Multiple lan subnets (NO VLANS)
-
So I'm setting up a new home network soon. I have my pfSense router, 1 16 port gigabit UNMANAGED switch and a 5 port UNMANAGED switch (will not need all ports, its just what I have), and 3 Engenius EAP1300 WAPs.
I want to setup my network so that there are 2 networks. 1 for all home devices and 1 for IoT/guest but the IoT/guest will be WiFi only on a seperate SSID. The WAPs I have, have an option for it to be a guest network and setup its own DHCP server for the guest network but I want to have the pfSense router controlling everything and not the WAPs. I want the DHCP server and firewall rules going through the pfSense router.
I was wondering how I could create a second subnet for the IoT/guest network on the same LAN interface and how to manage it all through the router. I would usually just do vlans but these are unmanaged switches. Am I asking too much and should I just go with the WAPs to do all the work?
-
@Khoomn
Yes, VLAN is the only option to separate multiple SSIDs.The best would be to get a VLAN capable switch to separate the IoT network from your LAN cleanly, however it should also be doable with dumb switches.
Just configure the switches as AP with multiple SSIDs, where the IoT is bound to a VLAN. On pfSense add the same VLAN on the interface, where the APs are connected to (or even the switch in between). Assign an interface to this VLAN and configure it.
Then you have an IoT interface plus the other without VLAN, your home LAN. -
Unmanaged switches like that should just pass all tagged traffic so I'd expect it to work fine using VLAN tagged traffic for guest, IoT etc. However some switches may not YMMV!
Obviously that doesn't provide full isolation so broadcast on any VLAN would be sent to all clients. Any wired client could set their own VLAN tag and join that subnet. But wireless clients would still be isolated.
Steve
-
@Khoomn as mentioned while its possible to pass tags across a unmanaged (dumb) switch. It is not true isolation.
Do you not have another nic in your pfsense box? Can you not add one - if you had another nic, you could connect your AP to that and run a completely isolated network without any tagging.
Or you could if you want run an untagged network and tagged and or all tagged networks on your AP. Which would be completely isolated from your "lan" network.
If you do not have another nic it would be best to get at least 1 small smart (vlan capable) switch - now you can add your dumb switches to ports and all devices on that dumb switch would be on the vlan you put them in on the upstream smart switch. And you can connect your vlan capable AP to a port on this switch and put wifi devices on any network you want.
You can pick up like a 8 port gig smart switch for $40.. Or even just a 5 port smart switch would work.. Adding a smart switch to your network would still allow you to leverage the ports on your dumb switches and even put your dumb switches on a specific network be it your normal lan or another vlan, and allow your AP to put clients on any network you want while providing complete isolation..
-
@johnpoz said in Multiple lan subnets (NO VLANS):
get at least 1 small smart (vlan capable) switch
Be careful with TP-Link. Some models don't handle VLANs properly.
-
I was looking at TP-Link’s TL-SG105E managed switch. Is that a bad choice? I don’t need many ports so all I need is a 5 or 8 port managed switch
-
@Khoomn the tplinks in the past had issues with vlans - they wouldn't let you remove vlan 1 from ports you wanted in another vlan..
They did fix it, and I would think if your model is current, and not off the shelf from a couple years back you should be fine. But yeah I would look to something else other than tplink.. That whole fiasco kind of showed they don't really understand how vlans are suppose to work.
I would think you could find another brand in the same price point as the tplinks.. But if you can't - I would sure hope the current models do allow you to remove vlan 1 when you want a port in another vlan, etc.
-
Yeah all the 5 port ones I’m seeing online either have vlans not working or, even though they are $50 for 5 ports, you can only do vlan 1-5 which is dumb
-
@Khoomn I see a Zyxel GS1200-5 on amazon for $20 right now.. I have no experience with that brand - but from a quick look it should work, and its cheaper than the tplink one by like 3 bucks ;)
-
@johnpoz said in Multiple lan subnets (NO VLANS):
I see a Zyxel GS1200-5 on amazon for $20 right now.. I have no experience with that brand -
Get the 8 port version (GS1200-8). I have them both and do like them (you can have max 32 VLANs).
-
@Khoomn
I have also a Zyxel GS1200-8 with VLANs configured on it and a trunk to pfSense. Works pretty well and is easy to set up. -
I only plan to have 2 but can you select the vlan ids or is it only vlan ids 1-32? Also who is that company? Ive never heard of them.
I’m gonna just go with the 5 port as thats all i need.
Also is the web based panel local or online? Any subscriptions?
-
@Khoomn said in Multiple lan subnets (NO VLANS):
I only plan to have 2 but can you select the vlan ids
Sure you can, also it is the easiest understandable vlan interface I am aware of because they put everything in one page.
-
I’m gonna just go with the 5 port as thats all i need.
Also is the web based panel local or online? Any subscriptions?
-
@Khoomn Good old local.
-
@Khoomn said in Multiple lan subnets (NO VLANS):
I’m gonna just go with the 5 port as thats all i need.
Currently - but what about tmrw, or next month ;)
if the extra 15 isn't going to break you budget - I would go with the extra ports.. Maybe you want to add an extra AP in the future, or 2 etc..
-
I already have 3 APs that will cover my whole house. No security cameras (i really dont know why we dont), and the only hardwired PC is mine. Everything else is wifi
-
@Khoomn oh so you won't be using the dumb switches then?
