Help with simple home config



  • Hello, everybody

    I've been "passively" using this forum for a long time (I've never posted before). The truth is that I've learned a few things about networking in general, but I'm still a newbie.

    My question is quite simple:

    Currently, my home setup is:

    0/ internet  ->  1/ ISP modem/router in bridge mode  ->  2/ Asus DSL-N16U dealing with home traffic (asus-wrt) -> 3/ a few devices: smartphones, laptops…even an ESXi hypervisor.

    What I want to achieve is:

    0/ internet -> 1/ ISP modem/router in bridge mode -> 2/ ESXi6/pfSense2.2.4VM -> 3/ netgear GS108E-v3 switch -> 4/ Asus DSL-N16U as wifi Access Point -> 5/ a few devices: smartphones, laptops

    My ESXi host has only 2 gigabit NICs, one for the WAN and the other one for the LAN.
    The ASUS DSL-N16U is a very capable ADSL home modem/router with 4 gigabit ports and n300 wifi, with ASUS-WRT firmware (can't be flashed with OpenWrt or others) and hardware NAT, VPN, dual WAN etc…
    The netgear GS108E is an 8 port gigabit "easy smart" desktop switch with VLAN, IGMP snooping etc...

    My questions are:

    Do I really need the netgear switch? or can I configure the asus router acting as an AP just behind pfSense?

    How should I configure the LAN interface in both cases? I mean
    case1: with the Asus DSL-N16U as wifi AP behind the pfSense VM (and 3 ports left for switch) with all the computers & devices in the same LAN
    or
    case2: with the netgear GS108E switch behind the pfSense VM and then the Asus wifi AP behind the netgear switch. In this 2nd scenario I'd like to have two separate subnets (or VLANs) but both with access to internet

    It's a home network with a slow internet connection (just 10 Mb, but the inside home LAN is all gigabit), where I do my homework in my ESXi lab. The pfSense will also act as firewall/IDS (but not now, I'm still learning about pf, snort… I do all my practices in VMs, so my exercises are not a problem for the "real" home network).

    I appreciate any suggestion; it's difficult for me to get the "big picture" of all of this, even though I know clearly what I want.
    Thanks in advance.



  • Unless you have a way to run a second dhcp server in Case 2, you will only have one lan in both cases. AsusWrt AP mode does not support client isolation. What I had to do was add an interface for AP. So pfsense has WAN, LAN and OPT1.


  • LAYER 8 Global Moderator

    that switch supports vlans.. So you can just run vlans for your wireless networks, even a guest network if that router/ap supports vlan tagging on its ssids.  If you can put dd-wrt on it pretty sure it would.

    I run pfsense on my esxi host, and I vlan 3 different wireless networks.  My normal wireless which is using eap-tls to access, my psk network for devices that do not support enterprise wpa2 (nest thermostat, harmony hub for remote control).  And then a guest network for actual "guests".  I also then vlan my son's ps3 on that same physical interface I use for the "wlan".

    While I have more interfaces in my esxi host, so it has another physical interface for lan and one even for the vmkern.  The wlan interface with vlans on it could just as very well be your lan interface.

    As long as your switch supports vlans, and your AP does, you won't have any problems.  As to having a 2nd dhcp server?  Confused with that statement by gjaltemba - pfsense is more than capable of running multiple dhcp servers as long as pfsense has an interface in that network be it physical or a vlan..

    If your esxi host has room for more interfaces - this would be a great normally very low cost upgrade to your system.  4 port gig nics are not all that expensive.. My esxi host has single nic, dual nic and then the onboard nic.  If I was not about ready to upgrade that whole host I would prob redo with a 4 port nic.



  • First of all, thank you both for your time.

    @gjaltemba:

    Unless you have a way to run a second dhcp server in Case 2, you will only have one lan in both cases. AsusWrt AP mode does not support client isolation. What I had to do was add an interface for AP. So pfsense has WAN, LAN and OPT1.

    I could use a Raspberry Pi 2 that I have lying around, or a virtual machine, or another old Xavi 7968 router that I also have lying around.

    @johnpoz:

    that switch supports vlans.. So you can just run vlans for your wireless networks, even a guest network if that router/ap supports vlan tagging on its ssids.  If you can put dd-wrt on it pretty sure it would.

    I run pfsense on my esxi host, and I vlan 3 different wireless networks.  My normal wireless which is using eap-tls to access, my psk network for devices that do not support enterprise wpa2 (nest thermostat, harmony hub for remote control).  And then a guest network for actual "guests".  I also then vlan my son's ps3 on that same physical interface I use for the "wlan".

    While I have more interfaces in my esxi host, so it has another physical interface for lan and one even for the vmkern.  The wlan interface with vlans on it could just as very well be your lan interface.

    As long as your switch supports vlans, and your AP does, you won't have any problems.  As to having a 2nd dhcp server?  Confused with that statement by gjaltemba - pfsense is more than capable of running multiple dhcp servers as long as pfsense has an interface in that network be it physical or a vlan..

    If your esxi host has room for more interfaces - this would be a great normally very low cost upgrade to your system.  4 port gig nics are not all that expensive.. My esxi host has single nic, dual nic and then the onboard nic.  If I was not about ready to upgrade that whole host I would prob redo with a 4 port nic.

    At least at the moment, adding another NIC to the host is not an option (it already has a GPU in passthrough, an HBA LSI card…so no pci ports left). I have to manage with just two intel gigabit NICs, the one onboard and a PCI-E x1 NIC.

    It's not possible to install DD-WRT, OpenWrt etc... in this Asus ADSL router, I already checked that. The Asus DSL-N16U router doesn't support VLAN tags in the LAN network either. The only VLAN mention is in the WAN configuration, but that's not what I need (I'm a bit disappointed with asus-wrt, even though it's pretty stable, at least in my case). At least not from the web GUI, I don't know if I can do something about it from the shell.

    Apart from that Asus router (with n300 wifi and gigabit ports) I've got an old Xavi 7968 router (no option to install DD-WRT, gargoyle, tomato etc… I already checked) but it only has 54g wifi and fast ethernet ports; it is VLAN port capable, though (at least that's what I think). I could use this 2nd router attached to the Netgear switch and have a 2nd LAN, could I?

    Or I can even manage with just one internal LAN; having a 2nd LAN is not my main concern, I just want to know if the planning of the infrastructure is OK.

    Can I use the config I described before in case1?: the Asus router/wifi AP just behind pfSense, and all the devices connected (wifi & cable) to the Asus DSL-N16U router.

    And in the 2nd hypothesis, I thought adding the Netgear switch (case2 described before) just behind pfSense, and behind it the Asus router, would let me solve the 2nd LAN question with VLANS. But if not, I can test other options. For example, using the Asus DSL N16U wifi guest network could be a solution (correct me if I'm wrong), in that case I would have two different and separate wifi LANs with access to internet.

    Apart from that, as I've mentioned, I've got two other devices I could use for this, an old Xavi 7968 ADSL router and a Raspberry Pi 2. I was thinking about using the Raspberry Pi 2 as some kind of network diagnostic/logging device at some point of this infrastructure, but I could use it in any other way if you have a better suggestion. For example, I could add a wifi dongle and install OpenWrt on the Raspberry Pi, attach it to the Netgear switch (or to the Asus router) and make another wifi Access Point, couldn't I? That could be a solution, and in both cases (using the switch or not using the switch) I would have two wifi APs with two different LANs, if I'm not wrong.

    Thanks again for sharing some time & knowledge, johnpoz & gjaltemba, I really appreciate your help. As you can see, I'm a bit lost with all of this.


  • LAYER 8 Global Moderator

    What about just buying a new AP?  The unifi stuff is really reasonable priced - the new AC line runs like $89 to 149..  They support vlans - they can use a controller (software) that you could run in a vm on your esxi host.  That is what I do, or you could even use your raspberry pi for that.

    ADSL based routers do have very limited 3rd party support.

    Is there anyway to change out your current x1 nic in your host with a x2 or even x4?



  • @johnpoz:

    What about just buying a new AP?  The unifi stuff is really reasonable priced - the new AC line runs like $89 to 149..  They support vlans - they can use a controller (software) that you could run in a vm on your esxi host.  That is what I do, or you could even use your raspberry pi for that.

    ADSL based routers do have very limited 3rd party support.

    Is there anyway to change out your current x1 nic in your host with a x2 or even x4?

    I've just bought an APC UPS and the netgear switch… at least at the moment I have to stick to the hardware I already have... and as I said, the ESXi host has all the PCI ports occupied, the intel NIC is already using the only PCI-e x1 port left, and the rest of them are being used by GPUs, RAID cards and USB 3.0 cards for different VMs, so that's not an option.

    I think using the Raspberry Pi 2 with open-WRT and a wifi dongle as wireless Access Point could be a good solution.

    what would be the configuration in that case?

    0/ internet -> 1/ ISP modem/router in bridge mode -> 2/ ESXi6/pfSense2.2.4VM -> 3/ Netgear GS108E switch
    ->
    4.1/ Asus DSL-N16U as wifi AP1 ;
    4.2/ Raspberry Pi as wifi AP2;
    ->
    5/ DEVICES: computers, laptops, smartphones… using the 2 different APs

    I have no budget left for this, at least until next year, that's why I'm trying to do it with only these resources. On the other hand, as I said, I'm talking about a small home LAN with no more than ten devices simultaneously (most of them my homework VMs) and only 10 Mb of DL speed.

    PS: I have to say I have another computer with 3 NICs, but 2 of them are just fast ethernet PCI NICs, and I'd rather not use that computer as home router (all day on) because it uses much more energy than my current ESXi host: they are both core i7, but one of them is an old core i7 860 with only 8gb RAM, 3 NICs (only one of them gigabit) and an old crappy PSU, and the other one is a new core i7 4790 with 32gb RAM, 2 gigabit NICs and an 80+ gold certified PSU. They are both ESXi hosts in the same vSphere, but only the core i7 4790 is all day on, I only use the old core i7 860 computer for backups, testing etc…

    Thanks again for your time and help, johnpoz


  • LAYER 8 Global Moderator

    "I think using the Raspberry Pi 2 with open-WRT and a wifi dongle as wireless Access Point could be a good solution"

    Yeah that would most likely suck as AP.. Those little dongles are not very good in range and xmit power..  I wouldn't waste any time doing that - just buy a REAL AP that has vlan support.. You're not talking 1,000's of dollars, you can get a unifi 2.4 AP for $70.. Or the new AC lite for $89..  Why would you not go that route??

    And why can you not replace the pci-e nic with a dual port nic? here is a dual port pci-e x1 slot card for $30

    http://www.amazon.com/Crest-Gigabit-Ethernet-Network-SY-PEX24028/dp/B00965J4TS/

    Here is a driver for esxi 6 since it doesn't seem to natively support that Realtek Chipset 8111E

    https://vibsdepot.v-front.de/wiki/index.php/Net55-r8168

    This would allow you to do it without vlans since you would have another physical port.. But best option would be an AP that supports vlans..



  • @johnpoz:

    Confused with that statement by gjaltemba - pfsense is more than capable of running multiple dhcp servers as long as pfsense has an interface in that network be it physical or a vlan..

    Agreed but pfSense is limited to one subnet per interface (physical or vlan). Correct?

    Asuswrt gui gives the false impression that a Guest Network in AP mode will restrict access to your LAN but it does not.

    So a no cost solution would be to define vlan in switch. Asuswrt gui does not support vlan but I am going to try with ssh and script.

    I have a computer that could use a dual port pcie x1. Thanks for the link.



  • LAYER 8 Netgate

    Agreed but pfSense is limited to one subnet per interface (physical or vlan). Correct?

    In pfSense one physical interface can host multiple VLAN interfaces.

    Example

    Create VLAN 10, 20, and 30 on eth0

    Assign OPT1 to VLAN 10 on eth0
    Assign OPT2 to VLAN 20 on eth0
    Assign OPT3 to VLAN 30 on eth0

    Create a switchport with tagged VLANs 10, 20, and 30 and patch it to eth0.
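The assignment above (VLAN 10, 20 and 30 as children of one NIC, each bound to its own pfSense interface) is easier to reason about when you see how frames are sorted on the way in. The following is an added example written for this page, not code from pfSense or from anyone in the thread: it builds and parses 802.1Q-tagged Ethernet frames and models the parent NIC as a trunk port that hands each frame to the pfSense interface assigned to its VLAN ID. The MAC addresses and payloads are constructed, and "eth0"/OPT1-3 are the names from the post. Two edge cases a practitioner should know are handled explicitly: a tagged frame whose VID has no VLAN child is dropped rather than leaking onto the parent, and a tag with VID 0 is priority-only and counts as untagged traffic for the parent interface.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, vlan_id=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet II frame; with vlan_id set, insert an 802.1Q tag after the MACs."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if vlan_id is not None and not 0 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 0..4094 (4095 is reserved)")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    frame = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | vlan_id            # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload).
    A tag carrying VID 0 is a priority-tagged frame per 802.1Q: it belongs to the
    port's untagged VLAN, so it is reported here as untagged."""
    if len(frame) < 14:
        raise ValueError("short Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        vlan_id = vid if vid != 0 else None
        offset = 18
    return vlan_id, etype, frame[offset:]


class TrunkPort:
    """Model of a pfSense parent NIC (e.g. eth0 in the post) with VLAN children
    assigned to OPTx. parent_assignment is the pfSense interface bound to the
    untagged parent itself, or None when the parent is left unassigned."""

    def __init__(self, parent, vlan_assignments, parent_assignment=None):
        self.parent = parent
        self.vlans = dict(vlan_assignments)      # {vid: "OPT1", ...}
        self.parent_assignment = parent_assignment

    def deliver(self, frame):
        """Name of the pfSense interface that receives this frame, or None if dropped."""
        vlan_id, _etype, _payload = parse_frame(frame)
        if vlan_id is None:
            return self.parent_assignment        # untagged -> parent NIC (LAN if assigned)
        # a tagged frame whose VID has no VLAN child is dropped, not passed to the parent
        return self.vlans.get(vlan_id)


def demo():
    """The thread's example: VLAN 10/20/30 on eth0 as OPT1/OPT2/OPT3, eth0 itself unassigned."""
    dst = bytes.fromhex("ffffffffffff")          # constructed broadcast MAC
    src = bytes.fromhex("001122334455")          # constructed source MAC
    trunk = TrunkPort("eth0", {10: "OPT1", 20: "OPT2", 30: "OPT3"})
    cases = {
        "vlan10": build_frame(dst, src, b"dhcp-discover", vlan_id=10),
        "vlan30": build_frame(dst, src, b"dhcp-discover", vlan_id=30),
        "vlan40": build_frame(dst, src, b"dhcp-discover", vlan_id=40),    # not assigned
        "untagged": build_frame(dst, src, b"dhcp-discover"),
        "priority_only": build_frame(dst, src, b"dhcp-discover", vlan_id=0, pcp=5),
    }
    return {name: trunk.deliver(frame) for name, frame in cases.items()}


if __name__ == "__main__":
    for name, iface in demo().items():
        print(f"{name:14s} -> {iface or 'dropped'}")
```

The practical consequence for the switch side: the port patched to eth0 must carry 10, 20 and 30 tagged, and whatever the switch sends untagged on that port (its PVID) is what lands on the parent interface. If you leave the parent unassigned in pfSense, that untagged traffic simply goes nowhere, which is usually what you want on a pure trunk.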



  • Sorry I meant that pfSense dhcp server is limited to one subnet per interface. Correct?


  • LAYER 8 Netgate

    Yes. If that's insufficient use helpers and another DHCP server.



    That IO CREST card is the first dual PCI-E x1 NIC I've ever seen, I thought they were only available in PCI-E x4.
    Anyway, I can't buy it from amazon spain, and the cheapest price I've found (buying it from spain) is > 50€.
    I can get an IBM PRO/1000 PT Dual Port PCI-E for 25€ with 1 year warranty, but I will have to sacrifice one of the PCI-E x16 ports I'm using, so I'll think about it. I've got an LSI card in passthrough for a NAS4free VM that is using just 3 SATA HDDs in RAID Z1. If nas4free can use those same disks in RDM (Raw Device Mapping)
    http://vm-help.com/esx40i/SATA_RDMs.php
    without losing their data in ESXi, I will probably replace the HBA card with a dual NIC card. I have to see if that is possible, I've never used RDM disks in ZFS before.

    @gjaltemba:

    @johnpoz:

    Confused with that statement by gjaltemba - pfsense is more than capable of running multiple dhcp servers as long as pfsense has an interface in that network be it physical or a vlan..

    Asuswrt gui gives the false impression that a Guest Network in AP mode will restrict access to your LAN but it does not.

    So a no cost solution would be to define vlan in switch. Asuswrt gui does not support vlan but I am going to try with ssh and script.

    I don't understand what you mean, at least now in my Asus DSL-N16U the wifi guest networks (I can have 3 apart from the regular wifi) are isolated from each other and from the main LAN if I mark "Intranet Access". Or aren't they really isolated? I can access this router through telnet, but no ssh access.

    @Derelict:

    Agreed but pfSense is limited to one subnet per interface (physical or vlan). Correct?

    In pfSense one physical interface can host multiple VLAN interfaces.

    Example

    Create VLAN 10, 20, and 30 on eth0

    Assign OPT1 to VLAN 10 on eth0
    Assign OPT2 to VLAN 20 on eth0
    Assign OPT3 to VLAN 30 on eth0

    Create a switchport with tagged VLANs 10, 20, and 30 and patch it to eth0.

    this seems a no cost solution that would let me have two separate LANs.

    I really appreciate all your help, guys... many different points of view always open new perspectives.


  • LAYER 8 Global Moderator

    "this seems a no cost solution that would let me have two separate LANs."

    ?? Been talking about vlans as options since first post.  But your AP has to support them if you want more than 1.. You could put the wifi on its own vlan if you want via just your switch and pfsense.. But that does not allow you to have say ssid Users on vlan 10 and ssid Guest on vlan 20 unless your AP supports that..

    But sure if you just want to isolate your AP to its own vlan - then sure create the vlan on pfsense, do the vlan on your switch and connect the AP to a port on switch in the wireless vlan..

    As to the x1 nic - there are a few other options, that was just 1 I found.. If you want to play with vlans - get an AP that supports them..  I know for sure you can get unifi AP pretty much every country..

    http://www.amazon.es/UBNT-UniFi-Access-Point-Standard/dp/B00HYW94J0/



  • I wanted (I still want) to know which are my options. For example, using the switch I can have 2 LANs if I also use both routers behind it (The Asus and the old Xavi 7968 I mentioned before, or the Asus and the Raspberry Pi 2 etc…).

    On the other hand, there's probably some option around here (in iptv or guests wifi) I could use

    At the openWRT wiki there's a page for the Asus DSL-N16U where they talk about its VLANs:

    http://wiki.openwrt.org/toh/asus/asus_dsl-n16u


  • LAYER 8 Netgate

    Why are you asking for help with those devices here?


  • LAYER 8 Global Moderator

    Those devices' guest networks only work when they are the GATEWAY!!!  If you had them NAT, all traffic from that device, no matter what ssid they were on or wired, would still just look like the wan IP of that device.

    If you use it as AP and turn off its dhcp and connect it to your wired network that is on a pfsense network, that is the network your clients will be on..  Be it your lan, or a vlan you setup on your switch and connect to pfsense.

    If you WANT to have multiple vlans based upon SSID then you need an AP that supports doing that, a switch that supports vlans, and setup the vlans in pfsense..

    It always confuses me when users have lots of hardware, lots of computer clients and then they balk at spending a couple more bucks to do something correctly..  Get an AP that supports vlans and you're all set.. It's 70 euro in that link I provided, this seems very low cost if you add up all the other costs of hardware you have already spent money on and this is something you want to do.. Vs some wifi dongle in a raspberry pi as your AP???
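gjaltemba's warning that the Asuswrt guest network does not restrict LAN access in AP mode, and johnpoz's explanation of why (the isolation only exists when the Asus is the gateway doing NAT; as an AP it just bridges clients onto whatever wired network it is plugged into), are both things you can verify instead of trusting the GUI checkbox. The script below is an added example for this page, not code from the thread or from any of the products named in it: run it from a laptop associated to the guest SSID and point it at hosts on the main LAN. The addresses in DEFAULT_TARGETS are assumptions for this network (pfSense's LAN address, the ESXi host, a laptop) and need changing. The important detail is the classification: a refused connection (RST) proves the guest client reached the host at layer 3, so it counts as "reachable" just like an open port; only a timeout or no-route result is consistent with isolation.

```python
import socket
import sys


def probe_tcp(host, port, timeout=1.0):
    """Classify a TCP connect attempt: 'open', 'closed' (RST received, so the host
    is reachable at layer 3) or 'filtered' (timeout, no route, host unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # socket.timeout, EHOSTUNREACH, ENETUNREACH, ...
        return "filtered"


def check_isolation(targets, probe=probe_tcp):
    """targets: iterable of (host, port). Returns (results, reachable) where
    reachable lists every target that answered at all; 'closed' still means a
    host on the wired LAN talked to the guest client, so isolation is broken."""
    results = {(h, p): probe(h, p) for h, p in targets}
    reachable = sorted(t for t, r in results.items() if r in ("open", "closed"))
    return results, reachable


def isolation_verdict(reachable):
    return "isolated" if not reachable else "NOT isolated"


# Assumed addresses for the thread's network; replace with your own.
# Include something that is known to answer on the main LAN (the pfSense web GUI
# is a good choice) so that an all-'filtered' result is meaningful rather than
# a sign that the target hosts simply firewall those ports.
DEFAULT_TARGETS = [
    ("192.168.1.1", 443),    # pfSense LAN address, web GUI
    ("192.168.1.10", 443),   # ESXi host
    ("192.168.1.20", 22),    # a laptop with sshd
]


if __name__ == "__main__":
    results, reachable = check_isolation(DEFAULT_TARGETS)
    for (host, port), state in results.items():
        print(f"{host}:{port:<5} {state}")
    print(isolation_verdict(reachable))
    sys.exit(1 if reachable else 0)   # non-zero when the guest network can see the LAN
```

Run it twice: once from the guest SSID and once from the main wifi, and compare. If the guest run reports anything other than "filtered" for the pfSense LAN address, the "Intranet Access" setting is not doing what the GUI implies in AP mode, and the separation has to come from a VLAN on the switch and pfSense instead.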



  • @johnpoz:

    You could put the wifi on its own vlan if you want via just your switch and pfsense.. But that does not allow you to have say ssid Users on vlan 10 and ssid Guest on vlan 20 unless your AP supports that..

    But sure if you just want to isolate your AP to its own vlan - then sure create the vlan on pfsense, do the vlan on your switch and connect the AP to a port on switch in the wireless vlan..

    That's what I'm going to try, that works for me. And if I can repeat the same process twice (I create a 2nd vlan in pfSense, then I define that same 2nd vlan in the switch and I attach another device behind them) it will let me have a 2nd vlan… but if it doesn't, it's not a problem at all, I can perfectly work with just one LAN.

    @Derelict:

    Why are you asking for help with those devices here?

    Well, I think it's a good site to ask & learn about many things related to pfSense (probably the best site on the internet) and, my network and most of its devices being managed by pfSense, I thought this forum could be a good place to learn from the experience of other pfSense users. Yours, for example, has been very helpful, pointing the way to config the vlans.

    @gjaltemba:

    @johnpoz:

    Confused with that statement by gjaltemba - pfsense is more than capable of running multiple dhcp servers as long as pfsense has an interface in that network be it physical or a vlan..

    Asuswrt gui gives the false impression that a Guest Network in AP mode will restrict access to your LAN but it does not.

    So a no cost solution would be to define vlan in switch. Asuswrt gui does not support vlan but I am going to try with ssh and script.

    I still can't understand what you mean about guest networks.
    Your suggestion of defining the vlans in the switch etc. is what I'm going to try.
    But anyway, even having just one LAN, if I can just use the Asus DSL N16U as wifi Access Point without any isolation, that would work for me.

