So what I would like to achieve is the following to allow monitoring…
-
@jknott the goal is to be able to better monitor the internet traffic, but still use the UDMP to manage the Unifi estate that consists of Unifi switches, APs and some cameras.
-
@rfinch23 what is the point of pfsense if you want to leverage UDMP? Seems like you're throwing in another complexity and just something else that could fail?
And those switches you show are they part of the unifi infrastructure?
Where exactly are the AP going to connect? You are most likely going to have hairpinning or have to deal with L3 adoption if being controlled by the UDMP..
edit: Is your goal to have pfsense monitor traffic, so you're not wanting to leverage DPI on the UDMP? If that is the case there is no reason to route through it.. If you're going to leverage DPI on the UDMP - what is the point of pfsense?
-
@johnpoz yes all the switches shown are under the UDMP.
Currently there are 75 cable connection and 61 WiFi connections
Mixture of PCs, servers, tablets, some IoTs, phones, intercoms and cameras.
-
Your network is so messed up, I missed that 3rd router @johnpoz mentioned. You need one, count 'em, one router for a network. The way you have it, you now have at least 3 single points of failure.
but still use the UDMP to manage the Unifi estate that consists of Unifi switches, APs and some cameras.
I run the Unifi software on my main desktop system. Regardless there are other ways, such as the Unifi controller or a Raspberry Pi running Ubuntu Linux and the Unifi software. You could also run it on any Windows systems you have handy.
-
He can still leverage the UDMP to manage his unifi stuff, but there was another thread where that user was trying to route through the udm, when really there was no reason to..
Just because something can route, doesn't mean it has to ;) Just like a layer 3 switch that can do routing.. You can just use it as layer 2, or you could use it as a combo where it routes some stuff but only layer 2 for other vlans.
Same goes for this UDMP - you don't have to leverage its routing if you don't want to.. They don't go into this over on the unifi forums and docs - because why would anyone ever want to do that ;) heheh
Are you trying to leverage the DPI monitoring you can do with the UDMP - or are you wanting to use the pfsense to monitor? I get using the UDMP for your unifi infrastructure. But if you're going to leverage it at the edge - just not seeing what is the point of pfsense?
I don't believe the UDMP supports LACP, so is that what you're wanting to leverage pfsense for? Just seems like this is overly complex without any clear direction of exactly what you're wanting to accomplish..
Since it seems pretty impossible to leverage the UDMP for any sort of HA, something that has been requested for some time over on the unifi forums.. So if HA is your goal - I would just use the UDMP for your cameras and other unifi infrastructure and not try and leverage its routing or DPI.. But I don't get all the desire for HA when you clearly have multiple single points of failure upstream, especially if you try and use the UDMP at the edge.. If you're going to be ok with a spare swap box for the UDMP.. Why not just have a swap switch as well - and then just take pfsense out of the picture?
-
@johnpoz This sounds good, removing the UDMP from the routing and using it just as a controller. So would I then be better also offloading the DHCP to the pfsense as well? It will however be a shame losing the DPI as a layer of protection.
If I concentrate on the pfsense would it be possible to use a vigor 130 modem and use the pfsense to authenticate to the ISP? Then turn on the pfsense firewall and NAT to control traffic and any NAT that is currently used?
How would I configure the pfsense interfaces to connect to both the top switches and support all the internal networks?
This sounds like it would all help to simplify the network. I could then look at using HA with the pfsense.
Many thanks for both your suggestions to date
As you can see from all my questions I am new to the pfsense. So I really appreciate all your help.
-
@rfinch23 said in So what I would like to achieve is the following to allow monitoring…:
If I concentrate on the pfsense would it be possible to use a vigor 130 modem and use the pfsense to authenticate to the ISP? Then turn on the pfsense firewall and NAT to control traffic and any NAT that is currently used?
Yes. Assuming it's a PPPoE connection, which it almost certainly is with that modem.
Do those switches support stacking with cross-chassis LACP?
If so you should use that for redundancy.
Steve
-
I just came across this video, which might give you some ideas.
-
@stephenw10 Hi, yes the ISP will be using PPPoE.
And no Multi-chassis Link Aggregation Group (MLAG) support on the switches:
https://help.ui.com/hc/en-us/articles/360007279753-UniFi-USW-Configuring-Link-Aggregation-Groups-LAG-
-
@jknott Thanks, very interesting.