Single WAN multi lan configuration with LAGG and Bridging
-
I apologize in advance if this is simple but I have not previously had much experiencing in configuring a lot of these features.
I have recently built a Intel Avoton based pfsense box running the newest release with 6 Intel network adapters. The following is my desired configuration, the majority of my questions resolve around correctly setting up the routing, and gateways. This is for a home network however I do work.
Setup:
PFsense Box
Interfances:
1. WAN - Verizon FIOS coming in from ONT via CAT5 directly
2. LAN - This will consist of 2 NICs in LACP connected to a 24 port switch & Bridged with OPT1 interface. The 24 port managed switch will have a freeNAS server (connected via 4 port LACP) and an ESXI host for work (connected via 4 port LACP).
3. OPT1 - Runs to the upstairs where it connects to the office and family room via already installed switch, hoping to be bridged with LAN to place on the same subnet. Office will be used the most and needs consistent and fast access to the servers on LAN.
4. OPT2 - This will connect to my Verizon Auctiontec router to allow the TV to receive the needed guide functionality, I would like this on a subnet by itself with only direct access to the WAN and whatever ports it needs.
5. OPT3 - Connected to a wireless router, due to house layout the AppleTV and HD Home run prime box are also connected and will to be able to reach the freeNAS server, I would like the wireless to have limited access to the freeNAS server, potentially only over VPN or only for a couple specific IP/mac addressesI was hoping to do something along the lines of:
LAN & OPT1: 192.168.1.1/24 (Can connected to OPT2: 192.168.20.1/24, WAN, AND OPT3)
OPT2: 192.168.10.1/24 (Can ONLY connect to WAN)
OPT3: 192.168.50.1/24 (Can connect to WAN & LAN for specific clients).I am not very positive this is the best setup, and I am also not sure how to configure the gateways, I understand the concept but I am not sure if each subnet should have a gateway to get out of their specific subnet or if the gateway is only for reaching outside the entire home network?
Lastly, maybe if possible I would like to break up my OPT3 interface even further to say that devices connected via wired connection on OPT3 may join 192.168.40.1/24 where they can communicate to LAN/OPT1 freely but all wireless devices are forced onto a more restrictive 192.168.50.1/24, I "think" this could be done with VLANS?
If it is relevant the following is the hardware I am using other than the Pfsense box:
Switch: http://www.amazon.com/gp/product/B005KQ5FSG/ref=oh_aui_detailpage_o03_s01?ie=UTF8&psc=1
Wireless Router: http://www.amazon.com/gp/product/B00HKEI3DA/ref=oh_aui_detailpage_o08_s01?ie=UTF8&psc=1 - The wireless router is running DD-WRT if this matters.Thank you for reading, if any part does not make sense please let me know and I will do my best to clarify.
-
I don't understand why you would bridge LAN and OPT1 instead of just connecting the upstairs switch to a LAN switch port?
-
I was thinking in terms of performance, the office will be accessing an outside VPN over VAN and data off the NAS/ESXI host, while at the same time the HD Home Run Prime wired to the wireless router will be streaming to the freenas box as a DVR. When I was thinking about this in my head and drawing it out it seemed to be a good idea to maximize bandwidth between networks, now that I think about it I am not so sure. Are you saying there is no benefit at all? Additionally, even if I was to do this, can I split up my wifi router into two subnets (coming into one PFsense interface) and will each subnet need to have a separate gateway?
-
If anything your managed switch will be tons faster. Going through it to get to your pfSense/VPN will be almost imperceptible.
And with the bridge your office accessing your NAS would have to go through your router ports. No bueno.
-
That sounds like a good argument, I will connect the office to the switch. You however mentioned it is not good to have to communicate out of one interface to another, does this mean my wired connections on the wifi router will not be able to reach my NAS? Also, what do you mean regarding the issue with VPN and the switch? Will I not be able to VPN back into my network and reach my NAS?
-
Additionally, even if I was to do this, can I split up my wifi router into two subnets (coming into one PFsense interface) and will each subnet need to have a separate gateway?
Can ddwrt create different SSIDs and assign them to different VLANs? If so, then yes.
VLAN interfaces are pretty much the same as physical interfaces as far as pfSense is concerned.
In fact, you might want to conserve router ports and create VLANs for a couple more networks like OPT2 to the verizon router.
-
That sounds like a good argument, I will connect the office to the switch. You however mentioned it is not good to have to communicate out of one interface to another, does this mean my wired connections on the wifi router will not be able to reach my NAS? Also, what do you mean regarding the issue with VPN and the switch? Will I not be able to VPN back into my network and reach my NAS?
All I'm saying is that compared to a modern switch, using a pfSense bridge is not the way to go.
Your wired connections on the wifi router will be able to reach the NAS, but if you're planning on cranking a LOT of latency-sensitive traffic across it, you might want to put the wired ports on the same VLAN as the NAS and run your pfSense interface through the switch instead of directly to the access point. That way only traffic that has to be routed goes through pfSense. Device-to-NAS traffic would be switched.
You'll be able to get at anything if you set the rules right. If it needs to be routed, put it through pfSense.
-
I did not realize Bridging was an older technique. I had originally added additional NICs to the machine with the idea of using them in LACP and setting up separate subnets by separate physical card. Do you think performance wise there is effectively no difference? Or is performance even better with VLANs? The subnet given to the wireless router would only be communicating to the LAN subnet to either send video tuner records to my MythTV box for recording, or to stream them back to the set top box in the living room.
Would getting rid of Bridging all together and simply routing the traffic in the correct directions between the subnet the NAS is on and the subnet the office is on considered a bad way to go? I just want to understand the benefits of each way and obviously how to actually implement it. I am still not sure what to do with regards to gateways with multiple subnets. Lastly, are there any security concerns with VLANS? If you can get on to my wireless which is sharing the same path physical as the NAS, is pfsense susceptible to VLAN security issues that have been seen before?
Thanks!
-
A drawling here would help a ton. http://www.gliffy.com/
-
I was just trying to provision a customer on a 200Mbit metro-ethernet. I like to bridge this circuit from WAN to bridge interfaces so I have some minimal control. Speed tests about 120Mbit.
Passed the same VLAN to the outside switch (same as is connected to the metro-ethernet) and the same customer gear and I get 180-190Mbps.
Bridging has its place, but it also has its costs.
For this customer, I let them connect directly to the outside switch since I know they have a clue. For others, they deal with the suboptimal performance, which is probably 4-5x what they will ever need in their wildest dreams.
Postulate: A pfSense bridge will never perform as well as a good managed switch. Take it to the bank. Even of the switch is a TrendNet or similar it will be better. One more feather in the cap of my "why does pfSense even attempt to support wireless adapters" question.
I <3 pfSense