Advice for home network layout

amrogers3 (Gawd; joined Nov 7, 2010; 643 messages)
Currently have a pfSense box connected to a uverse router.

pfSense box has two NICS, one WAN, one LAN.

Have several devices I need to connect to the internet: Xbox, wireless router, TV, DVD player, etc. I would like to segregate devices onto separate networks via VLANs if possible, but I don't want to buy an expensive router. Trying to figure out a solution.

I can get my hands on a Cisco ASA but I don't believe it does layer 3 routing. Although I think I can implement static routes for multiple VLANs.

Any suggestions?
 
Your pfSense box is fully capable of using VLANs. You will need a managed switch that supports VLANs as well. Trunk the interface between the switch and the pfSense box, apply the VLANs as needed on the other interfaces, and you are golden.
 
wanna draw a diagram :)

Will do. Get it together when I get home tonight.



shadow, couple questions:
1) I can install a 3rd NIC on the Atom board for a DMZ. Do you know if pfSense can handle an additional NIC?
2) how can I apply ACLs to each VLAN? For example, I may not want VLAN1 talking to VLAN2, etc
3) how will the setup you suggested affect network speed? Would a dedicated box like a Cisco ASA or a layer 3 switch be faster for what I want to do? FYI: I am running a supermicro atom board 510 for my pfSense box.



Thanks for link, I'll use that for my diagram :D
 
buy a layer 3 switch > install > profit!

Enable routing on the switch and give the switch an IP on each VLAN (this is the new gateway address for the devices on that VLAN). Set up inter-VLAN routing, then set a static route on the switch to the LAN address on your pfSense box. Done.
 
Gigabit layer 3 is reasonably expensive.

The ASA does layer 3 routing. However, if you want to do a VLAN trunk to the ASA you need the Security Plus license, which is around $500.

You might be able to put together a chassis switch off ebay for reasonably cheap (and still have gigabit).
 
1. Yes, it can handle a third NIC. You could also create a third VLAN and use it as the DMZ. There are some users out there using a pfSense box with only one NIC. They use VLANs to separate the incoming and outgoing traffic.

2. I have no idea how the ACLs work. Please note that I am not personally using VLANs on my pfSense box. Everything I have said is based on my reading of their forums. This solution will require much reading and asking of questions on their site.

3. I don't think you will see much of a hit on the speed. However, a layer 3 switch is actually the preferred method to use. You keep your VLAN tagging below the router so that any traffic that crosses between VLANs is not required to travel the same wire twice (into the pfSense box and back into the LAN again).

A gigabit layer 3 managed switch is going to cost a few bucks. I can sell you a 3550XL for cheap! It is only capable of 100mbps though, except the GBIC interfaces.
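As an added example (not posted by anyone in this thread), here is what the layer-3-switch approach described above looks like as a Cisco IOS configuration. It also covers the ACL question asked earlier (keeping one VLAN from talking to another) and the mirror port for a Snort box asked about later on. Every VLAN number, name, address, port name and the assumption that the wireless AP can map SSIDs to tagged VLANs is made up for illustration.

```cisco
! Added example, not from the thread: a Cisco IOS layer-3 switch doing the
! inter-VLAN routing, with pfSense only as the upstream firewall/NAT box.
! All VLAN numbers, names, addresses and port names are assumed.
!   VLAN 10  TRUSTED  10.0.10.0/24  PCs
!   VLAN 20  MEDIA    10.0.20.0/24  Xbox, TV, DVD player
!   VLAN 30  GUEST    10.0.30.0/24  guest Wi-Fi
!   VLAN 99  TRANSIT  10.0.99.0/24  switch (.2) <-> pfSense LAN NIC (.1)
ip routing
!
vlan 10
 name TRUSTED
vlan 20
 name MEDIA
vlan 30
 name GUEST
vlan 99
 name TRANSIT
!
! One SVI per VLAN. The SVI address is the default gateway for that VLAN,
! so the inter-VLAN hop never leaves the switch.
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group MEDIA-IN in
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip access-group GUEST-IN in
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
!
! Everything the switch cannot route itself goes to pfSense.
ip route 0.0.0.0 0.0.0.0 10.0.99.1
!
! The switch, not pfSense, now sits between the VLANs, so isolation is
! enforced with ACLs on the SVIs. IOS ACLs are stateless and first match
! wins; the implicit deny at the end would also drop DHCP and Internet
! traffic, hence the explicit permits.
ip access-list extended MEDIA-IN
 remark media gear: Internet and DNS on pfSense, nothing else inside
 permit udp any eq bootpc any eq bootps
 permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 established
 permit udp 10.0.20.0 0.0.0.255 host 10.0.99.1 eq domain
 deny   ip  10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny   ip  10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 deny   ip  10.0.20.0 0.0.0.255 10.0.99.0 0.0.0.255
 permit ip  10.0.20.0 0.0.0.255 any
!
ip access-list extended GUEST-IN
 remark guests: DHCP and the Internet only, nothing in 10.0.0.0/16
 permit udp any eq bootpc any eq bootps
 deny   ip  any 10.0.0.0 0.0.255.255
 permit ip  any any
!
! With the switch as gateway, the DHCP scopes live here too (one shown).
ip dhcp excluded-address 10.0.30.1 10.0.30.10
ip dhcp pool GUEST
 network 10.0.30.0 255.255.255.0
 default-router 10.0.30.1
 dns-server 8.8.8.8
!
! Uplink to the pfSense LAN NIC: a plain access port in the transit VLAN.
interface GigabitEthernet0/1
 description pfSense LAN
 switchport mode access
 switchport access vlan 99
!
! End devices get access ports. Never leave a device port dynamic/trunk,
! or a host can tag its frames into a VLAN it should not be in.
interface GigabitEthernet0/2
 description TV
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Trunk to the wireless AP, assuming it maps SSIDs to tagged VLANs.
! Only the VLANs the AP needs are allowed and DTP negotiation is off.
interface GigabitEthernet0/3
 description wireless AP
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,30
 switchport nonegotiate
!
! SPAN for a Snort sensor: copy all traffic on the pfSense uplink to the
! sensor port. Inter-VLAN traffic never crosses that uplink, so add
! "source vlan 10 , 20 , 30" to the session if the sensor should see it.
interface GigabitEthernet0/4
 description Snort sensor
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/4
```

Two things the thread does not spell out. First, pfSense needs the reverse: its LAN NIC sits at 10.0.99.1/24 with static routes for 10.0.10.0/24, 10.0.20.0/24 and 10.0.30.0/24 via 10.0.99.2, and outbound NAT has to cover those routed subnets, otherwise replies from the Internet have nowhere to go. pfSense still filters everything Internet-bound, since it all arrives on the transit VLAN. Second, the `established` line is the only way a stateless IOS ACL lets the trusted VLAN open connections to the media VLAN, and it only works for TCP; if the traffic between VLANs needs stateful filtering (UDP streaming, for instance), that is the case for routing those VLANs through pfSense instead and accepting the trip over the same wire twice.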
 
I believe pfSense will do what you're looking for. When I first started playing with it I filled all the PCI slots with NICs with no problems.


By the way, you don't need to draw me a diagram, ;) I can picture in my head one box with a LAN line and a WAN line.
 
Not sure what version of ASA my buddy has. I'll have to ask. Is the Security Plus license $500 just for the license itself? Is that something you can buy after purchasing the ASA, or do you have to buy the license at time of purchase?

Makes sense that some type of layer 3 device is what I need. I appreciate the offer about your 3550, I'll have to see how long I can use my buddy's ASA.
 
[attached image: ut1.PNG]
 
Thanks for info Scotty, I've tried untangle but it wasn't for me.

@Dash, different thread and different issue.

Had some conflicting answers previously about the firewall but it's straight now. Appreciate the input all. This forum is great.
 
We are all here to help :)
 
I was just trollin' dash...

BTW I'll be configuring UT tomorrow at our newest facility. Woot!

Maybe I'll take pics so dash can fap.:p
 
pfSense will support as many NICs as you can fit with your hardware.

While I generally agree with what has been posted above (a managed layer 3 switch would be ideal for VLANs), you have the option (potentially, if you can fit enough NICs) to effectively use your pfSense box in its place. You might be able to get a better deal on a quad GigE NIC (or 10/100 if you don't need gigabit) than on a managed layer 3 switch.

You can get licensing after the fact for ASAs, but as stated it's expensive, and Cisco is a PITA to work with if you aren't certified with them.
 
Thanks for reply obrith. I have a supermicro 1U that has 2 NICs and a slot for an additional NIC. I would prefer to use multiple NICs and set up VLANs on each NIC but the problem is that I don't have enough NICs to do what I want to do. I could assign multiple VLANs to one NIC and use a layer 2 switch but then I would be looking at a speed decrease because all traffic would have to be sent to pfSense box for routing.

So unless I am overlooking something, I need a device which can provide layer 3 routing. I am not certified on Cisco, so it will probably be a mofo to work with, but I could do some research and figure it out.
 
The ASA I was going to use unfortunately doesn't have a Security Plus license on it, and I need more than 2 VLANs.

I found a 3350 for less than $300 that might work but the problem is that it is noisy and it will need to be placed in a high traffic area.

Any suggestions on a more quiet layer 3 device? Getting desperate at this point, can't seem to find a workable solution.
 
The big question is, do you need a 10/100 or a gigabit switch? Also, how many extra ports do you need to have on your pfSense box to make it work for you (without the NEED for a layer 3 switch)? As Obrith pointed out, a quad port gig card may likely be cheaper than a gigabit layer 3 switch, and if all you need are 4 extra ports, here's the card that Obrith was talking about:
http://www.newegg.com/Product/Product.aspx?Item=N82E16833106050
It's for a PCI-E slot and I'm only guessing that's what you have in your supermicro server since that's what I have in mine.
 
Dude, I think you just saved the day. I must have read right over Obrith's post about the multi-port NIC card. I only thought you could get a one-NIC expansion card for the Supermicro board. That wouldn't have worked.

I do believe it is a PCI-E slot. Man, if I don't have to buy a switch I will be a happy camper.

Last question that will either make or break this setup. Is there a way to "mirror" all traffic to one port using the setup you suggested? i.e. for traffic analysis so that I can attach a Snort box to one of the ports.
 
A card like that is indeed what I was suggesting. Supermicro makes Intel chipset quad cards like those too (potentially a bit cheaper). One thing you need to be aware of is the igb drivers are not happy campers in my experience with pfSense 1.2.3 but should work fine in 2.0, which is coming up on RC any time now.

I've not set up a mirror port, but it should be easy to set up.
 