Netgate Discussion Forum

Hardware for using pfsense as a managed switch?

Hardware

• nktech1135

Hello all.
I'm not sure how practical this is. I am looking for a managed switch for VLANs and such and was wondering if pfSense could do this? I'm already using pfSense in a routing capacity but bought a prebuilt hardware solution for that. This time I'd like to build my own.
The questions I have are these:
1. Is it a practical use of pfSense to use it as a managed switch OS?
2. If so, what would you guys recommend for an 8-port box? It should be future-proofed for updates and be under $200 if possible.
The switch will be on the LAN side so should have full gigabit speeds.

Thoughts?

• Jailer

If you need a switch, get a switch.

• jahonix

pfSense does in software what a switch does in hardware. Guess what's better suited.

When it's available this could be of interest to you:
https://www.netgate.com/blog/lord-vader-your-firewall-is-ready.html
But it won't even have 8 managed ports and will surely be a couple of times above your price tag.

• Guest

It's a bad idea, don't do it. On top of that, it's more expensive than buying a managed switch.

• bingo600

Get a switch.

The cheapest OK managed switch I have is the DLINK 1100-8; fanless is a requirement for me.

The best managed switch I have is either the HP 1820-8G or the Linksys LGS308.
The HP is ultra-stable and receives updates several times a year, but is SNMP RO (read-only).
The Linksys has more features (.1x, ACLs etc.), is physically smaller, but I haven't seen any updates in a long time.

Due to the HP 1820's SNMP RO, I got a DLINK DGS-1210-10P as my PoE switch, as I wanted to be able to turn off my APs via SNMP.
Seems to have almost the same features as the Linksys, but it's not "SuperCheap".

I dropped the TP-Link TL-SG108E due to the untagged VLAN 1 problem.  >:(

/Bingo

• TS_b

Check out the Zyxel lines. They have some very attractive options in terms of price/performance.

• keen

Look in the MikroTik catalog.

• Guest (johnkeates)

I'd suggest looking for a second-hand HP ProCurve switch. They are cheap, very easy to get, and do most of it Just Right. There are web-only versions (SNMP RO) but there are telnet/serial/web/SNMP RW models too, mostly the more expensive ones.

• bingo600

@johnkeates:

I'd suggest looking for a second-hand HP ProCurve switch. They are cheap, very easy to get, and do most of it Just Right. There are web-only versions (SNMP RO) but there are telnet/serial/web/SNMP RW models too, mostly the more expensive ones.

The HP (now Aruba) 2530-8G series is fanless (just the 8-port), both the PoE & non-PoE.
Still lifelong warranty, I think (for the first owner).
https://www.amazon.com/HP-J9777A-2530-8G-Ethernet-Switch/dp/B00EAF7QRG/
https://www.amazon.com/HP-J9774A-2530-8G-PoE-Ethernet-Switch/dp/B00G2DLRUQ/

That's a neat switch, on par with most Cisco Catalysts, & full CLI.
I have a new customer that uses this one, but it's outside my budget.

But a nice switch.

Note it's a 1U height unit, might not fit in anywhere.

Make sure to get the 8G (Gigabit version), as there is an 8 version too (non-Gb).
The Jxxxxx numbers are neat to use for searching, and match both HPE & Aruba switches.

HP 2530-8G (J9777A)
HP 2530-8G-PoE+ (J9774A)

/Bingo

• jahonix

@bingo600:

J9783A  HP 2530-8
J9780A  HP 2530-8-POE+

Great, those have 8x 10/100 Base-TX ports and 2x 10/100/1000 Base-TX.
Who buys Fast Ethernet in 2017 if you don't need a zillion ports cheap?

• bingo600

@jahonix:

@bingo600:

J9783A  HP 2530-8
J9780A  HP 2530-8-POE+

Great, those have 8x 10/100 Base-TX ports and 2x 10/100/1000 Base-TX.
Who buys Fast Ethernet in 2017 if you don't need a zillion ports cheap?

I don't know who wants FE, and I did correct the links & product names to the -G version before I saw your post.

• TS_b

A CLI is probably not particularly useful for a home network.

• bingo600

@TS_b:

A CLI is probably not particularly useful for a home network.

What does a CLI have to do with home networking?
I'd prefer a CLI anytime, but that's a user preference, not where it's used.

But the learning curve for using the CLI could be challenging for some.

/Bingo

• Guest

I'd take a CLI any day. Sure, it must not be a shitty CLI, but that goes for any interface.

• Inxsible

@bingo600:

@TS_b:

A CLI is probably not particularly useful for a home network.

What does a CLI have to do with home networking?
I'd prefer a CLI anytime, but that's a user preference, not where it's used.

But the learning curve for using the CLI could be challenging for some.

/Bingo

Cha-ching!!

I'd prefer working in the CLI too. Most times I go the CLI route even if a GUI is available. Not because I am contrarian, but only because I feel more comfortable in doing what I am doing. Man pages and help options explain much more in detail than a tooltip in the GUI ever would.

• Guest

@Inxsible:

@bingo600:

@TS_b:

A CLI is probably not particularly useful for a home network.

What does a CLI have to do with home networking?
I'd prefer a CLI anytime, but that's a user preference, not where it's used.

But the learning curve for using the CLI could be challenging for some.

/Bingo

Cha-ching!!

I'd prefer working in the CLI too. Most times I go the CLI route even if a GUI is available. Not because I am contrarian, but only because I feel more comfortable in doing what I am doing. Man pages and help options explain much more in detail than a tooltip in the GUI ever would.

On top of that, the 'interface' doesn't hide as much on the command line, as text has to be either there or not there; it isn't graphically styled in some ambiguous way, leaving it up to the user to figure out what it's supposed to do.

• TS_b

Sorry, let me correct my statement.

I was speaking from the point of view of your average home user who does not already know a switch CLI particularly well.
But I didn't specify that at all.

For someone who doesn't already know it, it probably isn't useful for a home because they will likely spend 20-30 minutes setting it up on a GUI once, then never or rarely touch it again.

A CLI would be very valuable and worth learning even for the uninitiated if you had even a small to medium network comprising a number of switches where you would be spending a notable amount of time managing them.
In that case it would be miserable to repeatedly make changes via the GUI.

I do agree that for anyone who is already comfortable with a switching CLI, it's a very valuable feature.

The Zyxel I recommended earlier operates primarily off a web GUI; however, there is a CLI you can access via either telnet or SSH (don't remember which) and a console header you can utilize if you're so inclined.
I think it strikes a very attractive balance between commercial and home users.

• Guest

For a new basic managed switch for home use, the ZyXel works fine indeed. But if you want to go bigger, used HP switches (or new) are a fine choice.

• Billyboy

I am searching for a cheap stackable switch for the WAN side.
I have an HA CARP setup with multi-WAN (through AVM Fritzbox routers).

Any suggestions?

• Derelict (Netgate)

Are cheap and stackable the only requirements?

(Note that those terms are usually mutually exclusive. You might also need to define the term cheap.)

• jahonix

This discussion has gone far from the topic starter's question, hasn't it?

• Derelict (Netgate)

They always morph into "what should I do instead?"

• Billyboy

I need it on the WAN side to connect 3 VDSL routers. The existing VDSL routers have built-in switches, actually directly connected to a Firebox, but it seems like they are causing trouble with the CARP failover. So VLANs, Spanning Tree and a configurable ARP timer would be good. Did I forget something? Do I need anything for CARP/VRRP support?

@Derelict:

Are cheap and stackable the only requirements?

(Note that those terms are usually mutually exclusive. You might also need to define the term cheap.)

• Guest (johnkeates)

I think getting a bridged modem is a better option. CARP/VRRP is problematic if it happens too often since most providers do MAC throttling to prevent draining the lease pool too quickly.

• Derelict (Netgate)

CARP on WAN generally does not play nice with residential-type WAN connections.

You need a static /29 there. You can usually get away with a static /32 on the secondary WAN but it is sub-optimal.

• Billyboy

@johnkeates:

I think getting a bridged modem is a better option. CARP/VRRP is problematic if it happens too often since most providers do MAC throttling to prevent draining the lease pool too quickly.

A CARP failover happens very seldom, maybe once a month, but it has to work.
What do you mean by bridged modem? PPPoE? Does this play with CARP?
Actually, I am using a private IP net only as a transfer net between the pfSense and the router, doing double NAT (in the pfSense as well as in the router). No, I am not using SIP ;-)
Would OpenWRT routers (without an extra switch) probably work better? As far as I know, you can configure the ARP timeout with OpenWRT.

• Billyboy

@Derelict:

CARP on WAN generally does not play nice with residential-type WAN connections.

You need a static /29 there. You can usually get away with a static /32 on the secondary WAN but it is sub-optimal.

I know that's sub-optimal, but that is the use case. We are replacing expensive company Internet lines with low-cost residential VDSL lines, plus adding additional HA with LTE lines (LTE is not available together with a public IP in Germany).

So I am doing double NAT, with a private IP net between pfSense and the router. Shouldn't that work? It is pretty much the same as on the LAN side.

• Derelict (Netgate)

Yes. If you want to do double NAT and put a bunch of potential points of failure in front of the firewalls, it will work fine.

As long as both primary and secondary can access the internet while the CARP VIPs are in the BACKUP state, it should work.

• Guest

@nktech1135:

Hello all.
I'm not sure how practical this is. I am looking for a managed switch for VLANs and such and was wondering if pfSense could do this? I'm already using pfSense in a routing capacity but bought a prebuilt hardware solution for that. This time I'd like to build my own.
The questions I have are these:
1. Is it a practical use of pfSense to use it as a managed switch OS?
2. If so, what would you guys recommend for an 8-port box? It should be future-proofed for updates and be under $200 if possible.
The switch will be on the LAN side so should have full gigabit speeds.

Thoughts?

First, get a switch that has 8 Gigabit LAN ports! And if you need Layer 3 routing, VLANs, LAGs (LACP), a CLI and a real serial console port, get a Cisco SG300-10 or Cisco SG350-10. They are often available at amazon.com for ~$110 (SG300-10) or ~$200 (SG350-10). If more ports and other things such as SFP/SFP+ ports or 10 GBit/s ability are another point, you will be fine with a D-Link DGS1510-20 for around ~$270, but with much more power and ports. There are also other solutions out there!

Netgear Layer 2
Netgear GS108E
Netgear GS108Tv2
Netgear GS110T

Cisco Layer 2 & Layer 3
Cisco SG200-08
Cisco SG300-10
Cisco SG350-10

Layer 3, more ports
D-Link DGS1510-20

• jahonix

@Billyboy:

We are replacing expensive company Internet lines with low-cost residential VDSL lines, plus adding …

What the hell does this have to do with "using pfsense as a managed switch"? Create a new thread for your topic.

• nktech1135

Hi all.
Thanks for all the thoughts. This just goes to show how inexperienced I am that I even asked the question. I like tinkering and I figured that if I could find something with 4 to 8 Ethernet ports I could load an OS on it and away I go. Guess such hardware isn't available, the way this sounds.
Anyway, my original question was answered. I bought the TL-SG108E before reading this so will work with it and see if I run into issues. Someone mentioned a possible VLAN issue with this unit. Could you elaborate? Do VLANs not work at all? Or just certain types?
I'm new to VLANs so will probably struggle a bit once I get this configured, but that's fine, I like a good challenge.
As for the CLI, I am familiar with Junos, but nothing much else. I'd love to buy a Juniper switch but they're too expensive for what I'm doing.
Curious, does pfSense have a good CLI? The one time I logged in via SSH I didn't see one, but I may have missed something.

Thanks again for all the help.

• Derelict (Netgate)

250-post thread here:

https://forum.pfsense.org/index.php?topic=76022.0

• whosmatt

@Inxsible:

I'd prefer working in the CLI too. Most times I go the CLI route even if a GUI is available.

Ditto. I've found most of them easy to get around in. If you're familiar with the CLI in a Cisco switch it's hardly a jump at all to manage a Dell switch, for example. They're that close.

• Derelict (Netgate)

For some little edge switch, I really don't care as long as the web interface actually does what you tell it to do. A proper management VLAN capability for the web interface is also nice.

CLI all the way for real work.

• whosmatt

@Derelict:

as long as the web interface actually does what you tell it to do

And just as important is that it's clear that what you think you're doing is what you're actually doing. I've never really dealt with the web interface in a fully managed switch, always used the CLI, but in the "prosumer" (I hate that term, but it actually seems applicable here) realm the hardest part IMO (for someone otherwise comfortable managing a switch) is that translating what the interface says to what is actually happening can be less than intuitive. Obviously it's not rocket science, but I don't fault anyone for not initially realizing that "PVID" = "native VLAN", for example.

• Derelict (Netgate)

Right - and that is specifically one of the areas the switch in question falls on its face - the PVID.

• whosmatt

@Derelict:

Right - and that is specifically one of the areas the switch in question falls on its face - the PVID.

I know. I have two of them. They'll get replaced pretty soon, but it's mostly because I need more ports. For my uses they've actually been fine, and the PVID issue that has been discussed extensively is largely academic for me in my home environment.

• whosmatt

@nktech1135:

I bought the TL-SG108E before reading this so will work with it and see if I run into issues. Someone mentioned a possible VLAN issue with this unit. Could you elaborate? Do VLANs not work at all? Or just certain types?

I use 2 of these at home right now and, the PVID issue aside, they work fine.

In a nutshell, the issue is that no matter how you assign VLANs, VLAN 1 is always available on any given port and that leads right to the management IP. That's a big no-no for the office, but in real-world home use, it won't affect how the switch actually works with VLANs. If you already have it, use it. It's fine for home use. All the VLAN stuff that you would want with pfSense will work.

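The VLAN 1 leak whosmatt describes above, and the "PVID = native VLAN" confusion discussed a few posts earlier, can be checked rather than trusted: plug a test host into a port you configured as tagged-only and look at what actually arrives on the wire. The following is an added example written for this page; it is not code from the thread, from TP-Link or from pfSense. It parses 802.1Q-tagged Ethernet frames and flags anything a host receives outside the VLANs the port was configured for. The capture is constructed inline: the MAC addresses, the 10.20/10.30 subnets and the 192.168.0.1 management address are made up, and the assumed scenario is a port configured with tagged VLANs 20 and 30 and no untagged membership, so any untagged frame that still arrives is the switch's default VLAN 1 (its PVID) leaking through.

```python
"""Audit a switch port for VLAN leakage with a small 802.1Q frame parser.

Added example (not from the forum thread, TP-Link or pfSense). Scenario and
addresses are constructed; see the lead-in text.
"""
import struct
from typing import List, Optional, Set

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, prio: int = 0) -> bytes:
    """Ethernet II frame, with a single 802.1Q tag when `vlan` is given."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        tci = ((prio & 0x7) << 13) | (vlan & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Minimal ARP who-has payload (RFC 826 layout for Ethernet/IPv4)."""
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + b"\x00" * 6 + ip_bytes(target_ip))


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, VLAN id (None if untagged), EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
        if vlan == 0:          # VID 0 is a priority-only tag: treat as untagged
            vlan = None
    info = {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[off:]}
    if ethertype == ETHERTYPE_ARP and len(info["payload"]) >= 28:
        # sender protocol address sits at ARP payload offset 14..18
        info["arp_sender_ip"] = ".".join(str(b) for b in info["payload"][14:18])
    return info


def audit_port(frames: List[bytes], tagged_vlans: Set[int],
               untagged_vlan: Optional[int]) -> dict:
    """Compare what a host receives on a port with what the admin configured.

    Untagged frames belong to `untagged_vlan` if the port has one. If the port
    was configured tagged-only (untagged_vlan=None), every untagged frame is a
    leak: on the switch under discussion that is VLAN 1 and its management IP.
    """
    seen, leaks = {}, []
    for raw in frames:
        f = parse_frame(raw)
        if f["vlan"] is None:
            label = untagged_vlan if untagged_vlan is not None else "untagged/VLAN1"
            if untagged_vlan is None:
                leaks.append(f)
        else:
            label = f["vlan"]
            if f["vlan"] not in tagged_vlans:
                leaks.append(f)
        seen[label] = seen.get(label, 0) + 1
    return {"seen": seen, "leaks": leaks, "clean": not leaks}


def demo() -> dict:
    """Constructed capture: two legitimate tagged ARPs plus one untagged ARP
    from the switch's own management interface (the leak)."""
    sw_mac, host_mac = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    bcast = "ff:ff:ff:ff:ff:ff"
    capture = [
        build_frame(bcast, host_mac, ETHERTYPE_ARP,
                    build_arp_request(host_mac, "10.20.0.10", "10.20.0.1"), vlan=20),
        build_frame(bcast, host_mac, ETHERTYPE_ARP,
                    build_arp_request(host_mac, "10.30.0.10", "10.30.0.1"), vlan=30),
        build_frame(bcast, sw_mac, ETHERTYPE_ARP,           # no tag: VLAN 1 leak
                    build_arp_request(sw_mac, "192.168.0.1", "192.168.0.50")),
    ]
    return audit_port(capture, tagged_vlans={20, 30}, untagged_vlan=None)


if __name__ == "__main__":
    report = demo()
    print("VLANs seen on port:", report["seen"])
    for leak in report["leaks"]:
        print("LEAK:", "untagged" if leak["vlan"] is None else f"VLAN {leak['vlan']}",
              "from", leak["src"], leak.get("arp_sender_ip", ""))
```

To run this against a real port, replace the constructed list with raw frames read from a capture of the test host's interface (for example a pcap written with tcpdump -w). The design choice is to decide leakage from the port's configuration rather than from the frame alone: an untagged frame carries no VID, so the only way to know which VLAN the switch put it in is to know what the port was told to do, which is exactly the PVID/native-VLAN point raised above.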
• nktech1135

@whosmatt:

I use 2 of these at home right now and, the PVID issue aside, they work fine.

In a nutshell, the issue is that no matter how you assign VLANs, VLAN 1 is always available on any given port and that leads right to the management IP. That's a big no-no for the office, but in real-world home use, it won't affect how the switch actually works with VLANs. If you already have it, use it. It's fine for home use. All the VLAN stuff that you would want with pfSense will work.

Thanks for the explanation.
For me here, having access to VLAN 1 isn't a problem. I get why you say it would be a problem in larger office networks though, although if I was working on such a network I'd not use home equipment at all, which kind of takes care of that.

                                                                                  • johnpoz
                                                                                    johnpoz LAYER 8 Global Moderator last edited by

"if I were working on such a network I'd not use home equipment at all, which kind of takes care of that."

You would be surprised at the VAST amount of "home" line equipment you find in an "office"... It really just blows my mind... You see an office running some Linksys home router for their WiFi and/or even as the internet connection router/firewall. Cheap dumb switches all over the place, etc.

To be honest, the TP-Link, even with its horrific VLAN 1 issue and the errors it shows on tagged traffic in its counters, etc., would be a major upgrade for some "offices" I have seen over the years ;)

I picked up one of these TP-Links a while back; saw it on sale, and it comes up in lots of threads here, so I wanted to play with it to be able to validate what people were saying/asking/etc. I think I got the 8-porter for like $25 to the door. It's sitting on the floor in my computer room with a few Pis connected to it, and the smart hub for my garage door connected in the IoT VLAN while the Pis are in the DMZ VLAN. I have zero worries about someone plugging into a port and getting to the management of the switch. So yeah, as others have said, for such a use it's CHEAP and you can tag VLANs with it.

But if you have a few extra bucks to spend there are far better options... Next on my list of play switches that I have been seeing lots of questions about (mostly on other forums) is the Zyxel 1900 line, which is very reasonably priced and has way more of a feature set than bottom-of-the-line TP-Link switches. I hear the "business" line is way better, etc.


© 2021 Rubicon Communications, LLC