Netgate Discussion Forum
    Network configuration best practices?

    General pfSense Questions
    7 Posts 5 Posters 4.5k Views
    • jfd.lewgmail.com

      Good evening. I'm curious to hear about network setup 'best practices'. Pretty much to learn and tinker because it keeps me occupied and I like to dink around.

      My network configuration is pretty basic ->

      Interwebs (PPPoE gigabit WAN) -> pfSense -> 8 port Netgear Gigabit switch (unmanaged) -> random things

      pfSense is connected to my CL ONT by CAT6. No provider modem, etc.

      The 8 port Netgear switch houses the following:

      1. Runs to a 5 port gigabit switch located in my office (Work PC, Printer, Xbox One)
      2. iMac
      3. AppleTV 1
      4. AppleTv 2
      5. AppleTv 3
      6. DirectTV
      7. Airport Time Capsule
      8. pfSense Box

      The Time Capsule is located in my rack, which has a line ran upstairs to my living room to an Airport Extreme and a regular Airport Express. I had to do this for a roaming network because of poor wifi range. It's seamless and the devices connect to whichever has the better signal. The Time Capsule and Extreme do the wireless, the Express's only purpose is to connect my stereo receiver to iTunes for my whole home audio, so wireless is turned off on that.

      We have a plethora of wireless devices, just as everyone typically does -> iPhones, iPads, a few laptops, etc.

      I'm considering replacing the dummy netgear with a managed switch. I have been looking at the Netgear GS716T-300NAS.

      My question to you guys is, with the stuff I have on my network, what would be 'best practices' on configuring my network? Should I be running my wireless and wired on separate VLANs, etc.? What about my work PC? I currently connect to work through their VPN. What I find odd is that even when I am on their VPN, I can use PuTTY on my work laptop and log in to my pfSense box at 192.168.1.1. Shouldn't I not be able to do that?

      Just a few thoughts, I welcome any and all suggestions. Thanks!

      • A Former User

        Not sure if your handle is a real email, but my first thought was you may want to change that. ;)
        If not, then disregard my meaningless dribble.

        • MikeV7896

          For most home users, a network for their own devices (wired and wireless) and a separate Guest network for visitors is just fine. Apple's Airport devices have a Guest network option, but an Airport needs to be running as your main router in order for it to function.

          If you want to get into multiple SSIDs for different networks, you'll be looking for some upgrades. At a minimum, you'll need some kind of "smart" switch with a web interface. This will let you set up VLANs for the various ports, so you can designate a port be on a specific network (access port), or be a trunk connection and carry multiple VLANs (you would want the connections to pfSense and your wireless access point to be a trunk, for example). Not all of your switches need to be smart/managed… if all of the devices on your office switch only need to be on your LAN, then you don't need a managed switch there. Just set the port on your managed switch as an access port on the appropriate network.

          Of course, with the growing "internet of things", some more security-conscious folks are going an extra step and creating a THIRD network for their various IoT devices, given how great the security on some of them has proven to be. This keeps their LAN computers and personal devices separate from their smart home hubs, wireless cameras (or camera system DVRs), thermostats, and other "cloud managed" devices. This doesn't usually affect their functionality, as those devices communicate through cloud-based servers on the internet, and the apps that control them do the same.

          How far you want to take your network is up to you. Everyone has different wants and needs. If you want me to detail my network (I fit in the first group, but still have a pretty beefy network for a home), I'd be happy to.

          The S in IOT stands for Security

          • jfd.lewgmail.com

            Thank you for the reply. I'm naturally curious, so yes, if you don't mind detailing your network, I would be happy to see how others have set up.

            I think what I will do, however, after talking with some guys from work, is to put my office on its own VLAN. It's a big no-no for my internal network to be able to see my work PC and vice versa. And since I work from home, it's compounded even more since it's essentially on 24/7.

            My wireless devices need to be able to see certain devices (iMac, MB Air, MBP and iPhones all need to see each other) for backup purposes, etc. And the Apple TV's need to be able to see the iMac for streaming from iTunes. But other than that, it's pretty much up in the air.

            • Derelict (LAYER 8, Netgate)

              Apple's Airport devices have a Guest network option, but an Airport needs to be running as your main router in order for it to function.

              Apple tags the guest network with VLAN 1003. It can be made to work if you untag the port to the Airport for the main SSID and tag 1003 for the guest SSID.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • MikeV7896

                pfSense connections:

                • WAN -> Arris cable modem, Comcast internet service - IPv4/IPv6
                • LAN -> Linksys LGS308 switch port 1

                VLAN 1 (untagged) - LAN (192.168.1.1/24; Track WAN prefix ID 1)
                VLAN 5 (tagged) - GUEST (172.20.10.1/27; Track WAN prefix ID 5)

                LGS308 port 8 - Trunk to LGS308P port 8
                LGS308P port 7 - Trunk to wireless access point, LAPAC1200

                • two SSIDs VLAN 1 (2.4 and 5 GHz separately)
                • one SSID VLAN 5 (2.4 GHz only)

                All other switch ports are access ports, set to VLAN 1.

                I have an unmanaged gigabit switch that goes from the LGS308 to my entertainment center, where a handful of devices connect to my LAN.

                The S in IOT stands for Security

                • Guest

                  (Work PC, Printer) -> VLAN10

                  2. iMac
                  7. Airport Time Capsule -> VLAN20

                  3. AppleTV 1
                  4. AppleTv 2
                  5. AppleTv 3
                  6. DirectTV
                  Xbox One -> DMZ, or VLAN 30, or each in its own VLAN

                  8. pfSense Box -> as it is.

                  Netgear GS716T-300NAS

                  Depending on the configuration and setup (and for sure all of this can be different and changed against each other), it would be better in my eyes to go with 2 other switches, but much more according to that setup with a DMZ. Otherwise it can be really useful to go with one bigger switch that is capable of VLANs, QoS and really strong in performance, such as a D-Link DGS1510-20 or Cisco SG300-20, and without a DMZ but each device in its own VLAN, with the switch then routing the entire LAN workload. More cost for sure, but nearly wire speed for each device, and routing is done by the switch and not the pfSense firewall, to free it for other packets.


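As an added example, not code from any poster in this thread: a small Python model of the pfSense-style per-interface rule sets that would actually enforce the segmentation the thread recommends (separate LAN, guest and work-PC segments, with the office isolated from the home LAN in both directions). It uses MikeV7896's LAN and GUEST addressing; the WORK segment on VLAN 10 at 192.168.10.0/24, the interface names and the rule sets themselves are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Segments from the thread: LAN (VLAN 1, untagged) and GUEST (VLAN 5) as in
# MikeV7896's layout; WORK (VLAN 10) is the office VLAN the original poster
# decided on, with a constructed subnet.
NETS = {
    "LAN":   ipaddress.ip_network("192.168.1.0/24"),
    "GUEST": ipaddress.ip_network("172.20.10.0/27"),
    "WORK":  ipaddress.ip_network("192.168.10.0/24"),   # constructed
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str    # "pass" or "block"
    dst: list      # destination networks; an empty list means "any"


# pfSense-style rule sets: evaluated on the interface where the traffic
# ENTERS the firewall, first match wins, implicit deny when nothing matches.
RULES = {
    # Home LAN: everything except the work segment.
    "LAN":   [Rule("block", [NETS["WORK"]]), Rule("pass", [])],
    # Work PC: internet only, no home LAN and no guest network.
    "WORK":  [Rule("block", [NETS["LAN"], NETS["GUEST"]]), Rule("pass", [])],
    # Guests: may reach their own gateway (DNS), then nothing private.
    "GUEST": [Rule("pass", [ipaddress.ip_network("172.20.10.1/32")]),
              Rule("block", RFC1918), Rule("pass", [])],
}


def segment_of(ip):
    """Name of the segment an address belongs to, or None (e.g. internet)."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NETS.items() if addr in net), None)


def decide(src, dst):
    """Return 'pass' or 'block' for a new connection from src to dst."""
    iface = segment_of(src)
    if iface is None:
        return "block"          # unsolicited from WAN: no rules, default deny
    daddr = ipaddress.ip_address(dst)
    for rule in RULES[iface]:
        if not rule.dst or any(daddr in net for net in rule.dst):
            return rule.action
    return "block"              # nothing matched: pfSense default deny
```

Note that a brand-new VLAN interface in pfSense starts with no rules at all (deny everything), while the default LAN carries an allow-any rule, so the LAN-to-WORK block above has to be added explicitly.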
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.