Network configuration best practices?

  • Good evening. I'm curious to hear about network setup 'best practices'. Pretty much to learn and tinker because it keeps me occupied and I like to dink around.

    My network configuration is pretty basic ->

    Interwebs (PPPoE gigabit WAN) -> pfSense -> 8 port Netgear Gigabit switch (unmanaged) -> random things

    pfSense is connected to my CL ONT by CAT6. No provider modem, etc.

    The 8 port Netgear switch houses the following:

    1. Runs to a 5 port gigabit switch located in my office (Work PC, Printer, Xbox One)
    2. iMac
    3. AppleTV 1
    4. AppleTv 2
    5. AppleTv 3
    6. DirectTV
    7. Airport Time Capsule
    8. pfSense Box

    The Time Capsule is located in my rack, which has a line run upstairs to my living room to an Airport Extreme and a regular Airport Express. I had to do this for a roaming network because of poor wifi range. It's seamless and the devices connect to whichever has the better signal. The Time Capsule and Extreme do the wireless; the Express's only purpose is to connect my stereo receiver to iTunes for my whole home audio, so wireless is turned off on that.

    We have a plethora of wireless devices, just as everyone typically does -> iPhones, iPads, a few laptops, etc.

    I'm considering replacing the dummy netgear with a managed switch. I have been looking at the Netgear GS716T-300NAS.

    My question to you guys is, with the stuff I have on my network, what would be 'best practices' on configuring my network? Should I be running my wireless and wired on separate VLANs, etc.? What about my work PC? I currently connect to work through their VPN. What I find odd is that even when I am on their VPN, I can use PuTTY on my work laptop and log in to my pfSense box at Shouldn't I not be able to do that?

    Just a few thoughts, I welcome any and all suggestions. Thanks!

  • Not sure if your handle is a real email but my first thought was you may want to change that.  ;)
    If not then disregard my meaningless dribble.

  • For most home users, a network for their own devices (wired and wireless) and a separate Guest network for visitors is just fine. Apple's Airport devices have a Guest network option, but an Airport needs to be running as your main router in order for it to function.

    If you want to get into multiple SSIDs for different networks, you'll be looking for some upgrades. At a minimum, you'll need some kind of "smart" switch with a web interface. This will let you set up VLANs for the various ports, so you can designate a port be on a specific network (access port), or be a trunk connection and carry multiple VLANs (you would want the connections to pfSense and your wireless access point to be a trunk, for example). Not all of your switches need to be smart/managed… if all of the devices on your office switch only need to be on your LAN, then you don't need a managed switch there. Just set the port on your managed switch as an access port on the appropriate network.

    Of course, with the growing "internet of things", some more security-conscious folks are going an extra step and creating a THIRD network for their various IoT devices, given how great the security on some of them has proven to be. This keeps their LAN computers and personal devices separate from their smart home hubs, wireless cameras (or camera system DVRs), thermostats, and other "cloud managed" devices. This doesn't usually affect their functionality, as those devices communicate through cloud-based servers on the internet, and the apps that control them do the same.

    How far you want to take your network is up to you. Everyone has different wants and needs. If you want me to detail my network (I fit in the first group, but still have a pretty beefy network for a home), I'd be happy to.

  • Thank you for the reply. I'm naturally curious, so yes, if you don't mind detailing your network, I would be happy to see how others have set up.

    I think what I will do, however, after talking with some guys from work, is to put my office on its own VLAN. It's a big no-no for my internal network to be able to see my work PC and vice versa. And since I work from home, it's compounded even more since it's essentially on 24/7.

    My wireless devices need to be able to see certain devices (iMac, MB Air, MBP and iPhones all need to see each other) for backup purposes, etc. And the Apple TVs need to be able to see the iMac for streaming from iTunes. But other than that, it's pretty much up in the air.

  • "Apple's Airport devices have a Guest network option, but an Airport needs to be running as your main router in order for it to function."

    Apple tags the guest network with VLAN 1003. It can be made to work if you untag the port to the Airport for the main SSID and tag 1003 for the guest SSID.
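
Added example, not code from any poster in this thread or from pfSense or Apple: it parses the 802.1Q tag the last post refers to and models the access-versus-trunk port behaviour described earlier, to show why the guest SSID only works when VLAN 1003 is allowed tagged on the Airport's switch port. The function names, the native VLAN of 1, the MAC addresses and the simplified port model are assumptions; the frames are constructed samples.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
GUEST_VID = 1003      # guest VLAN ID stated in the post above
LAN_VID = 1           # assumption: native (untagged) VLAN on the switch port

def parse_vlan(frame: bytes):
    """Return (vlan_id or None, inner_ethertype) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype             # untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner             # low 12 bits of the TCI are the VLAN ID

def ingress_vlan(frame: bytes, native_vid: int, tagged_allowed: set):
    """VLAN a (simplified) switch port assigns the frame to, or None if dropped."""
    vid, _ = parse_vlan(frame)
    if vid is None or vid == 0:            # VID 0 is a priority tag, no VLAN membership
        return native_vid                  # untagged traffic joins the native VLAN
    return vid if vid in tagged_allowed else None

def build_frame(vid=None, ethertype=0x0800):
    """Constructed sample frame: made-up MACs, optional 802.1Q tag, dummy payload."""
    hdr = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid)   # priority bits left at 0
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46

if __name__ == "__main__":
    main_ssid = build_frame()                # main SSID leaves the Airport untagged
    guest_ssid = build_frame(vid=GUEST_VID)  # guest SSID leaves tagged 1003
    for name, frame in (("main", main_ssid), ("guest", guest_ssid)):
        print(name,
              "| trunk allowing 1003 ->", ingress_vlan(frame, LAN_VID, {GUEST_VID}),
              "| access port only ->", ingress_vlan(frame, LAN_VID, set()))
```

A result of `None` for the guest frame on the access-only port is the symptom of a port that was never set to carry 1003 tagged: guest clients associate but their traffic goes nowhere.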

  • pfSense connections:

    • WAN -> Arris cable modem, Comcast internet service - IPv4/IPv6
    • LAN -> Linksys LGS308 switch port 1

    VLAN 1 (untagged) - LAN (; Track WAN prefix ID 1)
    VLAN 5 (tagged) - GUEST (; Track WAN prefix ID 5)

    LGS308 port 8 - Trunk to LGS308P port 8
    LGS308P port 7 - Trunk to wireless access point, LAPAC1200

    • two SSIDs VLAN 1 (2.4 and 5 GHz separately)
    • one SSID VLAN 5 (2.4 GHz only)

    All other switch ports are access ports, set to VLAN 1.

    I have an unmanaged gigabit switch that goes from the LGS308 to my entertainment center, where a handful of devices connect to my LAN.

  • (Work PC, Printer)


    2. iMac
    7. Airport Time Capsule


    3. AppleTV 1
    4. AppleTv 2
    5. AppleTv 3
    6. DirectTV
    Xbox One

    DMZ or VLAN 30 or each in his own VLAN

    8. pfSense Box

    As it is.

    Netgear GS716T-300NAS

    Pending on the configuration and set up and for sure all can be different and changed against each (devices)
    other it would be better in my eyes to go with 2 other switches but much more according to that set up with
    a DMZ. Otherwise it can be really useful to go with one bigger switch that is capable of VLANs, QoS and real
    strong in performance such as a D-Link DGS1510-20 or Cisco SG300-20 and without a DMZ but each in his
    own VLAN and the switch is routing then the entire LAN workload. More cost for sure but nearly wire speed
    for each device and routing is done by the switch and not the pfSense firewall to free it for other packets.
