Should I use my available ports to connect multiple switches?



  • Hey everyone, I'm getting ready to build my first pfsense box, and I had a question on how to best utilize the 4 ports available from the HP 4-port nic I bought as part of the build.  I currently have 2 TPLink 8-port switches in the house that I'd like to continue using.  What makes sense in my head is this:

    Port 1: WAN
    Port 2: 8-port TPLink switch wired to living room entertainment
    Port 3: 8-port TPLink switch wired to office
    Port 4: Wireless AP

    However, I read on this forum that you shouldn't use pfSense to do any switching, so should I daisy-chain the switches instead?

    Port 1: WAN
    Port 2: 8-port TPLink switch wired to office, one of its ports connected to living room switch
    Port 3: Wireless AP
    Port 4: Unused

    I also have an on-board Realtek NIC, but I'm guessing I should just leave that unused, based on popular opinion on this forum.

    Thanks!


  • LAYER 8 Global Moderator

    In your first setup why do you think that is switching?

    Do you want stuff in your office on a different network than your living room?  Does it matter if they are?  If it shouldn't, then this would be a good setup.

    When you daisy-chain switches, all the devices on the far end switch are sharing the uplink speed to the closer switch.. Then all your devices are all sharing the uplink to pfSense.  This may or may not matter, depending.

    I take it these TP-Links are dumb and not smart?  What is the model number of them?

    What devices use the most bandwidth between each other?



  • @johnpoz:

    In your first setup why do you think that is switching?

    Do you want stuff in your office on a different network than your living room?  Does it matter if they are?  If it shouldn't, then this would be a good setup.

    When you daisy-chain switches, all the devices on the far end switch are sharing the uplink speed to the closer switch.. Then all your devices are all sharing the uplink to pfSense.  This may or may not matter, depending.

    I take it these TP-Links are dumb and not smart?  What is the model number of them?

    What devices use the most bandwidth between each other?

    I didn't originally think pfSense was doing any switching in my first config, but I thought I read a post (trying to find it) where a member suggested something similar, and one of the replies was not to connect it in that manner.  I could absolutely be misremembering.  If you're saying it's a good config, that's what I'll go with.

    I need all my devices to be on the same network.  The heaviest traffic seen is streaming hi-def movies to my Fire TV in the living room from my server in the office.  Currently, my server is on one switch, connected to my ASUS router, and my living room Fire TV is on my other switch, also connected to my ASUS router.  I also have a backup server.  The two servers are both in the office right now, and are both connected to the same switch.

    These are the switches I have currently; I don't think they are "smart": TL-SG1008D.  Amazon is now showing the "newer" version of that product, but I'd guess the specs are the same since the model number didn't change.


  • LAYER 8 Global Moderator

    I wouldn't bridge your interfaces together to put them on the same network.. That is what you prob read.. Seems it's a common misconception, not understanding the difference between an interface and a switch port.  Trying to leverage an interface on pfSense as a switch port via software bridging is not a very good idea, no.

    If you need all your devices on the same network, then you would daisy-chain your switches.. You could maybe leverage your other interface in a lagg.  But if your switches are not smart, then no, you cannot do that.

    If you need your devices on the same network, then connect them to the same switch connected to an interface on pfSense.  Devices you can put on another network, you can connect to the other switch on the other interface.

    So interface 1 could be, say, 192.168.1/24, interface 2 would be 192.168.2/24 - you do understand that in your setup, with the AP on interface 3, it would not be on the same network as your other interfaces.  So it could be, say, 192.168.3/24.

    The only time devices really need to be on the same layer 2 (broadcast domain) is when they are doing something with broadcasting or multicasting that has a problem across segments.  Unless you are doing something that requires broadcasting for connectivity, there is normally zero reason they cannot be on different networks.

    Now if pfSense cannot route/firewall at wire speed, this might be a reason you would want those devices that need full gig speed between them to be on the same network.  But streaming movies is not going to fill up your gig pipe..

    If you want the ability to put any device on the same network as another device, then get some smart switches that will allow you to put any port on any VLAN (network) you want, and you just tag to pfSense via the uplink from your switch, which can be lagged even..



  • @johnpoz:

    I wouldn't bridge your interfaces together to put them on the same network.. That is what you prob read.. Seems it's a common misconception, not understanding the difference between an interface and a switch port.  Trying to leverage an interface on pfSense as a switch port via software bridging is not a very good idea, no.

    If you need all your devices on the same network, then you would daisy-chain your switches.. You could maybe leverage your other interface in a lagg.  But if your switches are not smart, then no, you cannot do that.

    If you need your devices on the same network, then connect them to the same switch connected to an interface on pfSense.  Devices you can put on another network, you can connect to the other switch on the other interface.

    So interface 1 could be, say, 192.168.1/24, interface 2 would be 192.168.2/24 - you do understand that in your setup, with the AP on interface 3, it would not be on the same network as your other interfaces.  So it could be, say, 192.168.3/24.

    The only time devices really need to be on the same layer 2 (broadcast domain) is when they are doing something with broadcasting or multicasting that has a problem across segments.  Unless you are doing something that requires broadcasting for connectivity, there is normally zero reason they cannot be on different networks.

    Now if pfSense cannot route/firewall at wire speed, this might be a reason you would want those devices that need full gig speed between them to be on the same network.  But streaming movies is not going to fill up your gig pipe..

    If you want the ability to put any device on the same network as another device, then get some smart switches that will allow you to put any port on any VLAN (network) you want, and you just tag to pfSense via the uplink from your switch, which can be lagged even..

    Ah ok, this clears things up.  The software bridging is what I want to avoid.

    I guess I generalized too much when I said "I need all my devices to be on the same network".  I don't necessarily need that for broadcast capability.  I just need them to be able to locate each other.  Basically I need to be able to talk to my servers from any device connected to pfsense.

    My pfSense build should have no issues routing at gig speeds.  I'm building based on an embedded ASRock board (J3455B-ITX), HP Intel-based 4-port NIC, and 4 gig of RAM left over from a MacBook Pro upgrade.

    Thanks for the info, things are starting to get clearer now!



  • You do want to use pfSense to firewall or route, but not to bridge.


  • LAYER 8 Global Moderator

    Well, in "general" terms you could say they are all on the same network - your network ;)  They would just be on different segments, be it VLAN or physical segments.  I have 7 different network segments in "my" network ;)

    And then 4 of those segments are enabled for IPv6..

    All of the devices can talk to each other, as long as it is allowed in the firewall of pfSense.  Since they are not all on the same L2/broadcast domain, then no, they cannot broadcast for names or see multicast traffic from devices not on the same network segment.  But I have zero issues with devices talking to each other.



  • Thanks again for the info, I think I'm tracking now.  The only issue I could see with the lack of broadcast capability is using the Chromecast devices.  If my phone is casting, it'll be on the wifi network but the Nvidia Shield would be on one of the switches.  Not the end of the world.



  • Take the first setup and leave it like it is.  Or perhaps connect the WLAN AP to one of the two switches, but nothing else.  Set one LAN port from the pfSense up with 192.168.1.0/24 (255.255.255.0) and the other one with 192.168.2.0/24, and that would be my way to configure it.  Nothing must be bridged together, because routing is the way to go here.



  • So, I hit a couple of snags regarding not all my devices being on the same layer 2.

    First, my ADT security system.  It has a base station that I have installed on the living room switch (192.168.2.X), but the included wifi tablet connects to my access point, which is on the office switch (192.168.1.X).  In this configuration, the tablet cannot see the base station.

    Second, similarly, my Sonos system.  The Sonos system requires that 1 device be physically connected to a network.  The only convenient location for me to do that is in the living room.  Similar issue though: the Sonos Android app on my wireless devices can't see the Sonos speakers because they're on different L2s.

    Given issues like this, how would y'all set it up?  I could always be lazy and daisy chain my 2 switches together so that everything is on the same network, but I have to believe this isn't the best way to go about it.  Is there a way to allow the networks to see/talk to each other?  I'm willing to buy smart switch(es) if that is a requirement.  I'd like to set up my network using "best practices" if I can.

    Thanks again.


  • LAYER 8 Global Moderator

    Daisy-chaining the switches would be better than trying to bridge interfaces… As far as your ADT.. so what does it use to discover the base station?  Can you not just enter an IP of the base station?

    But put your base station on the same network as your wifi network then.. pfSense - switch - AP, with your base station connected to that switch.

    Or you can try running the avahi package that allows for mDNS across segments - which it might use?

    Seems like you have devices that need to be on the same L2 as your wifi - so just connect your AP to that switch.. Or better, get smart switches and a real AP that does VLANs.. Then you would be cooking with gas! ;)



  • @johnpoz:

    As far as your ADT.. so what does it use to discover the base station?  Can you not just enter an IP of the base station?

    But put your base station on the same network as your wifi network then.. pfSense - switch - AP, with your base station connected to that switch.

    Or you can try running the avahi package that allows for mDNS across segments - which it might use?

    That stupid ADT system is totally and completely closed off.  Settings, especially advanced ones, do not exist.  For many reasons I HATE it, and can't WAIT to get rid of it.

    @johnpoz:

    Seems like you have devices that need to be on the same L2 as your wifi - so just connect your AP to that switch.. Or better, get smart switches and a real AP that does VLANs.. Then you would be cooking with gas! ;)

    Well, my UniFi AC Pro came in yesterday, so I'm on my way!  I got the UniFi software running in a Docker container on my server but I haven't actually set it up yet.  I want to do this the right way (i.e., the more complicated way), to force me to learn.  As I've seen it, 8-port smart switches aren't terribly expensive.  If you have a recommendation I'm all ears.  I'll google around and try to pick a good one for the money.

    I'm not familiar with VLANs so I'll have to do more research.  I don't want to be the "how do you do this, how do you do that" guy.  You make it sound like with the right equipment, I can use NIC2, NIC3, and NIC4 for LAN1, LAN2, and Wifi, and everything can "virtually" share L2 using VLANs.  If this is the case, that's the "route" (nerd pun) I want to go.


  • LAYER 8 Global Moderator

    No, you cannot use NIC2, 3 and 4 for LAN1.. But you could lagg them so it's 1 connection to your switch and run whatever VLANs you're using over the lagg..  Or you could use OPT2 for network LAN, OPT3 for WLAN, and OPT4 for some other network, and each of those would have an uplink from your switch.

    And then you can put whatever ports you want on whatever network you want, and then, depending on what VLAN you assign to your different SSIDs, physical ports could be on those same VLANs so that you have wired and wireless devices on the same layer 2.

    With smart switches you could use a lag between switches so you have more bandwidth between the switches.  Or, depending on the switch you get, you could use an SFP+ module and fiber to get more than 1 gig on your uplink.

    Keeping in mind that 1+1 does not = 2 in a lagg; it just means you have 2 1-gig connections that you can load-share different connections over, etc.  But any specific MAC talking to another specific MAC over that lag would still only go over 1 of the connections, so you could still hit your 1 gig limit on the connection.

    How fast is your internet?  What do you have that needs to talk to each other at full gig speed - you put those devices on the same layer 2 so you're not routing/firewalling them through pfSense.  And if possible you connect them to the same switch so you're not using up your uplink between switches, since the uplink is shared by all devices on that switch trying to get to the other switch/internet/etc..

    Proper design of a LAN requires understanding of traffic flow to provide max possible bandwidth, etc.  But in a home setup, unless you have multi-gig internet, the ability to just VLAN and place devices on whatever VLAN you want no matter what port they are on will be a big improvement.

    In larger LANs this is why you have different layers: the access layer, the distribution layer and then the core, etc..  And in even larger LANs with more bandwidth requirements you see even downstream L3 switches doing the routing between networks vs doing it at your edge/firewall (pfSense in this case).

    Uplinks between switches in a real LAN are normally 10 gig or more while you have devices connected at gig, etc. etc..

    There are plenty of smart 8-port gig switches for very cheap.. What kind of budget are you thinking?  You could spend as little as $30 or $200.. or into the $1000s depending on what port density you want/need and feature set.  But for a starter home switch that gives you the basics, VLAN, port mirror, rate limiting, etc.. you're looking at like $40.  Netgear and TP-Link have these switches for right around the $40 price point.

    https://www.amazon.com/TP-Link-8-Port-Gigabit-Ethernet-TL-SG108E/dp/B00K4DS5KU
    $33

    https://www.amazon.com/dp/B00M1C0186/ref=twister_B01AKLC5NI?_encoding=UTF8&psc=1
    $45

    Then you could go fancier with something like the SG350 10-port with SFP+ support on 2 ports for like $300
    https://www.amazon.com/SYSTEMS-Sg350-10P-10-Port-Gigabit-SG35010PK9NA/dp/B01HYA36RM

    Or if you like the UniFi AP you bought, they make switches that are in the $200 range and even PoE to power your AP..

    This 150W PoE one does passive.
    https://store.ubnt.com/unifi/unifi-switch-8-150w.html

    This is the smaller PoE one that can only do 60W, but doesn't support passive - so if you have your Pro AP you're good, but if you have an LR or Lite model that needs passive you would need a passive converter for $20 each

    For only $110
    https://store.ubnt.com/unifi/unifi-switch-8-60w.html

    Or a non-PoE one for $99
    https://store.ubnt.com/unifi/unifi-switch-8.html

    The nice thing about those is you would manage them from the controller you're going to run for your AP anyway.
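    An added example (not from this thread, pfSense or the projects mentioned) that models the traffic-flow distinctions drawn above and the ADT/Sonos discovery snag from the earlier post: per-VLAN subnets follow johnpoz's 192.168.1/2/3 layout, while the two smart switches, the AP uplink location and every device name and address are constructed assumptions.

```python
"""Model of the home LAN discussed above: which traffic stays at layer 2,
which crosses the inter-switch uplink, and which is routed by pfSense."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    attached_to: str  # "office", "living" (smart switches) or "ap" (Wi-Fi)
    vlan: int         # VLAN the access port or SSID is assigned to
    ip: str

# Constructed topology, not from the thread: one subnet per VLAN, as in
# johnpoz's 192.168.1/2/3 example; the AP is uplinked to the office switch.
VLAN_SUBNETS = {
    1: ipaddress.ip_network("192.168.1.0/24"),  # office LAN
    2: ipaddress.ip_network("192.168.2.0/24"),  # living room LAN
    3: ipaddress.ip_network("192.168.3.0/24"),  # Wi-Fi
}
AP_UPLINK_SWITCH = "office"

# Sample devices (constructed). Sonos sits on a living-room switch port that
# has been put on the Wi-Fi VLAN so phones can discover it at layer 2.
DEVICES = [
    Device("server", "office", 1, "192.168.1.10"),
    Device("backup", "office", 1, "192.168.1.11"),
    Device("firetv", "living", 1, "192.168.1.50"),
    Device("adt-base", "living", 2, "192.168.2.20"),
    Device("sonos", "living", 3, "192.168.3.30"),
    Device("phone", "ap", 3, "192.168.3.77"),
]

def address_matches_vlan(dev):
    """Sanity check: an address must belong to the subnet of its VLAN."""
    return ipaddress.ip_address(dev.ip) in VLAN_SUBNETS[dev.vlan]

def physical_switch(dev):
    return AP_UPLINK_SWITCH if dev.attached_to == "ap" else dev.attached_to

def path(a, b):
    """Classify a unicast flow a -> b."""
    if a.vlan != b.vlan:
        return "routed and firewalled by pfSense"
    if physical_switch(a) == physical_switch(b):
        return "layer 2, same switch"           # never touches the uplink
    return "layer 2, over inter-switch uplink"  # shares that link's 1 gig

def can_discover(a, b, mdns_reflector=False):
    """Broadcast/multicast discovery only works inside one broadcast domain;
    an mDNS reflector (e.g. the avahi package) relays mDNS across VLANs."""
    return a.vlan == b.vlan or mdns_reflector
```

    Moving a wired port onto the Wi-Fi VLAN (the Sonos entry) is what lets a phone on the AP find it without any reflector, at the cost of that flow crossing the inter-switch uplink.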



  • Wow man, thanks for all the info.  I only understood about half of it, but it gives me a GREAT start to research.

    Honestly, I definitely don't NEED a super awesome, optimally configured network.  I only have 40/20 at my house, so I'm not blazing fast by any means.  I WISH I could get faster, but unless I go with Comcast (NOT HAPPENING), 40/20 is the fastest available.  The most bandwidth-intensive task I perform is using GameStream from my W10 VM to my Android devices, but it's always just me.  I'm either streaming 1080p video somewhere, or gaming, but it's not like I need the infrastructure to do a bunch of simultaneous bandwidth-intensive tasks.  I'm sure I could daisy-chain the dumb switches, put everything on the same LAN, and never notice an issue.  But, where's the fun in that?

    Regarding the managed switch, I was looking in the <$100 range.  That UniFi 8-port PoE looks like a great fit, since I already have that AP.



  • John is definitely the man, totally helped get my complicated setup with VLANs and trunk ports working.  Thanks again John..  It takes a bit to get your head around it but in the end it is worth it to have a robust network that grows with you.

