Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    VLANs or Alias – Routing issue - Which one should I choose?

    L2/Switching/VLANs
    3
    4
    262
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      ThatGuy
      last edited by

      I’m a huge lover of pfSense and my company has been using it almost exclusively in the 100 or so Client offices we manage. It’s amazing all of the things you can do and always fun to learn more about networking.

      So, we’ve got an upcoming VOIP project for one of our clients and I found out that the two 48 port Unifi POE switches don’t support Layer 3 routing. Initially I couldn’t figure out why my VLAN 20 couldn’t access anything on the LAN. I put a floating rule in pfSense to allow traffic to route and thought, “OK, I got it.” Then after about 5 minutes I thought, “Wait a minute, pfSense shouldn’t be responsible for this, the switch needs to handle this. Well, let’s just find that setting in the Unifi Controller software and take care of that. Well Son of a ….!" The Unifi switches don’t support it. Keep in mind, we do love their WAPs. Controller software kinda sucks since it runs on Java but we’ve lived with that. We’ve found the Cloudkey is also pretty darn slow. But those WAPs are amazing and their switches are built like tanks. They are the Ronco Rotisserie Oven of networking equipment, "Set it and forget it".

      Biggest reason why I want the phones on a VLAN is so it’s easier to traffic shape. Plus, you can quickly tell looking in pfSense what’s a phone and what’s not. Simply look at the IP and if it’s a VLAN IP.

      I’m realizing now due to the switch limitations that I may just through everything on the LAN. I would then take all the MAC addresses of the phones, reserve them in pfSense, and then create an Alias called “VOIP phones” and use that Alias to traffic shape. My biggest beef with that, pfSense is the only routing software running DHCP where you cannot reserve an IP within the scope. I really hate that. So for 30 phones, this is gonna be a lot of typing out IPs and keeping everything straight.

      My concern with putting the phones on a VLAN is “If” for some reason the phones need to communicate with the computers running VOIP communicator software. The VOIP solution is a completely web hosted solution so I’d say that won’t be an issue. However, if we ever need to remotely access an interface of a phone via web GUI we’d have to have that floating rule in pfSense so it can route it.

      My concern is that if I have that floating rule I don’t want pfSense with its LAN port on the Unifi switch working overtime routing stuff back and forth. It’s one thing to just get to a web GUI of the phone. It’s another thing if the phones are chatty with the computers on the LAN. I could just keep the rule disabled until we needed to access a phone from the LAN. Again, more stuff to keep straight.

      Anyone have a better plan? Answers that are not permitted below [sarcasm intended]:

      1. “Get Layer 3 switches.” I’ve never had a Unifi POE switch fail on me. Things are built very well.
      2. “No seriously dude, get Layer 3 switches.” Nope, not in the budget.
      3. “You really need Layer 3 switches”. For the love of God and all that is holy, I know that! I’m just trying to think outside the box here.

      Thanks everyone!

      ThatGuy

      1 Reply Last reply Reply Quote 0
      • J
        jhavlat
        last edited by

        I would suggest VLANs. Setup pfsense as "router-on-a-stick" and trunk to UniFi switches. Check google there are plenty of guides on how to set this up. Unless you are working with some large sites I don't see the need for layer 3 switches.

        1 Reply Last reply Reply Quote 0
        • T
          ThatGuy
          last edited by

          Thank you so much jhavlat! I actually thought about doing this but wasn't completely sure how. Didn't even know it was called "router-on-a-stick". Yep, that's exactly what I'm gonna do. Thanks dude!

          ThatGuy

          1 Reply Last reply Reply Quote 0
          • I
            IT-FVCA
            last edited by IT-FVCA

            Probably too late on the party for this one, and seems like you got a solution anyways- but more than anything else I am a noob and wanting to learn, so this is as much for me as it is for you- but I digress.

            In the unifi controller, there is a built in option to allow passthrough of a VLAN for the specific purpose of a voip phone. In switch profiles, you can indicate a voice network (which can be a real network, or in this case, a VLAN that is configured as a network in the unifi controller). I think this is a relatively newer feature? But I may be wrong on that. Lawrence Systems on YouTube has a good video on this.

            Like I said, this may be a solution looking for a problem but thought I'd put it out there.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.