Help me integrate pfSense into my existing network



  • Hi All,

    Some quick background: I work for a small language school and have taken over their IT part-time.  I'm primarily a teacher, but I know enough IT to feel reasonably comfortable in this role.  Still, I have lots of shortcomings and I study my ass off to close the gaps.  Read: I'm more than happy to go off and learn something/figure something out and report back; I don't need my hand held.

    I inherited a poorly-functioning network and am trying to improve it where I can.  The main problem we have right now is that we can't seem to handle the traffic; we have daily downtimes.  I think they can be narrowed down to us using a small Cisco business router–I don't believe it's got enough power to handle our spikes.

    I've attached two network diagrams: the first is our existing system, and the second is my proposed replacement.  In both, there could be errors or omissions (specifically with my notation), but they're essentially accurate.  (Also note that the Port 67 thing is just to indicate that whatever that is (I haven't figured it out yet) needs to remain in the new layout.  I have no documentation on it and haven't had a chance to unplug it and find out who/what complains.)

    My goal is to replace the little Cisco switches and router with a pfSense router; I think it will be more robust, easier to manage, easily replaced/repaired (there are always parts on-hand), and it is far simpler than the current layout.  (The new switch is to increase future and current capacity; currently, classrooms are wired into the panel but lack a switch to connect to.)

    What may not be clear in the diagrams are the actual networks I need to create, so I'll outline them here:
    I need:

    • a LAN, 172.10.0.X with wired and wireless access (Staff network)

    • a LAN, 192.168.1.X with wireless access only (Student network)

    • a LAN, 192.168.2.X with wireless access only (Public network)

    Before I go much further, does my proposed diagram make sense?  My follow-up questions (assuming things make reasonably good sense) will be how to specifically configure pfSense and create vlans to configure the network.  But first things first…

    Thanks in advance for your help,
    --Derek
    ![current_network_diagram (1).jpg](/public/imported_attachments/1/current_network_diagram (1).jpg)
    ![proposed_network_diagram (2).jpg](/public/imported_attachments/1/proposed_network_diagram (2).jpg)


  • LAYER 8 Global Moderator

    So yeah looks like right direction.

    Couple of questions for you: what speeds are your downstream switches, and how are you going to run them back to what becomes your core switch, the SG300?

    Are you going to homerun them all back, or daisychain them - are you going to use fiber/copper?



    Roughly how many users are you going to have on your network (worst case scenario)? I would also recommend using a multilayer switching scenario with LAG connections for speed but also redundancy. Also, what is the speed of your ISP connection down/up? Who is your provider and are you using a backup service?



  • @johnpoz:

    So yeah looks like right direction.

    Couple of questions for you: what speeds are your downstream switches, and how are you going to run them back to what becomes your core switch, the SG300?

    Are you going to homerun them all back, or daisychain them - are you going to use fiber/copper?

    Downstream switches are 10/100.  My plan had been to daisychain them back, but after reading about trunking (from mikeisfly's comment), I think that's a better option if my switches will do it.  All cabling is cat5e.



  • @mikeisfly:

    Roughly how many users are you going to have on your network (worst case scenario)? I would also recommend using a multilayer switching scenario with LAG connections for speed but also redundancy. Also, what is the speed of your ISP connection down/up? Who is your provider and are you using a backup service?

    Unqualified max users: 250, but in reality, 175 of them just grab an IP on the way in and use mobile devices periodically throughout the day.

    I hadn't understood the benefits of LAG connections before (redundancy, and on my limited hardware, speed).  We have Eastlink 10 Mbps/1Mbps (and won't be changing from that in the near future), and don't have backup off-site due to the slow connection (daily backups go off-site physically though).


  • LAYER 8 Global Moderator

    Well, depending on the switches you're using, and their locations - from your drawing it seems like all these switches are in one area with a patch panel that then runs out to your different drops?

    In that case I would stack the switches and run what you need to your internet router and wireless.  Seems like your internet is really slow.  But 10/100 -- arrrghhh, must be like watching paint dry moving anything between anything ;)

    Daisy chain is rarely a good idea; if bandwidth is not being used it can work, and save runs - and if you run a connection back from the last switch you have redundant paths, etc.

    But if you can stack the switches??

    What kind of budget do you have for this uplift?  SG300 is SMALL office type switches, you mention multiple switches like 16 and 2x24s?  Why not just get a 48 port?  Or go with the 500 series that are stackable?



  • I'm all about doing a job one time. If I'm going to be running cat 5e throughout a building I'm going to put wires everywhere that way I only have to work hard once. LAG connections to your core switch can give you better aggregation speeds which would help with congestion, also if one of your lines went down you would still be up. I prefer to use LAG connections instead of letting spanning tree bring a link in blocking mode up if the main link goes down. If you think about it with spanning tree you have a link just sitting there doing nothing. Even if your equipment doesn't support it you can still wire everything up and then as you upgrade the hard work will have been done.

    Not sure the size of your school but if you have a switch in every classroom then I would have all the switches come back to your main switch (core Switch). Don't Daisy Chain.

    Elephant in the room

    It would seem to me that the problem is your ISP; you don't have the bandwidth to support 175 users, 250 max. We can certainly help with assisting you in making sure your LAN is optimized to perform the very best that it can, but on today's modern internet and with how students use the internet today, 10/1 is just way too slow. It would seem to me that most people can get better speeds with their cellular provider.

    I did some research on your ISP and it looks like they serve: Nova Scotia, New Brunswick, Prince Edward …, I'm down here in the United States (New Jersey) and we have programs to provide high-speed Internet at affordable pricing to education and government facilities. Do they have a program like that where you are located? Looks like you are going to have to do some traffic shaping and proxying to make sure that students aren't taking all the bandwidth; doable, just wanted to point this out because although I believe pfSense is a fantastic solution (in many cases I have gone with pfSense instead of Cisco) I'm not sure that the problem is your router as you have stated originally.

    What kind of hardware are you working with to install PfSense on? Are you looking to do a new build?



  • @johnpoz:

    Well, depending on the switches you're using, and their locations - from your drawing it seems like all these switches are in one area with a patch panel that then runs out to your different drops?

    In that case I would stack the switches and run what you need to your internet router and wireless.  Seems like your internet is really slow.  But 10/100 -- arrrghhh, must be like watching paint dry moving anything between anything ;)

    Daisy chain is rarely a good idea; if bandwidth is not being used it can work, and save runs - and if you run a connection back from the last switch you have redundant paths, etc.

    But if you can stack the switches??

    What kind of budget do you have for this uplift?  SG300 is SMALL office type switches, you mention multiple switches like 16 and 2x24s?  Why not just get a 48 port?  Or go with the 500 series that are stackable?

    Correct: everything is in one room and patched out to the drops.

    Re speed: I know everything is slow, but users and management don't seem to.  Nobody complains about speed, and we don't tend to have bandwidth-heavy things happening very often.

    My budget is shoestring.  The only new hardware I'd planned to buy (beyond nics for the router) was a new switch to accommodate the drops not currently connected past the panel.  I can get a 48 for about the same price as a new 24 and you're right–that could make more sense and is a possibility.



  • @mikeisfly:

    I'm all about doing a job one time. If I'm going to be running cat 5e throughout a building I'm going to put wires everywhere that way I only have to work hard once. LAG connections to your core switch can give you better aggregation speeds which would help with congestion, also if one of your lines went down you would still be up. I prefer to use LAG connections instead of letting spanning tree bring a link in blocking mode up if the main link goes down. If you think about it with spanning tree you have a link just sitting there doing nothing. Even if your equipment doesn't support it you can still wire everything up and then as you upgrade the hard work will have been done.

    Not sure the size of your school but if you have a switch in every classroom then I would have all the switches come back to your main switch (core Switch). Don't Daisy Chain.

    Elephant in the room

    It would seem to me that the problem is your ISP; you don't have the bandwidth to support 175 users, 250 max. We can certainly help with assisting you in making sure your LAN is optimized to perform the very best that it can, but on today's modern internet and with how students use the internet today, 10/1 is just way too slow. It would seem to me that most people can get better speeds with their cellular provider.

    I did some research on your ISP and it looks like they serve: Nova Scotia, New Brunswick, Prince Edward …, I'm down here in the United States (New Jersey) and we have programs to provide high-speed Internet at affordable pricing to education and government facilities. Do they have a program like that where you are located? Looks like you are going to have to do some traffic shaping and proxying to make sure that students aren't taking all the bandwidth; doable, just wanted to point this out because although I believe pfSense is a fantastic solution (in many cases I have gone with pfSense instead of Cisco) I'm not sure that the problem is your router as you have stated originally.

    What kind of hardware are you working with to install PfSense on? Are you looking to do a new build?

    As mentioned in my previous post, all network gear is in a single room.  To bring everything back to the core switch I'll do whatever makes most sense and involves buying the least hardware.  LAG seems like the best choice.

    Also, again, the speed isn't an issue (somehow).  Our staff use is not bandwidth-intensive, and most of the students aren't using it heavily, either.  LTE is faster than most WiFi available anywhere; anyone with LTE doesn't bother connecting.  The remaining users aren't flooding the network either.  Our theoretical max users is high for our infrastructure, but the reality is that they don't really use it a whole lot.  I can incrementally upgrade the network, but it has to happen on a case-by-case basis.  I try to make any changes with that future in mind, but I can't do it all at once.

    For the pfSense build, I've got a basic dual core machine with 4 gigs of ram and a couple Intel gigabit nics.



  • Just to provide a little more background:

    The reason I decided to try replacing the router is because at some point each day our wireless users lose connectivity–the APs stop accepting new connections (permitting those already connected to remain connected), and the only fix is to either reboot the APs or the small Cisco router and switches (the three showing in my original diagram).  It seemed like eliminating those could solve the problem, and I could try doing that without spending any real money--a pfSense box and a bit of reconfiguring (and adding the new switch while I was in there).

    If I had my way, I'd bump everything to gigabit (we have the cabling and nics already) and move to a single switch from the patch panel (replacing the 10/100s there now), and increase our bandwidth by a factor of 10.

    I can replace the switches if I can find a suitably-priced replacement.  I doubt I can up the bandwidth unless I can conclusively show that's our bottleneck.  But whereas the wired users stay up while the wireless go down, it doesn't seem that that's the true problem.

    Thoughts?  (Also, thanks so much for all your help so far!)


  • Netgate Administrator

    Anything you can run pfSense on will be sufficient for a 10/1 connection.  ;)

    In your initial post you mention 'daily downtime' due to not being able to handle the traffic. Volume of traffic? From where to where?
    Clearly something is not up to the job so you need to make sure your new topology is capable of handling it. To do that you need some idea of what is crippling your current network.

    Steve

    Edit: You've just answered some of this.  :)


  • LAYER 8 Global Moderator

    If wireless is the problem - maybe a bit more detailed drawing.  That current one just looks like a complete cluster F ;)  Looks like you're double NATting for starters, and then you show 192.168.1.1 public?

    Are these networks you mention really on their own segments or vlans - or are you just running 3 different address spaces over the same wire?  So they are all broadcasting on the same wire?  Which then goes out your wireless network?

    You mention wired/wireless for 1 segment and then a student and then guest wireless.

    How exactly do you plan on isolating these networks - I see you have a wireless controller.  How many APs exactly - are you going to put those physically on the different segments, or are they going to just vlan traffic based upon SSID?

    Also for bandwidth issues, your phones are VoIP?  You probably want to break that out to its own network; how much traffic over this phone system is office to office, or just local to the building?



  • @johnpoz:

    If wireless is the problem - maybe a bit more detailed drawing.  That current one just looks like a complete cluster F ;)  Looks like you're double NATting for starters, and then you show 192.168.1.1 public?

    Are these networks you mention really on their own segments or vlans - or are you just running 3 different address spaces over the same wire?  So they are all broadcasting on the same wire?  Which then goes out your wireless network?

    You mention wired/wireless for 1 segment and then a student and then guest wireless.

    How exactly do you plan on isolating these networks - I see you have a wireless controller.  How many APs exactly - are you going to put those physically on the different segments, or are they going to just vlan traffic based upon SSID?

    Also for bandwidth issues, your phones are VoIP?  You probably want to break that out to its own network; how much traffic over this phone system is office to office, or just local to the building?

    Double natting?  Possibly.  Probably actually.

    The existing network has a switch for 192.168.1.1 (on which are the Student and Public segments), but they're SSID-based (as is wireless Staff, 172.10.0.X).

    There are 3 APs, all vlan'd based on SSID.  As for the phones, I'm still getting my head around them; until a few weeks ago I'd never worked with an office phone system.  They live on their own network (which I didn't include in my original diagram).



    It's beginning to sound like I have other things to work on before integrating pfSense into my network.  I spoke with management today to find out why the network was set up as it is (as they'd hired the setup out), and basically management asked to make as few changes to the previous network as possible.  But the old network had been added to and modified piecemeal over the years; I think it should have just been redesigned from the ground up.

    If it's appropriate here, let's talk redesign instead.  Keeping the essence of my proposed network diagram, I need to provide the following:

    • Staff subnet, wired and wireless
    • Student subnet, wired and wireless (I hadn't specified wired previously)
    • Public subnet, wireless
    • VoIP for the phones

    I have the following hardware:
    • 10 port PoE managed switch (SG 300-10P PoE)
    • 3 access points, ZoneFlex 7363
    • Wireless controller (ZoneDirector 1100)
    • New gigabit managed switch (to be purchased to replace existing 10/100 gear)
    • 10/1 Mbps connection (which could be upgraded if the case can be made)
    • pfSense router
    • Cat5e for all cabling, to patch panel

    Rather than addressing existing problems, it seems to me that a redesign is just easier.  Is this a bad approach?



    Nothing wrong with a redesign if it makes sense imho. Do you have Visio? I can make a network diagram for your perusal.



  • @mikeisfly:

    Nothing wrong with a redesign if it makes sense imho. Do you have Visio? I can make a network diagram for your perusal.

    I do–that would be great.  Thanks!



    Decided to use gliffy.com just in case someone else comes by and reads this post later; maybe they can benefit from it as well.

    Here is what I have come up with:

    It's pretty straightforward and with your current configuration I don't think that it would be hard to implement. Your switches are Cisco but I believe they are Linksys rebranded as Cisco and I don't have much experience with them. What's nice about Cisco (and if your switches support this it would be great) is they have a protocol called VTP. What this will allow you to do is you can create a VTP domain and give it a password. Then you would set all your switches to the same VTP domain and password. You can make your core switch the VTP domain server and you can set all the other switches to VTP clients. Now all you have to do is create the VLANs on your server and VTP will push the configurations to the clients, which makes configuration a lot easier. Then you can prune your VLANs as necessary. Some people don't like VTP because if you are not careful you can wipe out your VLAN database, but all in all it makes life much easier.

    Now if your switches don't support VTP then just make all the VLANs on your switches manually. I didn't include the LAGG ports, but any port going from your core switch to your access switches can be LAGG if your switches support this feature. If not, spanning-tree will kick in and put one of the ports into blocking mode (which basically disables it) until the main link goes down.

    As far as configuration, you will have to make all the VLANs in pfSense and they will have to have the same numbers as the ones you created on your switches. They don't have to have the same name, but I recommend that you keep them consistent for sanity, and that way anyone coming after you will be able to follow what's going on. Make sure you apply all those VLANs to the interface that you designate as the LAN port.

    Once you do all that, just confirm that everything can talk to everything and everything is working. If it is, then I would start applying rules to pfSense to block things that you don't want to communicate, for example: make a rule so that the public vlan can't communicate to any other network/subnet on your LAN.

    Once all your rules are established and everything is working the way that you want, then you can start thinking about adding a proxy server configuration to see if that speeds up your Internet; also you can use it for content filtering, which is probably a good idea at a school.

    Once all this is done you should be set and the only thing left is to talk your boss into upgrading your ISP connection to 100/100 or whatever fits into your budget.

    As a side note, Gigabit is good but not necessary unless you are transferring large files around your network. It's good that you are getting a gigabit switch and I would make that the core, but unless one of your switches dies or you need to buy more switches because your network is growing, 10/100 is fine. As things die I would replace them with gigabit as my strategy. You can even think about a rolling upgrade where you replace just a few pieces a year until your network is completely upgraded.

    As far as management of all your gear, I would put them on their own network (VLAN) and call it management. When your network gets more mature and you start replacing/upgrading equipment you might want to think about putting the management VLAN on its own switch with maybe an access server and a secondary ISP connection just to have out-of-band management, but that is down the road and not necessary at the moment.

    I welcome all comments; I think that this is a pretty straightforward design that shouldn't be hard to implement. I don't think you ever mentioned if your VoIP is running locally or if it's a hosted solution. If it is hosted then you may have to contact your provider to let them know of the changes you plan to make to see if there is something they need to do on their end.
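The VLAN-matching and rule-ordering steps in the post above, as an added example that is not part of the thread and not pfSense's own code: a small Python model that checks the switch VLAN database against the pfSense VLAN list (IDs must agree, names may differ), builds an isolation policy for the public VLAN the way pfSense evaluates rules (on the interface where traffic enters, first match wins, implicit default deny), and flags LAN subnets that sit outside RFC 1918 space. The VLAN IDs, the VoIP and management subnets and the interface layout are assumptions; the staff, student and public subnets are the ones named in the thread.

```python
"""Consistency checks for a VLAN plan shared between managed switches and pfSense.

Added example for this thread, not code from pfSense or from anyone in the thread.
VLAN IDs and the VoIP/management subnets are assumptions; the staff, student and
public subnets are the ones the thread names.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    subnet: ipaddress.IPv4Network


# Constructed VLAN database as it would exist on the switches (VLAN IDs assumed).
SWITCH_VLANS: Dict[int, str] = {10: "staff", 20: "student", 30: "public", 40: "voip", 99: "mgmt"}

# Constructed pfSense VLAN interfaces on the LAN parent NIC (names may differ from the switch side).
PFSENSE_VLANS: List[Vlan] = [
    Vlan(10, "STAFF", ipaddress.ip_network("172.10.0.0/24")),     # subnet from the thread
    Vlan(20, "STUDENT", ipaddress.ip_network("192.168.1.0/24")),  # subnet from the thread
    Vlan(30, "PUBLIC", ipaddress.ip_network("192.168.2.0/24")),   # subnet from the thread
    Vlan(40, "VOIP", ipaddress.ip_network("10.40.0.0/24")),       # assumed
    Vlan(99, "MGMT", ipaddress.ip_network("10.99.0.0/24")),       # assumed
]


def check_vlan_ids(switch_vlans, pfsense_vlans):
    """VLAN IDs must match on both sides; names are free to differ."""
    sw, pf = set(switch_vlans), {v.vid for v in pfsense_vlans}
    problems = [f"VLAN {vid} exists on the switches but not in pfSense" for vid in sorted(sw - pf)]
    problems += [f"VLAN {vid} exists in pfSense but not on the switches" for vid in sorted(pf - sw)]
    return problems


def check_private_ranges(pfsense_vlans):
    """Internal subnets should sit inside RFC 1918 space; anything else collides with real Internet addresses."""
    return [f"VLAN {v.vid} ({v.name}) uses {v.subnet}, which is outside RFC 1918 space"
            for v in pfsense_vlans if not any(v.subnet.subnet_of(p) for p in RFC1918)]


@dataclass(frozen=True)
class Rule:
    action: str                            # "pass" or "block"
    src: Optional[ipaddress.IPv4Network]   # None means any
    dst: Optional[ipaddress.IPv4Network]   # None means any


def build_rules(pfsense_vlans, isolated=("PUBLIC",)):
    """Per-interface rule lists. For an isolated VLAN: block to every other local
    subnet first, then pass everything else (i.e. the Internet). Order matters
    because pfSense takes the first matching rule on the interface where traffic enters."""
    rules = {}
    for v in pfsense_vlans:
        rs = []
        if v.name in isolated:
            rs += [Rule("block", v.subnet, o.subnet) for o in pfsense_vlans if o is not v]
        rs.append(Rule("pass", v.subnet, None))
        rules[v.name] = rs
    return rules


def evaluate(rules, ingress_vlan, src, dst):
    """First matching rule wins; no match means pfSense's implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules[ingress_vlan]:
        if (r.src is None or src in r.src) and (r.dst is None or dst in r.dst):
            return r.action
    return "block"


if __name__ == "__main__":
    for line in check_vlan_ids(SWITCH_VLANS, PFSENSE_VLANS) + check_private_ranges(PFSENSE_VLANS):
        print("finding:", line)
    rules = build_rules(PFSENSE_VLANS)
    for vlan, s, d in [("PUBLIC", "192.168.2.50", "172.10.0.10"),
                       ("PUBLIC", "192.168.2.50", "203.0.113.7"),
                       ("STAFF", "172.10.0.10", "192.168.1.20")]:
        print(f"{vlan} {s} -> {d}: {evaluate(rules, vlan, s, d)}")
```

The isolation policy deliberately enumerates the plan's own subnets rather than relying on an "RFC 1918" alias: 172.10.0.0/24 lies outside 172.16.0.0/12, so a block rule written against private address space would not cover the staff network, while a rule list generated from the VLAN plan does.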


  • Netgate Administrator

    You haven't included the mystery 'port 67' device.  ;)
    Looks like a far more rational approach though.

    Did you find out anything more about that?

    Steve



  • @mikeisfly:

    I welcome all comments; I think that this is a pretty straightforward design that shouldn't be hard to implement. I don't think you ever mentioned if your VoIP is running locally or if it's a hosted solution. If it is hosted then you may have to contact your provider to let them know of the changes you plan to make to see if there is something they need to do on their end.

    Thanks for this.  Busy day here and an early weekend, so I won't be around terribly much until Monday.  I'll spend some time with your diagram and report back with any comments or questions.

    Voip is hosted locally.



  • @stephenw10:

    You haven't included the mystery 'port 67' device.  ;)
    Looks like a far more rational approach though.

    Did you find out anything more about that?

    Steve

    Still haven't unplugged it.  I assume it's phones related, but can't say yet.  (Maybe it was just grandfathered in from whatever had been set up before–maybe it's never done a thing!)



  • I've had some time to go over the diagram you posted.  There are a couple elements that I'd have to change to make it work with my hardware due to a couple limitations.

    The first limitation is that my APs are PoE, and my only PoE provider is (currently) the 10-port managed switch.  The wireless controller is a single port in, single port out; it can't handle the APs directly.

    The other issue is capacity–because my existing switches (except the 10-port PoE) are unmanaged, they can only handle traffic from one VLAN.  One switch for Students is fine; the other for servers is fine, but that leaves a few drops disconnected; they'll have to be routed through the other managed switch if I don't buy greater capacity.  The simplest solution for that is buying two switches, a 48-port and a 24 (site limitations make that a true max capacity for physical connections).  2 managed switches instead of one would free up the 10-port to handle the APs (or APs and VoIP).

    Is there a better solution than these mods?



    Nothing wrong with that. You don't need managed switches; I just like them because they let you have more control of your network. I would just make sure that you only send untagged traffic to your unmanaged switches, although there are some unmanaged switches that can deal with tagged traffic. Typically unmanaged switches will not support LAGG and may not have spanning tree either, so be careful when running extra links between switches for redundancy.
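The three cautions in the reply above (only untagged traffic towards an unmanaged switch, no LAGG towards a switch that cannot negotiate one, and no redundant links where nothing runs spanning tree) as an added example that is not from anyone in the thread: a Python check over a constructed port table for the core switch. Port names, VLAN IDs, device names and the mapping of SSIDs to VLANs are all assumptions.

```python
"""Sanity checks for a core switch's ports when some downstream switches are unmanaged.

Added example for this thread, not from anyone in it. Port names, VLAN IDs and
device names are constructed. The rules encoded are the ones discussed in the
thread: one untagged VLAN only towards an unmanaged switch, no LAG towards a
switch that cannot negotiate one, and no parallel links where nothing runs
spanning tree (that is a loop, not redundancy).
"""
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Port:
    name: str
    peer: str                             # device at the far end of the cable
    peer_type: str                        # "pfsense", "managed", "unmanaged" or "ap"
    untagged: Optional[int] = None        # access/native VLAN carried without a tag
    tagged: FrozenSet[int] = frozenset()  # VLANs carried with an 802.1Q tag
    lag: Optional[str] = None             # LAG group name if the port is aggregated


ALL = frozenset({10, 20, 30, 40, 99})
WIRELESS = frozenset({10, 20, 30})  # staff, student and public SSIDs map to these VLANs (assumed IDs)

# Constructed port table for the core switch; three entries are deliberately wrong.
CORE_PORTS: List[Port] = [
    Port("g1", "pfsense", "pfsense", tagged=ALL),
    Port("g2", "poe-sw", "managed", tagged=ALL, lag="lag1"),
    Port("g3", "poe-sw", "managed", tagged=ALL, lag="lag1"),
    Port("g4", "student-sw", "unmanaged", untagged=20),                         # correct: one untagged VLAN
    Port("g5", "server-sw", "unmanaged", untagged=10, tagged=frozenset({99})),  # wrong: tags to unmanaged
    Port("g6", "server-sw", "unmanaged", untagged=10),                          # wrong: second cable, no STP/LAG
    Port("g7", "ap1", "ap", tagged=frozenset({10, 20})),                        # wrong: public VLAN missing
]


def check_core_ports(ports, wireless_vlans=WIRELESS):
    """Return a list of human-readable findings; an empty list means the table is clean."""
    findings = []
    peer_type = {p.peer: p.peer_type for p in ports}
    for p in ports:
        if p.peer_type == "unmanaged":
            if p.tagged:
                findings.append(f"{p.name}: tagged VLANs {sorted(p.tagged)} towards unmanaged "
                                f"'{p.peer}'; send one untagged VLAN only")
            if p.untagged is None:
                findings.append(f"{p.name}: no untagged VLAN towards unmanaged '{p.peer}', nothing will pass")
            if p.lag:
                findings.append(f"{p.name}: member of LAG '{p.lag}' towards unmanaged '{p.peer}', "
                                f"which cannot negotiate a LAG")
        elif p.peer_type == "ap":
            missing = wireless_vlans - p.tagged
            if missing:
                findings.append(f"{p.name}: AP '{p.peer}' is not trunked for VLANs {sorted(missing)}; "
                                f"those SSIDs will land in the wrong VLAN or get nothing")
        elif p.peer_type in ("managed", "pfsense") and not p.tagged:
            findings.append(f"{p.name}: link to '{p.peer}' carries no tagged VLANs, "
                            f"so only one network can cross it")
    # Two cables to a switch with neither LAG nor spanning tree is a broadcast loop.
    for peer, count in Counter(p.peer for p in ports).items():
        if count > 1 and peer_type[peer] == "unmanaged":
            findings.append(f"{count} parallel links to unmanaged '{peer}' with no spanning tree "
                            f"or LAG: this is a broadcast loop, not redundancy")
    return findings


if __name__ == "__main__":
    for finding in check_core_ports(CORE_PORTS):
        print("finding:", finding)
```

Run it after editing the port table to match the real switch configuration; a clean result means every unmanaged switch sees exactly one untagged VLAN, every AP uplink carries all the SSID VLANs, and any doubled cable goes only to gear that can run a LAG or spanning tree.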

