Recommend managed switch for my needs

snbf7889

I have a pfSense box and need an 8-16 port managed switch to configure VLANs on both a wired network and a wireless AP. I would strongly prefer a POE port to power the AP.

Looking gets me more confused. The Ubiquiti solution with their cloud key seems ridiculously overkill for my needs and like another piece of hardware to buy.

The TP-Link EAP 225 v3 should serve my needs fine as a wireless AP but I am hesitant to pair it with a TP-Link switch and pfSense. I have read of TP-Link issues with pfSense on their forums.

The end goal is:

wired and wireless main networks
guest wireless network
IoT wireless network

I basically just want to isolate devices so my IoT devices are not able to see my other devices and computers. Looking for better security.
 
The Ubiquiti Unifi controller software is free and can run on Windows, Linux or Mac. You also do not need it to run 24/7, unless using a feature that requires it, e.g. captive portal or Zero-Handoff. You can just use it to initially configure Unifi products and turn it on for any other changes later. Some people run it on Raspberry PIs or even in the cloud.

Like you said, there are many managed switches, even PoE managed ones. Here are two easy to use managed PoE+ ones: Zyxel GS1900-10hp (77W PoE) or Zyxel GS1900-8HP (70W PoE). Or you can just get a Unifi PoE switch, which are only a little bit harder to use and conveniently have the Unifi interface for greater visibility into your network: US-8-150W (150W PoE) or US-8-60W (60W PoE).

Netgear GS-108T is a good choice to pair up with a pfSense router...

I do not recommend this switch, if it refers to the GS108Tv2. It is functional, but in not uncommon Netgear fashion it has significant failings, especially in security:
  • it uses Java in the browser for a viewer component, thankfully non-critical
  • it has no secure remote access by default
  • it is extremely difficult to enable secure remote access (not sure it is actually possible since most give up before then)
  • it has unsecurable open ports (port 4242)
Its interface is also very clunky, especially managing ACLs and VLAN memberships.

To cap it all off, it is very unusually marketed as a PoE switch, but that only refers to it itself, i.e. a PoE PD device aka. PoE IN, not that it supplies PoE power to other devices aka. PoE OUT.
 
I appreciate the replies. The Zyxel switches look like they may be what I need. How would they pair with a TP-Link EAP 225 v3 for the wireless?

I am really surprised there isn't an 8-12 port managed switch with a single POE port to power a wireless AP out there that is universally recommended for users in my situation. I realize pfSense is not very common but the choices out there can be frustrating to wade through.

That said, please keep the recommendations coming!!!
 
The recommended switches will pair perfectly well with most APs because the switches export standard PoE 802.3af (and higher powered PoE+ 802.3at) which the TP-Link EAP225v3 accepts.

The Unifi switches also support 24V Passive PoE which the Unifi APs and EAP225v3 additionally support.

I am really surprised there isn't an 8-12 port managed switch with a single POE port to power a wireless AP out there that is universally recommended for users in my situation. I realize pfSense is not very common but the choices out there can be frustrating to wade through.

That is not economical. If you have ONE PoE device, you would almost certainly add more later, e.g. PoE APs and PoE cameras.

There is no single recommendation possible, as you have found out in your own research. I do not see what pfSense specifically has to do with anything - it is just another OS, just dedicated to router functions.
 
I do not recommend this switch, if it refers to the GS108Tv2. It is functional, but in not uncommon Netgear fashion it has significant failings, especially in security:
  • it uses Java in the browser for a viewer component, thankfully non-critical
  • it has no secure remote access by default
  • it is extremely difficult to enable secure remote access (not sure it is actually possible since most give up before then)
  • it has unsecurable open ports (port 4242)
Its interface is also very clunky, especially managing ACLs and VLAN memberships.

Interface is a bit ugly, and I would agree on the Java component for device view... but that info can be obtained in other screens, the Java thing is a summary view.

POE - Don't pick the switch for POE stuff - that support is old and obsolete, it's there, but I wouldn't use it.

The other items - e.g. secure remote access parts 1 and 2 above - shouldn't be exposing the switch (or any managed switch for that matter) to the public internet. If one doesn't, then point 4 above is likely moot - who would port forward 4242/tcp to the WAN?

ACLs and VLAN membership are a bit clunky, the WebUI is showing its age, but once one gets the hang of things... it's pretty straightforward.

My point for recommending the GS-108Tv2 is that it's a layer 3 Lite switch that is under $100USD, and that's a lot of capability for the price.

Combine that with the capabilities on a pfSense router, things are pretty good... and that's why I recommended it.

BTW - you missed 64515/UDP - which is SmartWizard Discovery Tool
 
Did we not have an entire discussion about the dangers and relative technical ease of attacking internal devices? And that was just one type of attack vector ...

Not even most ordinary consumers would consider putting a switch directly on the Internet, so what's your point? Are you trying to say that without such direct exposure it cannot be attacked?

The Netgear GS108Tv2 is a significant security risk in at least three different ways, which is poor even for consumer standards: likely insecure client component, insecure client access, insecure remote access and there's no way to fix these on the device itself. The best you can do, which is beyond most consumers' knowledge, is to segregate the device, e.g. via Management VLAN and/or external firewall.

Also, it is beyond a stretch to call an L2 switch with fewer L2 features than (under $100USD) competitors, and not even L3 static routing, "a layer 3 lite switch". Even Netgear considers it just a plain L2 device.
 
I appreciate the replies. It looks like the Zyxel GS1900-8HP and TP-Link EAP225 v3 will do what I am looking to do. Before I order I would just like to confirm.

pfSense firewall >>> Zyxel GS1900-8HP >>> EAP225 v3

I would have 2-3 wired devices off the GS1900 and about 8 devices on the EAP225. I would like to have the wireless separated into multiple SSIDs and VLANs to be able to segregate things like Roku devices and IoT thermostats from my laptop and NAS devices.

Am I on the right track?
 
Yup, perfect.
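
Added example, not written by any poster in this thread: a small Python model of the segmentation goal discussed above (IoT and guest VLANs cut off from the main LAN and from the switch's management address, including port 4242). It assumes top-down, first-match, default-deny rule evaluation per interface, as pfSense applies to interface rules; the subnets, host addresses and rule format are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption): MAIN 192.168.10.0/24,
# GUEST 192.168.20.0/24, IOT 192.168.30.0/24, MGMT 192.168.99.0/24.
SWITCH_MGMT = "192.168.99.2"   # switch management IP on the MGMT VLAN
NAS = "192.168.10.20"          # a host on MAIN
INTERNET = "203.0.113.10"      # documentation address standing in for the WAN
PRIVATE = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
ANY = (ip_network("0.0.0.0/0"),)

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    dst: tuple                       # destination networks matched
    ports: frozenset = frozenset()   # empty set means any port

def decide(rules, dst_ip, port):
    """Top-down evaluation: first matching rule wins, no match is a deny."""
    dst = ip_address(dst_ip)
    for rule in rules:
        if any(dst in net for net in rule.dst) and (not rule.ports or port in rule.ports):
            return rule.action
    return "block"

def audit(rulesets, probes):
    """Return (iface, dst, port, got) for every probe that misses its expected action."""
    findings = []
    for iface, dst, port, want in probes:
        got = decide(rulesets[iface], dst, port)
        if got != want:
            findings.append((iface, dst, port, got))
    return findings

def iot_rules(gateway):
    """DNS to the firewall only, then block all private space, then allow the rest."""
    return [Rule("pass", (ip_network(gateway + "/32"),), frozenset({53})),
            Rule("block", PRIVATE), Rule("pass", ANY)]

PROBES = [  # what the segmentation is supposed to guarantee
    ("IOT", SWITCH_MGMT, 443, "block"), ("IOT", SWITCH_MGMT, 4242, "block"),
    ("IOT", NAS, 445, "block"), ("IOT", INTERNET, 443, "pass"),
    ("GUEST", NAS, 445, "block"), ("MAIN", SWITCH_MGMT, 443, "pass"),
]
GOOD = {"IOT": iot_rules("192.168.30.1"), "GUEST": iot_rules("192.168.20.1"),
        "MAIN": [Rule("pass", ANY)]}
# Same rules with the allow-all moved above the block: the block never matches.
BAD = dict(GOOD, IOT=[Rule("pass", ANY), Rule("block", PRIVATE)])

if __name__ == "__main__":
    print("good:", audit(GOOD, PROBES))
    print("bad: ", audit(BAD, PROBES))
```

The model ignores TCP/UDP distinctions and floating rules; the point is that rule order alone decides whether the IoT VLAN can reach the switch's management ports.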
 
Like Zyxel, FS has two models of 8-port PoE switch that can serve your need: S1130-8T2F (130W) and S1250-8T2F (250W). They are compliant with IEEE 802.3af/at, connecting to VoIP phones, wireless APs and IP surveillance cameras for intelligent switching and network growth. They come with 8x 10/100/1000Base-T RJ45 Ethernet ports, 1x console port, and 2x Gigabit SFP slots; the transmission distance of the SFP fiber port can be up to 120km.
 
Any thoughts on the 8 port/4 PoE Netgear GS108PEv3 ?
I just got one but it appears the ZyXEL GS1900-8HP has better & easier admin software experience and 8 PoE ports for future expansion.

Netgear seems to have better customer support but User software looks outdated & not so easy to use.
 
It's a nice managed layer 2 8 port switch - you can do VLANs (as this is all layer 2) and this is what is good enough for most folks. Just keep the WebUI/config private, put a decently strong PW on it, just in case of internal LAN malware, and you'll be right as rain...

Some folks like the GS-108T series, as they are layer 3-lite, and have some routing capability (as routing is all layer 3) at the IP layer... but that's a luxury few people need, and for many, can add additional complexity.

Like I mentioned earlier - I tend to recommend the 108T, keeping capability in reserve, but the 108PE is good...
 
I do not see what pfSense specifically has to do with anything - it is just another OS, just dedicated to router functions.

Then you can't appreciate what pfSense can do in the hands of one that can admin it.

One can do similar/same with Windows, MacOS (yes), Linux - pfSense focuses on specifics for L2/L3 packet handling.
 
I have both 108E and 108T. Bought the T after frustrating experience with the E. Web UI pretty trash, the Windows utility that ‘discovers’ the switches and updates firmware is also trash. Mostly just clunky, and configurations won’t stick after being applied (or applied wrong). I don’t like talking to level 1 tech support so never tried to contact them, can’t comment on that.

Granted when I was first trying to set up VLANs with it I was more inexperienced and robocfg is not the greatest either on the Asus router side. Frustration all around.

@sfx2000 How was your experience configuring the 108(P)E? Maybe I’ll give it another go when I find some time.
 
I've had limited experience with the 108(p)e - since the price difference is close (shop around, seriously, sometimes the 108t is cheaper than the 108e) - I'd agree that the UI is clunky, and non-intuitive...

My go to low-end is the 108t, mostly because of the SNMP support, ACL's, QoS, and https access - the 108t has these, the 108e does not.
 
So I ordered the switch and AP and so far so good. I have them installed and will attempt the VLAN setups this weekend.

However, I am having an issue on the Zyxel GS1900-8HP. The web management interface is not displaying correctly in the browser. It seems to work fine on Edge, but Chrome and Firefox do not display the text for words at all. I have to highlight the text for it to show up. I tried OSX & Windows 10 and it only works on Edge on W10.

The TP Link interface is fast, nice, and works on everything. So there's that.
 