Managed / Smart Switch for secure home networking


erraticsemotional

Occasional Visitor
Traffic passing through the switch from the WAN is not a problem. The traffic would have to be directed at the switch, which should not happen if your firewall is set up correctly. Now the switch is not immune from rogue LAN users. I thought you were talking about your home. If you're talking about a business then that is a different story. You may want to update your switch firmware more often. But then again, if this is a business it would be better practice to put the switch management IP on a management VLAN (and subnet) that is not accessible to normal LAN users and employees.

Abailey,

It is for home use, I just want to ensure I am applying best practices. I am going to assume when you say the firewall is set up properly, you mean it only accepts and passes traffic that originated from inside the LAN.

My intent is to have only two VLANs, one for guest WiFi, the other for my home network, but per your recommendation, I may also consider putting the switch and access point management onto its own VLAN. Again, a seemingly basic question: say my laptop is on my home network and I need to change settings on my AP / router / switch on a different VLAN, how would I change the VLAN my laptop is on to access the AP / router / switch, and how would I prevent unauthorized guests from doing the same?
 

abailey

Very Senior Member
Abailey,

It is for home use, I just want to ensure I am applying best practices. I am going to assume when you say the firewall is set up properly, you mean it only accepts and passes traffic that originated from inside the LAN.
Yes, exactly

My intent is to have only two VLANs, one for guest WiFi, the other for my home network, but per your recommendation, I may also consider putting the switch and access point management onto its own VLAN. Again, a seemingly basic question: say my laptop is on my home network and I need to change settings on my AP / router / switch on a different VLAN, how would I change the VLAN my laptop is on to access the AP / router / switch, and how would I prevent unauthorized guests from doing the same?

There are many ways to do this. At my house I usually use the same device to administer my network, so I would just use ACLs to allow only my PC to access the management devices on the management VLAN. Other things you could do would be to make an SSID to attach to when you want to manage, or a specific port on a switch you plug into when you want to manage. I use Untangle for my firewall but pfSense would also be able to do ACLs (I assume). If you really wanted to go all out you could use login IDs from RADIUS or Active Directory and allow access for your ID. Anyway, that is what I would do if I wanted a separate management VLAN. In reality I do not have a separate management VLAN at my house as I don't really see a need for it. My visitor network is isolated from all other networks, so it is just my family on the internal network, and all the management devices have IDs and passwords.
 

System Error Message

Part of the Furniture
Always go for the slightly higher end when choosing between two, usually better firmware and features. For example, within the same line of Netgear ProSafes the lower-end one supports LACP but only one kind, whereas the higher-end one supports more types of LACP with fewer restrictions.
 

abailey

Very Senior Member
VLANs and layer 3: in a sense you tell the router not to route between them.
This exactly.
I assume anything I can do, routing-wise, in Untangle, you can also do in pfSense. I have not used pfSense but my understanding is it is very good at routing. So I assume it can do this. I simply told my firewall to drop any packets originating from my visitor network that are destined for any of my internal networks (all separated by VLANs on their own subnet).
 

System Error Message

Part of the Furniture
This exactly.
I assume anything I can do, routing-wise, in Untangle, you can also do in pfSense. I have not used pfSense but my understanding is it is very good at routing. So I assume it can do this. I simply told my firewall to drop any packets originating from my visitor network that are destined for any of my internal networks (all separated by VLANs on their own subnet).

You forgot to do the other way round. This means that your visitor network can see your main network but not communicate, and vice versa for the main network. If you forgot, you may not see it because many LAN things work using layer 2 detection, which using VLANs would stop; at layer 3, on the other hand, some things on the LAN or some network applications don't distinguish between LAN and internet, only what they can get their hands on.

When you drop on the input and forwarding, you must also remember to drop on the other way as well. For example, dropping DNS input from the internet, you also have to drop DNS output towards the internet as well. Same with forwarding: just copy the rule and exchange the destination and source. However, you don't need a firewall filter to do this, as you can do this with static routes to drop or set it to unreachable.
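The two posts above (abailey's ACL restricting the management VLAN to a single admin PC, and the advice just given to mirror every inter-VLAN drop rule) can be checked against a small model. The following is an added example, not code from the thread or from pfSense or Untangle: a stateless, first-match rule evaluator over constructed VLAN subnets. It shows that a lone "drop visitor -> internal" rule still lets the internal VLAN initiate toward the visitor VLAN, that adding the mirrored rule closes that, and how a per-host ACL keeps everyone but the admin PC off the management subnet. All subnets, addresses and rule names are assumptions chosen for illustration.

```python
"""Toy inter-VLAN firewall policy evaluator (added example, constructed data).

Stateless and per-packet: it answers only "which side may initiate", which is
the asymmetry the post above warns about. Real pfSense/Untangle rules are
stateful on top of this, so return traffic of an allowed flow is handled there.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List

# Constructed VLAN subnets: one /24 per VLAN, as the thread describes.
INTERNAL = ip_network("192.168.10.0/24")   # home network VLAN
VISITOR = ip_network("192.168.20.0/24")    # guest WiFi VLAN
MGMT = ip_network("192.168.99.0/24")       # switch / AP management VLAN
ANY = ip_network("0.0.0.0/0")
ADMIN_PC = ip_network("192.168.10.50/32")  # the one host allowed to manage


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "drop"
    src: IPv4Network
    dst: IPv4Network
    comment: str = ""


def decide(rules: Iterable[Rule], src: str, dst: str, default: str = "allow") -> str:
    """First matching rule wins; an unmatched packet gets the default policy."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return default


def mirrored(rule: Rule) -> Rule:
    """Copy a rule with source and destination swapped: the post's advice."""
    return Rule(rule.action, rule.dst, rule.src, f"mirror of: {rule.comment}")


def isolated(rules: Iterable[Rule], a: str, b: str) -> bool:
    """True only when neither host may initiate toward the other."""
    rules = list(rules)
    return decide(rules, a, b) == "drop" and decide(rules, b, a) == "drop"


# Policy 1: only what the earlier post configured, visitor -> internal dropped.
ONE_WAY: List[Rule] = [Rule("drop", VISITOR, INTERNAL, "visitor may not reach internal")]

# Policy 2: the same rule plus its mirror, so neither VLAN can initiate.
TWO_WAY: List[Rule] = ONE_WAY + [mirrored(ONE_WAY[0])]

# Policy 3: management VLAN reachable only from the admin PC (abailey's ACL).
# Order matters: the host-specific allow must precede the catch-all drop.
MGMT_ACL: List[Rule] = TWO_WAY + [
    Rule("allow", ADMIN_PC, MGMT, "admin PC may manage switch and AP"),
    Rule("drop", ANY, MGMT, "everyone else is kept off management"),
]


def audit(rules: Iterable[Rule], flows):
    """Return [(src, dst, decision)] for a list of (src, dst) flows."""
    rules = list(rules)
    return [(s, d, decide(rules, s, d)) for s, d in flows]


if __name__ == "__main__":
    guest, home, mgmt_sw = "192.168.20.5", "192.168.10.7", "192.168.99.1"
    flows = [(guest, home), (home, guest), ("192.168.10.50", mgmt_sw),
             (home, mgmt_sw), (guest, mgmt_sw), (guest, "203.0.113.10")]
    for name, policy in (("ONE_WAY", ONE_WAY), ("TWO_WAY", TWO_WAY), ("MGMT_ACL", MGMT_ACL)):
        print(name)
        for s, d, verdict in audit(policy, flows):
            print(f"  {s:>15} -> {d:<15} {verdict}")
```

Run it and compare the ONE_WAY and TWO_WAY sections: the only line that changes is home -> guest, which is exactly the direction the one-rule setup leaves open. The guest -> 203.0.113.10 line (a documentation-range address standing in for the internet) stays allowed in every policy, since none of the rules touch WAN-bound traffic.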
 

LoneWolf

Senior Member
I currently have three switches in my house.

1. A Cisco SG300-10MPP as my core. PoE+, fanless, and can be Layer 2 or Layer 3 (you'll probably never use L3). It supports every option you can think of, and is rock solid and well supported with firmware.
2. When I ran out of ports in that area, a Dell PowerConnect 2816 16-port. Also fanless, non-PoE, but managed, with reasonable features once you set it to managed mode. Note that by default, it is in unmanaged mode; you need to follow instructions to set it to managed.
3. In my TV/media area, a Netgear GS110TP PoE+ fanless 10-port. Tim mentions that Netgears are "swear-by-or-swear-at"; he's not wrong. They generally do the job, but their management GUI can be slow depending on model. They will run fine for home managed-switch setups, and are inexpensive, but it's important to know what you're getting. The GS110TP is a really great value for spaces where you need a small-space, quiet managed switch and even has fiber uplinks. Tim has reviewed this switch.

All three of these switches are silent, with solid metal chassis. All three support LAGs with LACP, VLANs, Jumbo Frames, and Rapid Spanning Tree. The Cisco and the Netgear can be linked via fiber patch, but that's not necessary (their fiber ports also have adjacent gig network ports that are either/or).
The Cisco and the Netgear work nicely if you have a couple of PoE+ access points or cameras; the Netgear has a max of four PoE ports of the ten total. Note that the Cisco SG300 has multiple models that do PoE; a P at the end means PoE, a PP means PoE+, and an MPP means Max power (higher power distribution) and PoE+.

TPLink's stuff isn't bad for being inexpensive; I might have used one in place of the Dell if I didn't get that one for free. However, all of the above three switches can be found reasonably used if you are willing to look and do your homework. None of my switches were purchased new.
 

sfx2000

Part of the Furniture
So after years of consumer grade networking, I'm taking the plunge into something more robust.

My plan includes an Access Point, Pfsense router, FreeNAS. I plan on using 9 wired clients, with another 5~6 wireless clients. My primary concerns with the switch is security, stability, performance, low noise, and energy efficiency.

I am looking for a 10 ~ 16 port 1GbE switch, more ports is OK. I think I may need to look into smart / managed switches to enable Link Aggregation and Vlans.

Take it from me - I'm a fairly experienced Systems Design Engineer - I've done a lot of stuff over the past 25 years - from wireless chipsets, to handsets, to system optimization to big data...

In a small LAN/WLAN - 80 percent of performance/capacity can be done in about 10 minutes - and that's enough for most - and something to consider - good enough works, eh?

So folks, like in this thread (and others) - spend 80 percent of time trying to find that 20 percent, the 20 percent that might be there, but likely not, because of variability across different clients, consumer grade WAN connections, etc...

As part of that spend - not just time, but also real money, rolling different switches, routers, etc...

Let's just say that for most folks on a home/small biz LAN/WLAN - keep it simple and flat - flat networks work better for most...

There are situations on the WAN side with converged services - e.g. Broadband/TV/DialTone, and that's where things tend to fall apart with Operator Provided Premises Equipment - it used to be that folks might advise bridging a Modem/Router/AP and replacing it with something different. Not good advice these days - better to put one's own network into the Operator's device DMZ if allowed...

Folks will tweak - that's ok, reminds me of the ugly old days of DOS - tweaking the autoexec.bat/config.sys trying to find that last little bit of free memory... a couple of years back, that might also apply to consumer grade routers as well...

I guess what I'm getting at is what is important - some folks don't have much better to do than adjust a setting, and see how it works, but others, just give me something that meets that 80 percent, and they're totally cool with it.

As for me - I'm a total packet geek, and if you've followed my posts, you know this - if it's not on the "wire" it doesn't exist, but at the same time, my home network is amazingly simple and flat...

With small networks - simple is always better at the end of the day...
 

stevech

Part of the Furniture
Take it from me - .....
With small networks - simple is always better at the end of the day...
I agree 1,000%.

In Wireless, and UNLICENSED shared-use wireless, most impairments are beyond your control, unless you are in the only house for miles around.
 

L&LD

Part of the Furniture
I tell my customers that they get 90% of my knowledge for 99% off list price (the cost to me over decades of learning by doing, or i.e. 'experience'). If they want that last 10% performance? They need to put me on payroll (one way or another). :)

(Because to keep the performance up consistently, I have to keep fiddling with their network).
 

erraticsemotional

Occasional Visitor
sfx2000,

Point taken - my network is pretty flat and simple. I just want to ensure guests (and other unauthorized people) aren't accessing my data. I will probably take the advice above and keep it to one VLAN and maybe set up an ACL for administration.

After doing some more research, I have decided against the TP-Link switches recommended because of negative reviews regarding their poorly translated manual / interface. I am leaning towards the HP 1920-16. I know people say it's a re-badge of 3Com switches, but the manual is well written and seems to check all the boxes. I know I might not take advantage of the L3 features, but having clear instructions is more important to me.

Thanks again for all the help!
 

LoneWolf

Senior Member
sfx2000,

Point taken - my network is pretty flat and simple. I just want to ensure guests (and other unauthorized people) aren't accessing my data. I will probably take the advice above and keep it to one VLAN and maybe set up an ACL for administration.

After doing some more research, I have decided against the TP-Link switches recommended because of negative reviews regarding their poorly translated manual / interface. I am leaning towards the HP 1920-16. I know people say it's a re-badge of 3Com switches, but the manual is well written and seems to check all the boxes. I know I might not take advantage of the L3 features, but having clear instructions is more important to me.

Thanks again for all the help!

Calling HP a rebadge of 3Com is supposed to be an insult? 3Com had some excellent switches prior to their acquisition by HP, and was a heavy hitter in that field.
 

sfx2000

Part of the Furniture
Point taken - my network is pretty flat and simple. I just want to ensure guests (and other unauthorized people) aren't accessing my data. I will probably take the advice above and keep it to one VLAN and maybe set up an ACL for administration.

Unauthorized people are not allowed on my network ;)

And I've pretty much decided not to allow guests on my network - otherwise they do tend to lose focus on company and fellowship, and instead gaze into that metal and glass fondleslab..

But as long as one keeps it simple, a good switch, along with a quality AP (or two) - pfSense does run quite well, and there are other options like Sophos UTM and the like (VyOS is interesting, but not for the timid)
 

erraticsemotional

Occasional Visitor
Calling HP a rebadge of 3Com is supposed to be an insult? 3Com had some excellent switches prior to their acquisition by HP, and was a heavy hitter in that field.

No, not at all! Just an observation from the research I've done. Most HP equipment I've owned prior hasn't been very good, hopefully the switch retains the quality associated with 3Com's legacy.
 

LoneWolf

Senior Member
No, not at all! Just an observation from the research I've done. Most HP equipment I've owned prior hasn't been very good, hopefully the switch retains the quality associated with 3Com's legacy.

HP equipment can be of two distinct divisions: Consumer, and Enterprise.

I'll agree with anyone that consumer-level equipment isn't very good, and support is poor. On the other hand, Enterprise gear (all of their business lines) is usually decent stuff. There are lines of equipment that I won't buy due to it being hard to build-to-order at the right price (laptops come to mind), but the gear is generally good. I own two of their Gen8 servers, and can attest to their quality. Their switches are reasonable gear too, though I don't own any of those. The one downside is that for a number of bits of their Enterprise gear, you may need an active support contract to get firmware updates.
 

MoBlues

Occasional Visitor
Not much help for those of us that are primarily Mac/Linux - the management util for the TP-Link switch is Windows only...
"Configuring the SG108E requires installing TP-Link's Easy Smart Configuration Utility, shown below, which supports only Windows. I was able to install the utility on both Windows 7 and Windows 8.1 PCs."

Only the TP-LINK TL-SG2008 supports LACP LinkAgg and I'm not sure how many groups it allows. I just picked up a used Netgear GS108Tv1 for $40 USD because I wanted my editing PC and my Synology DS1515+ to have access to a Smart Switch which supports at least a group of 3+ (or more) LAG setups of 2-4 ports. [NOTE: LACP/LAG support on "Smart" Switches seemed to be limited by the group setup, so be sure to check that in the manual of the switch and double-check.]

Use Case: Movement of large video (4K-1080p) files to NAS > Switch > Editing-PC > Switch > Router. This is overkill, but the NAS will have 2-port LACP to the Switch and so will the main edit PC with its dual Intel NIC ports teaming config/setup, and then my awesome ASUS RT-AC66U router with LinkAgg support back to the switch. That's 3 grouped 2-port LAG setups on the Switch. The Netgear GS108Tv1 also supports both LAG setup and VLAN segmentation! Other research I did below was around price and of course full support of LinkAgg & VLAN, hope it helps someone else.

8-port Switch with LACP (IEEE 802.3ad) Link Aggregation & VLAN segmentation
(A) $40.00 -
Netgear GS108Tv1 Prosafe 8-port Gig Smart Switch

(B) $72.99 - Netgear GS108Tv2 Prosafe 8-port Gig Smart Switch [Revision 2 of Tv1 above]

(C) $32.99 - TL-SG108E V1 & TL-SG108E V2 & TL-SG108PE
**Supports up to 8 aggregation groups, containing 4 ports per group

(D) $37.99 - D-Link DGS-1100-08 8-Port EasySmart Gigabit Ethernet Switch (DGS-1100-08)
**Supports max of 2 groups, 2-4 ports per group (DGS-1100-08/-08P)**
**5 groups, 8 ports per group (DGS-1100-10MP) =$300

$24.99 - TP-LINK 8-Port Gigabit Ethernet Desktop Switch (TL-SG108) = NO LACP/LINKAGG
$84.79 - Trendnet 8-port Gigabit GREENnet PoE+ Switch (TPE-TG80g) = NO LACP/LINKAGG
 

abailey

Very Senior Member
Only the TP-LINK TL-SG2008 supports LACP LinkAgg and I'm not sure how many groups it allows. I just picked up a used Netgear GS108Tv1 for $40 USD because I wanted my editing PC and my Synology DS1515+ to have access to a Smart Switch which supports at least a group of 3+ (or more) LAG setups of 2-4 ports. [NOTE: LACP/LAG support on "Smart" Switches seemed to be limited by the group setup, so be sure to check that in the manual of the switch and double-check.]

8-port Switch with LACP (IEEE 802.3ad) Link Aggregation & VLAN segmentation
(A) $40.00 -
Netgear GS108Tv1 Prosafe 8-port Gig Smart Switch

(B) $72.99 - Netgear GS108Tv2 Prosafe 8-port Gig Smart Switch [Revision 2 of Tv1 above]

(C) $37.99 - D-Link DGS-1100-08 8-Port EasySmart Gigabit Ethernet Switch (DGS-1100-08)
**Supports max of 2 groups, 2-4 ports per group (DGS-1100-08/-08P)**
**5 groups, 8 ports per group (DGS-1100-10MP) =$300

$24.99 - TP-LINK 8-Port Gigabit Ethernet Desktop Switch (TL-SG108) = NO LACP/LINKAGG
$84.79 - Trendnet 8-port Gigabit GREENnet PoE+ Switch (TPE-TG80g) = NO LACP/LINKAGG

The TP-Link TL-SG108E supports LACP. It can have up to two groups with a max of 4 ports in each group.
$32.99 - TP-LINK 8 port easy smart switch TP-SG108E
 

MoBlues

Occasional Visitor
The TP-Link TL-SG108E supports LACP. It can have up to two groups with a max of 4 ports in each group.
$32.99 - TP-LINK 8 port easy smart switch TP-SG108E

You are correct! I was thinking of the TL-SG108 model. Well, I guess I over-paid for a used 8-port Netgear by about $7, but I'm hoping Netgear is a better product than the TP-LINK. I guess I could just return it to the eBay seller, especially if even one port fails. Guess I will do some testing once I get it next week.
 

trek_520

Regular Contributor
How many of these switches support a Management VLAN ID? So if I have a Local Network, Guest Network, and Management Network and have a trunk port created, can I set the master or default VLAN of any of these switches? It seems that this is a feature found in more expensive units. I wonder if most trunk ports also have DHCP servers running on them? I suppose for these they have to, or they will not pull an IP.

Also, I tried the TL-SG108E V2 and liked it. It does have a web GUI, so I think it could be managed from Mac/Linux.
 
