Netgate Discussion Forum
    VLAN & 2 SSID

General pfSense Questions
12 Posts, 4 Posters, 1.1k Views
• BLiNX

  Hi, I just learned about pfSense a couple of days ago from VPN providers, and need some advice on building a system.

  I'm planning to set up a home wifi system like this:

  Internet <-> Router <-> Switch <-> APs (2 SSIDs)

  *Router: pfSense box with 2 NICs.
  1 WAN, 1 LAN -> 2 VLANs (Normal & VPN)

  *APs: some UniFi UAPs, broadcasting 2 SSIDs.
  SSID1 Normal (for PCs, Macs, Mobiles, etc).
  SSID2 OpenVPN (for TV, Kodi, AppleTV, etc)

  *Switch: what kind of switch should I use? (Unmanaged/Smart/Managed)

  For the above schema, is it possible to use only dual NICs on the pfSense router, or should it be 3 NICs? And how about the switch?

  Thank you for your kind suggestions, and very sorry for my bad English.

• JKnott

  You only need 2 NICs on pfSense, one for WAN & 1 for LAN. You configure the access point so that 1 SSID connects to the native LAN and the other to the VLAN. You don't need a managed switch, unless you're planning to do other VLANs for other purposes, as modern switches should pass the VLAN frames without problem.

  PfSense running on Qotom mini PC
  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
  UniFi AC-Lite access point

  I haven't lost my mind. It's around here...somewhere...

• BLiNX

  Great, I'll take the 2 NICs then.

  Many thanks for the information.

• jahonix

  @JKnott:

  You don't need a managed switch, unless you're planning to do other VLANs for other purposes…

  Huh, and you want to distribute the VLANs to the APs with an unmanaged switch? That is … risky at best.

  Rule of thumb is that you're always short of one port/interface. Go with a managed switch and you're pretty safe. Stay away from those cheap switches with "108E" in their name (TP-Link, Netgear).

• JKnott

  @jahonix:

  @JKnott:

  You don't need a managed switch, unless you're planning to do other VLANs for other purposes…

  Huh, and you want to distribute the VLANs to the APs with an unmanaged switch? That is … risky at best.

  Rule of thumb is that you're always short of one port/interface. Go with a managed switch and you're pretty safe. Stay away from those cheap switches with "108E" in their name (TP-Link, Netgear).

  This is a home network. Not a heck of a lot of risk. If he has a VLAN on the pfSense LAN interface and the same VLAN on the AP, what does the managed switch do, other than keep the VLAN off the other switch ports? How many other devices will be configured to access the VLAN? Many devices aren't even capable of supporting VLANs.

  Please note, I'm not against managed switches and even think they're a great idea for a variety of reasons. However, I don't see the point in replacing perfectly good hardware, when the existing hardware is up to the task. For there to be a security problem on a home network, you'd need someone who understands VLANs and how to configure their computer for them, if that computer is even capable. My ThinkPad isn't and I doubt my Android phone and tablet are either. That leaves my main desktop computer, pfSense computer and access point as the only devices that can access VLANs and my AP (thanks TP) doesn't handle them properly. So, how much risk would I have here, by running a VLAN on an unmanaged switch? Incidentally, there are many, many networks configured for VoIP phones, where a computer plugged directly into the switch port will see both native LAN for computers and VLAN for phones on that port. Is that a risk? To avoid that, you'd need CDP/LLDP or MAC prefix recognition to enable the VoIP VLAN when necessary. Many managed switches don't support those.

  BTW, my dog & cat haven't shown much interest in hacking my network. ;)

  Also the TP-Link TL-SG105E should be avoided, if you're working with VLANs. It's fine for port mirroring though.

• Derelict (LAYER 8 Netgate)

  That's how JKnott rolls no matter how many times he is corrected. Use at least a "Web Smart" switch that understands 802.1q please.

  Chattanooga, Tennessee, USA
  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
  Do Not Chat For Help! NO_WAN_EGRESS(TM)

• JKnott

  @Derelict:

  That's how JKnott rolls no matter how many times he is corrected. Use at least a "Web Smart" switch that understands 802.1q please.

  I really don't understand why some people here think an unmanaged switch is a problem with VLANs. Sure, if I were putting in a new network I'd use one. I also believe they should be used in business environments, for a variety of reasons, including VLANs. But is one really necessary for a small home network with only a few devices attached? Should someone throw out a switch that currently works fine, just because it isn't managed? I am well aware of reasons such as reducing broadcast traffic, but is that really a concern in a home or even small office network? As I asked above, what does a managed switch provide in such a small network? Is it really such a problem that other devices might see occasional broadcast traffic from the VLAN? Switches, with MAC forwarding, ensure those devices will see very little VLAN traffic.

  You'd really love some of the networks I've come across in my work. At several sites I've been to, they have 2 ADSL modems, configured for different subnets, connected to an unmanaged switch. One is for general Internet access and the other for hosted VoIP connection. They both run on the same network without problem and the users have no idea that both subnets are on the same wire. Computers use DHCP and phones static config. If I were designing the network, I'd use a managed switch & VLAN, but that wasn't my call. As you may have noticed, I also like managed switches for use with port mirroring.

  Bottom line, I'm not against managed switches, but don't think they're always necessary on a small network. Also, I'd question if there's been a switch made in the past several years that can't pass VLAN tagged frames. Anything built for Gb likely supports jumbo frames, which are much larger than VLAN frames. Even before that, switches were built for frame expansion to handle VLANs and other frame enhancements.

• Derelict (LAYER 8 Netgate)

  Telling people how to design their networks incorrectly cannot be allowed to stand unchallenged because these things tend to linger forever.

  Just because you can (maybe) does not mean you should.

• BLiNX

  Currently the internet is served by a standard router with some UAPs, which doesn't have a good firewall. As long as the internet connection is fast & stable, security is not really important here. Mainly for entertainment/streaming purposes only.

  @jahonix:

  … Stay away from those cheap switches with "108E" in their name (TP-Link, Netgear).

  @JKnott:

  … the TP-Link TL-SG105E should be avoided, if you're working with VLANs. It's fine for port mirroring though.

  @Derelict:

  … Use at least a "Web Smart" switch that understands 802.1q please.

  I will avoid those SG105E & 108E, although they support 802.1q. I just want to know why I should?

• Derelict (LAYER 8 Netgate)

  Because they are junk. Even though they say dot1q they have crap code that doesn't do it properly.

  Get a D-Link DGS-1100-XX for about US$30.

• JKnott

  @Derelict:

  Telling people how to design their networks incorrectly cannot be allowed to stand unchallenged because these things tend to linger forever.

  Just because you can (maybe) does not mean you should.

  I would really like to know what the issue is with having VLAN and native LAN available on the same wire on a small network. What do you think is the problem? As I mentioned, you get precisely that whenever you have computers and VoIP phones sharing the same connection. What great disaster will befall the network? Please note, I am not advocating that managed switches not be used, I just want to know why you think they're so necessary.

  I have often come across "common knowledge" that people insist is hard fact. On digging, it often turns out that it was just an assumption that somehow got turned into fact. One such example that was common years ago, was that you couldn't share a cable between a phone and Ethernet. Well, that "fact" ignores that StarLAN, which evolved into 10baseT, was designed to share 3 pair CAT 3 cable with a phone line. Yet most people don't know that.

  If you want, I can get into a discussion I had with one of my Electrical Engineering instructors that challenged the assumption that you can't have more than 100% modulation on AM. Turns out you can, if you know how.

• JKnott

  @BLiNX:

  Currently the internet is served by a standard router with some UAPs, which doesn't have a good firewall. As long as the internet connection is fast & stable, security is not really important here. Mainly for entertainment/streaming purposes only.

  @jahonix:

  … Stay away from those cheap switches with "108E" in their name (TP-Link, Netgear).

  I will avoid those SG105E & 108E, although they support 802.1q. I just want to know why I should?

  They leak traffic from the native LAN to the VLAN. My TP-Link access point does the same thing, which makes it useless for having multiple SSIDs and VLANs.

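The failure JKnott describes above, native-LAN frames showing up on the VLAN, is something you can check for on your own gear rather than take on faith: capture on the port that should only ever carry tagged traffic for the OpenVPN SSID and flag anything untagged or tagged with another VLAN ID. This is an added example, not code from the thread, pfSense or UniFi; the 802.1Q parser, the VLAN numbers (20 for the VPN SSID, 30 as a stray) and the MAC addresses are all constructed here.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # a 4-byte 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Split a raw Ethernet frame into MACs, VLAN ID (None if untagged) and ethertype."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18      # low 12 bits of the TCI are the VLAN ID
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def audit_trunk(frames, allowed_vlans):
    """Frames captured on a port that should carry only tagged traffic for allowed_vlans.
    Returns (index, reason, source MAC) for every frame that does not belong there."""
    findings = []
    for i, raw in enumerate(frames):
        p = parse_frame(raw)
        if p["vlan"] is None:
            findings.append((i, "untagged native-LAN frame", p["src"]))
        elif p["vlan"] not in allowed_vlans:
            findings.append((i, f"unexpected VLAN {p['vlan']}", p["src"]))
    return findings


def build_frame(dst, src, vlan, ethertype, payload):
    """Constructed frames for offline testing (hypothetical MACs, minimal payload)."""
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


# Constructed capture: VLAN 20 is the VPN SSID; frame 1 is what a leaky switch or AP
# would show (untagged native-LAN traffic), frame 2 is a VLAN that should not be here.
BCAST, STUB = b"\xff" * 6, b"\x45" + b"\x00" * 19
SAMPLE_CAPTURE = [
    build_frame(BCAST, bytes.fromhex("02000000aa01"), 20, ETHERTYPE_IPV4, STUB),
    build_frame(BCAST, bytes.fromhex("02000000bb02"), None, ETHERTYPE_IPV4, STUB),
    build_frame(BCAST, bytes.fromhex("02000000cc03"), 30, ETHERTYPE_IPV4, STUB),
]


def audit_sample():
    return audit_trunk(SAMPLE_CAPTURE, allowed_vlans={20})
```

On real hardware, feed `audit_trunk` raw frames read from a capture taken on the AP-facing switch port (or a pcap) instead of `SAMPLE_CAPTURE`; an empty result over a few minutes of normal traffic is the evidence that the switch keeps the native LAN and the VLAN apart.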