Upgrading network to use VLANs

  • Hi everyone.

    First of all, English is not my primary language, so sorry if I don't make it well.

    I am planning to upgrade my home network. It's nothing special and it has been growing over the years. This is actually how it looks like:


    The left part is in one room, and the rest is basically on the living room. I would have liked to make things otherwise, but it is my parent's house and is not easy to fill it with devices. It is a problem with the distribution, the furniture and the space.
    Anyway, I would like to change the unmanaged switch, put the unifi us-8 in its place, and buy a cisco sg 350 to fill the space left by the unifi. My idea is to start using vlans. I know I can do something with what I have now, but I need inter-vlan routing and doing it through the netgate, with one nic for the lan side, I think it is going to be problematic, in terms of speed. My idea is to use the cisco to do the inter-vlan routing. For example, one of the virtual machines in the esx host is a plex server, which has to be reachable from the Tvs, Chromecasts and gaming consoles.

    What I thought is something like:

    VLAN xx --> Management (esx management, unifi switches and cisco switch... Nas and pihole only have one nic)
    VLAN xx --> Tvs and satellite receivers (Tvs with access to plex server through ACL from cisco switch)
    VLAN xx --> Nas, plex server
    VLAN xx --> Wifi (maybe guest wifi as well)
    VLAN xx --> Virtual machines lab

    I don't really know if this is a good approach or not sincerely, or if it is nonsense, so I hope you guys could help me a bit. Beyond all of this, I don't know where to place the pi-hole. I think in the same network that the port that links from cisco and the lan side of pfsense. And to access the management vlan, I had thought doing it through my PC, putting the nic to understand vlan tags, but again, I don't know if this is how is done. And could I have problems with nat?

    Thank you very much for your time guys.


  • @juliro said in Upgrading network to use VLANs:

    VLAN xx --> Wifi (maybe guest wifi as well)

    Normally, the main WiFi is on the native LAN and guests on a VLAN.

  • LAYER 8 Global Moderator

    Segmenting your network is not nonsense ;)

    Keep in mind if your going to use your new sg350 (nice choice btw) for your intervlan traffic - then the uplink to your psfense would need to be a transit network.. No hosts on this network that would need to get to any downstream vlans, if you do put hosts there - then you would need to host route for them to get to downstream networks - or you run into asymmetrical routing problems. So the best thing is to create a transit network between your upstream router/firewall (pfsense) and your downstream router (sg350)

    Keep in mind that controlling traffic between vlans is bit more difficult on something like the 350, then simple how easy it is to create firewall rules on pfsense. So you have to make a call on which is more important - the speed of routing at cisco switch, or the ease of simple to do firewall rules at pfsense.

    Since the sg2220 is limited on interfaces, and routing between your vlans sharing the 1 physical nic would be a hairpin and yeah be a hit on what speed you could get between vlans having to hairpin.

    You could put your pi on the management vlan or could call this an infrastructure vlan, and services like your pihole could sit there sure. Or you could create another vlan..

    As to tagging with vlans.. To be honest if your going to use a transit network to get to pfsense, and everything was behind your 350.. Tagging really wouldn't need to be involved other than using different vlans on your downstream switches from your 350.. pfsense wouldn't need to know anything about the tags because the transit/uplink from 350 to pfsense could just be native (untagged).

    Think of it this way for tags and non tagged.. When a wire is going to carry more than 1 vlan of traffic then vlans will have to be tagged. Either all of them, or 1 can be untagged (native) and the others tagged. But the tags allow the device on the other end to know which traffic is which. If your only going to have a single device attached to this port, and its only in 1 vlan then traffic would be untagged..

  • Thank you very much for your answers guys, and especially to johnpoz for his enlightening post.

    I'll probably buy the switch next month. I think more or less get the idea, although probably have a hard time setting it up :-)

    I've never use cisco switches so I don't know exactly how to make it. I'll start studying these days but, the steps I should follow could be something like...:

    1. Set the ip address for the lan interface on pfsense, that will be part of the transit network, and set it as well on the cisco port that will be the uplink to the pfsense. Make the ip from pfsense the default gateway on the cisco switch?

    2. Configure the VLANs and ports in the cisco and unifi switches. From the cisco switch, assing ip address and use dhcp in every vlan interface, and make acls to allow some traffic between vlans, like for example every host have to reach pihole to resolve dns. Is that right?

    3. I have two wires that have to be tagged, from the unifi switches (one for each) to the cisco switch. Do I have to included all vlans? For example, the switch on the left in the diagram it's not going to have any device in the management vlan. Do I have to include it because I want to reach that VLAN or it's not necessary?... I think is not, but I am not sure.

    4. Do I need to set up anything else on the pfsense side?... Is aware of the new networks?... Are my nat rules going to work just changing the network values from the rule?... The OpenVPN server is going to work as expected?

    5. About the native vlan... I understand that all ports not defined as a part of a vlan, are part of the native vlan, is that correct?

    6. Reading through the unifi documentation it says this about UAPs: "Currently, the only VLAN you can't tag to an SSID is 1, although that may change in the future, once we expand the ability to define a management VLAN to all UAPs"... what does it mean?

    Sorry for all the questions. As I was thinking about it, I have started thinking that maybe it's too much for me, but I don't know how to search for this specifics doubts.

    Thanks again


  • LAYER 8 Global Moderator

    So before unifi the IP that you managed the AP with, say, could not be a on tagged vlan it had to be native (no tag)... But this has changed recently and if your running current beta firmware and controller software you can run your AP on a tagged vlan.

    But in the big picture doesn't really matter all that much... all your ssid's can be assigned vlan and tagged, while the vlan you manage the AP on just has to be untagged.

    The smb cisco line gui is pretty easy to use if your not a cli sort of guy... Everything you will need to do on your switch you can do via the gui if so desired.

  • Ok, thanks a lot.

  • LAYER 8 Netgate

    Yeah I would just make the management VLAN the untagged/PVID on the switch ports with the Unifi APs/Controller on them. It's just what they want and expect. You can tag VLANs to other wireless networks there to your heart's content.

  • LAYER 8 Moderator

    I agree with @Derelict

    I'm currently rebuilding our home/lab network after moving into a new apartment and it has grown a bit from before. Nevertheless, I'm also running pfSense at the gates up front and behind an US-24 as "sort of core" with 3 US-8 attached. Also having an AC-AP-LR from before my setup is slightly bigger than yours but very similar (besides having more VLANs ;)). But as far as the Unifi Controller communication and AP setup goes, I definetly recommend to use their "any" profile on the AP and switch uplinks and run the designated Management VLAN as your untagged "base". If you add other things like radius-based VLANs and/or 802.1x radius-based MAC auth (so you can plug your device in anywhere and have the port either block the device if it is unknown or plug it into the right VLAN) later, then you have a pretty solid and secure approach for a home network ;)

    So, running FreeRadius on pfSense to accompany those Unifi things is really nice :) (check: https://twitter.com/J3Gr_/status/1179386082410029057)

  • Galactic Empire


    Don't forget WPA2 Enterprise with the Wi-Fi while your at it ☺

  • LAYER 8 Global Moderator

    WPA3 enterprise would be the new way to go ;) It is hopefully going to be viable here soon on the unifi stuff.

Log in to reply