Home Network Design



  • Hi all,
    I was wondering if you guys have any comments or suggestions in regard to my Home Network Setup.
    Any comments, bad or good, are appreciated. Would you guys change the design or do something else?
    Please let me know.
    Thank you



  • Connect the wireless router to the switch. 
    Surge protect the phone cable and all power.



  • Why should I connect the AP to the switch? I would like to keep the Wireless Clients separate from my workstation/Server Group.



  • Do the Wireless Clients have access to the servers?



  • No I don't want them to access anything.
    If I decide to have them access something on the other LAN I could route that specific client with the MAC Address in the pfsense, right?



  • OK, then your first design is better for that. I thought that the wireless clients needed access to the servers.



  • Thanks for your input aGeekHere, but is pfSense able to route with MAC addresses?



  • Not sure, I will leave that question to someone else.


  • Netgate

    @riccardoc:

    Thanks for your input aGeekHere, but is pfSense able to route with MAC addresses?

    I have found nothing in pfSense that can filter on layer 2 MAC addresses.  Except for the captive portal that will do MAC address passthrough.

    If you want to isolate your wireless from your wired your design looks pretty good if you put the appropriate rules on your interfaces.



  • @aGeekHere:

    Connect the wireless router to the switch. 
    Surge protect the phone cable and all power.

    Most cable companies bond the cable outside to all your other utilities, so there is no need to surge protect the cable. Doing that can actually interfere with the cable signal and affect performance.

    @riccardoc:

    Why should I connect the AP to the switch? I would like to keep the Wireless Clients separate from my workstation/Server Group.

    Your switch is a Cisco switch, so if you use VLANs you can connect the AP to the switch and save a valuable port on your pfSense firewall, and still have the isolation you want. Also, if your AP supports it, you can have SSIDs based on VLANs, so maybe later you want an SSID that has access to your servers. You can also create a guest wireless network, send that to the captive portal and manage guests that way.

    Think about future growth like backup WAN… You don't want to waste ports on your firewall for something that the switch can do.



  • @riccardoc:

    If I decide to have them access something on the other LAN I could route that specific client with the MAC Address in the pfsense, right?

    PF doesn't do routing based on MAC, it doesn't FW based on MAC either. It's not a limitation of pfSense but PF itself, the foundation FW that pfSense uses.  IPFW can but is only used by CP I believe.



  • You have a pretty typical setup for a home network.  My only suggestion would be to move away from the 192.168.0.0/24 and 192.168.1.0/24 networks… they're too common and will cause you problems down the road if you incorporate VPN.

    And no, you can't route MAC addresses :)  MAC's are layer 2, routing is layer 3.

    If and when you're ready to allow WiFi clients access to your LAN, just add firewall rules to allow it.
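marvosa's warning about 192.168.0.0/24 and 192.168.1.0/24 colliding once a VPN is added, as an added example that is not part of the thread: a small Python script that flags overlaps between the local segments and whatever the remote end of a VPN uses, and then allocates non-overlapping /24s for the LAN, WiFi and guest segments from a less common pool. The list of "common" default subnets, the remote networks and the 10.173.0.0/16 pool are constructed for illustration, not taken from anyone's post.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Subnets that consumer gear hands out by default. Constructed list (my
# assumption of what counts as "too common"); extend it to taste.
COMMON_DEFAULTS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]


def conflicts(local: Iterable[str], remote: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (local, remote) pair that overlaps.

    Any such pair breaks a site-to-site or road-warrior VPN: the same
    destination prefix exists on both sides, so traffic never leaves the
    local segment and the tunnel route is never used.
    """
    local_nets = [ipaddress.ip_network(n, strict=False) for n in local]
    remote_nets = [ipaddress.ip_network(n, strict=False) for n in remote]
    return [
        (str(ln), str(rn))
        for ln in local_nets
        for rn in remote_nets
        if ln.overlaps(rn)
    ]


def internal_conflicts(nets: Iterable[str]) -> List[Tuple[str, str]]:
    """Overlaps among a single site's own segments (each pair reported once)."""
    parsed = [ipaddress.ip_network(n, strict=False) for n in nets]
    return [
        (str(a), str(b))
        for i, a in enumerate(parsed)
        for b in parsed[i + 1:]
        if a.overlaps(b)
    ]


def plan_segments(names: Iterable[str], avoid: Iterable[str],
                  pool: str = "10.173.0.0/16", prefix: int = 24) -> Dict[str, str]:
    """Allocate one /prefix per segment name from `pool`, skipping any
    candidate that overlaps `avoid` (remote VPN networks) or COMMON_DEFAULTS.

    The default pool is an arbitrary, deliberately unusual /16 (assumption,
    not a recommendation from the thread); pass your own.
    """
    pool_net = ipaddress.ip_network(pool)
    avoid_nets = [ipaddress.ip_network(a, strict=False) for a in avoid] + COMMON_DEFAULTS
    pending = list(names)
    plan: Dict[str, str] = {}
    for candidate in pool_net.subnets(new_prefix=prefix):
        if not pending:
            break
        if any(candidate.overlaps(a) for a in avoid_nets):
            continue
        plan[pending.pop(0)] = str(candidate)
    if pending:
        raise ValueError(f"pool {pool} exhausted before allocating {pending}")
    return plan


if __name__ == "__main__":
    # The original design from the thread, and a constructed remote office
    # that (like most) also sits on 192.168.1.0/24.
    current = ["192.168.0.0/24", "192.168.1.0/24"]
    remote_vpn = ["192.168.1.0/24", "10.8.0.0/24"]

    for ln, rn in conflicts(current, remote_vpn):
        print(f"CONFLICT: local {ln} overlaps remote {rn}")

    new_plan = plan_segments(["LAN", "WIFI", "GUEST"], avoid=remote_vpn)
    for name, net in new_plan.items():
        print(f"{name:6s} {net}")
    assert not conflicts(new_plan.values(), remote_vpn)
    assert not internal_conflicts(new_plan.values())
```

Run it before committing to an addressing plan, and again whenever a new VPN peer is added; the `avoid` list is the place to put the peer's networks. The choice of pool is the real decision: pick something from 10.0.0.0/8 or 172.16.0.0/12 that is unlikely to appear at a hotel, a friend's house or an employer, because you cannot control what the other end of a VPN uses.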



  • @marvosa:

    You have a pretty typical setup for a home network.  My only suggestion would be to move away from the 192.168.0.0/24 and 192.168.1.0/24 networks… they're too common and will cause you problems down the road if you incorporate VPN.

    And no, you can't route MAC addresses :)  MAC's are layer 2, routing is layer 3.

    If and when you're ready to allow WiFi clients access to your LAN, just add firewall rules to allow it.

    Thank you for your input. What Ranges would you suggest? Should I do VLAN?



  • @mikeisfly:

    @aGeekHere:

    Connect the wireless router to the switch. 
    Surge protect the phone cable and all power.

    Most cable companies bond the cable outside to all your other utilities, so there is no need to surge protect the cable. Doing that can actually interfere with the cable signal and affect performance.

    @riccardoc:

    Why should I connect the AP to the switch? I would like to keep the Wireless Clients separate from my workstation/Server Group.

    Your switch is a Cisco switch, so if you use VLANs you can connect the AP to the switch and save a valuable port on your pfSense firewall, and still have the isolation you want. Also, if your AP supports it, you can have SSIDs based on VLANs, so maybe later you want an SSID that has access to your servers. You can also create a guest wireless network, send that to the captive portal and manage guests that way.

    Think about future growth like backup WAN… You don't want to waste ports on your firewall for something that the switch can do.

    Thank you for your reply. My pfSense box is going to have 4 ports, so I really don't mind using one for this setup. I would still have an extra port free. What else would I use these ports for?



  • I have my wireless networks in VLANs. The APs go into different NICs and are then put into VLANs. The wireless clients are static IP with RADIUS enterprise, and they are not allowed anywhere near my LAN servers (diskstations in there too  ;D ); they are only allowed access to my HTPCs, which reside in a different VLAN by themselves. I hope nobody is able to hack into that, and just to be sure, the wireless VLANs are denied any access at night using a time schedule on the firewall rules for these VLANs.



  • I have been noticing that a lot of people are talking about setting up VLANs. What would the benefit be on such a small network?



  • Just saving the use of real ports on your pfSense. From a performance point of view, pfSense processes all the traffic between sub-networks anyway, whether they are together on a VLAN trunk port or on real ports. In fact, traffic between 2 sub-networks should be quicker if they have a real port each; if they are both on the same VLAN trunk port, then traffic going both ways ends up doubly competing for the real capacity of the VLAN trunk.
    If you already have 4 physical ports on pfSense, then you can use them for wired LAN, WiFi AP(s) network, ISP1, ISP2 and you are done. Of course, if you want another separate LAN then you would have to implement VLAN(s).