at home and I'm new to pfSense.
Now I have an Edgerouter-X with an unmanaged switch to serve my lans.
I have three VLANs, the main one (untagged), a guest one (vlan2) and a iot one (vlan3).
All these three VLANs are trunked on a port of the ER-X to an Unifi AP with multiple SSIDs. Other switched ports of the ER-x serve the main lan only through unmanged switchs.

I'm setting up a pfSense box using a Firebox XTM5 with an upgraded CPU (Q9550) and 4GB of RAM. This unit has 6 1Gbit lan ports so I'll use two of them for WAN primary and backup connections.
My idea is to have one port with all VLANs (untagged, vlan2 and vlan3) that should go to the AP, then have cabled ports for every VLANs:

• eth0: WAN1
• eth1: WAN2
• eth3: trunk VLANs (untagged, vlan1 and vlan2)
• eth4: untagged port (main lan)
• eth5: vlan2 tagged (guest lan)
• eth6: vlan3 tagged (iot lan)

Can this layout work?

Any suggestions?

JKnott

@valepe69

You can get by without a managed switch only if all the devices for the VLANs can be configured for VLANs. Given your guest and IoT LANs, I'd say not. If you were, for example, setting up a guest WiFi and the AP was the only device that needed VLANs, then an unmanaged switch would be OK. Other devices would just ignore the VLANs.

Managed switches are cheap, so why not get one? I have one here that I use strictly as a data tap, in addition to my main switch.

valepe69

@JKnott No problem to add a managed switch.
But I have a doubt (I'm noob on lan management): with a managed switch all connections of my lan goes from switch to the pfsense box for DHCP, DNS, firewall rules, etc, right?
In this case this connection will be a bottleneck for lan speed?

johnpoz

dhcp and dns are nothing but tiny little packets.. That is not going to be any sort of hit on performance.

Where you could see issues would be if your routing between these vlans.. And users moving large amounts of data.. At gig speeds?

My idea is to have one port with all VLANs (untagged, vlan2 and vlan3) that should go to the AP, then have cabled ports for every VLANs:

that makes no sense... If you have the ports, then just use individual uplinks for each vlan.. This removes any hairpin for intervlan traffic.

You don't need both a trunk, and then specific interfaces in each vlan.. Pfsense really won't even let you do that - unless those are switch ports and not interfaces? And it would create a loop anyway.

edit: DOH!!! Read the post John ;)

Your trunk is to your AP... That is fine - duh!!! ;)

edit2: Man I need more coffee.. No you can not do that.. You would connect your AP to your switch.. And trunk that connection. Not an interface on pfsense. Pfsense is not going to let you put multiple interfaces on the same vlan.. Unless these are switch ports on your pfsense box?

JKnott

@valepe69

I'm assuming your LAN is 1 Gb, as that's been common for years. Will that be a bottle neck? As for the amount of traffic, there will be no difference with a managed switch or not. You're sending out exactly the same traffic, VLAN tags and all.

Perhaps you should read up a bit on VLANs so you have a better idea of what you're doing. A VLAN makes a network appear as physically separate networks. Sometimes, a VLAN is used to separate traffic on the same cable, such as the guest WiFi I mentioned. They're also often used with VoIP phones, where the phone and computer data are carried over the same cable. They are also used to separate networks at a different location. In this instance you could have a remote switch that splits off the different networks. So, you have to look at what you're trying to do and go from there.

valepe69

@johnpoz No, XTM5 hasn't switched ports

valepe69

@JKnott Apart VLANs, if two devices on my untagged lan should transfer large files, is this traffic checked by pfsense only at the beginning (firewall, etc) then the switch does the job or all the transfer traffic goes up and down from the switch and the pfsense box?
Any suggestions about a good managed switch for home use?
I prefer those without java.

johnpoz

@valepe69 said in Building my lan: do I need a managed switch for my VLANs?:

if two devices on my untagged lan should transfer large files, is this traffic checked by pfsense only at the beginning (firewall, etc)

Pfsense has zero to do with the conversation - no firewall rules will be checked...

As to switch - how many ports, what budget?

If pfsense box doesn't have switch ports - then no you can not connect your AP to 1 port, and then put other ports in the same vlan you send to your AP.

Connect your AP to your switch... Then you can either use a single line, or lacp for connection from you switch to your pfsense to carry the vlans. Or you could use specific interfaces as uplink for each vlan.

JKnott

@valepe69

When files or other data are transferred between VLANs, then they must go through pfsense, unless you have some other router or layer 3 switch to do that..

Any suggestions about a good managed switch for home use?

Avoid TP-Link. My main switch is a Cisco, but there are plenty of other decent brands.

johnpoz

There are many a smart switch that will work.. All comes down to what features you want/need, how many ports, and what your budget is..

But yeah with JKnott - I would avoid tplink, they don't really seem to understand how vlans are suppose to work ;) Many a thread on here even about that.

JKnott

@johnpoz

And I have stopped using my TP-Link AP that had that "feature".

johnpoz

Yeah, and your happy so far I take it - did you get your controller running how you want it?

One thing I would suggest with your switch.. If you think 5 ports is enough, get an 8 port model or higher. If you think 8 is enough, get 16 min, etc. Can never have too many switch ports ;) Always plan for growth and wanting to connect something extra now and then even, etc.

Also don't be afraid of too many features ;) Even if you plan on never doing L3 or advanced ACLs like multicast, etc. You never know what you might want to do 6 months or a year from now. So as long as your ok with the budget, get something that will allow you to grow both in ports and things you might do from a features standpoint.

JKnott

@johnpoz

Not yet. I have to take a few minutes to create a certificate for it. My one complaint is you can't specify which 802.11 versions are allowed, though you can block 802.11b. With my TP-Link, I only allowed n. I did set 5 GHz to 80 MHz channels and now see well over 300 Mb down. My TV, on 5 GHz, now gets around 60 Mb, but used to get around 11 on 2.4.

A Former User

@johnpoz said in Building my lan: do I need a managed switch for my VLANs?:

If you think 5 ports is enough, get an 8 port model or higher. If you think 8 is enough, get 16 min

Absolutely! Take this advice.

A good switch will last a long time. Get one with decent thermal properties (heat kills switches) and it will, for all intents and purposes, last forever.

JKnott

@johnpoz said in Building my lan: do I need a managed switch for my VLANs?:

Can never have too many switch ports ;)

Something like this might be adequate for a home user.

johnpoz

haha - that might be a bit of overkill.. For starters they LOUD as F!! And suck juice like you have a nuc reactor in your back yard ;)

And lets just say its a bit expensive for your typical home budget ;) hehehehe

valepe69

@johnpoz well, it should manage VLAN and help to speed up my lan traffic. Actually the main switch (unmanaged ) has 8 ports so I would go for a 16 ports one. As for the price, I prefer to no go over 200€ (I'm in the EU piece of the world :) )

valepe69

@johnpoz well, I have (but never used) a Nortel 5650td-48-pwr but I prefer one less power hungry

johnpoz

Not sure what you mean by help you speed up your lan traffic? If the switch is rated gig - it should pass traffic at wire speed, be it 40$ smart switch or a $200 model ;)

Unless your talking about routing the vlans at the switch, and not your pfsense? In that case you would want a L3 capable switch.

For 200, I would think you should be able to find something great.. Its a touch over your 200 budget.. And not sure how that might change for the EU market.. But for example this cisco sg350-28 would be a killer switch for home use... I have the sg300 (previous model)

https://www.amazon.com/Cisco-Sg350-28-28-Port-Gigabit-Managed/dp/B01HYA38CA

And they are easy on the juice as well!

My sg300-28 has a couple more years of support on it.. But lets say I spilled some beer on it or something, and it took a dump.. I would go with the sg350 line..

A Former User

@johnpoz I like my Cisco Small Business SG220-50P. Yeah, it's a bit noisy and not the most power efficient but it lives in the basement and just works. Get one like it not POE and replace the fans. I don't often recommend eBay, but in this case a used switch might be the thing to do.