VLAN setup with more than enough physical network ports
-
Hi, I am sure I will demonstrate a complete lack of understanding of the concept, but hey, look at my screen name ;)
I would like to update my home network and create a bit more secure environment with all the IoT stuff, CCTV, and other crap being on my network.
In my setup, I used to have an ASRock Rack mobo with two Intel LAN ports and 3 Netgear GS108Tv2 switches stack on top of each other. I also happen to have an Intel Pro 1000 4-port NIC which I decided to throw into the mix to set up a segmented network. I also have a Hikvision 100Mbps PoE switch with 5 ports (1 uplink) for the CCTV cameras. So I have now 6 physical LAN ports at my disposal with three 8-port switches and the Hikvision. I also have an Unifi AP for wifi with the controller running on my FreeNAS box.
I'd like to create the following network environment:
LAN: desktops, laptops, Macs, FreeNAS server on 192.168.20.x - Netgear GS108Tv2 #1
VLAN30: VOIP phone on 192.168.30.x (could be connected directly to one of the Intel Pro 1000 ports as we have only one phone)
VLAN40: CCTV cameras on 192.168.40.x - Hikvision PoE - Netgear GS108Tv2 #2
VLAN50: all other crap, TV, some IoT devices on 192.168.50.x - Netgear GS108Tv2 #3
VLAN60: guest WiFi network for wireless clients only on 192.168.60.xThere are some more decisions to make:
- Kodi box - it needs internet and it also needs to access the media dataset on FreeNAS
- CCTV cameras connected to the Hikvision PoE switch but need to access cctv dataset on Freenas to store the footage
- Samsung network printer which I'd personally put on VLAN50 but the LAN devices need to access it
- Could VLAN60 only exist on the Unifi AP or do I need to set it up on pfSense as well?!?
Feel free to give me advice on the network layout but the question which bugs me most is this:
All tutorial on VLANs say go to Interfaces/Assignments/VLANs and create a VLAN
then go to Interface assignments and create an Interface for this VLAN
As I have enough physical network port what would be the difference if I just do this:
I know, it's not a VLAN setup but what would be the pros and cons having this instead of the VLANs on parent interfaces in relation to pfSense setup/rules/security/etc?
Thanks for all the input :)
[Edit] Typos and some more detailed explanation
-
@makesnosense said in VLAN setup with more than enough physical network ports:
I know, it's not a VLAN setup but what would be the pros and cons having this instead of the VLANs on parent interfaces in relation to pfSense setup/rules/security/etc?
No difference at all, if those ports are all connecting to the same switch, other than perhaps a bit of a performance improvement. Even that will be limited by the rest of your network.
-
@makesnosense said in VLAN setup with more than enough physical network ports:
I know, it's not a VLAN setup
Unless those interfaces are all going to different physical switches, then yes it is a vlan setup - your just not doing tags on pfsense. But those go to the same switch, then yeah you must have vlans setup in your switch(es) that correspond to those networks.
If you have the interfaces on your router and ports on your switch then sure this is going to be optimal setup for inter vlan traffic - since none of your traffic between vlans would be hairpinned or sharing the same physical interface speed.
I have combination sort of setup - I have uplinks from my switch to some networks via native and only the one network on the interface. And then another uplink that has vlans on it. The wireless vlans are the one that share the same physical port as the uplink from switch to router is because they are normally limited in speed anyway by the wireless, and they have little to zero intervlan traffic anyway between those vlans.
-
Thank you guys for the quick reply.
So why not even the pfSense book mentions this? Is it because this isn't the most "economical" way to use your physical resources? I mean instead of using 3 Netgear switches I could use 2 with tagging and port mapping and also with tagging I would not need a 4-port Intel NIC as I could use my LAN port as a parent interface? Obviously, when speed is not an issue on a small network.
That means my setup should look something like this:
No VLAN tags at all:
And all interfaces assigned to different physical ports:
Which leaves me one spare till :)
-
The book is not everything there is to know about networking and more and how to best leverage interfaces based upon your specific networks requirements ;) The book is about pfsense, and sure it goes over how to setup vlans, and it goes over how to setup an interface on a network. And sure touches on some basic concepts where required to explain how something work in pfsense, etc.
To be honest this is basic 101 network management and understanding... The very nature of a vlan means that they share the physical constraints of the interface they will be on.
How you setup router and switches to best suite your needs/wants is up to you... Sure if the 1 physical interface can handle your traffic - then yeah you get by with 1 physical interface for all of your networks. Be it 100, gig or 10+ gig interface, etc.. etc..
Or maybe you want to setup all your physical interfaces as a lagg and then run your vlans on the lagg..
If the book went into all the possible things - it would be as thick as old school encyclopedia, and still be missing out on vast amount of information ;)
-
@johnpoz The more you learn the more you realize you know very little. I'm consistently amazed by people who can drag some obscure bit of experience out from something they did years ago.
On the other hand you can learn how to find the information you need quickly when needed. Google foo or whatnot...
-
@johnpoz said in VLAN setup with more than enough physical network ports:
If the book went into all the possible things - it would be as thick as old school encyclopedia, and still be missing out on vast amount of information ;)
It is already thick :)
@jwj said in VLAN setup with more than enough physical network ports:
@johnpoz The more you learn the more you realize you know very little.
My line exactly!
-
@makesnosense said in VLAN setup with more than enough physical network ports:
Is it because this isn't the most "economical" way to use your physical resources?
Unless you have physically separate networks, there's no real point in using multiple ports. The whole idea with VLANs is to logically separate virtual networks, while running them over the same wire. So, you might want to provide higher priority for VoIP, while using the same LAN connection as a computer. Or, you'd use VLANs if you had multiple SSIDs for the same access point, perhaps for guests that only connect to the Internet, etc..
-
@jwj said in VLAN setup with more than enough physical network ports:
The more you learn the more you realize you know very little
So true... I have been in this field professionally like 25 years.. There was some cross over years where I was paid to do engineering on the mechanical side but also did IT related stuff.. But about 25 years ago or so went full time into IT.. My title changed and got new boss, etc.
But have been overall interested and playing with IT, and all things nerdy before there was even computers as we understand them today..
And yes I can say for sure that I learn something new every single day in my own field..
And yup - how to find info is very underrated skill ;)
Unless you have physically separate networks, there's no real point in using multiple ports
Sorry dude but that is just utter nonsense... We just went over why you might want to use physical interfaces... If I have box on vlan A, and box on vlan B and I want to move data at 1gbs between these networks/vlans... I sure and the hell can not put both those vlans on 1 physical interface that is only 1 gig.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
@johnpoz Thanks for sharing. I can recall more than one time over the last year or two when you gave me the push to learn not just what order to push the buttons to get the desired result but why that is so. Good stuff!
-
@johnpoz said in VLAN setup with more than enough physical network ports:
If I have box on vlan A, and box on vlan B and I want to move data at 1gbs between these networks/vlans... I sure and the hell can not put both those vlans on 1 physical interface that is only 1 gig.
I believe I already mentioned improved performance in an earlier post, but the OP said with a small network, that wasn't an issue. Also, in your example, wouldn't LAGG be better? After all, why have a NIC just for VoIP, when it uses so little bandwidth? Also, what's on the WAN side? If there's only a 100 Mb connection, multiple 1G interfaces to the switch won't do much.
-
@JKnott said in VLAN setup with more than enough physical network ports:
@makesnosense said in VLAN setup with more than enough physical network ports:
Is it because this isn't the most "economical" way to use your physical resources?
Unless you have physically separate networks, there's no real point in using multiple ports. The whole idea with VLANs is to logically separate virtual networks, while running them over the same wire. So, you might want to provide higher priority for VoIP, while using the same LAN connection as a computer. Or, you'd use VLANs if you had multiple SSIDs for the same access point, perhaps for guests that only connect to the Internet, etc..
Wiring is not really an issue as that's how it looks like in a CoolerMaster box...
Please, appreciate the effort that I had to disconnect almost everything :D
-
@makesnosense said in VLAN setup with more than enough physical network ports:
Wiring is not really an issue as that's how it looks like in a CoolerMaster box...
What I meant by "wire" is the cable connecting the various locations around a home/office/factory etc. Instead of running multiple Ethernet cables to each location, you just need one to carry whatever virtual networks.
-
@JKnott said in VLAN setup with more than enough physical network ports:
@makesnosense said in VLAN setup with more than enough physical network ports:
Wiring is not really an issue as that's how it looks like in a CoolerMaster box...
What I meant by "wire" is the cable connecting the various locations around a home/office/factory etc. Instead of running multiple Ethernet cables to each location, you just need one to carry whatever virtual networks.
I know what you meant that's why I pointed out that it's not the case :)
Everything is within a metre of the router except 1 PC, the Unifi AP (actually the PoE power supply is next to the router) and the CCTV cams -
Well, as the main question is pretty much sorted - I will have separate VLANs without tagging on separate interfaces and separate switches - could you help me out on some structuring, please?
So that's how it would be:
- Should I just create one more VLAN on my spare LAN port and call it WIFI and move the Unifi AP from the LAN switch to there?
And then I can create two or three separate WiFi VLANs on the Unifi controller?
Question is if I did that should I rather create those WiFi VLANs on that spare LAN port with tagging?!? - Is the Kodi box and the printer okay on crap network?
I think I can create a firewall rule to access the printer from the LAN and that's fairly straightforward.
But what about the kodi box? If I create a rule for the kodi box to access the file server (and only the fileserver) then is there any way to restrict it to only access the media dataset and nothing else on the FreeNAS box?
- Should I just create one more VLAN on my spare LAN port and call it WIFI and move the Unifi AP from the LAN switch to there?
