My network is a mess, how can I make it better?

[elvisimprsntr]

@Octopuss

Anything with Intel NICs, 8GB RAM, 32GB (min) SSD will likely run pfSense. Make sure it supports AES-NI for future proofing.

Many of us in the US use the Protectli Vaults. You couldn't go wrong the Protectli Vault FW4C
I keep a few used evilBay spares on hand for when friends, relatives, or neighbors eventually ask for advice.


Personally, I would just use the pfSense wizard and put everything on the same sub-net and VLAN, establish a working and reliable system, before jumping head first into separate sub-nets and VLAN. Life is too short to make it overly complicated.

 

[gregsachs]

Other possibility, simpler than new pc, but moving away from PFsense; go with ubiquiti. Get an old USG for under $100 US, and run controller in a VM, or look at the new unifi express unit, $149;

UniFi Express - Ubiquiti Store

Impressively compact UniFi Cloud Gateway and WiFi 6 access point that runs UniFi Network. Powers an entire network or simply meshes as an access point.

store.ui.com

which has a built in controller. It isn't as complex as pfsense, but it isn't as complex as pfsense...
The openwrt on backup router is also a good idea, at zero cost.

 

[Octopuss]

I'll be installing new standalone box for pfSense today, and have started thinking about all this again.

I presume the correct order of devices is internet->pfSense->switch->everything else, right?
Does it matter if I set the switch to static IP or set a static DHCP mapping for it on pfSense?

 

[louie1961]

I presume the correct order of devices is internet->pfSense->switch->everything else, right?

With VLANs other orders are possible, so its not the only order that will work. But it is the order I recommend.

Does it matter if I set the switch to static IP or set a static DHCP mapping for it on pfSense?

If you are going to use VLANs, I think setting a static IP is better. But you can probably get it to work on DHCP. I prefer static so that I always know the IP address of the switch to log into. You will be logging into it quite a bit at first as you set up VLANs

 

[Octopuss]

The result will be the same, the IP address won't change, so I am just curious what is the "more correct" way to do it.


Are there any theoretical benefits to placing the swich first btw?

 

[louie1961]

This may be completely wrong, but the way I set up pfSense, the pfSense box, my main LAN interface and all my switches and wireless access points are all on the same subnet: XX.XX.1.XX, with static IPs. My VLANs are on different subnets: XX.XX.2.XX, XX.XX.3.XX, etc. I don't use DHCP on the LAN/1.XX subnet, and all subnets are isolated from each other via firewall rules. Only one of my subnets can access the pfSense interface either via the web or via SSH. No DHCP on the LAN interface is kind of a security thing in my mind (maybe its false comfort, but I think it makes it harder for someone to plug into my switch and start messing with my network. Maybe not, who knows). Out of 5 VLANs that I use, 4 have DHCP. The VLAN for my proxmox hosts to access the management interface does not have DHCP as Proxmox really wants/needs static IPs anyway. I have a trusted VLAN for my PC and my wife's PC that can access anything except the XX.XX.1.XX interface. I also have VLANs for guests, IOT devices, public facing websites I self host, and one for the TVs. All of those can talk to the internet but nothing else. Finally I have a VLAN for logging into my Proxmox hosts, which is also isolated from all the others (except my trusted VLAN)

 

[louie1961]

Are there any theoretical benefits to placing the switch first btw?

I don't believe so. In fact, I think it could slow down your network. More traffic will potentially have to flow through the router rather than be handled only by the switch.

 

[Octopuss]

I thought everything has to go through the router anyway? But I don't know crap about networking, so...

 

[louie1961]

I am pretty sure most managed switches can route traffic on the same VLAN to other devices on the same VLAN without having to traverse the router.