Buying a pfSense SG-XXXX and a Cisco Switch (Advice needed)

Chti

Greetings

I want to significantly upgrade my home's network and am considering purchasing the following devices:

• pfSense SG-4860 or SG-2440
• Cisco SG-300-28

My idea is to set up several VLANs to isolate certain devices/users from each other:

• VLAN-Personal: for my own personal traffic, no restrictions
• VLAN-Kids: for the kids (heavily filtered, time restrictions, etc)
• VLAN-Guest: for the occasional visitor (also some form of filtering)
• VLAN-Home: for future home connected devices (heating, cooling, etc)
• VLAN-Media: for my media players and media library
• VLAN-Proxy: an always-on outbound VPN (proxy)

1/ Having never set up a VLAN before, is that a reasonable breakdown?

2/ Should I set up VLANs at the pfSense appliance level or the Ciso switch level?

3/ Would I assign all my devices to each VLAN using their MAC address?

4/ Owning a Synology server, is there a way I can share parts of my Synology with different VLANs or can it only be allocated to one VLAN?

5/ What is the main purpose of the SSD in the pfSense appliance? To store log files? Is it worth investing in a higher capacity SSD?

6/ Considering I would use a switch, would I need to plug wifi access points into the pfSense box to ensure all filtering is applied to all AP devices too?
Therefore are the pfSense applicance ethernet ports mostly used for AP? If I use the Cisco can I get away with SG2440 only?

7/ Is my computer is assigned to a specific VLAN how can I connect to the other VLANs if I need to configure devices on them?

8/ Is there any form of Growl integration that would notify me when a new devices is seen on the network (e.g. "Laptop just came online")?

9/ Is anyone running a similar setup and willing to share their experience? Is that a good setup?

Many thanks in advance for your input :)

tim.mcmanus

@Chti:

Greetings

I want to significantly upgrade my home's network and am considering purchasing the following devices:

• pfSense SG-4860 or SG-2440
• Cisco SG-300-28

Less expensive option than the Cisco:  http://routerboard.com/CRS125-24G-1S-IN

1/ Having never set up a VLAN before, is that a reasonable breakdown?

Sure, but you're going to have to create rules to pass traffic across all of those vLANs.  For example, if Personal and Kids wants to view Media, you're going to have to create rules for all of those services to pass traffic to one another, or you can alternatively have all three vLANs pass traffic unrestricted.  If that's the case, there's no reason for a vLAN.  If you want to manage a ton of rules, then you will need to use a vLAN.

2/ Should I set up VLANs at the pfSense appliance level or the Ciso switch level?

3/ Would I assign all my devices to each VLAN using their MAC address?

Both.  vLAN packets need to be tagged by all devices that will be passing/routing them.  If you've never programmed a vLAN or programmed a Cisco switch, this is going to be a frustrating experience.  I strongly suggest researching and learning the basics of vLANs before you take the plunge.  I decided against it for my home network and physically split the networks into two LANs.  That made things much easier.

4/ Owning a Synology server, is there a way I can share parts of my Synology with different VLANs or can it only be allocated to one VLAN?

Best asked to Synology to see if their device supports this feature.

5/ What is the main purpose of the SSD in the pfSense appliance? To store log files? Is it worth investing in a higher capacity SSD?

It stores the OS and log files and such.  Investing in larger storage depends on what you want to do, but generally speaking, you should be fine with the default size.

6/ Considering I would use a switch, would I need to plug wifi access points into the pfSense box to ensure all filtering is applied to all AP devices too?
Therefore are the pfSense applicance ethernet ports mostly used for AP? If I use the Cisco can I get away with SG2440 only?

If the APs support vLANs, they can go on a vLAN.  If not, you'll need to do port mapping on the switch or plug them directly into pfSense.

7/ Is my computer is assigned to a specific VLAN how can I connect to the other VLANs if I need to configure devices on them?

See my comment above about learning about vLANs.

8/ Is there any form of Growl integration that would notify me when a new devices is seen on the network (e.g. "Laptop just came online")?

Yes, there is Growl integration, but I don't think with that specific kind of messaging.

9/ Is anyone running a similar setup and willing to share their experience? Is that a good setup?

IMHO, and please take this constructively, you need to better understand networking before you go down this road.  Buying this equipment and setting up vLANs is a lot of work that requires a good amount of planing prior to implementation.  Sure, there are several people here who've jumped in head first, but you'll be spending hours setting this up, troubleshooting it, and finally getting it to work.  If you're okay with that, go for it.  However, it's not as easy as it seems.  So consider my words of caution.

The best rule is to keep your network as simple as possible.  Every complexity you add is another thing to troubleshoot when something goes wrong.  It's incredibly frustrating trying to troubleshoot your network without an internet connection and Google.

Chti

Hi Tim

First of all, many thanks for your detailed answer! And of course I am taking your comments constructively :)

Would I be misinterpreting your answer if I said that a big part of VLANs complexity is making cross-VLAN rules (e.g. having a device from VLAN1 try to access a service on VLAN2)?
But if I am OK with having those VLANs and their respective devices completely isolated, then it should be reasonably easy enough to configure (similar to multiple "single LANs")?

I don't mind getting my hands dirty, after all, if I ever want to learn more about the complexities of networking I need to start somewhere.

Just a clarification on your response to my questions 2 & 3: Would you be able to give me a high level example of how you would create a VLAN both on the PfSense appliance and the switch?

Many thanks again for your input. Greatly appreciated!!

tim.mcmanus

@Chti:

Would I be misinterpreting your answer if I said that a big part of VLANs complexity is making cross-VLAN rules (e.g. having a device from VLAN1 try to access a service on VLAN2)?
But if I am OK with having those VLANs and their respective devices completely isolated, then it should be reasonably easy enough to configure (similar to multiple "single LANs")?

I don't mind getting my hands dirty, after all, if I ever want to learn more about the complexities of networking I need to start somewhere.

Just a clarification on your response to my questions 2 & 3: Would you be able to give me a high level example of how you would create a VLAN both on the PfSense appliance and the switch?

If you want to isolate traffic, sure, vLANs would be very effective.

The basis for vLANs is packet tagging.  You "tag" a vLAN ID to a packet, and the receiving device knows where that packet should go based on rules that you've set up.

As a very basic example, you'd assign vLAN 1 to ports 1-4 on your switch.  vLAN 2 would be assigned to ports 5-8, and vLAN 3 would be assigned to ports 9-12.  pfSense would be connected to lucky port 13.

In the switch you'd tell it to route tagged packets to the corresponding ports.  Port 13 would accept all tagged and untagged packets.  The switch should assign vLAN packet IDs from incoming untagged packets (like from a computer or mobile device) so they route properly when they reach pfSense.

You can run multiple vLANs on the same port, but that requires all devices to be able to support packet tagging.  Servers and hypervisors (Vmware, etc.) can do this, but many client machines cannot.  Additionally, the NIC needs to support vLAN tagging too.

There's more to it than that, but it's a very quick example.  But I hope it gives you an idea of the kind of planning you need to do and some of the assessment you may have to do with each device.  What can it support and how do you enable that support?

Good luck with your architecture, but always have a fall-back plan when it all goes to hell.  You can also get away with creating the network within your own network first, and then deploying it.  It's a safe "burn in" that doesn't take down your entire internet connection.  Design, build, troubleshoot, and then promote it into production.

Chti

Many thanks again Tim… that was very helpful :)

Guest

If not to late, it I would be really considering a Cisco switch from the SG series.
SG4860 and SG300-28 (Layer3) if this is not to expensive for you.
It would running for a very time as you go belong with pfSense.
If your Synology is capable of 10 GBit/s the D-Link DGS1510-20
would be also a really hint to bring more speed on your LAN.

tim.mcmanus

http://www.amazon.com/MikroTik-CRS125-24G-1S-RM-rackmount-enclosure-manageable/dp/B00I4QJSIM/ref=sr_1_15?ie=UTF8&qid=1436577191&sr=8-15&keywords=routerboard

That is better feature-wise than any Cisco device for SOHO deployments.  ~$170 versus a Cisco for ~$800.

Cisco is generally over priced.

SisterOfMercy

@tim.mcmanus:

Cisco is generally over priced.

And you have to hit it with a hammer sometimes. And if you're ever going to need one piece of information you can get quite lost on the cisco website.  :(
I've had a fine experience with a cisco switch, found out the hard way you should not try to upgrade the firmware via the web interface.

ontopic: I agree with the general consensus, don't make things too complex. First play around with pfSense on a pentium 4 or other piece of old computer hardware. Throw in a few gbit pci network adapters, and mess around. :)
You might also want to dump the whole vlan idea and try filtering on pfSense.

Guest

@tim.mcmanus:

http://www.amazon.com/MikroTik-CRS125-24G-1S-RM-rackmount-enclosure-manageable/dp/B00I4QJSIM/ref=sr_1_15?ie=UTF8&qid=1436577191&sr=8-15&keywords=routerboard

That is better feature-wise than any Cisco device for SOHO deployments.  ~$170 versus a Cisco for ~$800.

Cisco is generally over priced.

I can´t imagine, why peoples should first play with old hardware if the money is there for a SG-xxxx series?
Why should this be done? The box is also able to feed IPfire, ZeroShell, OpenWRT, DD-WRT and Untangle
or OpenBSD and other operating systems. It is a cool box to built his own appliance based on OpenSource
Software and pfSense is one of the best from them, for sure not easy to learn and not easy to handle,
but getting pre installed firewall on adequate hardware would be the best option for a beginner as I see
it right.

And if a so called ROS v6.xx update is coming you may get more problems as before!
I find Mikrotik is making good routers but really poor switches!

Cisco SG300-28 is able to buy for ~370 € here in Germany, so what you are talking about $800
please?

• Intuitive Webfiq and CLI
• Best and most options
• Layer3 feature set
• easy to use

One of the best Swicthes for home, SOHO and SMB at this time as I see it right.
Better then the MikroTik CSR series where you activate more and more options and features and then
only 5% of the cpu is able to use, this is more for very advanced users they know what they need and
are able to configure it.

SisterOfMercy

@BlueKobold:

I can´t imagine, why peoples should first play with old hardware if the money is there for a SG-xxxx series?

Perhaps you want to know you're sure you're buying the right stuff. Anyway, all money not spent on hardware can be spent on beer!  ;D ;D ;D

aus_guy

Extremely happy with my Cisco SG300-20
yes cisco anything is overpriced, but you get what you pay for in a switch, im not going to spend the money on a nexus at home so im happy with the sg300, im much happier with the power bill aswell. Although a switch is the only thing i would pay the cisco price for, and the only thing i have.

learn what you can about networking and vlans before spending alot of money but you also learn by doing at least with an SG300 with lots of ports you will have the capasity and the features to setup a basic lan at the same time as learning the more complex side. The standard lingo cisco products use makes their products easier to learn than some vendors. I can certainly say its helped me professionally aswell, i can talk about more advanced concepts with network engineers at work.

M_Devil

Using SG300-28 for half a year now and I am very happy with it. Setting up VLANS is very easy and default settings are ok for normal use.
If you like to extend your knowledge of networking even further, the SG300-28 gives you enough possibilities.

jahonix

+1 for the Cisco SG300-series switches.
I use them nearly exclusively now at clients, in my office and at home. Rock solid.

Alternatives can be the D-Link mentioned above (great bang for the buck with 10G SFP+ support) or, you hardly believe it, TP-Link.
On edge positions at home I (still) have some TL-SG3210 and they perform quite well. Didn't even have to reboot them for years now. CLI is quite similar to Cisco's.

• If you are working with VLANs make sure that you configure the switch via serial console. Helps to not shoot yourself in the foot (lock yourself out).
• do not use VLAN1 for anything else than nothing.

You probably don't need out-of-band management for your switch. Set default- and management-VLAN IDs to your Lan's VLAN ID.

Both pfSense appliances you mentioned are great and out of question. Choose to your needs.

athurdent

My SG300-10 are nearly 5 years old now. Still regular firmware updates with new features and never any problems. Great product.

But personally I'd not buy the Small Business WLAN-AC APs again, had one for a few days and returned it. Connection problems all over, connection loss, WPA2 Enterprise auth failures, etc. Maybe it was faulty but at least some other guys in the Cisco forum had the same problems I had.

gazoo

I have a very similar setup to your desired one. I also have a synology NAS. I have the Cisco SG200-26 10/100/1000BT layer 2 switch. To be honest, I would consider not doing all those VLANs. I manage a pretty similar home network and just use IP aliases to classify the kids traffic and all others. No need for any of it - the VLANs will just overcomplicate your life. The cisco switch is economical and can do VLANs and mirrored ports (which I use, the mirrored). I don't think synology will operate on multiple ports. I believe it can get a trunked port and can pick a VLAN out of it, but as far as segregating users coming from VLANs, I think not.

I use just access based stuff for the synology.

jahonix

@gazoo:

…I would consider not doing all those VLANs...

Disagree here.

If you look at what the OP intends to separate it makes sense.
"Guest VLAN" is self explaining and a no-brainer.
"Control-VLAN" or "Home" is mandatory to separate! Those devices aren't made to cope with heavy traffic from streaming/media devices and tend to lock-up pretty quickly. I do setup control systems for a living, consider this first-hand knowledge.
At my home we already have ~80 network hosts with nearly half of them being "control devices". I'm glad they are separated from the kid's game console and Steam devices! This way I don't have to worry about a "heating failed" UDP broadcast not reaching its destination…

It doesn't matter how many VLANs you set up once you're at it.

Guest

To be honest, I would consider not doing all those VLANs. I manage a pretty similar home network
and just use IP aliases to classify the kids traffic and all others.

Separating each from another and owning a SG4860 and a Cisco SG300-28 would be crying
to use VLANs. The SG-300 is cable to route this VLANs it selfs and there fore it would be not
"overcomplicate " such things, but more filling some free space at the weekends.

gazoo

Ok, I spoke too soon. I have the wireless guest LAN on a separate LAN interface altogether. There's also only three of us here and we have TONS of bandwidth (85x5Mbps), so maybe your situation would be good to have some VLANs. I just think it's a little overboard in the number of VLANs. You definitely don't want the guests on the same LAN. The switch I have is pretty decent and is a little less then 300 version, but you may need fiber or other features that the 300 would bring.

Guest

but you may need fiber or other features that the 300 would bring.

Fiber is also there at the SG200 series, but the SG300 series is capable to route
between the VLANs it selfs without the SG unit and by going to use VOIP functions
it would be the best to proper handling QoS things then.