Looking for some help and suggestions
-
Hi,
I'm looking to replace our current WIFI router with something else, since the firmware is no longer being updated anymore and also because I want a much more customizable firewall & something that has VLAN support.
This is for just a basic home network. We have 3 ethernet ports used on our router now. PC, VOIP, Xbox. The WIFI connects to 2 devices - tablet and a streaming device. Our internet download speed is sub 100 mbps.
I would like to isolate all traffic and broadcasting between the devices for security.
My current router I learned I can actually install FreshTomato on it to get VLAN support for the WIFI. So I figured I can just reuse it and turn that into an AP.
Anyways, I've been looking at both the Netgate SG-1100 and SG-2100. I'm not sure if the SG-1100 would be a good option or not with only 1 GB memory and 8 GB storage. I would like to play a little bit with pfBlockerNG and maybe some of the other add-ons without having problems. Don't need IDS obviously for a home network.
Now I don't currently have a managed switch. So if I went with the SG-1100 I would have to buy a cheap low power 5 port managed switch to configure and use.
With the SG-2100 it looks much better having at least 4 GB memory and having the option to upgrade the storage. Plus it has 4 LAN ports.
I'm just not sure how that would work with port based VLAN mode for the LAN port that my current WIFI router would have to be plugged into and how you would set that up exactly in the VLANs table. I've never setup VLANs before, just have done a TON of reading and watching videos on Pfsense and VLANs is general lately.
I figured with using the switch in SG-2100 and using port based VLANs I'd be able to then not have to buy and setup a managed switch. Which would save some time that way and maybe make things a little simpler by taking advantage of the switch that's already in the SG-2100.
If anyone has any suggestions or ideas to help me out on deciding what to do, it would be greatly appreciated.
-
After doing some more reading. It sounds like I'd have to enable 802.1q VLAN mode instead and not use port based VLAN mode in order to set VLAN tags for my WIFI router that will become my AP.
-
You could technically do either. In port based VLAN mode all traffic is passed to the internal port, including any tagged traffic that arrives so if you had VLAN interfaces defined it would arrive there.
However it's generally accepted that you should use 802.1q mode if you can to better define where traffic goes (and does not go). And you certainly could do that in this case.Steve
-
Ok. I guess originally I was confused about the two - port based and 802.1q VLAN mode. I was thinking more along the lines of which mode sounds best in terms isolating the devices traffic from one another, especially for devices that you plug in that aren't VLAN aware. Port based mode from the way I read at first or I guess misread it (sorry I'm still learning), sounded like it might be the best way to go (except for my WIFI AP).
So if I were to use say the SG-2100, I would just setup 802.1q mode and create VLAN ID's for all the internal ports. The port I plug my WIFI AP into would have two ID's, since I'm running two WIFI devices off from it. I would then just tag those two to the port it's plugged into. All the rest would be untagged, but would still all have unique VLAN ID's. I wouldn't need to buy an additional switch unless down the line I run out of room and need more ports to plug into. All the traffic from all the devices is totally isolated from one another, as long as I setup firewall rules and block traffic to one anothers ports.
Do this sound about right and would be a better way of doing it?
-
Yes, that sounds about right. Some APs require an untagged connection for at least one thing. Sometimes the management interface is only available untagged for example. sO in that case whatever port the AP was connected to would be untagged for the management subnet (whichever you decide that to be) and tagged for other VLANs for the SSIDs configured on it.
However it's better to avoid having tagged and untagged traffic on the same connection if you can as it can prevent problems later.
https://docs.netgate.com/pfsense/en/latest/vlan/security.htmlIt's not as complex as it first seems!
Steve
-
That's really good to know about how that works with some AP management interfaces. So in those situations where you have to have tagged and untagged traffic together, you really should be using a switch.
What if I don't create anything for the management interface and just have the two tagged VLANs for the SSIDs and say just access the AP interface when I need to (which will be very rarely) by plugging it directly into a computer. Would that be alright or would you still recommend getting and using a managed switch?
Sounds like the recommendation is to usually use two switches - one for the internal networks and one for the external networks. But I wasn't sure in my situtation and if I only had tagged traffic coming in from the AP if it still would be recommended or not.
Oh no, it's still a little complex to me.
I'm a total noob at this stuff. I didn't even know what a VLAN was just a couple of weeks ago lol All I've ever used before were just basic consumer grade routers. So all this is still very new to me. Hopefully one day I will be a little more competent though when it comes to setting up VLANs for various situtations.I really appreciate all your help and knowledge on this.
-
You can connect an AP directly to the SG-2100. It's LAN ports are, effectively, a managed switch anyway.
But even if it wasn't you could still just connect directly to pfSense port. You only need a managed switch there if, for example, you had several access points using the same VLANs and needed to connect them all to one pfSense interface.Steve
-
Alright, thank you Steve.
