Help with network setup: public Wi-Fi / POS LAN / IP tunnel. Could UniFi be the solution?

Hello.

I'm getting a new provider and have been struggling to make this network durable, as it exceeds my network skills, and today it seems very unstable with poor contact between some units in the network. My goal is to make the most failsafe network possible within a suitable price range.

Short version of the challenge: a business with its own LAN and critical functions, with guest Wi-Fi, and sharing internet access through an antenna.

My network setup today is:

200/200 optical fiber internet from the supplier.

Inteno XG6846 as modem and router.

LAN1 IP: 192.178.168.x

From here it's just one Cat5e cable to a switch.

Cisco SG100-24

From this switch most things are connected by cable.
These are critical for the business.
(Things connected in this LAN are the following:
6 computers
1 NAS
4 printers
4 POS systems with
4 POS card payment terminals
10 CCTV cameras
1 CCTV server
3 sound mixers
1 AP for guest access
XX wireless users)

Also, from here I'm sharing the internet connection through 2 x TP-Link CPE710 antennas.
Both antennas have the same IP address as my LAN1 but don't show up on my router.
The antenna is connected to the Cisco switch today.

On the other side, the antenna is connected to the WAN port of an Apple Extreme. This gives me two warnings: *Setup over WAN* and *Double NAT*.

LAN2 IP: 10.0.0.x

(LAN2 is my home network and has every home device thinkable, from APs and printers to Apple TV, etc.)
(LAN2 only has internet access through the TP-Link antenna.)

I have the following challenges with this setup.

* Should I have a second switch and dual WAN for LAN1 as failback, since this is the most important network, with the POS systems and the rest?

* LAN1 & LAN2 share the internet (200 Mb/s), as does the guest AP. Can I set maximum internet bandwidths?
Bandwidth: guest APs max 50 Mb/s, LAN2 max 200 Mb/s and LAN1 150 Mb/s?

* No visibility or access between LAN1 and LAN2.
But it would be nice to have one computer or user able to establish a connection to the CCTV server or NAS, without being able to see computers or units on LAN1, or print on LAN1, from LAN2.

* Should be able to reach the Inteno router/modem from LAN2.

* LAN2 must be able to maintain its own setup, such as DHCP and routing, if the internet connection fails or the antenna breaks.

* Possibility of remote access to LAN1 and LAN2: should be able to remotely access the NAS and CCTV server in LAN1. I also have a server in LAN2 that needs remote access.

Hope someone can advise me on both setup and products.
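One way to sanity-check a segmentation rule list against the requirements above before building it in a firewall, as an added example (not the original poster's configuration and not pfSense's own rule format): a small first-match evaluator using the segments from the post. Only LAN2 = 10.0.0.x comes from the post; the LAN1, guest, NAS, CCTV, router and home admin PC addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Segments. Only LAN2 = 10.0.0.x comes from the post; the rest are assumed values.
LAN1 = ip_network("192.168.1.0/24")      # assumed: business LAN (POS, NAS, CCTV)
LAN2 = ip_network("10.0.0.0/24")         # from the post: home network
GUEST = ip_network("192.168.20.0/24")    # assumed: guest Wi-Fi
ROUTER_LAN2 = ip_address("10.0.0.1")     # assumed: firewall's address on LAN2
NAS = ip_address("192.168.1.10")         # assumed
CCTV = ip_address("192.168.1.11")        # assumed
HOME_ADMIN = ip_address("10.0.0.50")     # assumed: the one home PC allowed through
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ip_network("0.0.0.0/0")

# (source, destination, action), evaluated top-down, first match wins.
# The narrow allows for the admin PC must sit above the broad LAN2 -> LAN1 block.
RULES = [
    (HOME_ADMIN, NAS, "pass"),
    (HOME_ADMIN, CCTV, "pass"),
    (LAN2, ROUTER_LAN2, "pass"),          # reach the router from the home network
    (LAN2, LAN1, "block"),                # no other visibility into the business LAN
    (LAN1, LAN2, "block"),
    *[(GUEST, net, "block") for net in PRIVATE],  # guests: internet only
    (ANY, ANY, "pass"),                   # everything else (internet) is allowed
]

def _matches(pattern, addr):
    # pattern is either a single host address or a network
    return addr == pattern if isinstance(pattern, type(addr)) else addr in pattern

def evaluate(rules, src, dst):
    """Return the action of the first rule matching src -> dst ('block' if none)."""
    src, dst = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, action in rules:
        if _matches(rule_src, src) and _matches(rule_dst, dst):
            return action
    return "block"  # default deny when no rule matches

def policy_report(rules=RULES):
    """Evaluate the requirements stated in the post against a rule list."""
    return {
        "admin_to_nas": evaluate(rules, HOME_ADMIN, NAS),
        "other_home_pc_to_nas": evaluate(rules, "10.0.0.51", NAS),
        "home_to_router": evaluate(rules, "10.0.0.51", ROUTER_LAN2),
        "home_to_printer": evaluate(rules, "10.0.0.51", "192.168.1.30"),
        "guest_to_pos": evaluate(rules, "192.168.20.7", "192.168.1.40"),
        "guest_to_internet": evaluate(rules, "192.168.20.7", "1.1.1.1"),
    }

MISORDERED = [RULES[3]] + RULES  # the broad block placed first swallows the admin exception
```

Running `policy_report(MISORDERED)` shows the admin PC blocked from the NAS, which is the ordering mistake to watch for when translating the list into real firewall rules.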

A map of how you want to set this up would be helpful, but UniFi switches and access points along with a pfSense firewall should be able to achieve what you are looking to do. We don't recommend the UniFi routing equipment due to its lack of features.

Thanks for your reply.

Are you thinking of a map like this? :slight_smile:

Close enough, but yes, with a series of subnets and proper rules it should work using a pfSense and UniFi switches & APs.

Nice, I've also looked a bit at the TP-Link series you have some recent videos on.
How should I build this network with subnets and rules in the pfSense firewall?
That's my biggest struggle. A wild guess from my side is that this involves VLANs and QoS?
Could you help me with an example, or maybe point me to some videos?

Would a Netgate SG-3100 do the job?

The SG-3100 is good, but check the Netgate site to see if the VPN speed works for your purposes. I have a video talking about network design and rules here: https://youtu.be/ouARr-4chJ8

Thanks, a lot of good videos there for the Netgate. Well, with somewhat more understanding I've tried a new map. No rules yet. Does this network design seem doable?

Yes, except it's not needed to have the site 2 home network router, as you could instead create a separate network in pfSense to send over to site 2.

I've had that in mind and was unsure. What will happen if the antenna link to site 2 gets faulty or destroyed? Will site 2 be totally unmanaged? Because I don't want my home network to stop working if this happens.

If the antenna goes down you won't have internet, and you could statically assign the IP addresses so the systems on that network can still talk to each other.

Is there a way to solve this, maybe with a simple unit that takes over local DHCP in the home network?
I want the network to work as seamlessly as possible, and the fewer bottlenecks the better, I'm thinking. With the router at site 2, is it best to have it connected to a LAN port or use the WAN port?
Would this add extra safety or just create a bottleneck?
If I have a second router at site 2 I would be able to have a second 4G WAN as backup. I could also do this at site 1.

OK. Yes, the internet will be down for sure. What worries me is that I will lose contact with the pfSense router, and it seems like an awful lot of work to set a static IP for all units in my home network, if I understand you correctly.

I was able to set this up with pfSense and TP-Link access points. Separate LAN for site 2, with OpenVPN working fine as well. And only one router in the network.

Now I've met other challenges.

I want to create a Site3 through the Site2 antenna, and with the equipment I have today it should be possible with VLANs, and all sites would be routed from the main router at Site1.

At the remote sites (Site2 and Site3), is there any way to have a 4G backup?
So if I lose the remote connection to the main site, and then also the internet, the remote sites would have a way to access the internet? (Access point with 4G routing backup?)

-S