Inter VLAN Routing - Internet Access
-
Does your switch not allow for a management ipv6 address?
Yes your global IPv6 address is one that falls in 2000::/3, this is the current global unicast IPv6 space.. There is PLENTY more that can be assigned.. but that is what is current..
-
So if I am reading that correctly, they are using a Layer 2 switch as a Layer 3 NAT router to bridge additional vlans into a single VLAN??
-
If you have grown to the point that you need to do downstream routing, then its time to move to full time router or switch that actually supports full L3 to be honest..
Its a common problem to be honest.. There is really no way to use your firewall as your router and not have a hit to the speed at which packets can move.. When network is small, or you do not do a lot of intervlan traffic that needs full wire speed it very convenient to just use the one device to handle the routing between your segments and the firewalling, etc.
You need to make a decision.. If you need full wire speed between devices and can not put them on the same network then you can up your hardware to allow for the speed you want running through pfsense. You can move the routing decision downstream which normally comes at a loss of firewall control between segments. Depending the router/l3 switch you use may still have some ability to ACL but prob not going to be as easy as with the pfsense gui ;)
Seems your wanting to do more than your current switch can provide - time to update to something better. Port density with full L3 support comes at cost.. Depending on the number of devices and number of networks and room you have for hardware, etc. You could get a smaller density L3 switch or true full blow router and use access switches for the port density you need.
This really just comes down to a typical 3 layer model of access, distribution layer and core..
How many devices total do you have, how many devices in each segment - which segments need the fastest intervlan? You can not collapse the segments that really need to talk to each other at switching speed to the same layer 2?
-
I guess you are right, I may have to move to a managed L3 switch. Could you recommend a good solid L3 switch or a router?
I have well over 70+ devices on my network. SmartTVs, mediaplayers, PS4s, Xboxs, iPads, Tabs, laptops, gaming desktops, home automation devices all pretty much running at the same time. Hard wired all devices that support it with CAT6 cables. With 11 kids (8 of my brother.. ;D) in the house especially on weekends, my initial network in fact ran like a 10Mbps hub (remember those things back in the 90's). Plus there is a ton of data that needs to flow for nightly backups. Kids have way too much digital stuff they just can't let go. I have my own test network consisting of servers and workstations, which I didn't mention in my previous posts.
pfSense had become my central management for my entire network and it was becoming the bottleneck. Moving to inter vlan routing has provided significant improvement to my entire network as all pfSense does is provide access to WAN with some security (Snort, pfBlocker, SquidGuard).
-
so how many of these 70+ devices are wired? How are they distributed.. All comes down to budget if you ask me.. I have a cisco sg300 that I like.. cost me like $180 couple years back. Current model would be sg350, it does true L3 and is very feature rich.
There are the unfi switches, that have come long ways and are feature rich and can be managed from their controller software, etc.
Like I said before.. depending how you lay out the access layer and the distribution layer will determine if you need a LOT of ports at your core or distribution layer or only need all the ports at the access layer, etc. So something like a 10 ports L3 might be fine for your core or distribution.. So do you have everything wired to your current netgear or do you have some downstream switches to that.. We could prob still leverage it as access but put a L3 between it and your pfsense sense, etc.
I see a sg350-10 at $197 on amazon currently
https://www.amazon.com/SYSTEMS-10-Port-Gigabit-Managed-SG35010K9NA/dp/B01HYA36SGthere is 28 for $395
https://www.amazon.com/SYSTEMS-Sg350-28-28-Port-Gigabit-SG35028K9NA/dp/B01HYA38CAHere is a 8 port edgerouter for under $300
https://www.amazon.com/Ubiquiti-Networks-ER-8-Edgerouter-Router/dp/B00IA5M2ASYou might even take pfsense out of the equation with something like that, or you could still leverage pfsense as your edge firewall and use that as an internal router.. The Ubiquiti edgeswitch line does do layer 3, and their 24 porter starts at 215..
https://www.ubnt.com/edgemax/edgeswitch-lite/You have to be careful - their unifi switches only do Layer 2, etc..
So if you could give some more details of how all these devices are current connected and distributed throughout your house - where do you need port density? Downstream switches? etc.. And what sort of budget you have in mind then we could work what hardware and configuration might give you the best bang for your buck!!
-
All rooms have at least 3 cat6 cables going all the way to the basement 42U rack. Family room, office and media center room has 6 ports each. Plus there is a server rack which has 12 ports for my work. All cables terminate to a cat6a 10G patch panel on top of the 42U rack. Those cables are then patch corded to the 48 port switch below it. Cable modem also terminates in the patch panel and then routes to the switch. So I need to ensure I have a good quality and responsive 48 port switch since my current switch has barely any vacant ports.
The ubiquiti switches are good but looking at ubnt forums it seems the latest 48 port switch does not yet have the L3 functionality. They advertised it but never added the feature. Expected sometime after sept 2017.
-
I second John's favour for Cisco SG300/350 switches and have installed quite some already. Not a single failure. (will install another 12 next week in university lecture rooms: unpack, flash, use. Done.)
However, I hear good things about D-Link DGS-1510 series (smart) switches.
Stackable with SFP+ ports for quite reasonable prices. But I have no personal experiences with those devices. -
The Cisco 48 port switches are way overpriced and out of my budget. I will keep an eye on eBay for the dlink and netgear l3 switches.
-
Do yourself a favor and watch for Brocade ICX-6450s too. Cisco 3750s can be had as well, though they will likely only be 100M with gig uplinks.
You want an IPv6 L3 switch and don't want to spend any money? Really?
-
Do yourself a favor and watch for Brocade ICX-6450s too. Cisco 3750s can be had as well, though they will likely only be 100M with gig uplinks.
You want an IPv6 L3 switch and don't want to spend any money? Really?
I am not looking to buy overpriced switches. My current switch does have IPv6 L3 functionality but it's hidden and can only be enabled with an IPv6 license which will cost somewhere over the $450 price range. Hence I am looking for better options as I am not willing to pay that exorbitant price for un-hiding something already there.
-
You can easily get a new L3 switch for under $450. A brand new SG300-52 costs about that.
If you need the functionality they offer they are not overpriced.
-
Yup looking into them. Now do any of these cisco switches need additional licensing? Or have to pay yearly fees for functionality? the SG300 does IPv6 vlan routing right?
-
Yes the sg300 does ipv6 routing, and no you don't need to by any extra licensing for it.. I would look to the sg350 though, the sg300 is end of life..
http://www.cisco.com/c/en/us/products/collateral/switches/small-business-stackable-managed-switches/eos-eol-notice-c51-733213.pdf
The one I would be worried about is the end of sw support.. Which this doc says was april of 2015, but they just releasedSx300 Firmware Version 1.4.7.05 09-DEC-2016
Which I am running on mine.. I currently do not run my sg300 in L3, I have no use for it on my network as of yet. While I do have in works upgrade to my pfsense, its currently running on old HP microsever as a vm and can not route at gig.. Can only seem to get about 400-500mbps between segments. But for me that is fine.. I have all the devices I really need full gig between on the same network.
While you might be able to find some sg300 a few bucks cheaper.. They currently have announced end of software maint.. So you may never see another update that is not for a major security fix, etc. For example I would love to see it support chacha20 for its ssh.. But I don't think that is going to happen..
-
hmm end of software maint is not good. The sg350 is still pretty expensive. I will keep an eye on eBay for sg350, sg300 and sg500. I may get one if the price is hard to beat or will wait for the sg350 to drop in price.
-
What port density are you looking for? I saw and listed a sg350 for <200 on amazon.
-
Ah - your looking for 48 ports, yeah that can get a bit pricey.. You sure you can not just use a smaller port density L3 as your core/distribution layer to handle your routing and then a simple L2 switch for your port density? You can use uplinks per vlan to your L3 switch to your L2 so you do not hairpin or have to share bandwidth on interfaces for intervlan traffic.
"They advertised it but never added the feature. Expected sometime after sept 2017."
Keep in mind what specific switch your looking at with unifi, there are the "unifi" switches and then their are the edgeswitches and then teh edgeswitches-lite
From my understanding the ES have L3, but the unifi switches as of yet do not.. The unifi switches are cheaper per port density. But the edgeswitch lite 48 port lists for $400 and clearly its states L3 support on the product page.. If that is not the case they really should adjust their datasheet and product page..
-
https://community.ubnt.com/t5/EdgeSwitch/EdgeSwitch-L3-IPv6-Routing/m-p/1609932/highlight/true#M8056
Their current platform has no L3 IPv6 routing functionality.
-
Well that is show stopper then.. ;) They really should update their DS to state ipv4 routing only..
-
How did you setup your transit in the end? Trying to do the same and it isn't working. Currently using management as my transit. Are you able to describe how you setup the transit as I have contacted netgear and they don't seem to have a concept of a transit vlan and are asking me to create a vlan on pfsense for it.
Pfsense:
Pfsense lan default gateway 192.168.10.246Created gateway 192.168.10.1 Inc static routes etc on pfsense under routing.
Switch:
Created management vlan (15) 192.168.15.0
Ip: 192.168.15.2
Default gateway: 192.168.15.1 but it won't let me set it and defaults to 0.0.0.0Static route also changes to 192.168.15.1 rarther than 192.168.10.246
Created vlan (10) 192.168.10.0
Default gateway 192.168.10.1
Untagged a port for all vlans and set its pvid to 10. Plugged the pfsense lan port into this switch port (transit link)
I'm clearly not doing it right please help.
