Hey folks, this is my first post so go easy on me ;)
I'm about to take the plunge and replace my ASUS router with a pfsense VM running under UnRaid. For WiFi I have just bought a Ubiquiti Unifi AP which I plan to use to provide standard WiFi as well as a guest WiFi network.
My plan is to have all my devices, including the AP connected to pfsense via a 24 port, unmanaged switch, which I have also just bought.
I have been reading about creating guest network with pfsense and I'm slightly worried at discovering the requirement for a managed switch in order to deal with VLAN trunking. Am i correct in thinking that this is only a requirement if I want a wired guest network? And that the switch in the AP will do what I need?
No your going to need a switch that does vlans if you want your AP to do more than 1 network. Ie a normal and guest.
If your taking your network to the next level with actual real firewall like pfsense, and real AP, you need a real switch ;) Something that does vlans at a min. Doesn't have to be an enterprise grade fully managed nexus 7k… But you do need the ability to vlan.
I would suggest if you just bought that dumb switch to return and get a smart switch. Or you could pick up a smaller port smart switch and use that for your isolation of your vlans. Then you just make the 24 port switch downstream and all those ports be in whatever vlan you want them in.. See attached.
Well explained, thanks dude. I've just ordered a smart switch and organised a return for the one I have.
Just because I am a curious sort of guy… What did you have, and what are you getting in return?
I'm returning a TP-LINK TL-SG1024D and have just ordered a TP-LINK TL-SG1024DE.
Saved myself 30 odd quid too because the black Friday sales started yesterday. The managed switch is only £5 more than the price I paid for the unmanaged :)
KOM last edited by
Wow, that's a pretty big switch for home. I was looking at the SG105E or SG108E myself. Where I am, that 24-port would be $160 vs $35 for the 5-port.
My brain is working here again, lol.
On a similar subject. Will VLAN trunking have any affect on whether I use a physical or virtual nic for my LAN interface? I have a dual NIC ordered but was planning on using the virtual connection to the br0 bridge within UnRaid for my LAN connection. Would it be easier just to use the second port on the physical NIC? Can't see any advantages to either tbh. The br0 virtual bridge does run at 10G but that's pretty useless to pfsense if my internet is only 200M.
I am not familiar with how the vm in unraid works.. I have to assume its a just a type 2 hypervisor.. What hardware are you running it on? It might be better to just run a type 1 on your hardware and then run your unraid and vm and pfsense an any other vms you need.
So your unraid only has single nic currently? Yeah your going to want at min 2.. If your ordering a dual port, your going to still have the one your using now. So that gives you a total of 3.
How you connect your vms to your phsyical network really come down to the details of your hypervisor your using. In esxi for example you create vswitches, and then the physical nic is just the uplink to your physical switch. Your vm's all have vnics connected to the vswitches you create. You can create port groups on these vswitches and place them in specific vlans with specific tags, or you can just use 4095 setting on the vswitch which is like having all ports on that vswitch in trunk mode. Or if you set 0 its like a dumb switch, etc.
How you setup your new local network would come down to how many segments you want and if they are native or vlans. And then how your networking works in your vm host. I can take a look at how the vm stuff works in unraid. What version are you running? 6.2.4 or the new 6.3 stuff that is in rc? But yeah I think you have to create bridges in the unraid. You could then assign these bridges to pfsense vm. They use the term bridge as just a term to "bridge" the vm to the physical nic..
Thanks for the reply, I've updated my Sig with my hardware. The VMs in UnRaid run on KVM. My UnRaid is connected to my current switch via onboard Dual Gigiabit connections running IEEE 802.3ad Dynamic link aggregation. I already have a "virtual" bridge created in UnRaid which my present VMs and Dockers all use.
Tbh, if there's no advantage to using the virtual connection I'll just use the second port on the new card, it's not like I'm going to be running short of ports on the switch ;)
How many devices do you have talking to your unraid? I am curious the point of your lagg. Is it for failover reasons only? link agg is not really 1+1=2, its 1 and 1. So while you can split your load across these links, any specific box would only ever create sessions to the unraid across 1 of the links. So the most any single box could ever see to your unraid would be the 1 gig.
To be honest with the limited number of devices in a home setup, lagg really serves little purpose. In a production network it can provide a fatter pipe for say an uplink with lots of devices talking to multiple devices on the other side of the uplink. The big reason for it is failover on the loss of a link or port, etc.
How exactly were you running lagg if all you had is a dumb switch? Did you have smaller port density switch, that you were going to replace with a 24 port dumb switch?
I understand the 1G limit per client thing. I run a Plex media server as a Docker in UnRaid which serves media to around 8 clients around the house, so the lag seemed like a good idea. Tbh it was more of a "because I can" thing :)
It's an 8-port un-managed switch that I'm using just now (TP-Link TL-SG108). It was my understanding that despite being un-managed it does support IEEE 802.3.
"It was my understanding that despite being un-managed it does support IEEE 802.3."
While yes it does support some of the 802.3 protocols and standards.. ad isn't listed as one of them.
Standards and Protocols IEEE 802.3 / 802.3u / 802.3ab/ 802.3x /802.1p
For a lagg to be setup it would be required to be done on the switch.. Your saying it has a setup in in the webgui to setup lagg?
I get you because you can sort of thing.. I run eap-tls for my wifi on my home network. Is something that is need for a home setup, no not really - but I can and its fun to setup, so I do ;) But there is also times where it makes no sense just because you can.
If you want to setup lagg, lacp, etherchannel, portchannel - many different terms when you get your new managed switch.. Then sure have fun, but its really unlikely you have need of it or that will be doing anything then complicating your network. I also stream to multiple devices around the house from my plex server. Gig is more than enough to handle even 1080p streams.. Even multiple devices over the same 1gig link, etc. I don't really see the need to try and load share that across multiple links.
Looking at the new switch your getting, while its feature set say link aggregation. It doesn't list 802.3ad.. So its not going to be LACP.. So not sure what type of aggregation your unraid box does?? But if that is something your after I would make sure your switch and unraid box are going to be talking the same thing ;)
Again, thanks for the info :)
Yep, my UnRaid is set up to use 802.3ad but I've never actually tested it to see if it's working or not, so probably not if the switch doesn't support it. Like you've said, probably no great loss and I'll happily just use the single link with the new switch.