Need guidance on network setup

Rajat
Hi Folks,

I would appreciate some guidance on planning/optimizing my network layout. I am not very well versed with network planning or network infra but have played around with different tech over a period of time.

The first pic is my current network layout. A couple of points:

* 2 separate Fiber Broadband (1 Gbps) connections from 2 different ISPs.
* 2 different LAN networks. One for laptops, phones and the other for smart devices, Sonos, smart things, firetv, PlayStation, Tp-link smart bulbs, smart plugs etc.
* One network is Orbi Mesh (laptop, phones). The other one is Netgear router flashed with DD-WRT running Astrill VPN. Some devices tunnel through the VPN.
* Have an extender as some smart devices are on different floors. This is connected to the Netgear router.
* Running Cat 5/6 cables was not an option and looking for wireless solutions. Most of the client devices are on wireless as well.
* Pi-Hole DNS is connected to one of the networks. In the past, this network was also behind a Cujo firewall. This is mostly an experiment to test if some devices are too chatty :)


[Image: Current State.jpg]


With the new network (second image), I hope to:


[Image: Future State.jpg]


* Have a load balanced, multi-wan solution that combines both my internet connections. [Considering a Qotom device with Pfsense]
* Have a switch connected to Qotom. Doing this to segregate traffic into multiple VLANs to separate traffic. Not sure if this is possible or even the best approach.
* My understanding is it’s not possible to have VLANs for wifi, so planning to have the old router as an access point to connect the remaining smart devices.
* Netgear Orbi becomes an access point as well for the other laptops and phones.

I have a couple of questions:

* Does this design make sense? I am assuming there are better ways to achieve these outcomes than the franken-network that I have ;)
* Are there better multi-WAN/firewall options than Qotom/Netgate for combining multiple internet connections in a gigabit load-balanced scenario?
* I am assuming that the switch in the center would be able to create VLANs and separate traffic for different scenarios (Sonos, SmartThings, Fire TV, PlayStation, etc.). If so, what kind of switch should I consider?
* My current router (DD-WRT flashed) for smart devices has Astrill VPN for Netflix that some devices tunnel through. Would this be overkill in the new setup, or would pfSense itself suffice with OpenVPN?

Happy to hear from folks and would appreciate any guidance and feedback that you might have for me.

Best,
Rajat
 
* Dual WAN on pfSense obviously works (I have done it) and is not too difficult to set up. Read the documentation. Are you planning to run additional services (DPI, etc.)? If yes, size your Qotom appropriately; dual Gbps with packet inspection could be quite a load on the CPU.
* Your switch needs depend on what you are trying to connect to it. Do you need 10Gb? How many ports do you need, etc.? Pretty much anything will do VLANs.
* The model you consider would depend on your budget, your location (are you in the US, EU, somewhere else?), and whether or not you want to consider used hardware.

For myself (as an example):
I no longer run pfSense and went with a Mikrotik hEX (https://www.smallnetbuilder.com/lanwan/lanwan-reviews/33140-microtik-rb750gr3-hex-router-reviewed) as my router. Very cheap, simple, very low power consumption.
I have wired the following: server, 2 workstations, 3 NAS, network TV tuner from SD, 3 access points, network phone, network printer, AVR, TVs, etc. I do not want to have them all try to chat on wireless.
I am in US and ok with using used gear - using brocade 6450 switch as I have 10Gb NAS and servers I connect to it. it may be an overkill for you if you do not want 10gb speeds or have less devices.
I use UBNT for wireless - run the wired to the ceiling of the room (one room per floor), put UAP-AC-Pro one per floor, set up controller software and forgot about any wireless issues.
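The dual-WAN advice above boils down to how a gateway group behaves: uplinks on the same tier share flows by weight, a flow sticks to one uplink, and an uplink is dropped from the rotation once its monitor sees too much loss or latency. The following model of that behaviour is an added example written for this thread, not pfSense's own code; the gateway names, weights, the 20 % loss / 500 ms latency thresholds and the sample flows are all assumptions chosen for illustration.

```python
"""Model of how a pfSense-style multi-WAN gateway group picks an uplink.

Added example for illustration, not pfSense's own code. The gateway names,
weights and the health thresholds are assumptions; pfSense lets you tune the
equivalent loss/latency limits per gateway.
"""
import zlib
from typing import Dict, List, Optional, Tuple


class Gateway:
    def __init__(self, name: str, tier: int, weight: int = 1,
                 loss_pct: float = 0.0, rtt_ms: float = 0.0):
        self.name, self.tier, self.weight = name, tier, weight
        self.loss_pct, self.rtt_ms = loss_pct, rtt_ms  # latest monitor results

    def is_up(self, max_loss_pct: float = 20.0, max_rtt_ms: float = 500.0) -> bool:
        # A gateway is marked down once its monitor sees too much loss or latency
        # (assumed thresholds, tunable per gateway on a real firewall).
        return self.loss_pct < max_loss_pct and self.rtt_ms < max_rtt_ms


class GatewayGroup:
    """Members on the best healthy tier share traffic by weight; a lower tier
    is used only when every member of the tiers above it is down (failover)."""

    def __init__(self, members: List[Gateway]):
        self.members = members

    def active_members(self) -> List[Gateway]:
        for tier in sorted({g.tier for g in self.members}):
            up = [g for g in self.members if g.tier == tier and g.is_up()]
            if up:
                return up
        return []

    def pick(self, flow_key: Tuple[str, str]) -> Optional[Gateway]:
        """Weighted, deterministic choice: one (src, dst) pair always lands on
        the same WAN, which is what keeps sessions from flapping between ISPs."""
        up = self.active_members()
        if not up:
            return None                     # every uplink is down
        slots = [g for g in up for _ in range(g.weight)]
        key = zlib.crc32("|".join(flow_key).encode())  # stable across runs
        return slots[key % len(slots)]


def distribute(group: GatewayGroup, flows) -> Dict[str, int]:
    """Count how many of the given (src, dst) flows each uplink would carry."""
    counts: Dict[str, int] = {}
    for flow in flows:
        gw = group.pick(flow)
        name = gw.name if gw else "NONE"
        counts[name] = counts.get(name, 0) + 1
    return counts


# Two gigabit fibre uplinks on the same tier, so they load-balance (assumed names).
WAN_A = Gateway("WAN_ISP_A", tier=1, weight=1)
WAN_B = Gateway("WAN_ISP_B", tier=1, weight=1)
DUAL_WAN = GatewayGroup([WAN_A, WAN_B])

# Constructed sample flows from one LAN host to fifty different destinations.
SAMPLE_FLOWS = [("10.0.10.5", f"203.0.113.{i}") for i in range(50)]

if __name__ == "__main__":
    print("both up:", distribute(DUAL_WAN, SAMPLE_FLOWS))
    WAN_B.loss_pct = 100.0                  # ISP B drops every probe
    print("ISP B down:", distribute(DUAL_WAN, SAMPLE_FLOWS))
```

The practical lesson is the sticky hash: per-flow balancing is what lets a single session stay on one public address, so sites that tie a login to a source IP keep working. A VPN tunnel behaves the same way; it rides one uplink at a time, so a dual-WAN group does not double VPN throughput.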
 
Hi EngChi,

Thanks for your response and for sharing your inputs.

* As of now, I only plan to run a bare-minimum pfSense config (to start with), OpenVPN and Pi-hole on the Qotom. To be candid, I am a total newbie on pfSense so will have to figure this out along the way. I am thinking of an i7 dual-core 1.8 GHz, 8 GB RAM, 64 GB HDD, 4-port option for the Qotom. Overkill?
* I don't have any 10Gb devices, mostly gigabit. Looking at 8 ports switch, but not sure if this would need to be an L3 if I am looking at some traffic across VLANs. My current understanding on VLAN setup is that I would still need to have two access points (old routers) to plug into each VLAN to segment the traffic across smart devices and laptops, given that these devices would be on Wifi.
* I am located in Singapore and budget is around 500.

In my case, running cat5 around the house was not an option. Hence need to rely on Mesh Wifi. If I could run cat5, would have considered a Ubiquiti Edgerouter or USG and then have Access Point per floor. :(

My main concern is if there is a way to achieve the network segmentation with only one mesh system or would I still need to have multiple access point (1 per VLAN). Also, in your dual WAN, did you achieve 700+ Mbps or better with VPN?
 
The most important thing you can do is keep the IoT stuff segregated from your computers and your data. IoT: let it out to the Internet but not into your network. Your cameras should have a private part on the NAS, only available to the camera. IoT does not need NAS access. Don't give everything access to your NAS. Where is your backup system?
pfSense only needs a 2-core Pentium with 4 GB memory. Why 2 ISPs? I have 1 ISP and 3 WAN addresses, 5 if I want them. Your picture 1 is the better starting point as you have IoT off on its own.
 
Whoever told you VLANs don't work on wireless is wrong. Maybe they told you VLANs will not work on your current wireless APs?
 
Router/Gateway - For hardware, x86 for sure. Unlimited distro options and you get multi-gig software-driven throughput. I'd do something like a Skylake Qotom/Protectli (example). For a distro, probably pfSense, since you'd like to run multi-WAN and extra packages with ease and reliability. Not much else can compare, all things considered.

Switching - At least L2 managed. For inter-VLAN routing, and even better policy-based routing, you'll need L3 Dynamic. For your core, I'd also add PoE and go higher pedigree. Cisco SG350-10MP, or refurb enterprise off FleaBay (HPE 2930F-8G JL258A, Juniper EX2300-C12P, Ruckus ICX7150-C12, Cisco 3560CX w/ IP Services).

Wifi - VLAN-capable, centralized single AP product. Home-run as many as possible on Cat6 or 6a UTP. For a cheap but good system, go UniFi or Omada. For high stability levels and long support, Cisco WAP. If you absolutely need one or more APs running mesh, I'd go UniFi or refurb Ruckus.

General - Plan your VLANs and subnet addressing. Backup your configs. Put in commercial quality Cat6/6a if you can.
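Two points from the replies above are worth checking on paper before buying anything: the "let IoT out to the Internet but not into your network" policy, and "plan your VLANs and subnet addressing" together with the fact that a VLAN-capable AP maps each SSID to a VLAN. The script below is an added example written for this thread, not code from any poster or from pfSense; the VLAN IDs, subnets, SSID names, the Pi-hole address and the Sonos port are assumptions for illustration. It validates a VLAN plan (no overlapping subnets, no SSID tagged into two VLANs) and evaluates a first-match rule set the way pfSense applies rules with "quick" (its default), merged here into one ordered list rather than one tab per interface.

```python
"""Sanity-check a home VLAN plan and its inter-VLAN firewall policy.

Added example, not from the thread or from pfSense. VLAN IDs, subnets, SSIDs,
the Pi-hole address and the Sonos port below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# VLAN plan: id -> (name, subnet, SSID carried on the VLAN-capable APs; None = wired only)
VLAN_PLAN: Dict[int, Tuple[str, str, Optional[str]]] = {
    10: ("LAN",  "10.0.10.0/24", "Home"),       # laptops, phones
    20: ("IOT",  "10.0.20.0/24", "Home-IoT"),   # Sonos, bulbs, Fire TV, PlayStation
    30: ("MGMT", "10.0.30.0/24", None),         # switch/AP management, wired only
}
PIHOLE = "10.0.10.53"   # assumed Pi-hole address on the LAN VLAN


def check_plan(plan) -> List[str]:
    """Return problems found: overlapping subnets or one SSID tagged into two VLANs."""
    problems = []
    nets = {vid: ipaddress.ip_network(subnet) for vid, (_, subnet, _) in plan.items()}
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} and VLAN {b} subnets overlap")
    seen: Dict[str, int] = {}
    for vid, (_, _, ssid) in plan.items():
        if ssid and ssid in seen:
            problems.append(f"SSID {ssid!r} mapped to both VLAN {seen[ssid]} and VLAN {vid}")
        elif ssid:
            seen[ssid] = vid
    return problems


@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # network or "any"
    dst: str               # network, host, or "any"
    dport: Optional[int]   # None = any destination port
    note: str = ""


def matches(address: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(address) in ipaddress.ip_network(net, strict=False)


# First-match order, as pfSense evaluates "quick" rules. Simplification: the
# per-interface rule tabs are merged into one list keyed by source subnet.
POLICY = [
    Rule("pass",  "10.0.20.0/24", PIHOLE,        53,   "IoT may resolve names via Pi-hole"),
    Rule("block", "10.0.20.0/24", "10.0.0.0/8",  None, "IoT may not reach any internal VLAN"),
    Rule("pass",  "10.0.20.0/24", "any",         None, "IoT may reach the Internet"),
    Rule("pass",  "10.0.10.0/24", "any",         None, "LAN may reach everything, incl. IoT"),
]


def evaluate(policy: List[Rule], src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return the action of the first matching rule; no match means default deny."""
    for rule in policy:
        if matches(src, rule.src) and matches(dst, rule.dst) and rule.dport in (None, dport):
            return rule.action
    return "block"


if __name__ == "__main__":
    print("plan problems:", check_plan(VLAN_PLAN) or "none")
    print("IoT -> LAN host      :", evaluate(POLICY, "10.0.20.5", "10.0.10.7", 445))
    print("IoT -> Pi-hole DNS   :", evaluate(POLICY, "10.0.20.5", PIHOLE, 53))
    print("IoT -> Internet      :", evaluate(POLICY, "10.0.20.5", "93.184.216.34", 443))
    print("LAN -> Sonos on IoT  :", evaluate(POLICY, "10.0.10.4", "10.0.20.9", 1400))
    print("MGMT -> Internet     :", evaluate(POLICY, "10.0.30.4", "93.184.216.34", 443))
```

Note the ordering trap the model makes visible: the Pi-hole allow has to sit above the block on 10.0.0.0/8, otherwise IoT devices lose DNS, and the block has to sit above the "any" pass, otherwise the IoT VLAN can reach the LAN. The MGMT VLAN gets no rules at all, so it falls through to the implicit deny; that is the state you want for a network that only the switch and APs live on.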
 
I'd get rid of the Pi-hole and just use the pfBlockerNG add-on since you're going to use pfSense anyway. It would also allow you to use much larger lists with top-level-domain blocking if needed.


Take a look at the Lawrence Systems YouTube videos for pfSense and also the pfBlockerNG setup; it's pretty friendly to new users, as that's what I used.
 