VLANs help needed. Complex network layout

  • I have this scenario:

    I have network devices in House A and in House B. There is only a cat6 cable joining house A and B

    In House A I have:

    The Wireless AP in bridge mode, granting access to the users on the pfsense LAN network
    The WAN Router 1 (Wimax Router).
    One unmanaged switch

    In House B I have:

    The pfsense router, an APU with 3 network cards.
    The WAN Router 2. A DSL router
    One unmanaged switch

    Again, there is only one cat6 wire between House A and B.

    DHCP is configured on the LAN interface, and load balancing is enabled on both WAN interfaces with static IPs. DHCP is only enabled on the LAN interface; I disabled it on the WAN routers, so the LAN clients are getting the right IP. The problem is, as one of the WANs and the LAN are in house A, the switches allow traffic for both subnets, without VLANs, and I think this is causing switch performance issues. Besides that, if one user on the wifi LAN sets up his network card with a static WAN-range IP, they can bypass the pfsense box.

    How would you fix this mess? Another wire between A and B is not a solution, and moving the pfsense box to house A is not possible.

    Do I need managed switches? May I assign one of the WANs and the LAN to the same interface of the pfsense box using VLANs?

    Let me know, and thanks in advance.

  • LAYER 8 Netgate

    Yes. Say you used VLANs 100, 200, 300, 400

    Switch A
    Port 1 Untagged 100
    Port 2 Untagged 200
    Port 3 Untagged 300
    Port 4 Untagged 400
    Port 5 Tagged 100,200,300,400

    Switch B
    Port 1 Untagged 100
    Port 2 Untagged 200
    Port 3 Untagged 300
    Port 4 Untagged 400
    Port 5 Tagged 100,200,300,400

    Plug the inter-house cable into port 5 at each end.

    It will appear as if a separate "cable" is connecting ports 1 and 1, 2 and 2, 3 and 3 and 4 and 4.

    Yes, you need managed switches to do this.

    You can also tag the VLANs to pfSense and connect just one interface to a switch and run multiple pfSense interfaces.

    Other than that I am not clear as to exactly how you want your network to look when you're done.
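    As an added illustration (not from the thread and not Netgate's code), here is a small Python model of the two-switch layout described in this answer. It tags and untags 802.1Q frames at the byte level and shows that a frame entering an access port on Switch A can only leave Switch B on the port belonging to the same VLAN, whatever IP addresses the payload carries, which is what separates the WAN and LAN traffic sharing the one inter-house cable. The port table is the one given above; the frame bytes are constructed.

```python
import struct
TPID = 0x8100  # 802.1Q Tag Protocol Identifier

def tag_frame(frame, vid):
    """Insert an 802.1Q tag (PCP 0, DEI 0, given VID) after the two MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID out of range")
    return frame[:12] + struct.pack(">HH", TPID, vid) + frame[12:]

def untag_frame(frame):
    """Return (vid, frame_without_tag); vid is None when the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack(">H", frame[12:14])[0] == TPID:
        vid = struct.unpack(">H", frame[14:16])[0] & 0x0FFF  # VID = low 12 bits of the TCI
        return vid, frame[:12] + frame[16:]
    return None, frame

# Port table from the answer above (same on Switch A and Switch B): ports 1-4 are
# access ports for VLANs 100-400, port 5 is the tagged inter-house trunk.
SWITCH = {1: {"untagged": 100}, 2: {"untagged": 200}, 3: {"untagged": 300},
          4: {"untagged": 400}, 5: {"tagged": {100, 200, 300, 400}}}

def forward(ports, in_port, frame):
    """Classify the frame into a VLAN from its tag or the ingress port, then flood it to
    the other member ports with each port's egress tagging. Returns {port: bytes}."""
    vid, payload = untag_frame(frame)
    cfg = ports[in_port]
    if "untagged" in cfg:
        if vid is not None:
            return {}                 # access ports discard tagged frames
        vid = cfg["untagged"]         # untagged frame takes the port's VLAN
    elif vid not in cfg["tagged"]:
        return {}                     # trunk discards VLANs it is not configured to carry
    out = {}
    for port, pcfg in ports.items():
        if port == in_port:
            continue
        if pcfg.get("untagged") == vid:
            out[port] = payload                   # access egress: tag stripped
        elif vid in pcfg.get("tagged", ()):
            out[port] = tag_frame(payload, vid)   # trunk egress: tag kept
    return out

def cross_trunk(src_port, frame):
    """Frame enters Switch A on src_port, crosses the port-5 cable, exits Switch B."""
    on_wire = forward(SWITCH, src_port, frame).get(5)
    return forward(SWITCH, 5, on_wire) if on_wire else {}

# Constructed sample frame: broadcast dst MAC, locally administered src MAC, IPv4 ethertype.
LAN_FRAME = bytes.fromhex("ffffffffffff" "0200000000aa" "0800") + b"constructed payload"
```

    Whatever the IP header inside LAN_FRAME says, `cross_trunk(3, LAN_FRAME)` delivers it only to port 3 on the far switch; the routing between VLANs is then entirely pfSense's job.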

  • Thanks for your reply.

    Would this also be possible?

    Plug the wire joining both houses say on the em0 port of the pfsense.

    Create pfsense VLANs on em0, one for WAN1 and another for LAN. Place a managed switch in House A. Tag one port of the managed switch with the WAN1 VLAN id and another with the LAN VLAN id. Plug those ports into the WAN router interface and the LAN AP interface in house A.

    That would reduce the need for managed switches to just one in house A, but is it possible? The WAN2 interface would be plugged directly into the WAN2 router interface in house B, without managed switches.

    Thanks, this would save my life!

  • LAYER 8 Netgate

    Yes. You just need a tagged interface at each end of the wire. It doesn't matter if that is a managed switch port or a physical pfSense interface.

  • Thanks man, you made my day, I am going for this one

    So, after reading this, I understand that you may have a pfSense box with just one physical interface if you also use managed switches and VLANs.

    Interesting, I knew I should have put my hands on VLANs earlier!

  • LAYER 8 Global Moderator

    "with just one physical interface"

    You do understand that is not always a good thing.. Every VLAN you put on an interface is shared bandwidth.. And causes hairpinned connections.. Which is not something you really want to do.

    It's not that big of an issue when you're talking gig interfaces with less than 100mb speeds like internet.. Interfaces are normally not that expensive.. A quad NIC these days is fairly cheap.. Here is a decent card for 110 from a good seller, amtech

  • I don't think your current setup is causing any performance problems. Remember, the primary traffic control for switches is the CAM table which herds packets based on the MAC addresses. VLANs are just a way to put some administrative control on your packets.

    If you go with VLANs, it looks like you'd end up with something like:

    VLAN 10 - ISP #1
    VLAN 20 - ISP #2
    VLAN 30 - House 1 LAN
    VLAN 40 - House 2 LAN (assuming you want to isolate the subnets in the two houses from each other.)

    I see no reason to add physical interfaces to the pfsense box - just trunk the VLANs into one or two interfaces.

    A couple of notes:
    1. Copper running between buildings isn't a great idea (and you might be violating codes). I can guarantee that a close lightning strike will take out one or both switch ports that the copper line is plugged into. I'd highly recommend you add cat-5 surge protectors on each end.
    2. Security experts will tell you that running Internet and LAN traffic on the same cables is a no-no. Personally, I think the risk is small, but it isn't a best practice.
    3. 100mb ethernet only requires two pairs. You could split the pairs using two pairs to connect the ISP to pfsense, and two pairs to connect the house LAN to the LAN side of pfsense. Not recommended, but it would work.

  • Thanks Gomez, I know that VLANs will decrease the performance of the NIC, of course.

    That infrastructure is located at a campsite; the wire goes underground, so there is no law violation as everything is on the owner's property :)

    Finally I moved the pfsense box to House A.

    I created two LANs, one for the wifi camping customers and another one for the office in House B.

    Currently there is just one WAN working, but when I receive the managed switch, I'll create a VLAN on the office LAN adapter to include the secondary WAN access in the system. I will place the switch in house B.

    That one will be used by the office people, as in peak times the main WAN access is saturated by the camping wifi customers.

    Anyway, I'd like to thank all the people that helped me on this. The pfsense forum is an example of what a community forum should be.
