Home Router Recommendation
-
Traffic wise, I'm the only user that puts a burden on the network. Streaming, large file transfers, locally and remotely.
and
I wanted VLAN's at some point,….
Why pump all traffic through the pfSense box?
Why not push large files from one VLAN to another directly?
If you change the pfSense box hardware in some or many years, the Cisco SG300 will still be running fine!
For nearly wire speed between the VLANs it should be a Layer 3 switch or really strong pfSense hardware.
-
@BlueKobold:
Why pump all traffic through the pfSense box?
Not sure what you mean. I don't want to pump any traffic unnecessarily through anything. I'm trying to figure out the best way to do this.
Why not push large files from one VLAN to another directly?
Again, not sure what you mean exactly. I don't have plans to push large files from one VLAN to another, probably just on the same one. They'd be mostly computer image backups and some other backups as well.
If you change the pfSense box hardware in some or many years, the Cisco SG300 will still be running fine!
For nearly wire speed between the VLANs it should be a Layer 3 switch or really strong pfSense hardware.
If I didn't need wire speed between VLAN's and only needed it within the same one, does that change anything?
-
I'm wondering if a Layer 3 Switch is really necessary for my needs. It seems like a piece that is above my needs for such a small network as I have. I want at or near Gigabit LAN transfer speeds, but I have such little traffic. Most of it is from me. No more than a dozen or so devices at any given time, most of them not really doing anything. Simultaneous usage would be just a handful of devices at one time. One man can only do so much. Would a Layer 2 Switch suffice? Are there certain demands my switch must meet to deliver Gigabit-ish speeds?
A Layer 3 switch is the fastest, but not only option. A Layer 2 switch will force your pfsense box to handle inter-VLAN traffic. With a decent CPU and NICs this won't be a problem. I actually prefer the latter solution in many cases because you don't have to maintain multiple ACLs; all your rules are on the firewall page of the pfsense box. If you worry about saturating your LAN interface on pfsense with inter-VLAN traffic, this is where link aggregation can help. Since you're already using VLANs, you can aggregate the two (or more) physical interfaces into a single logical interface. Any single connection will still only use one NIC, but subsequent connections will balance out over the group, allowing, say, a large file transfer between VLANs to saturate one NIC while internet connections from other machines use another NIC and thus aren't affected speed-wise. Even the cheapest "smart" switches support this. It's not a bad way to go, especially for a home network, and will work just fine provided your pfsense hardware can handle the load. Essentially you'll just need to size it for gigabit throughput, as you would if you had a gigabit WAN.
-
If I didn't need wire speed between VLAN's and only needed it within the same one, does that change anything?
Yes, absolutely. I responded to an earlier post of yours before I saw this one. You'll be fine with a Layer 2 smart switch. They're cheap and work well.
-
Thanks. This sounds good to me. For the link aggregation, I'd be connecting 2 LAN ports from my pfSense box to 2 LAN ports on my Layer 2 Switch? If indeed so, obviously, I'd need a pfSense box with more than 2 total Ethernet ports.
-
Not necessarily. If you're using VLANs from the start, your internet connection can reside on one of them as well. In that case you'd plug your modem into a switch port on the VLAN you've designated for internet. This is how I do it with all my pfsense installs at work. In the one case where we're using a physical machine rather than virtual, the box has 2 NICs, aggregated into a single LAGG. Then, we define VLANs on top of that, and the internet router is connected to a switch port that is configured to the corresponding VLAN (the WAN interface on pfsense). What you end up with is a pfsense box with one logical physical connection but VLANs on top of that. It sounds more complicated than it is, but it's really pretty simple. Glad to provide help if you need it.
Quick edit: In short, you really only need 2 physical NICs for the scenario I'm describing. Downside is that you lose a switch port for your cable modem or whatever internet equipment your ISP provides.
-
Okay, let's make sure I understand this. Modem will plug into switch, then another cable will go from another port on the switch to the router WAN port. Now is there another cable coming from LAN port on router back to switch?
In regards to the quick edit, the downside is having one extra port being taken up on switch? If so, that's fine. Clarify the 2 physical NICs needed, as this setup is something I'm still trying to grasp, being new to me. Thanks again.
-
Yeah, I realized after I posted that the last time I did this on pfsense I actually had to do some manual config file editing because there was no LAGG setup in the console. I haven't set up a box from scratch with a build newer than 2.1 in a while, but the last time I set up a FreeNAS machine I was able to do it all from the console so maybe pfsense has followed suit. I'll have to fire up a VM and have a look.
Anyway, basic idea is this:
Let's say your pfsense box has 2 Intel NICs using the em driver: em0 and em1. Without LAGG, when you assign VLANs to one of those NICs (the parent interface), you get a new logical interface. I'll use VLAN 20 in this example (the actual ones you use are arbitrary for the most part; you have over 4000 to choose from). So VLAN 20 with parent interface em1 becomes an interface in pfsense called em1_vlan20. You can then assign that interface as your LAN, WAN, whatever you want. Rinse and repeat with as many VLANs as you like. The cable plugged into em1 will carry tagged traffic from any VLAN that has em1 as its parent interface. The switch's job is to interpret this traffic and send it to ports in the same VLAN. So, if em1_vlan20 is your WAN interface, an untagged port on your switch in VLAN 20 plugged into your modem will function the same as if the modem was plugged directly into a physical interface on pfsense.
With me so far? Now, we add one more layer of abstraction to the config. LAGG (link aggregation group) turns a group of NICs and switchports into a single logical connection. It can increase bandwidth and be fault tolerant (traffic keeps flowing, for example, if one link goes down). So, in pfsense em0 and em1 are used to create a LAGG, which then becomes another interface in pfsense, lagg0. If you define your VLANs with lagg0 as the parent interface, you get (again using VLAN 20 as an example) a new logical interface called lagg0_vlan20. You can assign that as your WAN port. As long as the switch is configured correctly, you can plug either or both em0 and em1 into either or both of the corresponding LAGG ports on your switch and the end result is the same as the former scenario except now you've got redundancy and twice the bandwidth, at least in a scenario where you have multiple connections. A single file transfer, for example, could consume up to 1Gbps while still leaving the other physical NIC free to handle any other traffic on the network. It's a type of load balancing.
Whew. And after typing all that I realize it may be way overkill for a beginner, and definitely not for the faint of heart if the pfsense initial config console still doesn't have the LAGG stuff in it. But when you see it work, it's pretty rad.
And an edit. The TL;DR on all of this is that if you're using VLANs from the start you really only need one physical NIC. Adding LAGG on top of that setup will increase potential bandwidth and add a layer of redundancy, at the expense of switchports.
-
Here's what it looks like in practice, and please excuse the messy naming conventions, this is one of my oldest and most hacked up installs. But it works great!
The config problems I alluded to in my previous post are because, as you can see, you can only add unassigned interfaces to a LAGG. This box only has two. Without one configured as a LAN port, management of the box is from the console only. But that can be worked around. In my case, I set up all the VLANs on bce0 first, got the box up and running, then used a VM to see what the LAGG config looked like in the config file. Downloaded my config file, added the LAGG config, and then changed every interface definition from bce0_vlanx to lagg0_vlanx. Uploaded the modified config, rebooted, and it just works. It might be easier now. I know FreeNAS has added that ability into their console based setup. If pfsense hasn't, they should :D
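The config.xml surgery described above, as an added example (not pfSense's own code): it models the rename from bce0_vlanX to lagg0_vlanX and checks the "only unassigned interfaces can join a LAGG" constraint before doing it. The XML layout is a simplified assumption modelled on the `<interfaces>`, `<vlans>` and `<laggs>` sections of a pfSense 2.x config.xml, and the sample config is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a pfSense 2.x config.xml (simplified):
# VLAN 20 (WAN) and VLAN 10 (LAN) both hang off the physical NIC bce0.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>bce0_vlan20</if><descr>WAN</descr></wan>
    <lan><if>bce0_vlan10</if><descr>LAN</descr>
      <ipaddr>10.233.233.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <vlans>
    <vlan><if>bce0</if><tag>20</tag><vlanif>bce0_vlan20</vlanif></vlan>
    <vlan><if>bce0</if><tag>10</tag><vlanif>bce0_vlan10</vlanif></vlan>
  </vlans>
</pfsense>"""

# Interface naming used in the thread: <parent>_vlan<tag>, e.g. bce0_vlan10.
VLANIF_RE = re.compile(r"^(?P<parent>[a-z]+\d+)_vlan(?P<tag>\d+)$")


def assigned_physical_ports(root):
    """NICs assigned directly as WAN/LAN/OPTn, i.e. not through a VLAN."""
    ports = set()
    for iface in root.find("interfaces"):
        name = iface.findtext("if", "")
        if name and not VLANIF_RE.match(name):
            ports.add(name)
    return ports


def migrate_to_lagg(config_xml, members, laggif="lagg0", proto="lacp"):
    """Re-parent every VLAN on members[0] onto a new LAGG built from members.

    Returns (new_config_xml, {old_vlanif: new_vlanif}).  Raises ValueError if
    a member is still an assigned interface: pfSense only lets unassigned
    NICs join a LAGG, which is what forced the workaround in the post.
    """
    root = ET.fromstring(config_xml)
    busy = assigned_physical_ports(root) & set(members)
    if busy:
        raise ValueError(f"unassign these NICs before adding to LAGG: {sorted(busy)}")

    # Add the <laggs> section that the setup console could not create.
    laggs = root.find("laggs")
    if laggs is None:
        laggs = ET.SubElement(root, "laggs")
    lagg = ET.SubElement(laggs, "lagg")
    ET.SubElement(lagg, "members").text = ",".join(members)
    ET.SubElement(lagg, "laggif").text = laggif
    ET.SubElement(lagg, "proto").text = proto

    # Re-parent each VLAN definition and rename its sub-interface.
    renames = {}
    for vlan in root.find("vlans"):
        if vlan.findtext("if") == members[0]:
            new_name = f"{laggif}_vlan{vlan.findtext('tag')}"
            renames[vlan.findtext("vlanif")] = new_name
            vlan.find("if").text = laggif
            vlan.find("vlanif").text = new_name

    # Point every assignment (WAN, LAN, ...) at the renamed VLAN interface.
    for iface in root.find("interfaces"):
        if_el = iface.find("if")
        if if_el is not None and if_el.text in renames:
            if_el.text = renames[if_el.text]
    return ET.tostring(root, encoding="unicode"), renames
```

Running `migrate_to_lagg(SAMPLE_CONFIG, ["bce0", "bce1"])` yields a config whose WAN and LAN point at lagg0_vlan20 and lagg0_vlan10; assigning bce0 directly as LAN first makes it refuse, which is the situation the post describes.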
-
Okay, let's make sure I understand this. Modem will plug into switch, then another cable will go from another port on the switch to the router WAN port. Now is there another cable coming from LAN port on router back to switch?
To answer this specific question, all traffic to and from the pfsense box will be handled by two cables; on the switch side they are plugged into a LAG port group, and on the pfsense side they are plugged into two NICs configured in a LAGG (the terminology is LAGG, LAG, LACP, and maybe some others depending on the vendor). We're using VLANS, so all the traffic, WAN included, is trunked over those cables. With the LAGG setup you can unplug one of those two cables from either the switch or pfsense and traffic will be uninterrupted. The two cables are just to increase the potential bandwidth of the connection between your networks.
-
A quick question before responding to everything else. What's the workaround for management access? Not just locally, but I'd want to be able to log in to the router remotely, so how would I do that in this configuration?
-
One other question. Why wouldn't there just be 1 cable from modem to router WAN port, then 2 other cables in 2 LAN ports lagged together to the switch? There must be a valid reason. I would just like to understand what it is. Thanks.
-
A quick question before responding to everything else. What's the workaround for management access? Not just locally, but I'd want to be able to log in to the router remotely, so how would I do that in this configuration?
Your LAN interface would be on a VLAN. So in my previous example your WAN is on VLAN20. So let's say your LAN is on VLAN10. Your computer(s) are plugged into switchports in this VLAN. The computers don't care what the VLAN is; the switch does the work. So let's say your pfsense box has its LAN interface as lagg0_vlan10, with an IP address of 10.233.233.1/24. Any computer plugged into a switch port on VLAN 10 that has an IP address in that same network will be able to communicate with pfsense.
EDIT: and for remote access, which some may frown upon, I forward port 8080 to 443 from my WAN to my LAN. I'm not entirely comfortable with that and wouldn't do it in a corporate environment (I'd use VPN instead) but it's an easy way to gain remote access while not using a common port, which are generally more susceptible to attacks from the internet.
And one more edit, haha: The example I posted above is not from my home network. I live alone and have absolutely no need for that kind of setup. I do use pfsense at home but not in that kind of scenario.
-
One other question. Why wouldn't there just be 1 cable from modem to router WAN port, then 2 other cables in 2 LAN ports lagged together to the switch? There must be a valid reason. I would just like to understand what it is. Thanks.
What I posted is just an example of a way to have pfsense set up with a single logical connection (regardless of whether it's LAGG or just a single NIC; they're both a single logical interface with VLANS on top). You could very easily have 4 physical interfaces with 2 in a LAGG to connect to your LANs and a single physical interface connected straight to your cable modem.
I realize I'm providing TMI for a home router build. Apologies. I just love talking about it, and you must be at least a bit curious if you're even considering pfsense :). Just stick to the basics, buy some hardware that will last a while, and come back and ask questions when you're ready. The reason I even brought this up is that a) you mentioned VLANS, b) some were suggesting you buy a L3 switch which is nice but not strictly necessary. I'm simply providing a scenario where you can do inter-VLAN routing on a L2 switch with less of a performance hit.
-
Regarding implementing the VLAN's; it wasn't something I planned on doing initially. I could, but I'd like to be set up for it anyway. Let me ask you this. Is there a reason you mentioned modem-to-switch-to-router as the way of connecting versus the more straightforward modem-to-router-to-switch direction? Is that way better for some reason?
With VLAN's, would only the inter-VLAN traffic go through router? I believe that is yes, even with a layer 2 switch, just wanted clarification. Any other traffic that would stay off router?
I wouldn't typically have Gigabit speed traffic going through network while I was doing anything else, at least not much else at all to the point of caring. Those high speed large file transfers almost only happen while I sleep.
Even with VLAN's, there would hardly be any inter-VLAN traffic that I would need to travel at Gigabit speeds, at least none that I'm aware of at this time. Those transfers would be on same VLAN.
-
The more I research VLAN's and think about it, the more I wonder whether I should bother implementing them, especially at the additional cost. Realistically, I'd probably never have more than 40-50 devices, even if I did complete my dream of an advanced smart home, although perhaps closer to 75-80 if I did. Many of those wouldn't always be on or transmitting or receiving traffic, so I don't know that it's worth even doing.
-
For the scenarios you're describing, VLANS let you separate your network into different subnets (that pfSense can manage effectively) without having to have a different NIC and switch for each subnet.
Without seeing all the intricate details, I would guess you could benefit from perhaps 3 "internal" subnets LAN (most stuff), WiLAN (WiFi stuff) OLAN (Other stuff you want kept separate).
To implement without VLANS, you need 4 NICs (or one 4 port NIC) - WAN, LAN, WiLAN, OLAN and three switches to connect the different devices.
With VLANs, I'd suggest two NICs - WAN and MLAN. MLAN can support as many VLANs as you like (depending on the switch usually up to 4095). In addition you need only one switch, often making cabling a little cleaner. The "downside" is the switch needs to be configured and documented so you know what ports service which network.
Cost wise, the VLAN approach will be moderately higher (although there's tons of good used gear available). Fixed NICs make the design "simpler" to visualize at a glance, but can get more cumbersome if and when you expand to more subnets.
You can always plan big, but start small - implement a simple 2 NIC WAN,LAN setup and expand it as necessary.
-
"especially at the additional cost."
What, the few bucks more a smart switch costs? I don't quite yet have your 40 devices, but getting close with 29 that I can count off the top of my head. Not counting guest wireless devices that might come on and off the network.
But as more and more things get connected, iot as we now call it, not segmenting your network seems a pretty lax view of security. Does that smart thermostat really need to be on the same network as computers? Does the dvr made in china need to be on that same network? What about the game console? Segregation of your network becomes more and more important when you start adding more and more types of devices that may or may not have the best security, and/or maybe phone home, etc.
Now if you had only devices that you control and put the OS on, etc. What about Billy Bob's laptop that comes over and wants to use your wifi - you sure that thing is not infected with something bad? Why would you not want that isolated from all your other devices? Devices that join my guest wifi, I will hand them an IP via dhcp. And they can ping the gateway to validate they have connectivity. But other than that they can not talk to any of my other segments; they don't even use my dns - they get handed the isp dns.
I have another wifi network for my iot devices that do not support eap-tls, I then have my wifi network where I connect my devices via eap-tls. But even this is restricted and does not have full access into my actual lan network where my workstation and servers and services run. It has limited access to use my printer, hit my plex server on the plexserver port, etc. I currently have 7 different segments/vlans on my home network. This allows me to isolate and limit different types of devices to what they need access to and group them with like devices, etc.
When it comes to vlan support, you don't need a $1000 enterprise class switch to do this. I just picked up an 8 port gig netgear smart switch for $30 for my av cabinet to replace the aging switch that was in there that had been locking up on me, etc. Pretty disappointed with its feature set, but it does what I needed it to do, which was understand vlans. So in that sense it is fine. I would like to have been able to monitor it via snmp, etc. But this works for vlans.
-
Regarding implementing the VLAN's; it wasn't something I planned on doing initially. I could, but I'd like to be set up for it anyway. Let me ask you this. Is there a reason you mentioned modem-to-switch-to-router as the way of connecting versus the more straightforward modem-to-router-to-switch direction? Is that way better for some reason?
With VLAN's, would only the inter-VLAN traffic go through router? I believe that is yes, even with a layer 2 switch, just wanted clarification. Any other traffic that would stay off router?
I wouldn't typically have Gigabit speed traffic going through network while I was doing anything else, at least not much else at all to the point of caring. Those high speed large file transfers almost only happen while I sleep.
Even with VLAN's, there would hardly be any inter-VLAN traffic that I would need to travel at Gigabit speeds, at least none that I'm aware of at this time. Those transfers would be on same VLAN.
Regarding the LAGG setup, where you'd have the modem connected to a switchport rather than directly to the router, that was just me rambling about ways to speed up inter VLAN traffic without using a Layer3 switch, which is a kind of router in its own right. No need to implement that at all. Just one of many options.
With VLANs, traffic originating from a host in a VLAN will not hit the router unless it leaves that VLAN, either to go to another VLAN or to the internet. In other words, a large file transfer between a workstation and a NAS will never hit the router unless the workstation is in a different VLAN than the NAS.
With pfsense and a $30 smart switch you'll have all the hardware and software you need for a simple network, or a more advanced one.
All that said, I'll go ahead and make an admission: I have the hardware, software and knowledge to use multiple VLANs and even multiple wireless SSIDs in different VLANs for guest networks and the like at home. But I don't, yet. Why? I live alone, for one. I don't share my network with many guests at all, and those I do, I know well. I have a few devices (my Airport Express devices that I use to stream audio around the house) that don't like to be on a different network than the devices they're receiving audio from. But that's just my use case. The post from johnpoz just below the one I'm replying to is a different use case, and a very good example of where network segmentation with VLANs in a home environment is desirable.
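A small model of the two points made above (traffic only reaches pfSense when it leaves its VLAN, and what johnpoz's per-segment rules then allow), as an added example and not anything from the thread or from pfSense: VLAN 10 is the LAN at 10.233.233.1/24 from the earlier post; the guest VLAN 30, IoT VLAN 40, the printer and Plex addresses, and PLEX_PORT = 32400 (Plex's default) are assumed here.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed segments. VLAN 10 = LAN at 10.233.233.1/24 as in the earlier
# post; the guest and IoT VLAN numbers and subnets are assumed here.
VLANS = {
    10: ipaddress.ip_network("10.233.233.0/24"),  # LAN: workstations, NAS, servers
    30: ipaddress.ip_network("10.233.30.0/24"),   # guest wifi
    40: ipaddress.ip_network("10.233.40.0/24"),   # iot devices (no eap-tls)
}
GATEWAY = {tag: net[1] for tag, net in VLANS.items()}  # pfSense holds .1 on each VLAN
PRINTER = ipaddress.ip_address("10.233.233.50")       # assumed addresses
PLEX = ipaddress.ip_address("10.233.233.60")
PLEX_PORT = 32400                                     # Plex default, assumed here


def vlan_of(ip):
    """VLAN tag whose subnet contains ip, or None for anything off the LAN."""
    return next((tag for tag, net in VLANS.items() if ip in net), None)


def is_internet(ip):
    return vlan_of(ip) is None and ip.is_global


# Rules on each VLAN's pfSense interface; first match passes, otherwise the
# implicit default deny applies.  Mirrors the segmentation described above.
RULES = {
    10: [lambda f: True],                                        # LAN: unrestricted
    30: [lambda f: f.dst == GATEWAY[30] and f.proto == "icmp",   # ping own gateway
         lambda f: is_internet(f.dst)],                          # ISP DNS, web, ...
    40: [lambda f: f.dst == PRINTER,
         lambda f: f.dst == PLEX and f.proto == "tcp" and f.dport == PLEX_PORT,
         lambda f: is_internet(f.dst)],
}


def forward(flow):
    """'switched' if the L2 switch delivers the frame without involving
    pfSense, otherwise 'pfsense:pass' / 'pfsense:block' per the source
    VLAN's rules."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    sv = vlan_of(src)
    if sv is None:
        raise ValueError(f"{src} is not on a local VLAN")
    # Same VLAN and not addressed to pfSense itself: the switch forwards it
    # between access ports and the trunk to pfSense never carries it.
    if vlan_of(dst) == sv and dst not in GATEWAY.values():
        return "switched"
    f = flow._replace(src=src, dst=dst)
    return "pfsense:pass" if any(r(f) for r in RULES[sv]) else "pfsense:block"
```

A workstation-to-NAS backup inside VLAN 10 comes back as "switched", while a guest client reaching for a LAN host is "pfsense:block" and a guest DNS query to the ISP resolver is "pfsense:pass".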
-
Okay, after further careful consideration, I'm going to go with a powerful enough pfSense router that will be capable of handling VLAN's and the inter-VLAN traffic at high speed when it comes up, whether sooner or later. I'll go with Layer 2 Switches.
I'm going to build my own. I'm getting something mostly comparable to the SG-4860. I'll have great power to handle anything I'll throw at it, future proof with the AES-NI and QuickAssist as well. I wasn't opposed to official hardware when I was thinking maybe Layer 3 Switch, but I can't spend over $700 for the router, but I can build a solid equivalent for $375-400 it seems.
Supermicro Mini ITX A1SRI-2558F: $243
4GB ECC RAM: $33
120GB SSD: $30 (Already had one, probably no other use for it until now)
M350 Case with 80w Pico PSU/60w Pico Power Adapter: $69
= $375
Am I missing anything else I'd need, besides a SATA cable? I have a number of those.