Using Managed Switch for Company and Private Networks

Gblenn

@bookie56 said in Using Managed Switch for Company and Private Networks:

@Gblenn Sweden....what ever gave you that idea

Two tiny skrivfel...

plus I wanted en access point for private and one for company...
they are tp-link men not at home at the moment...so not sure...

I have 2 x TP-Link EAP245 AP's
My wifi doesn't get affected by this switch at all...they have there connections to:
WIFI_PRIVATE and WIFI_COMPANY on my quad...
This switch is mainly for the LAN side of things...most computers are LAN_PRIVATE.
I have firewall rules in place so that those networks don't talk to each other... or with LAN_COMPANY

Ok so if you don't want to touch that, it's fine but I'm just saying it would perhaps streamline and simplify things from a rules perspective. And it would free up two additional ports on your pfsense... With that CPU/Motherboard you have plenty power to run other things on it as well. Why not Omada controller for your AP's...? Then you can manage both AP's from one single interface.

When I work on customer computers I either connect to the WIFI_COMPANY which is just above my head.... or the LAN_COMPANY which up and til now has been two standard unmanaged switches.... hence my interest to get rid of them and replace them with the new one...

This is only an 84 square meter flat so one AP is in the living room behind the tv and the other above my head in the office....YES I understand what you are saying about using both to feed both networks....but because of the size of the flat I have very good connections speeds where ever I am...(Good point though)
If I run speed tests from my kitchen to the living room which is around the corner....YES I lose some speed - but we have 500 up and 500 down so it doesn't really affect us...

Sounds like you are all good then, wrt wifi...

Like I said the Wifi AP's are directly fed by network cables coming from my pfsene router which at the moment is an old Asus Gaming:
Motherboard 1155
Processor i7-3770 3.4GHz
2 x 4 GB PC3-1200
Intel 520 Series SSD
Dell Pro 1000 VT PCie

I even have a reserve router with pfsense that I keep updated so that if something goes pear shaped I am up and running quite quickly
All private connections are ip and mac reserved in pfsense....

I have a cubiQ CS 1794 from Aten on an adjustable height bench which is always up....
Under there I have several feeds that come from this switch so I can work on several computers at once...
These cable feeds have two network cables that serve the private or company LANS depending what I have connected at the time..

Ok so then you will only drop one of the connections from pfsense, the COMPANY port.
This since you will be basing the COMPANY VLAN on the same Port you use for PRIVATE.

Basically no changes at all on the PRIVATE side, rules, DHCP or anything. If you are ok using a new subnet for COMPANY, I suggest you do that. Then you can just disable the current COMPANY interface and leave it until you might need it for something else.
So all you need then is to create the VLAN for COMPANY as per the Netgate documentation, making sure you select the right parent interface (the one used for PRIVATE LAN).

Edit the rule on PRIVATE (if you have one) so that it can't access COMPANY_VLAN), and add a rule for COMPANY_VLAN so that it can't connect to PRIVATE and you are done...

bookie56

@Gblenn Sorry I am lost...
I was hoping to have the link for the LAN_PRIVATE which goes to Port 1 on the switch
I then was hoping to have the link for the LAN_COMPANY go to Port 17 on the switch...
If the above can't be done then I will have a separate switch for LAN_COMPANY and leave everything else on the new switch...

This is why I have the quad using all 4....
bookie56

johnpoz

@bookie56 said in Using Managed Switch for Company and Private Networks:

If the above can't be done

Why do you think that can not be done? You can for sure have multiple uplinks from your switch to different interface on pfsense - when they are different networks..

Where you would run into some issues if you also want to connect your APs to other ports on pfsense and those were wanting to be on either lan private or lan company. For that to work you would need to create a bridge on pfsense which is not optimal. But if you have these AP providing 2 different networks ie wifi private and wifi work that are different networks than lan company and lan private you would be fine.

bookie56

@johnpoz so how do I set up the switch with both of these networks?

bookie56

johnpoz

@bookie56 your port 1 would be connected to lan_private interface on pfsense with whatever vlan you want that network to be on your switch.. this would be untagged and pvid would be whatever vlan your using on your switch.

You connect port 17 on your switch to the pfsense interface that is lan company.. This port would be on some other vlan you create on the switch, this port would also be untagged and with a pvid of whatever vlan you created on your switch for this network.

So as example

Here is 3 different networks on pfsense, igb0, 3 and 5

login-to-view

On my switch I have 3 different vlans created 9, 3 and 7 for these networks. I just used the 3rd octet number so its easy to remember.. my lan network is 192.168.9/24 my dmz is 192.168.3/24 and my roku is 192.168.7/24

Might make it easier for you to see if show this on the switch gui vs cli

These are the 3 ports on the switch those pfsense interfaces are connected too

login-to-view

Now those ports on the switch are configured like this

login-to-view

see pvid that is set, which is also shown on the vlan membership page as the P, the UP means Untagged and PVID vlan ID. All a pvid is what vlan on the switch the switch will put traffic that it sees coming in on that port untagged. Before you were isolating your networks with physical different switches. But when you want to keep these networks isolated on a vlan swtich, you have to tell the switch what vlans are what ports, etc even if the traffic is not tagged.

Even if the networks on pfsense are not actually vlans on pfsense, ie no TAG.. You still have to isolate that traffic on the switch by creating vlans..

Here are the vlans I have created on the switch

login-to-view

In my case my default vlan is set to 9 on the switch vs 1, the default vlan on most switches is 1 and many do not even allow you to change that.. I just changed mine so the ID would match up with the network I use on my lan of 192.168.9.0/24

You could prob do this on your switch with port vlans.. But using 802.1q is better option. Because now it will allow you in the future maybe to create a vlan on pfsense and carry this over the same physical port.. See for example those ports that are trunked and have multiple vlans listed on them.. Like port 7 on my switch that has 2,3,4,6,7,9,110 and 1011 all Tagged, see the T next to the number other than vlan 9 which is untagged.. you can only ever have 1 untagged vlan on a port.

That port 7 on my switch is an uplink to another switch that sits in my AV cabinet in my living room.. And I can put a port on that switch in any of those vlans.. For example one of my APs connects to that switch in the AV cab, and depending on what SSID you connect to puts you on that network/vlan.

Gblenn

@bookie56 said in Using Managed Switch for Company and Private Networks:

@Gblenn Sorry I am lost...
I was hoping to have the link for the LAN_PRIVATE which goes to Port 1 on the switch
I then was hoping to have the link for the LAN_COMPANY go to Port 17 on the switch...
If the above can't be done then I will have a separate switch for LAN_COMPANY and leave everything else on the new switch...

This is why I have the quad using all 4....
bookie56

Ah of course that's perfectly possible, exactly like @johnpoz describes it. You will essentially split your 24 port switch into two logical partitions, replacing your current dumb switches. And for that to work like you want, you don't need to do anything on the pfsense side at all.

So going back to my example with the picture of the TPLink interface, you will do this (using my 16 port switch as an example)

First for PRIVATE (using VLAN tag 5 here)

login-to-view

Then Update and Apply and then similarly for COMPANY (using VLAN tag 10)

login-to-view

Then on the 802.1 VLAN PVID page you make ports 1-16 members of VLAN 5
And then ports 17 to 24 members of VLAN 10..

Like this:
login-to-view

johnpoz

@Gblenn yup that works - only thing with those entry level vlan capable switches. He prob wants to use just the default vlan 1 as one of his network. Because this is the vlan the management of the switch will be on..

So for his say lan private, just use vlan 1, then create a new vlan be it 5 or 10 or whatever other ID he wants to use for his lan company..

But I like the idea of just splitting the switch into 2 vlans.. Ie 2 switches in 1 box, which is what vlans are - the ability really to create multiple switches (virtual lans) in one box..

And its also a good idea to keep all the ports in 1 vlan together.. So ports 1-8 are vlan 1, and ports 9-16 are the other vlan.. So ports 1-8 are his lan private "switch" and ports 9-16 are his lan company switch.. then port 1 connected to pfsense lan private interface, and say port 9 connected to his lan company interface on pfsense... Easy peasy, lemon squeezy ;)

edit - personally I would connect his AP to the switch as well.. This allows him then to put wired devices on either his wifi private or company network.. He could still leave his pfsense as is without having to create vlans on it.. And just 2 more uplinks from the switch for wifi private and company.

And if he ever wants more network than his 4 ports, then he can start tagging those vlans and use one of the physical uplinks from switch to pfsense to carry that vlan. I would hope his APs allow for vlans - this way he could place his AP in different parts of the house and client can connect to which ever one is closer and provides the best signal - doesn't matter if client is wifi private or company, etc.

Gblenn

@johnpoz Yes I just realized that and was meaning to edit my post accordingly, but you beat me to it...

So what johnpoz is saying is to keep the switch at default VLAN settings for all ports except 17-24. Only those ports do you make the changes I showed in the pictures...

You also need to do one more thing, which is to remove the VLAN 1 membership from those ports. So type 1 in the VLAN ID field and click Not Member for ports 17-24.

Similar to this (using 5-8 as an example for your COMPANY ports)

login-to-view

johnpoz

@Gblenn great reminder about removing vlan 1 from the ports you put into different vlan.. You would hope the switch would be "smart" enough to not allow you to have more than 1 untagged vlan on the same port.. But those tplinks don't have a great track record for understanding vlans to be honest ;)

There was a whole issue quite some time ago, where they wouldn't even let you remove vlan 1 if you put the port into a different vlan.

Gblenn

@johnpoz said in Using Managed Switch for Company and Private Networks:

@Gblenn yup that works - only thing with those entry level vlan capable switches. He prob wants to use just the default vlan 1 as one of his network. Because this is the vlan the management of the switch will be on..

edit - personally I would connect his AP to the switch as well.. This allows him then to put wired devices on either his wifi private or company network.. He could still leave his pfsense as is without having to create vlans on it.. And just 2 more uplinks from the switch for wifi private and company.

Agree but I guess he wants to keep the setup on pfsense untouched, with any rules etc that have already been created for the 4 subnets.
Perhaps move the COMPANY AP to the switch ports 17-24, and drop the WIFI_COMPANY interface on pfsense. There are no static leases on either of the COMPANY networks so why make it more complicated than needed.

And if he ever wants more network than his 4 ports, then he can start tagging those vlans and use one of the physical uplinks from switch to pfsense to carry that vlan. I would hope his APs allow for vlans - this way he could place his AP in different parts of the house and client can connect to which ever one is closer and provides the best signal - doesn't matter if client is wifi private or company, etc.

Exactly, and those AP's do actually allow for VLANs and are compatible with Omada centralized management.

johnpoz

@Gblenn said in Using Managed Switch for Company and Private Networks:

setup on pfsense untouched, with any rules etc that have already been created for the 4 subnets.

He really wouldn't have to change anything on the pfsense side, he would just move the AP from the port on pfsense to port on the switch.. This would really give him more flexibility going forward.

Gblenn

@johnpoz said in Using Managed Switch for Company and Private Networks:

@Gblenn great reminder about removing vlan 1 from the ports you put into different vlan.. You would hope the switch would be "smart" enough to not allow you to have more than 1 untagged vlan on the same port.. But those tplinks don't have a great track record for understanding vlans to be honest ;)

There was a whole issue quite some time ago, where they wouldn't even let you remove vlan 1 if you put the port into a different vlan.

Yes the switch I am using to exemplify is an old one and have had some wierd issues wrt VLAN and picking up, or flipping between two differen IP's for the UI. So sometimes I had to access it via a VLAN and other times I could reach it via the static lease I had given it in pfsense.

I am playing around with another firewall which has it's LAN port connected to a VLAN only existing in my switches. Similar to what this config does with ports 17-24. But apparently it couldn't decide which DHCP server to listen to... I have fixed it now but it was a bit frustrating before I figured out what was going on.

The newer Omada switches I'm using for my network are way better and have not had any problems at all.

Gblenn

@johnpoz said in Using Managed Switch for Company and Private Networks:

@Gblenn said in Using Managed Switch for Company and Private Networks:

setup on pfsense untouched, with any rules etc that have already been created for the 4 subnets.

He really wouldn't have to change anything on the pfsense side, he would just move the AP from the port on pfsense to port on the switch.. This would really give him more flexibility going forward.

Agree, like I said about the COMPANY AP, but I suppose there is some reason he wants his wifi separated...

bookie56

Wow you guys have been busy...
Ok I will try and keep to just English.......
Too many years in Sweden....lol
Give me time to digest all of this !
I am so grateful for the support one gets on this forum!
In one word BRILLIANT!

bookie56

bookie56

@Gblenn said in Using Managed Switch for Company and Private Networks:

@johnpoz said in Using Managed Switch for Company and Private Networks:

@Gblenn said in Using Managed Switch for Company and Private Networks:

setup on pfsense untouched, with any rules etc that have already been created for the 4 subnets.

He really wouldn't have to change anything on the pfsense side, he would just move the AP from the port on pfsense to port on the switch.. This would really give him more flexibility going forward.

Agree, like I said about the COMPANY AP, but I suppose there is some reason he wants his wifi separated...

No real reason apart from the fact I have a quad and could physically run cables to each AB and LAN networks

johnpoz

@bookie56 do you not have enough ports to just connect those 4 ports to your switch... Which then would give you more flexibility..

bookie56

@johnpoz Can we leave at it is for now....
Here are the two settings now:
login-to-view login-to-view

bookie56

I have gone back to pfsense and added an IPv4 address and then in DHCP Server given it a range ...because I have no need for so many gone from 192.168.121.2 to 192.168.121.25 (example)
The existing firewall rules I had help with.....
What rules do I need to stop this network talking to LAN_PRIVATE and WIFI_PRIVATE?

bookie56

Gblenn

@bookie56 Under Firewall > Rules you have the LAN_COMPANY and WIFI_COMPANY tabs.

Create new block rules above the allow all rule that look similar to this. In my case it's my GuestVLAN that I don't want accessing e.g. the IoT-network.

login-to-view

Select Block and the interface is your LAN_COMPANY, protocol any and source any.
Then it's a matter of selecting the destination you want to block, in this case you would pick LAN_PRIVATE and click Save.

login-to-view

Then you create one more looking exactly the same but select WIFI_PRIVATE as the destination you want to block. Make sure they end up above the allow rule.

To test that it works you can try pinging anything on your PRIVATE netwórk from one of your COMPANY PC's.

johnpoz

@bookie56 said in Using Managed Switch for Company and Private Networks:

Can we leave at it is for now

sure.. whatever you feel comfortable with doing, its your network..

So your lan private and lan company are working now.. depending on what port you plug them into on your switch? That switch config looks correct to me for just splitting the switch into 2 virtual switches.