PfSense with 1 NIC + managed switch = ?
-
So I plan to use my laptop as router. I am not willing to put more Ethernet ports on the laptop since in my setup I am quite likely to need a switch anyway, so why not save some bucks?
My current hardware topology is like this:
|–-Access Point---Wireless Devices
Modem---Switch---|---Laptop
|---ESXi Box(which has 3 Ethernet ports to connect)The ESXi box holds my media files and other devices connected to the AP can stream from it. Traffic goes through the switch since they are in the same LAN. Or even if they are not, the traffic will not exceed the Ethernet capacity anyway, if I understand correctly(links are full duplex so my laptop should be able to handle 1Gbps in and 1Gbps out simultaneously-more or less). It might be a future concern but not now. I have other services running in the ESXi box but they are pretty much irrelevant in this post.
Question is, will this work? If it will, how to configure the network so that pfSense in the laptop can talk to the modem through the switch?
-
So you have a esxi box with 3 nics, and you want to use a laptop as your router??? :rolleyes:
Put pfsense as a VM on you esxi box your 3 nics now could be wan, lan and vmkern (or other segment) done.. Use your laptop for laptoppy stuff ;)
So goes like this
modem - esxi - switch - accesspoint and other wired devices to your switch
-
Yep, ^that.
The only reason not to do that is if your ESXi box is not always powered up and you are saving money by running an old laptop (with low power consumption) as your pfSense box.
You can do it but you need to use a managed switch that supports VLANs to segregate the WAN and LAN traffic.Steve
-
So you have a esxi box with 3 nics, and you want to use a laptop as your router??? :rolleyes:
Put pfsense as a VM on you esxi box your 3 nics now could be wan, lan and vmkern (or other segment) done.. Use your laptop for laptoppy stuff ;)
So goes like this
modem - esxi - switch - accesspoint and other wired devices to your switch
One of which is IPMI port so 2 usable.
I want to run pfSense in a separate physical machine, so this is not an option. Nor would I ask this question in the first place.
-
What switch are you planning on using?
-
@pf2.0nyc:
What switch are you planning on using?
It is likely to be a Cisco sg300 10 ports managed switch. I know it is overkill but I want to learn network management and do it real.
-
install pfSense on laptop.
Create VLANs 10, 20, 30 on the NIC
Assign nic0_vlan10 to WAN, nic0_vlan20 to LAN, nic0_vlan30 to OPT1Config pfSense interfaces as appropriate for your environment.
Switch:
vlan database
vlan 10
vlan 20
vlan 30interface vlan 20
ip address management ip address and netmask on LAN for telnet login to switch.switchport gig 1
switchport mode trunk
switchport trunk allowed vlan 10,20,30
! plug laptop into gig1switchport gig 2
switchport mode access
switchport access vlan 10
! plug WAN modem into gig2switchport gig 3
switchport mode access
switchport access vlan 20
! plug LAN device into gig3
! repeat for other LAN devicesswitchport gig 4
switchport mode access
switchport access vlan 30
! plug OPT1 device into gig4
! repeat for other OPT1 devicesswitchport gig 5
switchport mode trunk
switchport trunk allowed vlan 20,30
! plug gig5 into ESXi, create VLAN vNICs. You can now assign NICs to VMs on LAN or OPT1.From memory. no idea if the syntax is exactly right for the cisco small biz switch.
-
install pfSense on laptop.
Create VLANs 10, 20, 30 on the NIC
Assign nic0_vlan10 to WAN, nic0_vlan20 to LAN, nic0_vlan30 to OPT1So, set the NIC on laptop to have multiple VLANs assigned to it, set IP addresses to something like 192.168.X.1 respectively(so it becomes the gateway), plug it into the switch, trunk the traffic from&to other VLANs to that port; assign VLAN to each port and plug devices in respectively. Is my understanding right?
-
What you want is called the Laptop running as a "Router_on_a_Stick" and that is quite common.
-
Config pfSense interfaces as appropriate for your environment.
-
"and that is quite common."
I would not say that.. Its an abomination and should be avoided at all cost!! Hairpinning is horrific for performance..
As to to the sg300 being overkill - I don't think so, I have one in my house - for the price <200 you can not beat it!! Saw them for 180ish, killer price!!!
You can use the esxi with 2 nics
wan, lan/vmkern = done! This is much better setup than router on a freaking stick with some laptop ;) If you want to put pfsense on its own box, then do so - don't you have a old desktop you can use and slap a dual or quad port nic in and be done.. Or for that matter a couple of 20$ nics. You can get a intel quad nic for under 100
Here throw this in your esxi box or some old pc
http://www.amazon.com/HP-NC364T-Gigabit-Server-Adptr/dp/B000P0NX3GMuch better than router on a stick!
-
It's not horrible for a test/lab/learning environment as long as the tester/labber/learner knows it sucks for production.
-
Prob is, oh it worked in my lab.. Sure lets leverage it in the real world ;) Your talking pennies to get enough ports to not to hairpin.
The switch is a great investment for your home/lab – but don't cheap out because your short a nic port so you don't have to router on stick nonsense.
-
"and that is quite common."
I would not say that.. Its an abomination and should be avoided at all cost!! Hairpinning is horrific for performance..
As to to the sg300 being overkill - I don't think so, I have one in my house - for the price <200 you can not beat it!! Saw them for 180ish, killer price!!!
You can use the esxi with 2 nics
wan, lan/vmkern = done! This is much better setup than router on a freaking stick with some laptop ;) If you want to put pfsense on its own box, then do so - don't you have a old desktop you can use and slap a dual or quad port nic in and be done.. Or for that matter a couple of 20$ nics. You can get a intel quad nic for under 100
Here throw this in your esxi box or some old pc
http://www.amazon.com/HP-NC364T-Gigabit-Server-Adptr/dp/B000P0NX3GMuch better than router on a stick!
OK. I know I can use an old desktop…but believe it or not, I do not have one! So it falls to my laptop :) Also, power consumption.
Well I guess it might be a good idea to just buy an adapter to make one more NIC on the laptop then...I do not like this solution because the 2 NICs will be on the opposite side of the laptop making it...uh, you know. Even worse, I might need to do Express card->2x USB3.0->2x GbE ports, just imagine how messy it is :o
-
That laptop + switch idea is a disaster waiting to happen. It'll be more headache than its worth in my opinion.
For reference…
I have been using a Dell Optiplex GX520 to run the latest x86-RELEASE since 1.2.3-RELEASE without hiccup or issue. Yes they use a bit more power but in reality it probably isn't much more than your laptop + switch... You are probably going to use a switch regardless so the power consumption differential is between the laptop and the PC. My business partner and I have a small company with a few employees and I host two 25-u racks in my basement behind this setup. The family also uses the wifi and internet bandwidth as well. I have a second machine on cold standby but not in HA Failover.Specs:
Either 3.0 or 3.2ghz Pentium 4 single core CPU (With HT)
2.0GB of RAM
80GB WD Raptor HDD (came OEM with the machine)
1x Broadcom 57xx Gigabit Ethernet on motherboard (for LAN + VLANs)Add-in cards: (All PCI)
2x Intel Pro 1000 GT NICs (for WAN1 and WAN2)
1x Cisco/Aironet AIR-PI21AG-A-K9 a/b/g Wireless adapterThe machine has a fairly small footprint and gives me everything I need to run squid + snort + two SSID's and five VLAN's.
I've spent far too much time on this post but for further reference I went on eBay and priced it all out...
++Optiplex GX520 (desktop, not to be confused with the Mini-Tower form factor) machine: $40 shipped (there are active buy-it-now listings for $39.99 + free shipping)
++Wireless adapter: $15 shipped
++Intel Pro 1000 GT NIC: Less than $15 shipped, some go for as low as $6. (priced below at $30 for two)$85 (or less) shipped to your door
You could use the Small Form Factor chassis (two Low Profile PCI slots vs. two full-height and one LP in the Desktop chassis) and look for one without a floppy or CD/DVD drive (less power consumption and cheaper). Those look like they can be had on eBay for closer to $20 shipped so if you get a good deal on the PCI cards you could reasonably pull it off for <$50 shipped. You would then have a proper setup AND trust me, it would be money well spent in the long run compared to the headaches of a laptop + switch. You will probably spend more than $50 mucking around with those Express Card/USB >> Ethernet adapters than buying what I listed above.
Also, it was unclear as to whether or not you own the Cisco SG300 switch currently or not. You can get a Dell PowerConnect 2816 switch on eBay for closer to $75. Dell's management GUI is a bit of a PITA and in my opinion the Dell is inferior to the Cisco you listed... but to my knowledge that switch does support trunking (something I assume you will want for your ESXi host --2700 series DOES NOT support trunking).
All in, for the same or less cost of the Cisco SG300 switch and the adapters you may end up with... you could have a much better setup.
Good Luck!
-
@pf2.0nyc:
That laptop + switch idea is a disaster waiting to happen. It'll be more headache than its worth in my opinion.
For reference…
I have been using a Dell Optiplex GX520 to run the latest x86-RELEASE since 1.2.3-RELEASE without hiccup or issue. Yes they use a bit more power but in reality it probably isn't much more than your laptop + switch... You are probably going to use a switch regardless so the power consumption differential is between the laptop and the PC. My business partner and I have a small company with a few employees and I host two 25-u racks in my basement behind this setup. The family also uses the wifi and internet bandwidth as well. I have a second machine on cold standby but not in HA Failover.Specs:
Either 3.0 or 3.2ghz Pentium 4 single core CPU (With HT)
2.0GB of RAM
80GB WD Raptor HDD (came OEM with the machine)
1x Broadcom 57xx Gigabit Ethernet on motherboard (for LAN + VLANs)Add-in cards: (All PCI)
2x Intel Pro 1000 GT NICs (for WAN1 and WAN2)
1x Cisco/Aironet AIR-PI21AG-A-K9 a/b/g Wireless adapterThe machine has a fairly small footprint and gives me everything I need to run squid + snort + two SSID's and five VLAN's.
I've spent far too much time on this post but for further reference I went on eBay and priced it all out...
++Optiplex GX520 (desktop, not to be confused with the Mini-Tower form factor) machine: $40 shipped (there are active buy-it-now listings for $39.99 + free shipping)
++Wireless adapter: $15 shipped
++Intel Pro 1000 GT NIC: Less than $15 shipped, some go for as low as $6. (priced below at $30 for two)$85 (or less) shipped to your door
You could use the Small Form Factor chassis (two Low Profile PCI slots vs. two full-height and one LP in the Desktop chassis) and look for one without a floppy or CD/DVD drive (less power consumption and cheaper). Those look like they can be had on eBay for closer to $20 shipped so if you get a good deal on the PCI cards you could reasonably pull it off for <$50 shipped. You would then have a proper setup AND trust me, it would be money well spent in the long run compared to the headaches of a laptop + switch. You will probably spend more than $50 mucking around with those Express Card/USB >> Ethernet adapters than buying what I listed above.
Also, it was unclear as to whether or not you own the Cisco SG300 switch currently or not. You can get a Dell PowerConnect 2816 switch on eBay for closer to $75. Dell's management GUI is a bit of a PITA and in my opinion the Dell is inferior to the Cisco you listed... but to my knowledge that switch does support trunking (something I assume you will want for your ESXi host --2700 series DOES NOT support trunking).
All in, for the same or less cost of the Cisco SG300 switch and the adapters you may end up with... you could have a much better setup.
Good Luck!
However not everybody lives in NA…
I do adore the idea of using an old desktop but I do not have one nor can I easily get one cheap. Well if I spend some time looking around I can find one cheap, but that probably will not be a good looking case, and the power consumption on old desktop PC is always a concern...in short, it is too much randomness.
And I have the laptop already, it is going to retire anyway, so why would I bother to buy another piece of equipment which is likely to die in another 2 or 3 years, makes more noise, takes more place and consumes more power? Plus the time spent online hunting for a good deal...
Anyway, thanks for the advice and I am considering buying an adapter for my laptop to have one more NIC. Probably will use a USB3.0->RJ45 adapter and connect that one to modem. Even though I do not have USB3.0 on my laptop, USB2.0 should be fast enough just for the internet connection(no affordable 1Gbps intgernet here lol). Then the native RJ45 will be connected to the switch...hmm sounds like a plan.
As for the switch, I choose to go with Cisco because they are sort of the standard in networking world and I want to get hands on such a switch in real life.
-
Hairpinning with a switch is better than USB NICs.
-
Hairpinning with a switch is better than USB NICs.
The reason being?
I never played with a USB NIC before…
-
usb nics pretty much blow, and its a OLD laptop you ay - so highly doubt usb 3 ;)
Why can you not leverage your esxi box?? Would make it cleaner, would make it less power, etc.. You can get a dual or quad nic for it cheap..
While I love my sg300, keep in mind it is not the typical enterprise ios that runs on their enterprise line - this ios is different. While many of the commands are the same - there are differences to be sure.
-
USB NICs, under FreeBSD at least, are unpredictable. A quick look through the forum will show the many, many threads with people having problems with USB. I would choose a router-on-a-stick setup over USB.
There are people running both types of setup without any issues.There are several reasons not to use a router-on-a-stick configuration:
If you're completely unfamiliar with VLANs then setting it up may prove frustrating depending on what switch you use.
The bandwidth through pfSense will be reduced as all your traffic has to travel in both directions along a single ethernet connection. However if your WAN connection is relatively low speed and the connection to the switch is gigabit this is unlikely to be a restriction.
There's a security risk. If your switch should forget its settings for some reason you could end up with the WAN connected directly to the LAN. This is a pretty minimal risk in my opinion, i've never seen of heard of it happening, but you need to consider it yourself.There are much cheaper switches you can use.
Steve
