pfSense/ OPNsense help

[coxhaus]

I think you are better off only using 1 LAN connection which could be a lagg connection out of a firewall. I think it is better design. The only data I want on my firewall leg is internet traffic. All local network traffic stays in my local network. Even with layer 2 traffic I think it is a better design.

I use multiple APs connected to my switch. I use 2 SSIDs on each and every AP. Each SSID is a separate VLAN. I use 1 SSID for guest. Each SSID has both 2.4 and 5 GHz defined to them. So, every AP has the same set up on it. As you move out of range of 5GHz then it will automatically switch to 2.4GHz. I have another AP waiting to be installed in my wife's sewing room. This will keep her on high speed 5 GHz as she has 2 walls for the signals to pass through right now.

I have a third Cisco CBW150ax AP waiting for my granddaughter to show up so she can help me install it. I want her to see how it is done. She is going to spend the summer with us. I already had my granddaughter redo under my supervision set up my core network using a large APC UPS. I made her redo all the cables and make them neat. She likes doing it. There are 7 devices in my core. She made the batteries hot in the APC. I was hands off; she was my hands. I just straw bossed.

My old Cisco APs had 2.5 gig ports but I decided it would be better to have more APs than fewer APs. And I have already moved to a 10 gig card in my pfsense router/firewall. I don't see me dropping down to 2.5gig. I am not happy with my 10 gig switch as it is still a little noisy.

My final plan which I have posted years ago would be to run a routing protocol between my router and my L3 switch. That way the router will pick up all the networks automatically from the switch through the routing protocol. So, I would like the connection between router and L3 switch to be a little larger than my internet bandwidth to account for router protocol overhead. In a small home network, it would not be very much but in larger networks it can chew up 10% or more of connection bandwidth.

The last is just me rambling.

 

[Thomas01]

I guess my first question is why do you need a switch and not just directly connect the backhaul to a LAN port on the hardware that is set up as your router?

I was originally going to do this, but now I also want the option to hardwire some of my devices and not only rely on WIFI. Also I got this switch instead https://a.co/d/asuUhnH

Does your AP have a 2.5 gig port?

I think so https://a.co/d/6T0WaGh

 

[ddaenen1]

a good thing you bought one with POE+ so your access points wouldn't need a separate PSU...

 

[Thomas01]

Will buying two usb to serial cables allow me to control my mini PC/firewall with my laptop? I want to be able to control it even when there is no internet connection and the firewall is down like when updating the software. Both the mini PC and my laptop don't have serial or com ports. Looking at 2 of this https://a.co/d/65XvRj4 and 1 of this this https://a.co/d/8wjyTFn

 

[ddaenen1]

why would you need a serial cable for that? As long as your LAN is up you should be able to access the firewall. If you also want to be able to see what it does when updating, assuming it is headless, you would need a board with IPMI or hook up a screen and keyboard to it. Afaik, you can't SSH into it when it is updating.

 

[Thomas01]

Afaik, you can't SSH into it when it is updating.

I know you can't that's why I want to connect with serial if/when it is down.

assuming it is headless, you would need a board with IPMI or hook up a screen and keyboard

I don't know what IPMI is or have it and I don't want to buy a monitor and keyboard just for this. I'm trying to use my laptop.

 

[Tech Junky]

@Thomas01

Serial is for devices that don't output video. Just configure RDP if you want a GUI or ssh into it and do it from cli.

 

[ddaenen1]

I know you can't that's why I want to connect with serial if/when it is down.


I don't know what IPMI is or have it and I don't want to buy a monitor and keyboard just for this. I'm trying to use my laptop.

IPMI allows you to remotely access and control your server though LAN but your motherboard either has it or doesn't. I am not very knowledgeable about serial connections. Hopefully other members can help you with that.

 

[Thomas01]

Just configure RDP if you want a GUI or ssh into it and do it from cli

These both require a network connection though. What if the firewall is down for updates or some other reason. I even read on the OPNsense docs that for major updates the firewall goes offlinse so use vga or serial to monitor the install of the update. I have a monitor but it is connected to my desktop gaming PC and it would be a pain to unplug and plug it back in to the PC again because it is a large desktop underneath my desk.

 

[Tech Junky]

pain to unplug

Get another HDMI cable and swap it in as needed. Or just wait for the firewall to come back online. It shouldn't take that long and you'll need a monitor to set it up anyway.

 

[Thomas01]

Or just wait for the firewall to come back online. It shouldn't take that long and you'll need a monitor to set it up anyway.

My original plan was to try and use serial to connect and install OPNsense so I don't have to use my PC gaming monitor. Now I'm planning to use the monitor for install and setup then for major updates just update from the web GUI and be blind during the update and hope nothing goes wrong.

 

[Thomas01]

@tgl How do you have the wired backhaul set up? Daisy chain the 2 APs together or some other method?

 

[tgl]

@tgl How do you have the wired backhaul set up? Daisy chain the 2 APs together or some other method?

Well, if you must know: the setup I'm currently running is two Zyxel NWA210AX each running in plain access point mode (no WDS), one on channel 36/80MHz and one on channel 153/80MHz to reduce interference. (DFS channels are right out in my area, so no 160MHz for me, not that I have many clients that could use it.) One of the Zyxels is directly wired to the main house ethernet and thence out to the wild internet. The other is on the far side of the building and I've got no appetite to run a cable to there, so the solution I've hit on is to repurpose the two XT8s that I was using as access points until I couldn't stand their flakiness anymore. One XT8 is wired to the main ethernet and is set up in access point mode, and it has clear line of sight to the other one running in media bridge mode, and the second Zyxel is plugged into that one. The XT8s run in U-NII-4 spectrum, that is 169/80 where there is pretty much nothing else in my neighborhood, so effectively I've got full-bandwidth backhaul from the second Zyxel with no interference on the client bands. Firmware 388.22525 on the XT8s seems to be stable enough for this purpose.

To be clear: I would not recommend this lashup as something designed on purpose. I ended up with this mainly because I couldn't stand to throw two expensive ASUS boxes in the recycle bin. But they are not an improvement on a length of CAT6, except for the fact that I don't have to explain a cable leading through the bedroom door to the wife.

 

[Thomas01]

@tgl Do you know of a simple way for me to set it up? your set up is pretty complicated. Can I just connect both APs to a switch and it would that work as a wired backhaul and give me max performance? Or could I daisy chain them somehow and would that work as a wired to give me full performance?

 

[Tech Junky]

Can I just connect both APs to a switch and it would that work as a wired backhaul

Yes. Tgls setup is creative in reusing things but if you use the switch it's better than the wireless backhaul in terms of speed and reliability.

could I daisy chain them somehow and would that work as a wired to give me full performance?

You could but, the 2nd port on the AP is only 1ge.

 

[Thomas01]

if you use the switch it's better than the wireless backhaul in terms of speed and reliability.

When I connect them both to the switch is there any setting I need to enable or change on the APs? Also do you know if there is a way to have one single network for my devices to connect to instead of having each AP broadcast a separate network?

 

[Tech Junky]

When I connect them both to the switch is there any setting I need to enable or change on the APs? Also do you know if there is a way to have one single network for my devices to connect to instead of having each AP broadcast a separate network?

Just connect them and configure them with the same SSID.

 

[coxhaus]

Multiple APs should all be configured the same way.

 

[Thomas01]

@tgl For the wired backhaul do I need to enable the mesh setting on the nebula app?

 

[ddaenen1]

@tgl For the wired backhaul do I need to enable the mesh setting on the nebula app?

My recommendation would be to leave mesh off and just configure all AP's with same SSID and password. This works seamless for me.