Managed switch question.
-
So, my parents own a 4-unit apartment complex. I am in 1 apartment, my brother in another, and 2 family friends in the other 2. We are sharing a single fiber optic internet connection between the 4 of us. I want to segregate the 4 apartments into separate subnets. Someone tried to make a phone call the other day, and accidentally sent the audio to my HomePods without realizing it. It was annoying! If I have a computer with 2x 1 Gig Ethernet ports, and a 5-port managed Gig switch, am I able to manage the switch from pfSense sufficient for my purpose above, or would I need to add a 4-port pcie ethernet card?
My understanding of vlans is rudimentary at best. I know how to set up vlans on my home router flashed with openwrt, and am planning to come back to pfsense once I purchase the hardware. I am planning to get a Zimaboard 4/32 to run it. Hopefully it has sufficient “oomph” to run my network.
-
WAN -> pfSense -> 5 port switch
pfSense to switch 4 VLANs, A, B , C, D
1 port from the switch to each apartment, each port only having 1 VLAN.
In each apartment either a dumb or managed switch and all things in the apartment operate off of that switch. PCs and APs managed by the resident of each apartment.
-
@aaronouthier If it were me, and I was in a situation like this, I would probably give each apartment a separate interface in the pfsense box. Since you said 4 apartments, and a 4-port ethernet card in a computer, that's a perfect setup for this. If feasible, you could run a single ethernet cable from each pfsense interface to each apartment, make 4 LAN subnets, no firewall rules in pfsense to let them talk to each other, unless you have or need special requirements, and just run with it like that. You don't necessarily need to do the VLAN thing, since the interfaces are all separate. This way also saves you from running a network switch between the pfsense box and the apartments.
With that single ethernet drop in each apartment, the tenant could hook up their own wireless router, or access point, or even their own fancy network switch(es). Let pfsense do all the firewalling and routing at the backend, users wouldn't even know any different.
By the way, what's your internet connection? You said "sharing a single fiber optic internet connection", but what's the speed of that?
-
@akuma1x 5 ports are needed, WAN and 4 LAN. Either way will work well. The rules are the same for virtual and physical interfaces.
-
@akuma1x That was actually my first thought. Then I looked on amazon and saw a 4-port ethernet card is like $70, but the managed switch is only $30. I’m down to my last $60 budgeted for “other” spending. If I buy the 4-port ethernet, I’d either need to go without lunch this week, or beg my parents for the rest. Needless to say, I’d rather spring for the 5-port managed switch if it’s feasible to accomplish my goal.
-
@andyrh The host machine has 2 built-in Gig ethernet, so adding 4 more would be sufficient.
-
@aaronouthier Oh, ok, gotcha. Then yes, pick the lower cost option. Both will work just fine.
Just keep in mind, if you put lots of VLANs over a single interface, you run the risk of over-saturating the line. You don't have "lots of VLANs", so this might be all ok anyway.
Meaning... mom and dad probably don't do anything hard core on the internet, but if you or your complex-mates start hitting the internet connection pretty hard with streaming HD or 4K video content, online gaming, cloud backup stuff, video calling, app or operating system updates, torrents, etc., your single cable connecting the pfsense box and the switch, carrying 4 VLANs for 4 different apartments, might noticeably slow down. How much? It's hard to tell, not knowing what you're doing, or what your internet connection is. The amount of traffic might even be a non-issue.
Edit - ok, now I see your internet is gig fiber. Again, it might be a problem, it might not. I'm talking about the single cable run from your 5-port switch back to your pfsense box. You could set it all up and see how it runs, then plan to add a 4-port card in the future, if it presents a problem. What the 4-port ethernet card will allow you to do is this - each apartment will theoretically be able to get the full 1GB speed to the internet, but not all at the same time. It should be less congested, but you won't know how much until you get it all loaded up and running. Again, it might not even be a problem, and I'm not trying to scare you off the project at all. Does that make sense?
-
@akuma1x Fiber-optic link is 1 Gb up and 1 Gb down symmetrical.
-
Ok then, next question: Where/how would I configure the external switch from the pfSense menu?
Bear in mind, I’ve used pfSense before, but it’s been a few years - I don’t have a box in front of me.
-
@aaronouthier You configure your pfsense box first, setting up all of your VLAN tags in Interfaces -> Assignments -> VLANs. You could even use the VLAN tag for the real apartment number, that way it will be easy (at least in my mind) to manage all the traffic and settings. You want to put all of your VLANs onto your LAN interface, use that as your parent interface. Give each VLAN interface an IP address space and turn on the interfaces DHCP server.
Here's the instructions for setting up VLANs on pfsense:
https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html
Then, on your managed switch (you didn't say which one you have), you login and setup the same VLAN tags, on the appropriate ports of the switch, then connect everything up and start testing. You will need to use one of the switch ports to carry ALL of the VLAN tags, this is the network port that you run back to the LAN port of your pfsense box. Then in the switch, assign each individual switch port the individual VLAN tag, but only use 1 separate tag per port. Does that make sense?
As an example - switch port 1 has VLAN tags 2-5, all of the tags you just setup above. You might not even be able to use VLAN tag 1, some switches use that for special management stuff. Switch port 2 has VLAN tag 2, switch port 3 has VLAN tag 3, switch port 4 has VLAN tag 4, and switch port 5 has VLAN tag 5. Since each VLAN that was setup should also have a DHCP server running, with an IP address range, you can plug a computer into each port on the switch and you should get an IP address, different than the other ports on the switch. Switch port 2 could be for mom and dad, and they would get VLAN tag 2, switch port 3 could be for you and you would get VLAN tag 3, etc., etc.
Do all this and let us know how it works!
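To make that port plan concrete, here is an added toy model of the 802.1Q forwarding rules on such a switch (a constructed illustration, not code from the thread, from pfSense or from any switch vendor; port numbers and tags follow the example above, with VLAN 1 left unused). It shows why an untagged mDNS/AirPlay broadcast entering one apartment's port only leaves the trunk, tagged, and never reaches another apartment's port.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    """One switch port: PVID for untagged ingress, plus egress membership."""
    pvid: Optional[int]                              # None: untagged frames are dropped
    tagged: Set[int] = field(default_factory=set)    # VLANs leaving this port with an 802.1Q tag
    untagged: Set[int] = field(default_factory=set)  # VLANs leaving this port without a tag

    def member_of(self, vlan: int) -> bool:
        return vlan in self.tagged or vlan in self.untagged


# Constructed plan from the thread: port 1 is the trunk back to the pfSense LAN
# interface carrying tags 2-5; ports 2-5 are the apartments, one untagged VLAN each.
SWITCH: Dict[int, Port] = {
    1: Port(pvid=None, tagged={2, 3, 4, 5}),
    2: Port(pvid=2, untagged={2}),
    3: Port(pvid=3, untagged={3}),
    4: Port(pvid=4, untagged={4}),
    5: Port(pvid=5, untagged={5}),
}


def classify(ingress: int, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame is placed in on ingress, or None if the switch drops it."""
    port = SWITCH[ingress]
    if tag is None:
        return port.pvid
    # Ingress filtering: a tagged frame is accepted only if the port is a member of that VLAN.
    return tag if port.member_of(tag) else None


def flood(ingress: int, tag: Optional[int] = None) -> Dict[int, Optional[int]]:
    """Egress ports for a broadcast/multicast frame (e.g. mDNS from a phone or HomePod).

    Result maps egress port -> tag written on the wire (None means sent untagged).
    """
    vlan = classify(ingress, tag)
    if vlan is None:
        return {}
    return {
        pid: (vlan if vlan in port.tagged else None)
        for pid, port in SWITCH.items()
        if pid != ingress and port.member_of(vlan)
    }
```

Because pfSense is the only router, anything that is to pass between two apartments must go up the trunk to one VLAN interface and back down from another, so the firewall rules on those VLAN interfaces are the whole inter-apartment policy.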
-
@akuma1x
Hmm. I’ve never owned a managed switch before. I didn’t know you could login to them. Not having a pfSense box in front of me, I’ll have to refer back to this when I do. I don’t have it yet. I was looking at this one:
https://a.co/d/fKAZhDq
As well as a zimaboard for the actual router:
https://www.zimaboard.com/
Landlords have agreed to purchase zimaboard. As for the lan congestion, they will all be going through a 1 gb wan connection anyway, so I don’t really see why adding an extra leg to the journey would make a substantial difference. I realize there must be some kind of control information to tell the switch which port it should route the info to, but again, over Gb ethernet, I can’t imagine that would make a noticeable difference.
-
@akuma1x Landlords live elsewhere, btw. Only 4 bachelors in 4 apartments.
-
@aaronouthier Don't get a TP-Link managed switch, they are known for leaking their VLAN traffic to other VLANs that you setup and not letting you remove or not use like VLAN tag 1 or something like that. They don't do VLANs correctly, long story short...
Here's a good one:
https://www.amazon.com/D-Link-Ethernet-Managed-Internet-DGS-1100-08V2/dp/B08MV9315K
Or this one:
https://www.amazon.com/Gigabit-Managed-Snooping-Aggregation-GS1200-5/dp/B07BNVTZ3S
@aaronouthier said in Managed switch question.:
@akuma1x Landlords live elsewhere, btw. Only 4 bachelors in 4 apartments.
What do you think your network needs will be? Just casual, or something way more? That's why I expressed some concern about running 4 apartments thru just 1 ethernet cable back to your pfsense LAN port. Again, might be totally ok and will work fine, but just keep that in mind when you get everything hooked up.
I've never heard of a zimaboard before, that looks pretty interesting. You gotta be careful however, in the specs section, it says that it uses Realtek 8111H network cards. Realteks aren't real solid when it comes to moving lots of traffic thru pfsense. Intel network cards are preferred.
I would also make sure that you can get access to the pfsense environment thru a console connection on that box. A really quick look at their site doesn't show anything specific about that and pfsense. A console connection (or a video connection thru HDMI to a monitor) allows you to troubleshoot pfsense in case of problems where you can't access the webgui thru a connected computer. On the 3 or 4 pfsense boxes that I've used over the last 4-5 years, I have needed to use a console connection at least a dozen times, and all in a pinch. Make sure the zimaboard computer can support something like that.
By the way, are these boxes even available yet? Everything says pre-order on their site. Yikes! Here's a comparable box, about the same price, with Intel network ports, and 5 of them.
https://www.amazon.com/gp/product/B09Z853DRJ?th=1
-
@akuma1x said in Managed switch question.:
Don't get a TP-Link managed switch
This used to happen in their cheap switches, like TL-SG105E and TL-SG108E, hardware revisions 3.0 and earlier. It has been fixed and now they are a good option for the price.
-
@mcury said in Managed switch question.:
@akuma1x said in Managed switch question.:
Don't get a TP-Link managed switch
This used to happen in their cheap switches, like TL-SG105E and TL-SG108E, hardware revisions 2 and earlier. It has been fixed and now they are a good option for the price.
Oh, ok... scratch my post then.
-
@akuma1x
I would prefer to let my cat do the post scratching - he enjoys it more…
🤪
-
You may be able to go two ways here.
-
Plain routing means you will be connecting a small switch to each pfSense port and setting everything up without VLANs, each residence with its own "subnet".
-
VLANs, and then you need only a small switch that is VLAN capable:
Netgear GS105E or GS305E
Netgear GS108E or GS308E
Might be good to start for you. Small footprint and metal case on rubber feet.
If you want to route the entire VLAN traffic by the switch, I would counsel you to try to get your hands on a small Cisco SG300 Series switch; they are an awesome buy for the money.
-
-
So, my parents own a 4-unit apartment complex. I am in 1 apartment, my brother in another, and 2 family friends in the other 2. We are sharing a single fiber optic internet connection between the 4 of us. I want to segregate the 4 apartments into separate subnets.
I trust you understand that may be a violation of your service agreement.
-
I hadn’t thought of that. Fortunately, I was trying to simplify the scenario for easier explanation.
It’s actually a 2 bedroom house in front, an ADU or “Mother-in-law” apartment next to the garage, and a 5th wheel trailer, the latter 2 are out back. Power is common throughout, including ground, and ethernet is run to 3 of the locations, with an extra WiFi router in the house for the trailer guest. Such details are not so important. Hence, the “4 apartments”. Perhaps I should have said a 4 bedroom house…
-
You'd better check your service agreement. They generally prohibit such sharing. If you're renting out a room or trailer, that's still another residence.