segment wifi traffic (guest, IoT, trusted)
-
@farmerjohn
I totally agree w. @johnpoz here.
Get a cheap managed switch for the job.
As a "bonus" you could use the 6 other ports for other vlans, and treat it as an additional 6 Lan interfaces.@jknott
Just because you could ... Doesn't mean you should.
And certainly not for saving $50/Bingo
-
I suppose you're thinking about dd-wrt
Hw-Rev A1
https://wiki.dd-wrt.com/wiki/index.php/Asus_RT-AC66UHw-Rev B1
https://wiki.dd-wrt.com/wiki/index.php/Asus_RT-AC66U_B1 -
There might be some "Trickery" in connecting the managed switch to the Lan IF , and enable tagging , wo. loosing Lan (that you need for configuring).
I suppose you could keep Lan as untagged.
Maybe one of the others have trued to run untagged & tagged on a pfS IF.
I haven't yet/Bingo
If you find my answer useful - Please give the post a š - "thumbs up"
pfSense+ 23.05.1 (ZFS)QOTOM-Q355G4 Quad Lan.
CPUĀ : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LANĀ : 4 x Intel 211, DiskĀ : 240G SAMSUNG MZ7L3240HCHQ SSD -
@bingo600 said in segment wifi traffic (guest, IoT, trusted):
Maybe one of the others have trued to run untagged & tagged on a pfS IF.
I run one of my interfaces with native (untagged) and then vlans on it.. There really isn't anything tricky about ;)
You can see that native network my wlan is untagged and on the igb2 interface. While then 2 other networks (vlans) are on that physical interface igb2
-
@bingo600 said in segment wifi traffic (guest, IoT, trusted):
Maybe one of the others have trued to run untagged & tagged on a pfS IF.
I haven't yetThat's what I have here. My guest Wifi is connected via VLAN3 and the main Wifi is on the native LAN. This is quite common with things like VoIP phones and office computers. On the pfsense end, once the VLANs are enabled, there's no difference with a native LAN when configuring them.
-
I suppose you're thinking about dd-wrt
That was my original plan, but also considering a Ubiquity UAP-AC-PRO - not sure if flashing and configuring the Asus router will be as simple as buying a Ubiquity.
-
I like the UAP AC Pro
I have 5 sites with that model installed.Then i also assume that $50 for a Vlan switch isn't an issue.
/Bingo
-
There is one correct answer to want to run vlans on a switch - the switch should understand the tags ;)
I currently have 3 unmanged switches in the house
one: trendnet TEG-S80G
two: HP procurve 1410-8GI'll be attaching the VLAN capable AP into one of the HP procurve switches - until I save up for a managed switch ;)
Are there advantages of replacing the other two dumb switches if I don't intend to run VLAN tagged traffic through them?
if so, I may go with a 3-pack of these Ubiquiti USW-Flex-Mini for $28 each.
-
@farmerjohn
I'd go for 8-port switches ...
Not that 5 wouldn't do , just that w. a 5 , you only have 4(3) for user ports , as the other 1(2) would be used for uplink(s)The advantage of Vlan enabled switches around your house.
Would be that you could , "pull out" ie. a Guest or "IOT" ethernet port on any switch , if needed. Or you could attach a new "AP AC Pro" on "that" remote switch , if you need better coverage in that area.I'd only buy managed switches today, price diff is too small not to.
You could reuse your old "dumb" switches , if you have the need for many ports of the same type (vlan) - Just make one port on the managed switch a member of vlan xx , and connect the "dumb" switch to that port.
Now every port on the dumb switch will be a member of vlan xx./Bingo
-
You could reuse your old "dumb" switches , if you have the need for many ports of the same type (vlan)
Good to know - I'll probably go with 3 of the 5-port flex mini's and if I need to add more devices (same vlan), I'll attach one of my 8-port dumb switches.
But, found this in the unifi datasheet:
USW-Flex-Mini uses port-based VLANs only and does
not support SSH, STP (forwarding only), 802.1X, DNS
suffix, or experience in the controller.SSH is not an issue for me, but not sure about the other limitations.
-
Re : Ubi switches ...
While cheap .. I'd drop them , looks like an el-cheapo model.D-Link just released a new 1100-08V2 (V2 is new)
https://us.dlink.com/en/products/dgs-1100-08v2-8-port-gigabit-smart-managed-switchDS
https://us.dlink.com/-/media/obu-content/us/datasheets/dgs/dgs-1100-v2-series_datasheet_v_100_dus.pdfGuide
https://support.dlink.com/resource/PRODUCTS/DGS-1100-08V2/REVA/DGS-1100-08V2_REVA_MANUAL_v1.00_WW.pdfBuy
https://www.amazon.com/dp/B08P2C2GXFI have used the old 1100-08 and 1100-08P (Non V2) , and that is my goto switch when needing something small & effective.
Seems like the PoE V2 has a bit of issues , but $35 for an 8-port & $30 for a 5-port, not that bad.
But they mention some GUI issues
But I'd get one , and try it out , if it were me.Datasheet actually shows a lot of value for the $$
My choice would be D-Link or Netgear
/Bingo
-
@bingo600
thanks for the recommendations - I will check them out. One appeal of the ubiquity, was that if I went with the wireless AP and switches, it would be easier to manage them all under their unifi controller software. I was hoping the reduced features of the flex mini would not be an issue for my use case. -
If you read what you wrote above about the UBI switches
USW-Flex-Mini uses port-based VLANs only and does
not support SSH, STP (forwarding only), 802.1X, DNS
suffix, or experience in the controller.I read that as it's too cheap to play w. the controller.
So no advantage in going for those cheapo's -
So while the $29 mini look interesting and I could seem them in specific use case..
But for my switch I was going to put on my network as just a general purpose switch. No - wouldn't look at those even with the nice price point.
Switching is quite often over looked at the importance in your network - just connect this one there, that one there.. you find daisy chained, etc. etc..
A proper laid out and configured L2 is a huge portion of overall network health and performance for sure.. Always overlooked.. Don't just buy xyz because its cheap.. think about what your wanting to do and what you may "want" to do in the future..
For example - being able to filter multicast doesn't always come to mind.. Tell you what with the broadcast monsters you put on your network.. Its a major thing I do and filter at my L2.. Just noise machines!! Filter them at the port vs that noise going everywhere..
-
My choice would be D-Link or Netgear
ok, given the small price difference (8-port vs. 5), I'll go with 8-port, either:
- Ubiquiti UniFi Switch 8 60W, $99
- Netgear ProSafe Plus GS108E, $48
- Dlink DGS-1100-08V2, $35
It doesn't make sense to go with ubiquity (if buy 3 switches) just for their unifi controller software. So appears Dlink is the way to go. Makes we rethink the ubiquity wireless AP now since no advantage of using their unifi controller software for just one device.
-
@farmerjohn said in segment wifi traffic (guest, IoT, trusted):
Netgear ProSafe Plus
I bought a used 16 ports one on eBay $30 freed shipping last year ... FYI. Still using it also, no problem; however, on my LAN, I have a Mikrotik RB450x2 5ports ($149 shipped) so I can separate guest, cameras, etc, plus the managed switch attached to it... many ways to feed a Cat ... I don't skin or kill Cat.
-
@farmerjohn said in segment wifi traffic (guest, IoT, trusted):
@bingo600
Makes we rethink the ubiquity wireless AP now since no advantage of using their unifi controller software for just one device.I'd still consider AP-AC-Pro , in fact i would still get it (them).
I would just see the unifi controller sw as an "AP Config tool" , and you don't even have to have it running, once the AP is set up.My controller at work , is permanently running in a Debian10 VM (because i have a VMware environment already).
But if i has just one AP and no "Always on server" , i'd prob just install & configure the AP , and stop the controller until next configure/update.
At home i'm using Cisco AP's (autonomous) , but that's because i got some for free. Else my budget (or power use / & Noise-level) isn't for "Enterprise" ....
If/when the Cisco's goto "Silicon heaven" i will be getting Unifi AP's.I might have gone a bit overboard w. SSID's on the Cisco's , i have 6 active and are using 4.
I have no idea what else there is besides Unifi , in the upper "home" price range.
/Bingo
Edit:
@JP .... Yes i know , many SSID's , management frames etc .yada..yada
But it's nice to have the "Phones" & "Mmedia" boxes in their own Vlans.
I can give the wife "Read-Only" to the pictures on the server , based on the phone ip range. And make sure the ATV's & other boxes arent used as jumphosts for poking around (if/when DHS wants that).And i like to be able to have a VPN "SSID" , that points to whatever my Deb10 ExpVPN GW is pointing at.
I can be "Cloaked" at will ..... -
have no idea what else there is besides Unifi , in the upper "home" price range.
ok, I'll stay with the unifi AP
My controller at work , is permanently running in a Debian10 VM
i have a raspberry pi 4b running ubuntu server that is always on, so I'll probably install the unifi controller on that, but a bit concerned about the write frequency on the 32GB sdhc. As you say, I can just stop the 'unifi service' and start when needed if write activity is too much.
-
@farmerjohn
I have Raspi's running on year 4..5 , using Sandisk Extreme & Sandisk Ultra.
Life is to short for cheap SD-CardsMy "backup" DNS/DHCP server is a Raspi3 - running on 4'th year , on a 32GB Sandisk Extreme.
/Bingo
-
My controller is running on my main Linux desktop system. This computer is up 24/7.
