Home setup network architecture



  • Hi!

    I'm new to the pfSense community. I've just gotten my brand new Qotom Q355G4 (i5 with 4 Intel NICs) and
    I'm going to base my home network around it (running pfSense, of course).

    My question is whether my thoughts about my home setup seem ok.

    I have around 40 clients (RPis, TV, Sonos etc.), so I'm going to try and use VLANs as well as dedicated interfaces for some of it.

    Any feedback would be appreciated.



  • I would not plug a switch into the AP, and I also would use one 24-port managed switch.


  • Rebel Alliance Global Moderator

    If you're going to use dumb switches and actual physical interfaces, they would not be tagged VLANs, so your 100 and 843 don't make a lot of sense.

    So is your ASUS RT-68U running dd-wrt, OpenWrt or something? The native firmware does not do VLANs AFAIK. You really would be better off getting a real AP that for sure supports VLANs.

    The suggestion of a smart switch is a good one, along with possible PoE support as well if you're planning on doing cameras and the like.

    Even if you don't want to use a larger port-density switch (16+ ports, etc.), where you list "dumb" switches I would use smart switches. There are many models to choose from that are very cost friendly and provide different levels of feature sets. The Zyxel GS1900 line seems to be very feature rich for the price point.
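    The distinction made above (untagged traffic on a dedicated physical interface fed by an unmanaged switch versus tagged VLANs on a trunk from a managed switch) comes down to whether an 802.1Q tag is present in the frame. The following is an added illustration, not code from this thread or from pfSense: it builds and parses tagged and untagged Ethernet frames and models, in simplified form, which pfSense-side interface each frame would land on. MAC addresses and the VID 200 are constructed; 100 and 843 are the OP's VLAN IDs.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_frame(dst_mac, src_mac, ethertype, payload, vid=None, pcp=0):
    """Build a minimal Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)       # TCI = PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]

def classify(frame, port_mode, allowed_vids=()):
    """Name the firewall-side interface a frame would land on (simplified model).

    'access': dedicated physical NIC fed by an unmanaged switch; everything arrives
              untagged and belongs to that NIC's own network. A tag here is unexpected,
              so this model drops it rather than trusting a client-supplied VLAN ID.
    'trunk':  NIC carrying tagged VLANs from a managed switch; only VIDs that have a
              configured VLAN sub-interface are accepted.
    """
    vid, _, _ = parse_frame(frame)
    if port_mode == "access":
        return "native" if vid is None else "drop:unexpected-tag"
    if port_mode == "trunk":
        if vid is None:
            return "native"                      # untagged traffic stays on the parent NIC
        return f"vlan{vid}" if vid in allowed_vids else "drop:unknown-vid"
    raise ValueError(f"unknown port mode {port_mode!r}")

# Constructed sample frames (MACs made up; payload is stand-in IPv4 header bytes).
PAYLOAD = b"\x45\x00\x00\x14" + b"\x00" * 16
UNTAGGED = build_frame("ffffffffffff", "001122334455", 0x0800, PAYLOAD)
TAGGED_843 = build_frame("ffffffffffff", "001122334455", 0x0800, PAYLOAD, vid=843, pcp=5)
TAGGED_200 = build_frame("ffffffffffff", "001122334455", 0x0800, PAYLOAD, vid=200)

if __name__ == "__main__":
    for name, frame in [("untagged", UNTAGGED), ("vid 843", TAGGED_843), ("vid 200", TAGGED_200)]:
        print(name, parse_frame(frame)[:2], classify(frame, "access"), classify(frame, "trunk", (100, 843)))
```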



  • I believe that you can enable VLANs via SSH in the Asuswrt firmware for the RT-68U, but not in the GUI.



  • Asus does not support VLAN-tagging ports to an SSID. What it can do in router mode is tag ports to the SSID's VLAN, for example the guest SSID and port 2 will be on the same VLAN, but not in AP mode pass pfSense VLAN tags to an SSID. Btw, you can do it using SSH and scripts, but that is a nightmare that sometimes does not even survive reboots. Just get a UniFi AP and sell the Asus.



  • Thanks for the feedback.

    Yes, I'm planning to get a 24-port layer 2/3 smart switch; it's more about getting the money for it.

    I'm using my ASUS RT-AC68U with dd-wrt; I thought it would work to use its VLAN features?
    https://coertvonk.com/technology/networking/dd-wrt-heading-two-networks-asus-rt-ac68u-11717

    I've been looking to invest in a UniFi AP Pro as well, but it feels more important to replace the unmanaged switches first.

    Regards, D


  • Rebel Alliance Global Moderator

    I seriously doubt you need Layer 3. It doesn't hurt to have the ability to do that, but even for a very large home network the need for a downstream router from your edge is unlikely.



  • Actually, you may try connecting a dumb switch to each LAN port, so you might be able to set up for each LAN port another
    subnet (CIDR) with its own private IP address range and its own DHCP server too! So you don't need to set up VLANs, and
    for the entire WiFi network you may only need to install or connect two WiFi routers acting in the so-called WiFi AP mode.

    But if you want to set up and work with VLANs, you should buy a Layer 2 switch with enough ports to match the number
    of your devices, and second it would be fine to get a real WiFi AP that supports VLANs and multiple SSIDs too.

    And a small Layer 3 switch will only be needed if you have many big files that must be transported, like backups or other
    greater workloads, that should not really pass through the pfSense firewall each time and narrow down the entire throughput
    and agility of your firewall. Together with VLANs and QoS you may be better sorted with a small Layer 3 switch because you get
    the guarantee that the entire traffic will be routed at "wire speed".

    Good switches, in my eyes, would be:

    Layer2 (SOHO/SMB)
    Cisco SG200
    Cisco SG220
    Cisco SG250

    Layer3 (SOHO/SMB)
    Cisco SG300
    Cisco SG350
    Cisco SG500
    Cisco SG550
    D-Link DGS1510



  • The how-to article does not cover setting the AC68U trunk port to pfSense opt0.

    I would be up to the challenge to get 'er done with existing hardware. My personal preference would be Asuswrt because it supports hardware acceleration; dd-wrt does not. Sometimes a nightmare situation can become the excuse needed to run out and get a UniFi AP and Cisco SG200.


  • Rebel Alliance Global Moderator

    "you may be better sorted with a small Layer 3 switch because you get the guarantee that the entire traffic will be routed at "wire speed""

    But at the loss of control. Depending on the hardware he is using for his pfSense, it's quite possible he will not notice any loss of bandwidth between local segments due to routing/firewall rules.

    By designing the network to put the devices he moves large files between on the same layer 2, you remove any performance hit on the routing/firewall at all. It comes down to what is desired: more control with the ease of rules that pfSense allows, or faster routing. Even with my pfSense being a VM on an older MicroServer I still see approx. 400 Mbps between segments. But then again my storage/Plex is on the same L2 as my main workstation; wireless devices are on a different segment along with my wired Roku, but they only ever stream stuff from the Plex, so I have not run into any sort of bandwidth issues.

    Putting multiple VLANs on the same physical interface that require inter-VLAN traffic at high speeds is normally where you see the biggest performance hit. This can be configured around, especially if you have a pfSense box with 4 physical interfaces.



  • @gjaltemba:

    The how-to article does not cover setting the AC68U trunk port to pfSense opt0.

    I would be up to the challenge to get 'er done with existing hardware. My personal preference would be Asuswrt because it supports hardware acceleration; dd-wrt does not. Sometimes a nightmare situation can become the excuse needed to run out and get a UniFi AP and Cisco SG200.

    Hardware acceleration in AP mode???



  • Yes. Asuswrt running in AP mode. Tools->Network->System information->HW Acceleration shows Enabled (CTF + FA). It is not clear to me what your question is.



  • Asus HW acceleration is hardware NAT, so you do not need that in AP mode. And also, WTH does he need HW acceleration for as a dumb AP, not to mention the good processor that Asus has?



  • I get it. Your point is that Asuswrt HW acceleration Enabled (CTF + FA) does nothing in AP mode. You only mention HW NAT, but what about Flow Acceleration being enabled?

    My model has a BCM4708 800 MHz CPU.



  • Although it shows enabled, it has no effect in AP mode, and the CPU you have is great for AP mode 8)



  • Are you going by actual test results when you state that Asuswrt HW Acceleration Enabled (CTF + FA) has no effect in AP mode, or just speculating? Well, at least you are not saying that it is a liability.

    Some hardware revisions of the AC68U have a BCM4709 1 GHz CPU.



  • First, in AP mode there is not much sense in HW acceleration, as all a dumb AP does is pass packets and that CPU is fast enough, and also Eric (RMerlin) said the same thing in a post on SmallNetBuilder.