VLAN setup for IOT
I'm new here, and hoping to find some advise.
I have pfSense up and running with some packages, all running fine. It's a steep learning curve, but I've been reading a lot here and that has helped me through.
Now I would like to ask you all for some help in designing my network.
Topology: WAN - pfSense - VLAN capable switch (Netgear GS108E, so management interface can't be on a management VLAN...) connected to:
- 1 switch (GS105E) - 1 unifi AP (our appartment) and some wired IOT
- each other appartment has a router/AP/modem device, currently used as switch/AP combi (can be upgraded to VLAN capable switch with unifi)
- 1 AP (unifi) in the garden
- some wired IOT
pfSense runs on an i3 with 8GB RAM, so capable enough. I'm happy to upgrade the (intel) dual port NIC to 4 port if needed.
I have one WAN in my house. My house has 3 apartments (I live in one, 2 are rented out). So each apartment has a switch and AP and shares the internet connection.
I have thought about a "connection matrix" and came up with this:
For instance, IOT needs access to Domoticz, but I don't want that to access my NAS. For the camera's it's the reverse.
Ideally I want to separate the computers from all the renters (private VLAN?).
To make matters more complex, the renters and us are fairly close and hang around in each other's apartment quite a bit, so there should be wifi accessible to all in all apartments (not the same wifi per se, a "landlord", "renter" and "guest" wifi is an option).
So my question is: how to cater for all these "rules"? Having each (group of) devices in its own VLAN would solve that, but since the unifi's "only" allow 4 SSIDs I guess that limits my VLANS to 4 or 5 in practise (each SSID in a separate VLAN).
I have thought of restricting access through IP and/or MAC, but both can be spoofed.
I read this thread but I did not really understand it: https://forum.netgate.com/topic/131801/how-to-access-iot-device-vlan/2
Semi-separate topic: I have a receiver with airplay capability. I installed avahi, and it becomes visible to all users, but once I want to start streaming nothing happens. Only when I open everything (across its VLAN) it works?
Thanks for any help! (if there is a better forum for this topic I'm happy to be redirected).
No one has any ideas?
but since the unifi's "only" allow 4 SSIDs I guess that limits my VLANS to 4 or 5 in practise (each SSID in a separate VLAN).
Not sure where you got that idea - they can do 8 ssids.. And with dynamic assignment of vlans you are really unlimited.
Allow configure 8 SSIDs per radio (on supported devices).
If each apartment has their own AP what does it matter how many SSID each AP could support... Just use different ssid on each AP that is assigned to different vlans, etc. etc.
You do not have to broadcast the same SSID on all AP connected to a controller - this is what wlan groups are for.. To be honest the ssid limit is per radio actuall - so you could really do 16 ssid on the same AP 8 or 2.4 and 8 on 5.. But really lots of SSIDs is not a good idea.. If you have need of lots of different vlans for different wireless devices all on the same AP then look into dynamic assigned vlans, or called radius controlled vlans. You could have 100 different vlans all the same SSID in theory.
@jeecee How many physical network ports does your pfsense box have on it?
You technically only need 2 - WAN and LAN. But, if you only have 2 ports, you have to get fancy (kinda) with using VLANs. You have pretty much spelled out the solution already - at least 3 VLANs: landlord, renter, guest.
I would personally get the unifi wireless access points and ditch anything else that's already installed across your network. The AP AC Lites can be had for as little as $80 US, and add a controller. Put 1 of these APs in each apartment, and 1 in the garden. The unifi gear can speak VLAN stuff, so add all 3 VLANs into the controller and enable VLANs on both your pfsense box and smart switches. Done. You have to get smart switches, at least 1, for this to work. I see you already have 1, so that should work fine.
Don't give the other apartments physical access to any of the actual smart switch ports, unless you want to program them accordingly. I would skip that just to avoid the extra work. Make the renter apartments go wifi only.
Where it gets a little goofy is the airplay streaming stuff. That tech really likes to only work in 1 subnet, and the moment you enable and program VLANs across your network, streaming stuff across subnets starts to break. It's all over this forum, search and you will see. I don't know if the problem has actually been solved or not. To keep it simple, I would just limit airplay streaming to your own landlord subnet/VLAN.
Hope that helps some...
It's an old topic but my mum taught me to thank people who help ,)
I forgot about this topic until I needed help again, how typical.
Tnx John, I realized that indeed not all apartments need the same SSID, the grouping function is really handy.
Radius was not an option due to the requirement of enterprise WPA and headless clients.
akuma1x, thanks, I did indeed replace all APs with unifi. I bought a cisco smart switch which enabled me to selectively route the VLANs over the wires into the apartments. I only realized too late that these modern PlayStations have wifi as well ;)
Streaming, yeah, work in progress.