Questions about my ideal setup

JT40

Hello,

I came to the end of this journey of spending a fortune to set up my network :D , well, almost at the end of it.

I've decided to use PfSense because it's opensource, it makes me feel safer for future upgrades and support.
I also have a little experience with it.

My plan is this:

1. AP for WIFI devices, which one? I don't see any from Netgate.

2. L2 Switch (I need more than 3-4 ports), which one? I don't see any from Netgate.
   I basically need different VLANs, mainly to avoid the devices to communicate or to be discoverable each other, unless specific cases, so there should be that chance to set it up.

3. Router - NETGATE 2100 (performance are more than enough, but I'm gonna run things like Surricata and Snort minimum. I've read that it handles both very well, not sure at full load though)

4. ISP Modem/Router (nothign to say about it)

How do you see it?
I need to spent tons of money for this setup, so I appreciate even the less relevant observation, it may be important as well!

Router aside, if Netgate really doesn't have switches or AP, then I appreciate recommendations on other brands that don't cause conflicts.

Thank you.

JKnott

@jt40

I suspect Netgate is just a router/firewall company selling hardware that runs pfsense. You can use whatever AP and switch brands you want, though some here like Unifi APs. I have an AC Lite from them and a Cisco switch. A caution, some TP-Link switch and AP models have issues with VLANs, so you may want to avoid them.

Sergei_Shablovsky

@jt40 Please write more about Your goals. You write a lot about hw but just nothing about WHAT RESULT You need.
Better to attach Your net draft connection scheme.
Which country/state, number and type of uplinks, devices in LAN behind pfSense...

JT40

@jknott said in Questions about my ideal setup:

@jt40

I suspect Netgate is just a router/firewall company selling hardware that runs pfsense. You can use whatever AP and switch brands you want, though some here like Unifi APs. I have an AC Lite from them and a Cisco switch. A caution, some TP-Link switch and AP models have issues with VLANs, so you may want to avoid them.

Thank you.
I'd buy PfSense, and then buy the rest of the hardware, I don't see choices from them. Which is fine but just saying.
If I had more switch ports for an accessible budget, I'd have only PfSense router and an AP.
What I understood is that it has VLAN capabilities an all the ports are "switchable", but the number of ports is not enough for me, so I need to add a L2 switch afterwards.

JT40

@sergei_shablovsky
Thanks.
My network diagram could be so simple than you would not require it :D.
In the future it could get much more complex though, but let me start with the plan first, then I'll see :D .
I'm pretty confident that this rough setup can bring me far.

Why do you need to know country/state, number and type of uplinks?

This is my home network, so the common devices of home networks, smartphones, computers, VMs, printer, watch (lol) etc...
Nothing too weird like videocameras for now.
One thing could become tricky from the day one, but I'll semplify in this way, my ISP offers me also IPTV, reason why I can't remove the modem/router from the ISP. It has 2 LAN ports, one for the PfSense router, the other one directly to the IPTV box.
In this way, I avoid the headache connecting this box behind PfSense.
In the future I'll try to play with it, but it's not mandatory, who cares about the TV box as long as it's isolated from other devices :D .
Precisely speaking though, the ISP modem/router will see only the PfSense box, so I'm ok with it, it will be just limited to exchange packets with the ISP.

mer

I've got a Zoom cable modem (with a Motorola waiting for if I decide to upgrade speed tiers), a Netgate SG2440, a generic Netgear 8 port (1G ports) switch (unmanaged), generic Netgear R6900 for wireless (plugged into the switch) and that's about it. Generic home setup, phones and a couple PCs on the WiFi, desktops plugged into switch, the SG2440 using LAN and OPT1 (keep work stuff separate). Works fine for me.

Keep in mind "the future". The 2100 may be good for now, but if you expand a little, maybe not? Limited RAM and storage means you may need to spend time tuning rules and logging on extra packages. It may be worthwhile to think about something like the 5100 instead (yes, easy for me to spend your money :) ) I have one that is cold standby for my 2440 and don't regret it. Extra packages like Snort and others can add a good deal of cpu and ram loading.

For managed switches, I think a lot of different ones available. I would also look at used/refurbished Cisco.

Have fun

JKnott

@jt40

I didn't buy Netgate, I got a Qotom mini PC, as described in my sig. It has lots of performance and I leave the switch ports to a proper switch. Here's a speedtest result, which I got on my 500/20 connection. My ISP has always been generous with download bandwidth, at least as long as I've been checking.

mer

@jknott
That's a good point about the ISP. Most residential broadband plans seem to max out a 1G (symmetric if you're on fiber) so a lot of modern network stuff (PCs, phones, switches, etc) are likely 1G ethernet, so you can send 1G around your house all you want, but then bottle neck at the ISP. Having internal higher speed than ISP means downloads get onto your devices faster "Hurry up and wait on the ISP".

JKnott

@mer

Prior to getting that Qotom computer, I had been using an old HP compact desktop computer. After it died, I was using an old D-Link router and could only get about 35 Mb down. With the HP I was getting around 550 down, so was quite surprised to see what I was getting with the new computer. So yes, hardware performance is important now. That's one of the reasons I didn't go with Netgate, as I got the impression some models weren't capable of what my ISP was providing.

AndyRH

I like having POE, I use it to run the Pis, APs, and cameras. I found an Aruba 2500 switch (well out of support) for $120 on eBay with 48 POE ports and 4 SFP+ ports.
The country is semi-important because some HW is less available is some places.
I use Unifi APs, many here do. There are other good choices.

You may find many in this forum are a bit extreme even for the home setup. In those cases a 2100 may not be very future proof, a 6100 might be a better starting point.
I use PiHoles and VLANs to block unwanted content and restrict access.

It sounds like you are going to start "simple" and work your way up.

Have fun.

JKnott

@andyrh said in Questions about my ideal setup:

I like having POE

Me too. My AP is powered with PoE, which means I can mount it in the best location, without having AC power handy. It's mounted near the ceiling in my laundry room, where I don't have any spare AC outlets.

JT40

@mer Ahaha, that's really too expensive.
People buy X86 hardware to spare money, but I'm not sure if it performs well, I may end up paying even more, plus electricity...
For what I see, the performance declared are enough for home usage, even though I do a lot with many devices.
Unfortunately I don't have an easy way to estimate how well it will perform...
I can say that I'm not planning to have this device for 20y, maybe 7 if it survives, 7 years won't change much in my network usage I guess...

JT40

@jknott said in Questions about my ideal setup:

@jt40

I didn't buy Netgate, I got a Qotom mini PC, as described in my sig. It has lots of performance and I leave the switch ports to a proper switch. Here's a speedtest result, which I got on my 500/20 connection. My ISP has always been generous with download bandwidth, at least as long as I've been checking.

Did you enable all the security features? On the paper, that traffic can be handled by the Netgate 2100

JT40

@andyrh said in Questions about my ideal setup:

I like having POE, I use it to run the Pis, APs, and cameras. I found an Aruba 2500 switch (well out of support) for $120 on eBay with 48 POE ports and 4 SFP+ ports.
The country is semi-important because some HW is less available is some places.
I use Unifi APs, many here do. There are other good choices.

You may find many in this forum are a bit extreme even for the home setup. In those cases a 2100 may not be very future proof, a 6100 might be a better starting point.
I use PiHoles and VLANs to block unwanted content and restrict access.

It sounds like you are going to start "simple" and work your way up.

Have fun.

Mmm... https://shop.netgate.com/products/6100-base-pfsense --> 700 dollars.......................
Price aside, the performance is for powering an entire datacenter :D , it's really not for me...

JT40

@jknott said in Questions about my ideal setup:

@andyrh said in Questions about my ideal setup:

I like having POE

Me too. My AP is powered with PoE, which means I can mount it in the best location, without having AC power handy. It's mounted near the ceiling in my laundry room, where I don't have any spare AC outlets.

Awesome point, I never thought about it :D

AndyRH

My first pfSense system was a small Lenovo desktop running a gen 1 i3. I put a 4 port intel card in it and it was great, easily did 1Gbps. You might be able to find a low power desktop with 1 slot and that does not use too much power. Then weigh the cost vs the power and you might find it is years for the power cost to equal the difference in equipment cost. I happened to get the i3 for free. Ask friends if they have any old HW laying around.

stephenw10

Yeah, we need more details to be able to recommend hardware:

What is your WAN bandwidth? Will that be increasing?

You mention power consumption being an issue, do you have any sort of figure in mind?

Are you going to be running VPNs? What bandwidth do you need across them?

Steve

Sergei_Shablovsky

@jt40
Do You Apple-centered user, or just have a lot of different home devices from different brands?

You wrote about VMs, so how much servers You have and what You need for them? (bandwidth, speed, latency, etc...)?

Sergei_Shablovsky

@andyrh said in Questions about my ideal setup:

My first pfSense system was a small Lenovo desktop running a gen 1 i3. I put a 4 port intel card in it and it was great, easily did 1Gbps. You might be able to find a low power desktop with 1 slot and that does not use too much power. Then weigh the cost vs the power and you might find it is years for the power cost to equal the difference in equipment cost. I happened to get the i3 for free. Ask friends if they have any old HW laying around.

May be best solution to start with ;)

Just pay ~$50-60 for desktop+4-port card+monitor, install pfSense and start to play with it. After 2-3 month You would be close to what You need exactly.
And also may be You find solution to kick off ISP modem (if PPTP for authorizing You as legal ISP user are only one that this modem making actually, not to forgot change MAC on WAN) ;)

Very reasonable price (2-5 cups of Starbucks coffee) for 2-3 month of education, isn’t?

JKnott

@jt40 said in Questions about my ideal setup:

People buy X86 hardware to spare money, but I'm not sure if it performs well, I may end up paying even more, plus electricity.

That Qotom I bought wasn't exactly cheap, but has plenty of performance. I tried measuring the power requirements, using my UPS, and it wasn't very much. I haven't tried measuring with a proper watt meter though.