Dedicated Interfaces versus VLANs on older equipment
-
Hi - I am an amateur IT enthusiast and I get to feed my passion by volunteering my time at a small non-profit providing IT services. The non-profit owns its own building and rents out rooms to even smaller non-profits as office space. Part of the rental agreement is to provide Internet service for the rooms.
When I started working with them, everyone was sharing the same network through a router provided by the Internet provider! I installed some cheap routers with VLAN capability to separate the networks and provide a level of security. A few months ago, someone recommended building a router with a desktop computer using pfSense. I thought it would be a great project, so I did. The non-profit had an old HP dc5800s SFF desktop; I dropped in a Q9505 CPU, 120 GB SSD, 8GB RAM and an Intel PCIe Ethernet card for the LAN port (I used the computer's integrated Intel NIC as the WAN). I installed pfSense 2.5, set up 6 VLANs for the 6 offices and installed the router - it worked great! The non-profit had a 600Mbps Internet service; running a speed test in one of the rooms consistently showed 450-460Mbps on weekends when no one was around.
The non-profit is upgrading to 1Gbps Internet service. My question is whether my VLAN setup will be able to take full advantage of the 1G or whether I should install physical interfaces for the networks. My thinking is that there is a better chance of using the full 1G capacity if the WAN serviced several 1G physical interfaces versus just the one interface it services today. The desktop has more PCIe slots so I can easily drop in more physical interfaces, but I also read on the pfSense website that you need to be cautious about the number of interfaces as you could cause a bottleneck on the PCI bus. Further, since it is an older computer, I assume this could be a higher possibility since the bus is PCIe 1.1.
I know I can find a more modern computer fairly cheaply (I saw an i5 on eBay for less than $100) which probably can do what I want standing on its head. Further, it would have a CPU with AES-NI which I will need for future pfSense updates. However, since the requirements are so minimal (i.e. basic firewall, no VPN, no communication between networks, no packages, etc.), I would prefer not to ask the non-profit to spend the money if I can add a few more interfaces (I saw a 4-port card on eBay for less than $20) and access the full 1G.
Any thoughts/comments would be welcome. Thanks!
-
@oldsports off the cuff comment. Without knowing any real details of your traffic flow or capabilities of your hardware. But if your internet is 1 gig, and you have no intervlan traffic there prob is not much point to splitting the vlans out..
Since even if you had multiple gig interfaces coming in all trying to go to and from the internet you would be limited by the isp speed of 1 gig.
Now if you had inter vlan traffic, then splitting out your vlans to other physical interfaces could provide for some better performance.. Say you had 3 vlans, and A and B were talking to each other they could use full gig.. While this C vlan was just going to and from the internet he could also do full speed of your internet..
But if you're not doing intervlan traffic and your internet is 1 gig, prob not going to make much difference splitting your vlans across multiple physical interfaces if they are all just going to and from the internet which is limited to 1 gig anyway.
-
@johnpoz Thanks for the quick reply! You are correct - I do not have any intervlan traffic. Each of the offices is an independent organization so there is no need for them to communicate. In fact, I set up firewall rules so they cannot communicate.
One reason I thought that having separate interfaces would help when moving to the 1 Gbps service is that I was getting 450-460Mbps from the 600Mbps service. I initially thought this was OK because I was probably losing some throughput due to the managed switch between the router and the rooms as well as losses due to cable length. However, I started to wonder if some of the loss was due to the fact that the single interface needed to transmit VLAN tag data, using up some of its 1G capacity that would otherwise be dedicated to transmitting Internet data to the WAN. I thought that flooding the WAN with multiple 1G interfaces might keep it busier than the single interface and use more of the WAN's 1G capacity when the service was increased to 1Gbps. However, it appears that you are saying that the single interface should be able to maintain close to its 1Gbps capacity even while processing the VLAN tag data that does not go through to the WAN - is that correct?
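The thread's open question is how much of a 1G interface the 802.1Q VLAN tag actually consumes. The following is an added worked example, not code from either poster: it models the bytes each Ethernet frame occupies on the wire (preamble/SFD, MAC header, optional 4-byte 802.1Q tag, FCS and the inter-frame gap) and computes the best-case payload throughput of a link with and without tagging. The framing constants are the standard Ethernet values; the link rates and payload sizes passed in at the bottom are constructed for illustration, and treating the ISP's advertised rate as the raw Ethernet line rate is a simplifying assumption.

```python
"""Estimate how much of a link's capacity an 802.1Q VLAN tag consumes.

Added example (not from the forum thread). Standard Ethernet framing:
every frame on the wire costs preamble+SFD, a 14-byte MAC header, an
optional 4-byte 802.1Q tag, the payload, a 4-byte FCS and a 12-byte
inter-frame gap (IFG). Only the payload carries user data.
"""

PREAMBLE_SFD = 8   # bytes of preamble + start-frame delimiter
MAC_HEADER = 14    # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG = 4       # 802.1Q tag inserted before the EtherType
FCS = 4            # frame check sequence
IFG = 12           # minimum inter-frame gap, counted as bytes
IP_TCP_HEADERS = 40  # IPv4 (20) + TCP (20) headers, not counted by a speed test


def wire_bytes(payload: int, tagged: bool) -> int:
    """Bytes of link time one frame occupies, including gap and preamble."""
    tag = VLAN_TAG if tagged else 0
    return PREAMBLE_SFD + MAC_HEADER + tag + payload + FCS + IFG


def goodput_bps(link_bps: float, payload: int, tagged: bool) -> float:
    """Max Ethernet-payload throughput at a given link rate and frame size."""
    return link_bps * payload / wire_bytes(payload, tagged)


def tcp_goodput_bps(link_bps: float, payload: int, tagged: bool) -> float:
    """Same, but counting only the TCP data a speed test would report."""
    data = payload - IP_TCP_HEADERS
    return link_bps * data / wire_bytes(payload, tagged)


def tag_overhead_fraction(payload: int) -> float:
    """Fraction of payload throughput lost to the 4-byte tag at this frame size."""
    return 1.0 - wire_bytes(payload, False) / wire_bytes(payload, True)


def compare(link_bps: float, payload_sizes):
    """Tabulate tagged vs untagged throughput for each payload size."""
    rows = []
    for size in payload_sizes:
        rows.append({
            "payload": size,
            "untagged_mbps": goodput_bps(link_bps, size, False) / 1e6,
            "tagged_mbps": goodput_bps(link_bps, size, True) / 1e6,
            "tagged_tcp_mbps": tcp_goodput_bps(link_bps, size, True) / 1e6,
            "tag_loss_pct": tag_overhead_fraction(size) * 100,
        })
    return rows


if __name__ == "__main__":
    # Constructed inputs: a 1 Gbps link, full-size (1500-byte) frames
    # versus minimum-size (46-byte) frames.
    for row in compare(1e9, [1500, 512, 46]):
        print("payload {payload:>4} B: untagged {untagged_mbps:7.1f} Mbps, "
              "tagged {tagged_mbps:7.1f} Mbps, tagged TCP data "
              "{tagged_tcp_mbps:7.1f} Mbps, tag cost {tag_loss_pct:.2f}%"
              .format(**row))
```

With 1500-byte frames the tag costs about 0.26% of the link (1538 versus 1542 bytes per frame), so a tagged 1 Gbps interface still carries roughly 973 Mbps of Ethernet payload, or about 947 Mbps of TCP data as a speed test would count it. The tag only becomes noticeable with very small frames (about 4.5% at the 46-byte minimum), which is far from the bulk-transfer pattern a speed test generates.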