Advise on home network layout with vlan

Hi guys, after watching a whole bunch of videos from Tom (thanks Tom), I've decided to try and design a home network for my planned house extension. I have a large family, there are 7 of us in the house, with teenagers who require lots of internet. In the family room: 1x smart TV, SkyQ STB; office: desktop, printer and Vonage VoIP;
rack: modem, SG3100, 2x switches, media server, RPi for Hass.io. Each of the kids' bedrooms will have 2x ethernet jacks. 2x access points. There are numerous laptops, phones and tablets. Anyway, I think I have got everything laid out OK. Is there anything I need to change, add or delete from the plan? This is a link to the layout

Thanks again Kev


I’d like to know where you get your drawing skills from…

Overall, I’d say that looks like a workable layout, albeit a large one. Only thing I could see being a potential issue is any media devices controlled/managed from another network. eg. Roku, Chromecast, etc.

If you only have three things on your ‘main 10’ section, considering it’s got the VoIP and modem(?), I’d probably use the three remaining ports on the Netgate vs using a VLAN for those three things, printer included. Would make QoS and rule setting easier imho.

Thank you, I used Visio for the design work and a lot of hours. The SkyQ STB is a satellite TV box here in the UK, kinda like the TiVo box in the US. I like the idea of having the Vonage on the Netgate. Do you think I should have media players (Roku etc.) on the same VLAN 20 as other IoT devices, with strict firewall rules to allow access to the media server? Thanks

I would trust Roku as not needing to be placed on an isolated/firewalled network, but I'm less sure about any other media players you may have.
The Vonage I would connect directly to the Netgate, but you can still keep it in the same VLAN as your plan indicates. Placing it on the Netgate just ensures that congestion on the link between the firewall and switch (due to inter-VLAN traffic, for example) won't cause any issues. QoS on the firewall will only help prioritize the Vonage traffic as it leaves the firewall; it can't control the link to the switch.

I’ll have to check out Visio, sure did make a nice diagram. Lot of hours, that’s just par for the course, isn’t it… lol

Putting Vonage directly on the Netgate lets you shove it in its own subnet and isolate it, plus lets you QoS more effectively imo.

The media players (Roku/Chromecast/etc.), in an ideal world, work best if they're on the same subnet as the controllers are (e.g. phones, tablets, etc.). This isn't always something someone is willing to do though in the name of securing things. It's a choice you'll have to make, given the pros and cons. Try it with them on separate VLANs and see how it works; if there's no issues, consider yourself lucky and congrats. If a device isn't playing nice, then you'll choose either to move it or kill it, as those are your basic options. Moving them, I would run strict FW rules and let it fly. Killing them, well, may end you up in the doghouse with someone. As always, YMMV…

Device trusting is subjective, some choose to trust, others, do not. Generally, there is no right or wrong answer and everyone is free to choose how big their tinfoil hat is. Personally, mine is fairly large, but most people don’t know what it even is, which is tragic, but I digress.

Why would there be a reason to move the Vonage device to the Netgate, yet keep it VLAN'd? This doesn't make sense to me, as you're giving the device a dedicated port on the firewall itself.

Doesn't the SG-3100 have that thing where the LAN ports are on a switch, and every port is actually a VLAN anyway? I'd personally prefer reducing the number of interfaces I have to manage in pfSense.

Hi, I’ve changed the layout with the new suggestions, which can be found Here.

We don't have any Rokus or Chromecasts at the moment, but will be getting some once the media server is built and running. They will be added to VLAN 10 IoT.


Looks good, better use of the 24 port too! Happy routing! :sunglasses:


Safe to assume that the black lines running from the Netgate into your UniFi switch are dot1q tagged?

If so, I’d recommend adding it to the diagram along with the interconnect going between switches.

Also, for clarity, I'd include whether or not those ports going to your Vonage device and printer are also tagged. They appear to be (hopefully) in a DMZ. Throw a note to that effect on the diagram (separate VLAN?). Is there an RJ11 line connecting the Canon to the Vonage device?

Nice diagram though.

= F