Feedback needed for my first network setup with VLANs

I am a freelance software engineer by trade and have never done any proper network management. I have never even used VLANs until recently. I have a small office for my freelancing business that I recently designed a network for and would be interested in any feedback from anyone who actually knows what they’re doing.

I have a Netgate SG-2100 pfSense router; it has 1 WAN and 4 LAN ports.

The building my office is in takes in a fiber line, converts it to Cat6 in the basement somewhere and sends that up to my office, where it plugs into my WAN port.

My router, switches, and NVR are located in a small locked network cabinet.

My 4 LAN ports would connect to:

1: 16-port TP-Link “Smart” switch which will handle 3 different tagged VLANs (Trusted, Main, and VoIP)

Trusted and Main have free range to talk to each other; the main difference is that Trusted is connected to 1 specific Ethernet port that I connect my laptop to, and that VLAN will be allowed to reach into other VLANs for config/management purposes.

2: 8-port TP-Link “Smart” switch configured for MTU VLANs so each port is isolated and can only send packets to the uplink port, which goes to pfSense. This is my “Isolated” VLAN and will have the wireless router for my Guest WiFi network (which will also isolate WiFi clients so they cannot talk to each other). I have a smart lock WiFi hub which will connect to that. I will also have my office printer wired up to the switch as part of my Isolated network (and pfSense will allow both Trusted and Main VLANs to connect to the printer).

3: PoE Switch for security cameras

4: NVR for security cameras

(pfSense will have LAN ports 3 and 4 sharing their own VLAN)

For IP addresses I plan to use: 192.168.(vlan tag).xxx

I have the following VLAN tags planned:

Trusted: 10
Main: 20
VoIP: 30
Isolated: 50
Cam: 90

Does this make sense? Is there anything I am missing or should consider changing?

At some point I want to also do something similar at home, then set up a site-to-site VPN between my home and office networks. (Both are on gigabit fiber connections with the same ISP.) Then I could have cameras and an NVR at home too and have all cameras across both locations record to both NVRs, so even if someone steals the actual NVR or it gets destroyed in a fire or something, that location’s cameras will still have recordings I can access at the other location’s NVR.
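The inter-VLAN policy the post describes (Trusted reaches everything, Trusted and Main talk freely, Main only reaches the printer inside Isolated, everything else between VLANs dropped, cameras and NVR on one shared VLAN) modelled as a first-match rule table with an implicit default deny. This is an added example, not code from the thread or from pfSense; the printer address, the print ports and the 192.168.<tag>.0/24 subnets are assumptions taken from the plan above.

```python
import ipaddress

# VLAN tags from the post; the subnet is derived from the tag as 192.168.<tag>.0/24.
VLANS = {"Trusted": 10, "Main": 20, "VoIP": 30, "Isolated": 50, "Cam": 90}
SUBNETS = {n: ipaddress.ip_network(f"192.168.{t}.0/24") for n, t in VLANS.items()}

# Constructed address for the office printer on the Isolated VLAN (assumption).
PRINTER = ipaddress.ip_address("192.168.50.10")
PRINT_PORTS = {9100, 631}  # raw JetDirect and IPP (assumption: what the printer needs)

def vlan_of(ip):
    """Map an address to the VLAN name whose /24 contains it, or None."""
    ip = ipaddress.ip_address(ip)
    return next((n for n, net in SUBNETS.items() if ip in net), None)

# First-match rule table: (src VLAN, dst VLAN, dst host or None, ports or None, action).
# "*" matches any VLAN; anything not matched falls through to the final deny,
# so Isolated, VoIP and Cam can never open connections into another VLAN.
RULES = [
    ("Trusted", "*", None, None, "allow"),                # management reaches everything
    ("Main", "Trusted", None, None, "allow"),             # Trusted and Main talk freely
    ("Main", "Isolated", PRINTER, PRINT_PORTS, "allow"),  # Main may only print
]

def evaluate(src, dst, port=None):
    """Decide what the firewall would do with a new connection src -> dst:port."""
    s, d = vlan_of(src), vlan_of(dst)
    if s is None or d is None:
        return "deny"          # not one of the planned subnets
    if s == d:
        return "switched"      # same VLAN: handled by the switch, never reaches pfSense
    dst_ip = ipaddress.ip_address(dst)
    for rs, rd, host, ports, action in RULES:
        if rs != s or rd not in ("*", d):
            continue
        if host is not None and dst_ip != host:
            continue
        if ports is not None and port not in ports:
            continue
        return action
    return "deny"              # implicit default deny between VLANs

def matrix():
    """Reachability between the .1 host of every VLAN pair, for a quick sanity check."""
    hosts = {n: str(net[1]) for n, net in SUBNETS.items()}
    return {(s, d): evaluate(hosts[s], hosts[d]) for s in VLANS for d in VLANS}
```

Re-running the matrix after each rule change shows whether opening one path (say, printing from Main) has quietly opened another before the rules are reproduced in pfSense.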

Not sure I actually know what I am doing but these are my thoughts …

I would stick networking kit (router, switch, AP) on a management VLAN, create a Guest VLAN, create a printer VLAN. My Netgear switches and TP-LINK AP ask for the management VLAN in their configuration. If you want guests and users to be able to print then having the printer on its own VLAN might be the best option, though you can also just have a rule allowing access to the printer IP for guests.

If your AP can handle VLANs then it makes sense to have a Guest and non-Guest SSID.

The other thing I would recommend is to have a free port on the router for the LAN that you just access in the event things go wrong and you need to reset pfSense.

Try to use as few rules as possible; get one VLAN working then use that as a template for the others.

Personally I like to connect my router to my switch over LACP LAGG connections for all VLANs; that way if there is a problem with a cable there is some redundancy.

Thanks for that. The AP is very bare bones; it’s a $25 WiFi router from Walmart in AP Only mode, so I only have the guest network on because I could not separate out the two networks onto separate VLANs. I suppose if I ever wanted a non-guest WiFi I’d probably just buy a second one of those to keep them on different VLANs.

The switches let me set the IP for their management interface, so I assume if it’s within the range for a specific VLAN then it can only be managed from/on that VLAN?

Guests don’t need to print, but I figured it was probably safer to keep it off the main VLAN just in case it got compromised or something. Idk if hacking printers and moving through a network from that is a real thing or not, but I figure why risk it if I can isolate it easily enough.

That’s right, though say if it’s on a 10 subnet, I’d keep at least one port on the same subnet so that the switch could still be accessed directly in the event of something going wrong on the network.

For a first design you have done a very good job, congratulations! A lot of good insights have made their way into it already.

Your Trusted VLAN practically has the role of the management VLAN mentioned by @neogrid. It may seem to be overkill, but I would follow @neogrid with his recommendation to separate Management and Trusted into 2 different VLANs. Technically you can have many VLANs on a single router port. You would put all the management interfaces of equipment and servers into that Management VLAN and ensure that only IPs from within that VLAN can connect. You already have a dedicated router port for Trusted to connect the laptop if something goes wrong. That is useful. As already mentioned by @neogrid, this would then be the reserved port for the Management VLAN. For convenience you might want to add a “jump host”, but that is already more complicated than you are currently willing to go.

You don’t seem to have any services exposed to the Internet, but if you will have, you want to put those in a separate VLAN (e.g. DMZ). The same applies to servers that should be reachable from different VLANs, e.g. a Service VLAN. Technically you could put a given server in all VLANs that need to use its services, but regarding security I would not do that and would rather route the traffic through the firewall, even if that gives lower performance.

I assume the AP and the PoE switch you have are not manageable and that is why you connected them directly to the pfSense. In case you are wondering how to structure this network if you get more network devices than you can connect to your pfSense: you need manageable devices that are all capable of VLANs; then you can connect them to your Main switch instead of to the pfSense.