Recommended smart switch for Unifi AP? Easy interface, inexpensive, secure

Velcro

Wanted to see if there are any recommendations for a managed switch for my pfSense and Unifi AC Pro setup?

My wish list would be:

1. super easy interface that can be easily configured…I was using one for a while but it was massively complex with way too many features. Really hoping for an easy interface with only bare bone features.
2. Inexpensive
3. Secure

What I am trying to do is have a dedicated interface to manage my pfSense and Unifi AC Pro(Controller needs to be on same L2), this interface would have no internet access and would be restricted to managing these devices only.

I am assuming a simple dumb switch would not work and would broadcast VLANs on the other ports on the switch?
I think the Unifi Cloud Key also needs a switch?
L3 adoption seems fairly complex...is it? I do have the ability to run VMs if this is a better route?

I am running an SG2440 and don't really need the extra ports, however I need to access the AP. The plan is to secure my devices with certificates when possible using a radius server.

Any thoughts?

Thanks for any recommendations on a switch or suggestions on a different setup...

Grimson

https://forum.pfsense.org/index.php?topic=136848.0

JKnott

I am assuming a simple dumb switch would not work and would broadcast VLANs on the other ports on the switch?

First off, don't go with the TP-Link switch mentioned in that other thread.  They don't handle VLANs properly.

Also, you seem to have a misunderstanding of how switches work.  They don't broadcast anything other than actual broadcasts/mulitcasts and frames where they don't know where the destination is.  Beyond that, switch forwarding is based entirely on MAC look up to determine the appropriate port.  VLANs do not change that.  On an unmanaged switch, a VLAN frame will only go where it's destination is.  Nowhere else.  However, an unmanaged switch will not allow you to isolate VLANs as logically separate LANs (this is where TP-Link also falls down), so it becomes necessary to configure the Ethernet port on the device for a specific VLAN..

To answer your question, there are many inexpensive managed switches. Take your pick according to your needs.  Just avoid TP-Link.

Here's one from Cisco that I have been looking at:
https://www.cisco.com/c/en/us/support/switches/sg200-08-8-port-gigabit-smart-switch/model.html

johnpoz

Yeah stay away from the tplink… They are suppose to be working on fix for their very very flawed take of vlans... But still have not seen it..

The dgs1100 from dlink has easy to use interface... Seem like the 5 port model would be enough for you..

https://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-05/dp/B00AKRTLXA

That will save you couple of $ over the 8 port.. If me I would get the 8 port, never know when an extra port will come in handy..

NogBadTheBad

Wouldn't the 8 port POE be a better model to purchase as the 5 port isn't POE.

JKnott

@NogBadTheBad:

Wouldn't the 8 port POE be a better model to purchase as the 5 port isn't POE.

Do you have a need for PoE?  I see one access point.  Does it support PoE?  Some, such as the one I have, come with a PoE injector.  Do you have VoIP phones that need PoE?  A single PoE injector might be less expensive than the price difference for a PoE switch.

johnpoz

When you buy unifi AP alone and not in a pack they come with the injector.  The 8 port model has a non poe model as well.  Which specific AP are you getting?  Their lite and LR models are not standard poe and you really need to use their injector or buy a adapter..

If your getting the pro then sure it should work with the poe version..  But those are more expensive - since you should already have the injector just use that..

Velcro

I already had a Unifi AP pro…I bought the DGS1100 (5 ports) at my local store. Thank you all...

mwp821

Just to throw another idea out there, why not connect the UniFi Cloud Key directly to an unused interface on the SG-2440 (you may need to use a crossover cable) and bridge the interfaces? It would not be appropriate for high-performance applications, but it should be fine for a management device.

You could also ditch the Cloud Key and run the UniFi Controller directly on pfSense.

Finally, since you're already in the UniFi ecosystem and you have a small PoE+ requirement, maybe consider a US-8-60W (or even a US-8-150W). It's a little pricier than the other options mentioned but it'll integrate nicely and eliminate the need for an injector to feed the AP.

JKnott

(you may need to use a crossover cable)

Crossover cables are passé.  Gigabit and many 100 Mb ports are auto MDI-X and so don't need a crossover cable.

occamsrazor

@mwp821:

You could also ditch the Cloud Key and run the UniFi Controller directly on pfSense.

I'm thinking of taking the plunge into a Ubiquiti switch, possibly the 48-port Unifi non-POE, to be connected to my Qotom i5 router. I don't need that many ports, but would like the SFP+ ports for future expansion. How well and easy does running the Unifi controller on pfSense work? How easy is it to upgrade - you are limited to what the maintainer of that script updates it to, right? Thanks

johnpoz

How many ports would you need - 48 is a lot of freaking ports.. And its not even L3..

Why would you not look at say sg300 line, all of which have combo ports for sfp+

Once you have ports out your know what - why would you not just run the  cloudkey for your controller vs putting it on pfsense?  If your going to run it on the same hardware then I really would just run VM hosting on your box and then run your controller and pfsense in different vms.

occamsrazor

@johnpoz:

How many ports would you need - 48 is a lot of freaking ports.. And its not even L3..

Yes I don't need 48. Need about 16-20 at the moment. But the only Unifi switch with SFP+ is the 48.
I'm not sure I really need full L3 functionality. I haven't segmented my network with VLANs yet but am hoping to experiment in the future. If I needed to do routing between the VLANs couldn't that be done at the pfSense level? Sorry, I'm still learning….

@johnpoz:

Why would you not look at say sg300 line, all of which have combo ports for sfp+

I actually have been looking at the Cisco small business line. But from what I could see amongst the dozens of models, the SG300 series do not have SFP+, for that you need the 350x or 550x….. or am I wrong?
Always hard to know from online reports/reviews, but I read mixed opinions about the small business line.

@johnpoz:

Once you have ports out your know what - why would you not just run the  cloudkey for your controller vs putting it on pfsense?  If your going to run it on the same hardware then I really would just run VM hosting on your box and then run your controller and pfsense in different vms.

What would be the advantage of the cloudkey over running the Unifi controller on my pfSense router or simply on my laptop? If I'm the only admin. I should add this is all for a home/homelab type situation.

Grimson

@occamsrazor:

If I needed to do routing between the VLANs couldn't that be done at the pfSense level? Sorry, I'm still learning….

Yes, but with a lot less performance and more load on the pfSense device.

@occamsrazor:

What would be the advantage of the cloudkey over running the Unifi controller on my pfSense router or simply on my laptop? If I'm the only admin. I should add this is all for a home/homelab type situation.

In that case you can also use an RPI2 or 3 to run the controller on. Maybe you have one collecting dust somewhere.

Running the controller on the pfSense OS can have unforseen issues when pfSense upgrades or a controller upgrade installs conflicting packets. If you absolutely need to run both on the same hardware I'd strongly agree with johnpoz, put each into it's own VM.

johnpoz

What specific are you wanting to use with the SFP?

All of the sg300 lines even the 10 port model come with 2 combo ports, so you can use just standard copper or you can use a SFP module in place of using the copper port

Shoot they even sell a 10 port SFP only model in the sg300 line.

You can view what sfp are compatible here
https://www.cisco.com/c/en/us/products/collateral/switches/small-business-smart-switches/data_sheet_c78-610061.html

occamsrazor

Correct me if I'm wrong, but all those combo ports are SFP, not SFP+. i.e 1G not 10G.

johnpoz

Yes they are sfp not sfp+

So what your looking for is 10ge uplink?

occamsrazor

@johnpoz:

Yes they are sfp not sfp+

So what your looking for is 10ge uplink?

Yes, copper gigabit ports with at least 2 SFP+ uplink ports. Initially to run at 1G speed with SFP modules but later to upgrade my 2nd switch in another room and swap-in SFP+ modules to enable a 10ge link between the two.

johnpoz

Yeah if you want 10ge uplink You would have to go with the SG500X or 350X I do believe..

Sorry about that I didn't catch you wanted the ability to go to 10ge uplink - I overlooked the + on your sfp ;)

Yeah pricepoint the unifi 48 prob your best best to allow you to go to 10ge uplinks in the future.. How much in the future are you thinking?  Like something your going to do in next year or so - or just wanting to future proof?  For some unknown date down the road?

occamsrazor

@johnpoz:

Yeah if you want 10ge uplink You would have to go with the SG500X or 350X I do believe..

Sorry about that I didn't catch you wanted the ability to go to 10ge uplink - I overlooked the + on your sfp ;)

Yeah pricepoint the unifi 48 prob your best best to allow you to go to 10ge uplinks in the future.. How much in the future are you thinking?  Like something your going to do in next year or so - or just wanting to future proof?  For some unknown date down the road?

No worries, and thanks. The "future" would likely be within the next year. Really I'd like to now, but I want to take it a bit step-by-step. On switches with 10ge uplinks there is a great and very long thread here (just in case it's of help to anyone else):

https://forums.servethehome.com/index.php?threads/gigabit-10gb-switches-under-550.6921/

At the more consumer end the TP-Link T1700G-28TQ:

https://www.tp-link.com/us/products/details/cat-40_T1700G-28TQ.html

is pretty great bang for the buck with 24 x 1GB RJ-45, 4 x 10ge SFP+, is completely fanless and goes for around $300 in the US. But I haven't been entirely happy with the firmware on the TP-Link router I use as a pure access point, so I'm not sure I want to go with them. Netgear GC728X…

https://www.netgear.com/business/products/switches/insight-managed-smart-cloud/GC728X.aspx

is also interesting hardware [ignore the cloud aspect, it has a normal Netgear web GUI as alternative].

10ge gear is getting a lot more affordable these days. But the whole user experience is also important for me so…. more research to do first I think :-)