advice on physical layout plans for new PFSsense router setup
-
I just got a new Protectli FW6D router to use for my home business. For the last 18 months or so I've been using a UniFi UDM and it's just not quite up to the task of all the real-time streaming work & video conferencing I need to do. There are too many traffic hiccups when going thru the UDM that don't exist when direct-connected to my ISP's cable modem.
I'm intending to cut over all the hard-wired and routing duties to the new Protectli router running PFSense, but keep the UniFi gear for the Wi-Fi side of things.
I've got 4 VLANs currently (management, private/safe, IoT/dangerous crap, and guest). The FW6D has 6 ports (WAN, LAN, OPT 1 - 4). I'd like to dedicate a port to each VLAN as well as dedicate one port to connecting back to the UDM for supporting the Wi-Fi side of the world (I have the UDM and two UniFi APs that I intend to keep using for Wi-Fi access).
My question concerns the best physical way to lay out this logical configuration. I was thinking of this:
WAN: Duh! ;-)
LAN Port: management VLAN
OPT 1: Private/Safe network VLAN
OPT 2: IoT/Unsafe network VLAN
OPT 3: Guest VLAN
OPT 4: link to UDM
Does this seem like a reasonable way to physically configure this?
Thanks for any and all replies!!
-
@alexeymohr If you're using physical interfaces, why bother with vlans at all? It's extra complexity for no real benefit.
How many devices on your network are cabled versus wifi?
-
First I want the VLANs to span the wired and wireless networks. Also, I’d like to establish a few firewall rules to allow select traffic across them (for instance I keep my printer on the IoT VLAN but want systems on the safe network to be able to print).
I have probably 20 wired clients and around 25 wireless clients in total.
-
@alexeymohr You don't need vlans to do any of that.
-
@kom How can I safely keep IoT devices from seeing systems on my safe network without VLANs, particularly when I do need some devices to be able to have limited access between the IoT network and Safe network?
-
You don't need VLANs in pfSense is I think what was implied here.
If you are using separate interfaces for each subnet you do not need any VLANs there. You may well still need VLANs across your switches and/or access points etc. It depends how you have these things physically distributed.
If you are using VLANs there you may be better off using VLANs in pfSense and not using separate interfaces. It's common to use a LAGG from pfSense to the switch and just run all the VLANs across that.
Steve
-
@stephenw10 Okay I understand that, but this requires at least one L3 switch right? Someone somewhere still has to do inter-VLAN routing right? Unfortunately I do not have any L3 switches in my setup.
-
No you can use a managed L2 switch as long as it is VLAN capable. Trunk all the VLANs to pfSense and route between them there.
-
@stephenw10 So in that case pfSense does need to have the VLANs set up, but you recommend just trunking them all through a single interface instead of dedicating individual interfaces per VLAN?
-
Either you setup VLANs in pfSense and use those as interfaces to route / filter between.
Or you use separate interfaces for each subnet. In which case any VLANs you might have would all be handled in the switch.
If you have multiple switches and access points and are carrying multiple VLANs across them I would choose the VLANs in pfSense option. You only need one link between the switch and pfSense to carry all the trunked VLANs but that could be a LAGG of multiple Ethernet connections.
Steve
-
@stephenw10 Yeah I've got two Unifi USW-24-POE switches, a U6-Lite access point, and a U6-LR access point (all managed by a CloudKey Gen2) - the plan is to have all VLANs be available on each of those devices. None is an L3 device.
My initial plan was to have each NIC on the Protectli pfSense router dedicated to an individual VLAN, but it seems like maybe I'd be better off just aggregating a few of those ports and then trunking all the VLANs at once?
-
Yup, that's what I would do. Use two ports there to create an LACP LAGG to the first switch and trunk all the VLANs across that.
Steve
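As an added illustration (not posted by anyone in this thread, and not pfSense's own generated configuration), this is what the design Steve recommends looks like at the FreeBSD level underneath pfSense: two ports in an LACP LAGG to the first switch, the four VLANs as child interfaces of that LAGG, and pf rules that keep the VLANs apart except for the safe-network-to-IoT-printer case from the earlier post. Port names (igb0/igb1/igb2), VLAN IDs, subnets and the printer address are assumed; on pfSense you would enter the same thing through the web GUI, which writes its own ruleset.

```conf
# ---- /etc/rc.conf fragment (FreeBSD syntax; port names assumed) ----
# igb0 = WAN; igb1 + igb2 form an LACP LAGG to the first USW-24-POE, whose matching
# ports must be in an LACP aggregation with all four VLANs tagged on it.
ifconfig_igb1="up"
ifconfig_igb2="up"
cloned_interfaces="lagg0 vlan10 vlan20 vlan30 vlan40"
ifconfig_lagg0="laggproto lacp laggport igb1 laggport igb2 up"
# one routed child interface per VLAN; IDs and subnets are assumed
ifconfig_vlan10="inet 10.0.10.1/24 vlan 10 vlandev lagg0"   # management
ifconfig_vlan20="inet 10.0.20.1/24 vlan 20 vlandev lagg0"   # private/safe
ifconfig_vlan30="inet 10.0.30.1/24 vlan 30 vlandev lagg0"   # IoT
ifconfig_vlan40="inet 10.0.40.1/24 vlan 40 vlandev lagg0"   # guest

# ---- /etc/pf.conf fragment (hand-written equivalent of the GUI rules) ----
table <local_nets> { 10.0.0.0/16 }     # every internal subnet
printer = "10.0.30.50"                 # assumed printer address on the IoT VLAN
# pf is last-match-wins without "quick", so the blanket block goes first
block in log all
# every VLAN may reach the firewall itself for DHCP and DNS only
pass in on { vlan10 vlan20 vlan30 vlan40 } proto { tcp udp } from any to self port { 53 67 }
# management may go anywhere
pass in on vlan10 from 10.0.10.0/24 to any
# safe: internet plus the IoT printer, nothing else internal
pass in on vlan20 from 10.0.20.0/24 to ! <local_nets>
pass in on vlan20 proto tcp from 10.0.20.0/24 to $printer port { 631 9100 }
# IoT and guest: internet only; the printer's replies return through the state entry
pass in on { vlan30 vlan40 } from <local_nets> to ! <local_nets>
```

Because all four VLANs ride the one LAGG, traffic that pfSense routes between VLANs enters and leaves on lagg0 (the hairpin johnpoz describes below), so the aggregate should be sized for that.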
-
@alexeymohr said in advice on physical layout plans for new PFSsense router setup:
but it seems like maybe I'd be better off just aggregating a few of those ports and then trunking all the VLANs at once?
You lose control of which physical interface is actually used for traffic - and "depending" you could end up with hairpin traffic over the same physical interface for intervlan traffic.
I personally prefer more control and like placing vlans on specific physical interfaces so I am sure that intervlan traffic, where there is a lot of it, is not possible to hairpin over the same physical interface.
If you have the ports it's not a problem doing this... The only thing lagg/lacp gets you is that if 1 of the interfaces fails, the cable fails or is unplugged etc., you don't lose connectivity.. I like control more than redundancy for interface failure..
-
Does anyone have any links/references to a step-by-step guide on how to achieve this setup using switches for VLANs (with/without LAGG)? Thanks!
-
There are a bunch of video walk throughs on YouTube. Tom Lawrence's probably the best. For example his LAGG tutorial: https://www.youtube.com/watch?v=VULKulpXBYU
-
@stephenw10 dude - bet you beer that is spammer.. Look at his other posts..
-
Meh, could be.
-
@stephenw10 thank you so much!
-
@johnpoz Was this intended for me?
-
@johnpoz said in advice on physical layout plans for new PFSsense router setup:
stephenw10 dude - bet you beer that is spammer.. Look at his other posts.
Just his question made me wonder if he's serious. Physical layout? Really?