VLAN & 2 SSID



  • Hi, I just learned about pfSense a couple of days ago from VPN providers, and need some advice on building a system.

    I'm planning to set up a home wifi system like this:

    Internet <-> Router <-> Switch <-> APs (2 SSIDs)

    *Router: pfSense box with 2 NICs.
    1 WAN, 1 LAN -> 2 VLANs (Normal & VPN)

    *APs: some UniFi UAPs, broadcasting 2 SSIDs.
    SSID1 Normal (for PCs, Macs, Mobiles, etc).
    SSID2 OpenVPN (for TV, Kodi, AppleTV, etc)

    *Switch: what kind of switch should I use? (Unmanaged/Smart/Managed)

    For the above schema, is it possible to use only dual NICs on the pfSense router, or should it have 3 NICs? And how about the switch?

    Thank you for your kind suggestions, and very sorry for my bad English.



  • You only need 2 NICs on pfSense, one for WAN and one for LAN. You configure the access point so that one SSID connects to the native LAN and the other to the VLAN. You don't need a managed switch, unless you're planning to do other VLANs for other purposes, as modern switches should pass the VLAN frames without problem.



  • Great, I'll take the 2 NICs then.

    Many thanks for the information.



  • @JKnott:

    You don't need a managed switch, unless you're planning to do other VLANs for other purposes…

    Huh, and you want to distribute the VLANs to the APs with an unmanaged switch? That is … risky at best.

    Rule of thumb is that you're always short of one port/interface. Go with a managed switch and you're pretty safe. Stay away from those cheap switches with "108E" in its name (TP-Link, Netgear).



  • @jahonix:

    @JKnott:

    You don't need a managed switch, unless you're planning to do other VLANs for other purposes…

    Huh, and you want to distribute the VLANs to the APs with an unmanaged switch? That is … risky at best.

    Rule of thumb is that you're always short of one port/interface. Go with a managed switch and you're pretty safe. Stay away from those cheap switches with "108E" in its name (TP-Link, Netgear).

    This is a home network.  Not a heck of a lot of risk.  If he has a VLAN on the pfSense LAN interface and the same VLAN on the AP, what does the managed switch do, other than keep the VLAN off the other switch ports?  How many other devices will be configured to access the VLAN?  Many devices aren't even capable of supporting VLANs.

    Please note, I'm not against managed switches and even think they're a great idea for a variety of reasons.  However, I don't see the point in replacing perfectly good hardware, when existing is up to the task.  For there to be a security problem on a home network, you'd need someone who understands VLANs and how to configure their computer for them, if that computer is even capable.  My ThinkPad isn't and I doubt my Android phone and tablet are either.  That leaves my main desktop computer, pfSense computer and access point as the only devices that can access VLANs and my AP (thanks TP) doesn't handle them properly.  So, how much risk would I have here, by running a VLAN on an unmanaged switch?  Incidentally, there are many, many networks configured for VoIP phones, where a computer plugged directly into the switch port will see both native LAN for computers and VLAN for phones on that port.  Is that a risk?  To avoid that, you'd need CDP/LLDP or MAC prefix recognition to enable the VoIP VLAN when necessary.  Many managed switches don't support those.

    BTW, my dog & cat haven't shown much interest in hacking my network.  ;)

    Also the TP-Link TL-SG105E should be avoided, if you're working with VLANs. It's fine for port mirroring though.


  • Netgate

    That's how JKnott rolls no matter how many times he is corrected. Use at least a "Web Smart" switch that understands 802.1q please.



  • @Derelict:

    That's how JKnott rolls no matter how many times he is corrected. Use at least a "Web Smart" switch that understands 802.1q please.

    I really don't understand why some people here think an unmanaged switch is a problem with VLANs. Sure, if I were putting in a new network I'd use one. I also believe they should be used in business environments, for a variety of reasons, including VLANs. But is one really necessary for a small home network with only a few devices attached? Should someone throw out a switch that currently works fine, just because it isn't managed? I am well aware of reasons such as reducing broadcast traffic, but is that really a concern in a home or even small office network? As I asked above, what does a managed switch provide in such a small network? Is it really such a problem that other devices might see occasional broadcast traffic from the VLAN? Switches, with MAC forwarding, ensure those devices will see very little VLAN traffic.

    You'd really love some of the networks I've come across in my work.  At several sites I've been to, they have 2 ADSL modems, configured for different subnets, connected to an unmanaged switch.  One is for general Internet access and the other for hosted VoIP connection.  They both run on the same network without problem and the users have no idea that both subnets are on the same wire.  Computers use DHCP and phones static config.  If I were designing the network, I'd use a managed switch & VLAN, but that wasn't my call.  As you may have noticed, I also like managed switches for use with port mirroring.

    Bottom line, I'm not against managed switches, but don't think they're always necessary on a small network. Also, I'd question if there's been a switch made in the past several years that can't pass VLAN-tagged frames. Anything built for Gb likely supports jumbo frames, which are much larger than VLAN frames. Even before that, switches were built for frame expansion to handle VLANs and other frame enhancements.


  • Netgate

    Telling people how to design their networks incorrectly cannot be allowed to stand unchallenged because these things tend to linger forever.

    Just because you can (maybe) does not mean you should.



  • Currently the internet is served by a standard router with some UAPs, which doesn't have a good firewall. As long as the internet connection is fast & stable, security is not really important here. Mainly for entertainment/streaming purposes only.

    @jahonix:

    … Stay away from those cheap switches with "108E" in its name (TP-Link, Netgear).

    @JKnott:

    … the TP-Link TL-SG105E should be avoided, if you're working with VLANs. It's fine for port mirroring though.

    @Derelict:

    … Use at least a "Web Smart" switch that understands 802.1q please.

    I will avoid those SG105E & 108E, although they support 802.1q. I just want to know why I should?


  • Netgate

    Because they are junk. Even though they say dot1q they have crap code that doesn't do it properly.

    Get a D-Link DGS-1100-XX for about US$30.



  • @Derelict:

    Telling people how to design their networks incorrectly cannot be allowed to stand unchallenged because these things tend to linger forever.

    Just because you can (maybe) does not mean you should.

    I would really like to know what the issue is with having VLAN and native LAN available on the same wire on a small network. What do you think is the problem? As I mentioned, you get precisely that whenever you have computers and VoIP phones sharing the same connection. What great disaster will befall the network? Please note, I am not advocating that managed switches not be used, I just want to know why you think they're so necessary.

    I have often come across "common knowledge" that people insist is hard fact. On digging, it often turns out that it was just an assumption that somehow got turned into fact. One such example that was common years ago was that you couldn't share a cable between a phone and Ethernet. Well, that "fact" ignores that StarLAN, which evolved into 10baseT, was designed to share 3-pair CAT 3 cable with a phone line. Yet most people don't know that.

    If you want, I can get into a discussion I had with one of my Electrical Engineering instructors that challenged the assumption that you can't have more than 100% modulation on AM. Turns out you can, if you know how.



  • @BLiNX:

    Currently the internet is served by a standard router with some UAPs, which doesn't have a good firewall. As long as the internet connection is fast & stable, security is not really important here. Mainly for entertainment/streaming purposes only.

    @jahonix:

    … Stay away from those cheap switches with "108E" in its name (TP-Link, Netgear).

    I will avoid those SG105E & 108E, although they support 802.1q. I just want to know why I should?

    They leak traffic from the native LAN to the VLAN.  My TP-Link access point does the same thing, which makes it useless for having multiple SSIDs and VLANs.
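The leak described above (native LAN frames or frames from another VLAN showing up where only the VPN VLAN should be) can be checked rather than argued about. The following is an added example, not code from the thread or from pfSense: it decodes 802.1Q tags from raw Ethernet frames and flags every frame on a constructed capture that does not carry the expected VID; the VID 20 for the VPN SSID and the sample frames are assumptions made up for the demonstration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_frame(frame: bytes) -> dict:
    """Decode dst/src MAC, the optional 802.1Q tag and the EtherType of one raw frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF  # low 12 bits of the TCI are the VID; PCP/DEI sit in the top 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "ethertype": ethertype}


def audit_vlan_capture(frames, expected_vid):
    """Frames captured on a port or SSID that should carry only `expected_vid`.
    Returns (index, reason) for each frame that does not belong there."""
    findings = []
    for i, raw in enumerate(frames):
        f = parse_frame(raw)
        if f["vid"] is None:
            findings.append((i, "untagged (native LAN) frame seen on VLAN side"))
        elif f["vid"] != expected_vid:
            findings.append((i, f"frame tagged with VID {f['vid']}, expected {expected_vid}"))
    return findings


def build_frame(dst, src, ethertype, payload, vid=None):
    """Construct a test frame; insert an 802.1Q tag with the given VID when requested."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample capture (not real traffic): what a leaky switch/AP might deliver on VLAN 20.
SAMPLE_CAPTURE = [
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, b"\x00" * 28, vid=20),  # ARP on VLAN 20: expected
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:02", 0x0806, b"\x00" * 28),          # untagged: leaked native LAN
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:04", 0x0800, b"\x45" + b"\x00" * 19, vid=10),  # wrong VLAN
]

if __name__ == "__main__":
    for idx, reason in audit_vlan_capture(SAMPLE_CAPTURE, expected_vid=20):
        print(f"frame {idx}: {reason}")
```

To run this against a real capture, take it on the parent (trunk) interface with link-layer headers included, since a VLAN sub-interface hands you frames with the tag already stripped.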