What are my options in this type of small network setup?
-
I want to provide as little support as possible.
;D Good luck with that!
If each office is going to have multiple clients connected then, yes, set up VLANs for each uplink. You can easily reconfigure the switch, remotely, to join several ports to a single VLAN for a single client.
Do not set the ports to 10Mbps. If you do, anything connected to them will have to be manually set as well to avoid negotiation failures. You will get lots of support calls! Just use traffic shaping in pfSense to set a download/upload limit for each VLAN. Are you going to be NATing all these to a single public IP or using a routed subnet?
Steve
-
I want to provide as little support as possible.
;D Good luck with that!
If each office is going to have multiple clients connected then, yes, set up VLANs for each uplink. You can easily reconfigure the switch, remotely, to join several ports to a single VLAN for a single client.
Do not set the ports to 10Mbps. If you do, anything connected to them will have to be manually set as well to avoid negotiation failures. You will get lots of support calls! Just use traffic shaping in pfSense to set a download/upload limit for each VLAN. Are you going to be NATing all these to a single public IP or using a routed subnet?
Steve
Most offices are small, between 1 and 2 staff. I'm planning to let them rent a preconfigured AP/router so they can plug it directly into the port if they need to. At the moment I think it is very basic and when I walked around last time, I didn't see many SSIDs broadcast so I'm assuming they are sharing using a switch or hub in each office.
Good suggestion, I didn't think about having negotiation failures when I set the port speed.
I've not been to the server room yet so I don't even know whether they have a UPS installed. Therefore I wasn't sure whether installing a pfSense box would be a good idea. If there's a power cut, I want to keep it simple so the network will come back up without any problems.
For the time being, I'll NAT it all with a single public IP. I believe I get 8 free ones with this leased line. I'm not quite sure what routed subnet means? Probably none of the clients in there need a public-facing IP.
I'm not expecting many support calls after it is up and running… I'm fine with remote support but I'm not expecting to go onsite too often as it is 3 hours away. If you guys think it will, then I'd better reconsider helping them.
-
Don't forget to rate limit and enable Codel on your WAN interface. If you do any traffic shaping, use codel. Just always use Codel on your queues.
-
Personally I would use Limiters unless they prove insufficient. I guess it depends on your experience with traffic shaping.
Steve
-
For the time being, I'll NAT it all with a single public IP. I believe I get 8 free ones with this leased line. I'm not quite sure what routed subnet means? Probably none of the clients in there need a public-facing IP.
I'm not expecting many support calls after it is up and running… I'm fine with remote support but I'm not expecting to go onsite too often as it is 3 hours away. If you guys think it will, then I'd better reconsider helping them.
That means every simple port forward someone needs, you have to provide. I would get enough IP addresses on a routed subnet to assign each tenant a /30 (or a /31 if you know it's supported on both sides). Turn off NAT, build 20 VLANs, and put a /30 on each VLAN and a VLAN in each office and you're done.
A /25 would let you do 32 /30s. A /26 would let you do 32 /31s.
You could also get just a /29 and put all the offices on the same VLAN and use the features in the switch to ensure only traffic from their assigned IP address is allowed into the switch, otherwise it would be a free-for-all on the network and one WAN interface could conflict with another. Not sure if the switch you mentioned has the necessary L2+/L3 features.
-
That means every simple port forward someone needs, you have to provide. I would get enough IP addresses on a routed subnet to assign each tenant a /30 (or a /31 if you know it's supported on both sides). Turn off NAT, build 20 VLANs, and put a /30 on each VLAN and a VLAN in each office and you're done.
I'm going to have a meeting with the tenants next week and discuss their requirements. I think giving them a public IP isn't a good idea as most of the offices in there are really small. By small I mean it ranges between 1-5 staff. For those one-man offices, I wouldn't be surprised if they plug their laptop directly into the port. I was thinking I'll NAT most of the ports then maybe create a few /30 VLANs for those that will need a public IP? Or another suggestion my colleague made is to put them all on 1 VLAN and use ACLs to make sure they are all isolated and won't be able to speak to other devices within the VLAN.
I wouldn't mind setting up port forwarding as I really don't think there are that many tenants that will need it.
Looks like I have to find another switch, the one I have seems bricked.
-
Personally I would use Limiters unless they prove insufficient. I guess it depends on your experience with traffic shaping.
Steve
I have no experience with traffic shaping. But we are getting a 100Mb leased line so it is probably overkill for 20 small offices. I do need some form of traffic shaping to prevent someone from hogging all the bandwidth.
Thinking about it now, I definitely will need pfSense since we don't know what the tenants will be browsing and will need some logging if we ever have security incidents.
-
Don't use ACLs, just use Private VLAN edge (protected ports). Note that means there is no way for them to talk to each other even if they want to.
If you don't want to do publics to everyone, then I'd do a VLAN interface with a /24 on each one. That way if they actually need to talk to each other they can do so through pfSense.
You're sort of in no-man's land. Trying to provide shared LAN access to a bunch of unrelated parties. I still think providing a public to everyone is the way to go. Provide them a blue, plastic box if they don't want a real firewall.
Do you really want to be responsible (liable) for their firewalling?
-
If shaping is your concern then you might want to consider putting the /30s on layer 3 switch interfaces and running one interface to pfSense so it can shape all the tenants together on one LAN interface. The limiter might also be good enough for your requirements. It should be workable across all the pfSense VLANs.
-
Yep, if you've never messed with traffic shaping at all before, Limiters are far easier to understand. IMHO.
Steve
-
Do you really want to be responsible (liable) for their firewalling?
Very good point. I'll check how many free public IPs I can get and if it is enough to provide to everyone. You mentioned earlier that /31 needs to be supported by both sides? Could you explain a bit more on why it wouldn't be supported? Or can you point me towards an article that explains it. Ideally I want to use /31 so I don't require so many IPs. I believe they said you need to submit a RIPE form if you request more than 8. I have to get a quote for the cost as well.
edit: I think I know why you said /31 needs to be supported by both sides now, it's because you don't specify the broadcast / network?
So ideally I should use /31 and provide them with a compatible router? Then I give them full access on their own router so they can configure their own firewall and settings?
Yep, if you've never messed with traffic shaping at all before, Limiters are far easier to understand. IMHO.
Steve
I've got 2 months until they install the leased line, I think I've got plenty of time to read up on it and test it ;D But I'll research both Limiters and Codel. I thought it was as simple as turning it on in pfSense and forgetting about it lol.
-
Why do they have to be free? Is there no profit motivation to providing all these people with their access?
Yes, you will have to justify them. You should have no trouble doing so. Justify a /30 or /29 per endpoint (so you can run VRRP/HSRP/CARP) if they're not too expensive, then use /31s where you can ;) I'd try to get a /24 and be done with it.
With a /30 you have the network address, two host addresses, and the broadcast address. Just like with a /24 you have a network address, 254 host addresses, and a broadcast address.
The /31 only has two host addresses so it's different from your normal IP subnet. It is usable only on a point-to-point link.
/31 is new. pfSense, for example, has only officially supported /31 since 2.2 was released (only a few weeks ago).
Another something to think about before you start talking all this up to the ISP is whether or not doing what you're doing is permissible under the service agreement for the 100-meg. Some can be resold, some can't. If it can't be resold you might just have to NAT and that's that because you won't be able to be up front about it and won't be able to justify the IPv4 space.
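As an added example that is not part of the thread, the subnet arithmetic behind the /30-versus-/31 comparison above and the earlier "a /25 gives 32 /30s" count, worked in Python; the 203.0.113.0/x blocks are constructed documentation addresses, not a real assignment.

```python
"""Per-tenant subnet arithmetic for a routed block (added example, not from the thread).

Shows why a /30 spends four addresses per tenant (network, two hosts,
broadcast) while an RFC 3021 /31 spends two, and how large a routed block
must be to give every tenant its own point-to-point link. The
203.0.113.0/x blocks used below are constructed documentation addresses.
"""
import ipaddress
from typing import List


def carve(block: str, prefix: int) -> List[dict]:
    """Split `block` into /`prefix` tenant links and describe each one."""
    net = ipaddress.ip_network(block)
    links = []
    for sub in net.subnets(new_prefix=prefix):
        # ipaddress follows RFC 3021 for a /31: hosts() yields both addresses,
        # because a /31 has no separate network or broadcast address.
        p2p = sub.prefixlen == 31
        links.append({
            "subnet": str(sub),
            "hosts": [str(h) for h in sub.hosts()],
            "network": None if p2p else str(sub.network_address),
            "broadcast": None if p2p else str(sub.broadcast_address),
            # Both ends of the link must support /31 addressing for it to work.
            "needs_rfc3021": p2p,
        })
    return links


def tenants_served(block: str, prefix: int) -> int:
    """How many /`prefix` links fit in `block` (a /25 holds 32 /30s, a /26 32 /31s)."""
    return 2 ** (prefix - ipaddress.ip_network(block).prefixlen)


def smallest_block_prefix(tenants: int, per_tenant_prefix: int) -> int:
    """Prefix length of the smallest block holding `tenants` links of /per_tenant_prefix."""
    needed = tenants * 2 ** (32 - per_tenant_prefix)   # addresses consumed
    size, prefix = 1, 32
    while size < needed:
        size, prefix = size * 2, prefix - 1
    return prefix


if __name__ == "__main__":
    for link in carve("203.0.113.0/29", 30):
        print(link)
    print("20 tenants on /30s need a /%d, on /31s a /%d"
          % (smallest_block_prefix(20, 30), smallest_block_prefix(20, 31)))
```

Running it shows that the 20 offices in the thread need a /25 if every tenant gets a /30 but only a /26 with /31s, which is the address saving the /31 question was about.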
-
Why do they have to be free? Is there no profit motivation to providing all these people with their access?
Another something to think about before you start talking all this up to the ISP is whether or not doing what you're doing is permissible under the service agreement for the 100-meg. Some can be resold, some can't. If it can't be resold you might just have to NAT and that's that because you won't be able to be up front about it and won't be able to justify the IPv4 space.
It's complicated. This is one of the oldest buildings in the estate but also has the highest occupancy because the rent is cheaper than the others. We have had a few tenants leave due to the slow internet providers around the area. We've been told that none of the other buildings in the area have a leased line so this would make it even more attractive. We are also the guinea pig; if it works well then we will be installing more lines into the other buildings.
I think it is a bit too late as I spoke with the account manager and he knows what we are going to do! So I think we are safe.
I'm looking at the hardware section, most people are asking what hardware to run pfSense on. Since my original switch isn't working, I'll need another one. Do you have any recommendation? Or what features do I need to make this happen? Please note that we are on a shoestring budget so it is likely that we will buy refurbished equipment. I think I have a Cisco 3750G lying somewhere but I haven't tested it.
-
It depends on what you decide to do. I can't imagine a 3750g won't do everything you need - at least to get it all rolling.
If you're trying to differentiate your building with internet I would do it right, and charge enough to make it worth doing.
As for pfSense hardware, just about anything will do 100M. APU, I3, even an Atom D525, etc will probably be fine with PCI-E and good NICs. As long as there aren't any expectations of a LOT of traffic needing routing between the local users, which I doubt.
I wouldn't think there's any requirement for the end users to run pfSense. Of course it's what I would recommend but any consumer router will do the job for now (if /31 ends up a requirement, be sure). My nod always goes to Netgate. You can build APU 2G kits with an 8G SD for well under $200.
Fun project.
-
Fun project.
I've started playing around with pfSense and I really enjoy it. Last time I used it was back in 2007. However the more I play with it, the less confident I become as I realise I really don't know enough. Even if I do get the whole thing up and running, I wouldn't be able to troubleshoot when it goes wrong.
I guess this is what happens when your boss pays network contractors to install the networks and sends you on a CCNA just to change VLANs or do patch cabling.
There's just so much to learn and think about. Like traffic shaping, private VLAN, remote management, monitoring & keeping logs, spanning tree, NATing and how I'm going to recover when there is a hardware failure. I know the basic concepts but I don't know what the best practice is.
So I'm thinking of calling it off, but I'll give myself another few weeks to try it out. Just happens I'm going on training so let's wait and see if I'm more comfortable after that. Setting up something from scratch feels a lot scarier than just maintaining it.
-
Don't over-think it.
Nothing you have proposed is particularly difficult, I would say the biggest challenge you face is deciding what you want to do in the first place. There are some good suggestions above.
Steve
-
I don't want to see him give up either. Nothing posed is too complicated. If the site was local we could knock it out on a Saturday.
BaNZ: Are you cancelling the 100M??
-
Thank you both for encouraging me to do it and I would really love to be able to set it up and learn from it. But I hope you understand that my knowledge of networks is fairly basic. I started testing it with my SFE2000P yesterday and I thought it was dead because I wasn't getting any DHCP leases. Reset to factory and still wasn't getting any IP. The manual says I should get a DHCP lease and be able to connect to the web interface. I eventually found a serial console cable and then I realised there is no DHCP server running so the manual isn't correct. Eventually I got it up and running, then I decided I wanted the latest firmware on it. I managed to find the switch on the Cisco website and there are 3.x and 1.x drivers. I can't find any instructions on which one to use but I'm on 1.x so I just upgraded to the latest version. There were no patch notes for it.
After I got it up and running I logged into the switch and I have the option of putting it in layer 2 or layer 3 mode. The manual didn't tell me much apart from layer 3 allowing ports to have multiple IPs, which I'm assuming is talking about trunking and VLANs. So I put the switch into layer 2 and also changed to standalone mode and not stacking as this is my only switch. I'm guessing I don't need to be in layer 3 because this is going to be done via pfSense? I probably need to spend an afternoon refreshing myself on layer 2 and 3 again. From what I kind of remember, layer 2 is just like a hub / unmanaged switch whereas layer 3 is your router / managed switch and it understands routing / TCP/IP.
I started configuring pfSense, added some VLANs, assigned DHCP and pushed the VLANs through the trunk port to the switch. Had a problem with VLANs not working and Derelict helped me identify the problem with the firewall rule.
A few things worry me, like putting the switch into layer 2 and not knowing what it may affect down the project. Or logging onto the switch and having these settings in VLAN like ingress filtering, GVRP settings and Protocol group that I have no idea what they mean or do. The documentation for the switch doesn't explain these kinds of things so I'm having to Google them and look at the pfSense guide, which I have to say is superb and informative.
Next on my to-do list is to start testing the segregation of VLANs and port forwarding.
I haven't ordered the 100Mb line yet as I wasn't sure whether I'm capable of setting this up. I've got a few quotes and I know which one I'm going for. I'm waiting till next week to meet with the tenants to discuss the requirements and whether I'm able to provide the service.
I have to say I'm really enjoying it and learning new things!
-
You just want layer 2 on the switch. That will let you assign switch ports to VLANs, so each client gets a physical port/s that is in their own VLAN. Then set up the connection from the switch to pfSense as tagged for all the VLANs. Then set up the VLANs in pfSense on that physical port. Each client has their own VLAN straight through to pfSense. Now you have a bunch of VLAN interfaces on pfSense and you can set whatever firewall rules on those, port-forward whatever is needed to the occasional client that needs to offer some service accessible from the public internet…
Layer 3 on the switch means it would be a router itself. You would only need that if there is lots of general traffic directly between clients. In that case layer 3 on the switch saves pfSense having to do that local routing. Does not sound like that is your requirement.
-
I have to say I'm really enjoying it and learning new things!
Isn't that great?!! I wouldn't stop learning new things just because I'm enjoying it. ;D
And honestly, if you stumble upon terms you don't know yet (mentioned GVRP) then probably you don't need the functionality at this moment. Just leave the settings in default state.