Topology Question

  • Greetings,

    I'm a network and pfSense noob, but getting there. I've read a lot and this forum is by far the best source of good advice I've found.

    I have a home business and want to keep my biz and home stuff separate. I built a Qotom i7 router and installed pfSense without a hitch. I've set up pfSense for a dual-LAN configuration using two switches, one for each LAN. My home LAN is on the pre-configured NIC and matched the same basic rule set on the biz LAN to get it up.

    I created the attached topology diagram to help guide me along the way and to seek advice on what I might be screwing up. My home LAN is more complex with IoT devices that I want to block from WAN access (cameras and such), so I'm using a managed switch with a Ubiquiti WAP to serve up wireless access.

    The firewall rules on each LAN lie ahead as does the setup of the managed switch; those look pretty daunting to me. Before I get to those, I wanted to get some feedback on whether my topology is correct and doable, and how I should plan the next steps in terms of programming pfSense... pitfalls to watch for and things I need to ensure I get right.

    I would be very grateful for any advice on the layout and the order of tackling what lies ahead when implementing. Thanks in advance - hopefully the feedback will help others as well.


  • Hi @traderyoda - Overall, I think this will work. Looking at the home side of your network I had a couple questions though (things that weren't quite clear from the diagram):

    Are you planning on passing all tagged and untagged (regular) traffic through port 1 for your home network (i.e. VLAN 80 - 86), making port 1 essentially a trunk port? If yes, will VLAN 80 be untagged traffic and the rest tagged? Keep in mind that the Ubiquiti AP does not support tagged VLAN traffic for its management interface (at least this was the case a couple of years ago; it may have changed since then). Using tagged VLAN traffic for the different wireless networks (SSIDs) on the AP will work fine though. Also, make sure that any IoT devices you are planning on using support tagged VLAN traffic - not all of them do.

    Hope this helps.

  • @tman222
    Thanks for the feedback - at least I'm on the right track.

    I did plan port 1 as a trunk. I was concerned about managing the AP with tagged traffic and found a lot of confusion, but I thought that Ubiquiti updated their controller software to add this feature last year. I don't have the 'Pro' version of the AP and my version might not permit this - it's a concern. Thanks for the tip about IoT devices - I'll check. My biggest concern is cameras; I have 3 Dahua units.

    Every time I convince myself that I understand tagged/untagged I find myself quickly confused again!

  • @traderyoda - If you keep VLAN 80 (management) untagged, you would still be fine even if the Ubiquiti AP does not support tagged traffic on its management interface. When you set up the Ubiquiti switch, just make sure to configure port 4 to pass VLAN 80 untagged traffic along with VLAN 81 - 83 tagged traffic. I assume you'll have the UniFi Controller sitting on VLAN 80 as well then?

    Hope this helps.

  • @tman222
    It sure does - helps a lot. Yes, I have a dedicated management PC with the Unifi Controller installed. I will be sure to set up Port 4 correctly. Cheers!
