My network is a mess, how can I make it better?


gregsachs (Active Member, joined Aug 14, 2018):
Here is a suggestion, regardless of the single box or dual box question. Dual box will definitely keep your other users happier...
1: Get everything working using a single 255.255.255.0 subnet, regardless of wired/wireless, etc. Use DHCP, set specific devices to fixed as needed. Use a 24-bit subnet, i.e. 254 devices, unless you NEED more, because it is simpler.
2: Since you have a managed switch already, learn about VLANs, which will give you the ability to isolate the different types of devices as needed or desired. (This assumes you have access point(s) that support VLANs as well; I didn't see that mentioned.)
3: Gradually move things you want to isolate to dedicated VLANs, also using a 24-bit subnet, and establish the firewall rules you want between the different VLANs.
 
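Steps 2 and 3 above turn into a subnet plan and an ordered rule set; the following Python is an added example (not from this thread or from pfSense) that assumes constructed VLAN names and ids, a 10.0.0.0/16 base, and a pfSense-style first-match rule order. It shows the one check that trips people up: the "block other VLANs" rule has to come before the "pass to any" internet rule.

```python
import ipaddress
# Constructed plan (not from the thread): one VLAN and one /24 per device
# class, VLAN id as the third octet (VLAN 20 -> 10.0.20.0/24).
VLANS = {"trusted": 10, "iot": 20, "guest": 30, "servers": 40}
INTERNET = "internet"
# Explicit allow-list of (source VLAN, destination); anything not listed is
# dropped, so a new VLAN stays isolated until you deliberately open a path.
ALLOW = {("trusted", "servers"), ("trusted", "iot"), ("trusted", INTERNET),
         ("servers", INTERNET), ("iot", INTERNET), ("guest", INTERNET)}

def plan_subnets(vlans, base="10.0.0.0/16"):
    """Return {name: (vlan_id, network, gateway)} with one /24 per VLAN."""
    base_net = ipaddress.ip_network(base)
    plan = {}
    for name, vid in vlans.items():
        net = ipaddress.ip_network(f"{base_net.network_address + (vid << 8)}/24")
        if not net.subnet_of(base_net):
            raise ValueError(f"VLAN {vid} does not fit inside {base_net}")
        plan[name] = (vid, net, net[1])  # first usable address is the gateway
    return plan

def vlan_of(ip, plan):
    """Map an address to its VLAN name, 'internet' for public space, else None."""
    addr = ipaddress.ip_address(ip)
    for name, (_vid, net, _gw) in plan.items():
        if addr in net:
            return name
    return INTERNET if addr.is_global else None

def allowed(src_ip, dst_ip, plan):
    """Evaluate one flow against the policy; default deny for anything unknown."""
    src, dst = vlan_of(src_ip, plan), vlan_of(dst_ip, plan)
    if src is None or dst is None:
        return False
    if src == dst:
        return True  # same-VLAN traffic is switched, it never reaches the router
    return (src, dst) in ALLOW

def rule_table(plan):
    """Per-VLAN rules in pfSense style (first match wins): the block of all
    local VLAN nets must sit before the 'pass to any' internet rule."""
    rules = {}
    for src in plan:
        r = [f"pass  from {plan[src][1]} to {plan[dst][1]}"
             for (s, dst) in sorted(ALLOW) if s == src and dst != INTERNET]
        r.append(f"block from {plan[src][1]} to ALL_VLAN_NETS")
        if (src, INTERNET) in ALLOW:
            r.append(f"pass  from {plan[src][1]} to any")
        rules[src] = r
    return rules
```

`ALL_VLAN_NETS` stands for an alias covering every VLAN network; `allowed()` lets you answer "can my IoT device reach the NAS?" before you touch the firewall.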

Octopuss (Active Member, joined Jun 30, 2019, Czech Republic):
****it. Stupid crap of a server.
Can I get any other recommendations for small boxes like that?
Available in EU I might add.

@Octopuss

Install pfSense on a dedicated low power Mini PC appliance. That way you won't lose internet when you take your server down. Seems to be the root of most of your frustration.



Or if you like to gamble


Assuming you have your server connected to a UPS, you can share out the UPS status using the NUT package as a UPS master and UPS slave on other clients. I have my UPS connected to my pfSense as a master and multiple TrueNAS servers as UPS slaves.

 

blunden (Active Member, joined Nov 29, 2019):
Octopuss said:
****it. Stupid crap of a server.
Can I get any other recommendations for small boxes like that?
Available in EU I might add.
There are lots of those kinds of boxes if you check this forum, and STH has reviewed several of them as well. It depends on your requirements. :)
 

Octopuss (Active Member, joined Jun 30, 2019, Czech Republic):
Well, I don't know. I want something cheap that will do what virtualized pfSense does for me.
I don't even know how to google this up, and how reputable the manufacturers are.
 

blunden (Active Member, joined Nov 29, 2019):
Octopuss said:
Well, I don't know. I want something cheap that will do what virtualized pfSense does for me.
I don't even know how to google this up, and how reputable the manufacturers are.
What kind of throughput numbers are you looking for, and what kind of features do you have enabled in pfSense? For instance, using IDS/IPS requires a lot more CPU performance than just NAT + routing + firewall.
 

Octopuss (Active Member, joined Jun 30, 2019, Czech Republic):
I don't have the slightest idea. Honestly. I just connect the house to the internet, lol. There are four PCs/notebooks and four phones. I play games and have a torrent seedbox running on the server.

I don't even know what IDS/IPS stands for.
 

nexox (Well-Known Member, joined May 3, 2023):
Let's start more basic: how fast is your Internet connection and how much do you expect it to increase in the next couple years?
 

Octopuss (Active Member, joined Jun 30, 2019, Czech Republic):
Ah. Sure.
Currently we're on 200/100 Mbit 60 GHz wifi. It might get a little faster in the future, but I don't expect much, and I don't intend to pay for higher speeds anyway.
 

blunden (Active Member, joined Nov 29, 2019):
Octopuss said:
I don't have the slightest idea. Honestly. I just connect the house to the internet, lol. There are four PCs/notebooks and four phones. I play games and have a torrent seedbox running on the server.

I don't even know what IDS/IPS stands for.
200/100 Mbit/s is something that basically anything should be able to handle. :)

IDS = Intrusion Detection System
IPS = Intrusion Prevention System

Basically, IDS and IPS require analyzing the traffic which obviously increases the CPU performance requirement to reach a specific level of throughput. :)
 

blunden (Active Member, joined Nov 29, 2019):
Octopuss said:
I don't know what it does, so I guess I don't need it :D
Correct. If you don't know what it is, you don't need it. :D

Basically it allows more granular filtering and blocking of potentially malicious traffic. It's used in enterprise networks, but only by enthusiasts in a home setting. :)
 

Octopuss (Active Member, joined Jun 30, 2019, Czech Republic):
I don't know crap about networking, so even if it was interesting to me, I wouldn't know how to set it up properly.
I just need a box with two RJ45 ports and enough CPU to do what I need here (not much I guess). I guess I don't even need more than 1GB RAM or something.
 

nexox (Well-Known Member, joined May 3, 2023):
Yeah, those speeds can be handled by just about anything. If you can trunk VLANs into your router you don't even need two 1G ports; I ran my 600Mb cable connection at almost full speed off a second gen i5 laptop for years after my previous dedicated router (a rather pathetic Atom D510 system that could also handle 600Mbit cable with no problem) failed to boot when I didn't have a VGA monitor handy.
 

louie1961 (Active Member, joined May 15, 2023):
Octopuss said:
The major shortcoming is the damn virtualized server that runs pfSense in a VM, so obviously, when it goes down, everything stops working.
The only way to solve this is to put your router on something other than your server. I get you don't want to buy any more hardware. How about downloading OpenWRT for your backup router? Then you can have almost as much configurability as pfSense. Welcome to the OpenWrt Project

Octopuss said:
Also when I need to take the server down to do whatever, there's no internet. I do have a router as a backup, but then there's the problem of weird choice of IP addresses.
This isn't going to change regardless of how you arrange your IP ranges, subnets or VLANs. Switches can't do much without a router. Some switches may be able to pass traffic on the same subnet/VLAN, but as soon as you start crossing subnets and VLANs it isn't going to work.

Octopuss said:
One of the problems I repeatedly faced was losing access to all network when the server was down (or taken down) and I somehow couldn't connect to the switch anymore.

The only way to solve that is to put everything in the same VLAN/subnet.

Octopuss said:
Can I get any recommendations what to change and why?
Either get rid of the concept of VLANs and put all devices in the same VLAN/subnet range, or find a way to separate your routing function from your server. You could use your backup router, a Raspberry Pi, or any old cheap refurbished computer you have lying around. Heck, it doesn't even need more than one LAN port (although two or more is easier to configure). Even an old refurb like this $88 HP would work: https://www.amazon.com/HP-Prodesk-600-G2-Computer/dp/B082MPZ839
 