Can this desired Network configuration be achieved?

[Dangermouse]

Firstly, thanks to everyone who contributes here, been lurking for a while and it's provided great value. Hopefully I will hit a stage to be able to give back one day.

I won't bore you you with what I think I know to save people needing to correct me.

What I'm using:

- 1 x pfSense router/firewall
- Managed switch with full VLAN support
- 2 x RT-AX86U

I want the ability to have wired VLANs and wireless VLANs to segregate my homelab/iot/guests etc.

The issue I'm having is the physical layer given an awkward distance between ONT vs my Homelab rack where the pfSense box resides.

Is it possible to have a physical network layout as follows:

WAN
| [Fibre]
ONT
| [Eth cable 1]
86U in AP mode allowing inbound WAN traffic to 'pass through' initially
| [Eth cable 2]
pfsense firewall/router filters WAN traffic
| [Eth cable 2]
86U in AP mode receiving filtered WAN traffic (back down the same wire it allowed the WAN to originally pass through) from the pfSense box to then serve the wireless clients... seperated by VLANs

I am currently ignoring the second 86U available but feel free to use it in your answer.

The main issue is I have only ONE ethernet cable as a physical backbone between the ONT and where I want the WAN traffic to flow via the pfSense box and where the AP needs to be. Moving the pfSense router close the ONT and AP is not possible.

Any ideas greatly appreciated even if throwing out the original idea and laughing at me is needed. If the best solution is tear up the ceiling to run another wire, that's also fine. (This is what I actually think is required)

Thank you.

 

[Tech9]

You need managed switch at ONT location with WAN and LAN VLANs/ports defined, your pfSense box with the same VLAN configuration and the AX86U router in AP mode connected to the switch LAN port. The switch configuration is similar to running pfSense box with single NIC as router on a stick.

 

[Dangermouse]

You need managed switch at ONT location with WAN and LAN VLANs/ports defined, your pfSense box with the same VLAN configuration and the AX86U router in AP mode connected to the switch LAN port. The switch configuration is similar to running pfSense box with single NIC as router on a stick.

Appreciated. Just read up on "router on a stick" too.

I've just ordered a small managed switch based on your advice to try this out.

Despite this I was thinking about using the AX86U as a Router instead and having it act as the WAN gateway for my lab to physically rather than just logically seperate the lab from the household.

Idea being messing around with my lab has no consequence to others and some increased security/insurance against mistakes.

I see the tradeoff being household network doesn't benefit from pfSense unless I put another box inline for that.

If you have any 1 liner opinions/cautions regarding that course of action then please shout them out, but no worries if not and thanks again for your time.

Cheers.

 

[Tech9]

You can use your "lab" in double NAT behind whatever is your main network. This is unrelated to your original question though. Home routers with no VLAN support don't make good APs to VLAN capable router/firewall anyway. If your pfSense gets out of the "lab" you may need new proper APs for it.

 

[Dangermouse]

You can use your "lab" in double NAT behind whatever is your main network. This is unrelated to your original question though. Home routers with no VLAN support don't make good APs to VLAN capable router/firewall anyway. If your pfSense gets out of the "lab" you may need new proper APs for it.

*Googles Ruckus Access Points on Unleashed*! ;-)

Cheers

 

[Justinh]

AX86U router in AP mode connected to the switch LAN port.

You mean the AP would be connected parallel to the pfSense firewall? Shouldn't it be after the pfSense box?

 

[Dangermouse]

You mean the AP would be connected parallel to the pfSense firewall? Shouldn't it be after the pfSense box?

Does @Tech9 solution by inserting a managed switch not make it such that the AP is logically after the pfSense box?

 

[Tech9]

You mean the AP would be connected parallel to the pfSense firewall?

No. The WAN and LAN share the same physical interface separated by VLANs. WAN goes to pfSense and then LAN goes back to the switch on the same Ethernet cable where the AP is connected to ports defined as LAN on corresponding VLAN. It's doable, but has some performance penalty and some more complex configuration.

Googles Ruckus Access Points on Unleashed

Google something like UniFi or Omada instead. They are better fit for home installation. Ruckus is expensive, I've got 4x R750 on a deal price of $2000.

 

[CaptainSTX]

You need managed switch at ONT location with WAN and LAN VLANs/ports defined, your pfSense box with the same VLAN configuration and the AX86U router in AP mode connected to the switch LAN port. The switch configuration is similar to running pfSense box with single NIC as router on a stick.

Will this work or will the OP need a pair of managed switches, one at each end of the cable, so they can run a 802.1Q VLAN(s) since he wants to use a single cable run for both the WAN and LAN?

I have never tried to run both a WAN and LAN over the same cable using a 802.1Q VLAN. My setup uses a pair of relatively inexpensive TL SG108E smart switches which allows three VLANs to share the same cable.

 

[Tech9]

Will this work or will the OP need a pair of managed switches

It will work because the pfSense box on the other side is also VLAN capable. It plays the role of the second managed switch in your question, with data processing in between. I was actually running pfSense for some time on a single NIC HP EliteDesk Mini PC. It was working pretty well and as user experience you can't tell the difference.

 

[CaptainSTX]

It will work because the pfSense box on the other side is also VLAN capable. It plays the role of the second managed switch in your question, with data processing in between. I was actually running pfSense for some time on a single NIC HP EliteDesk Mini PC. It was working pretty well and as user experience you can't tell the difference.

Thanks. Useful information if I ever need it for a future setup.