I´m new in the forum, I work in IT, but not on the network side of the power . I have a basic acknowledge of network and the videos from Tom are helping me a lot.
My actual setup is very basic, one ISP fiber modem, an Asus router RT-AC87u and one Qnap TS-269 Pro NAS.
I would like to move to pfSense (actually I already bought a Qotom 6 LAN ports - 60GB msata and 8GB ram and I start to play around with), to have more security on my network.
I bought the Qotom 6 LAN ports with the thoughts to use those extra ports, for my NAS, my work laptop and for now my Asus router on a different network. (My plan shortly is to buy an UniFi AC Pro after the quarantine)
If you guys could help me with some question:
1 - My Qnap NAS has 2 LAN ports, I will be able to add one subnet each? I can configure one of the LAN ports to go out just via VPN, and the other just for port 32400 for Plex Media, Qsync… and nothing else(inside and out of my network)?
2 - My Asus router can continue to do the DHCP for their connections? Can I still be able to create more than 2 SSIDs? (This connection do not need to be much secure for now).
If you come out from the pfsense and go into the WAN port of the ASUS it should behave much the same as it does when it was at the head end of the network, you would have a double NAT setup. I have not really worked much with QNAP, but you should be able to use the QNAP with each NIC set for each network.
I’ve made virtually the same migration as you have from an Asus router on Merlin to PfSense (basically the same box as yours) with a QNAP on the network too. However, it took me a while to complete.
Yes on the QNAP you can assign different subnets to to each port.
You can have the ASUS act as a DHCP but from memory I don’t think those routers do multiple SSIDs, I would have to start it up and have look.
It looks like it would be easier to let PfSense do all your DHCP, then use your Asus as an Access Point for only the IoT SSID.
However, I would recommend buying a vLan capable switch (vLANS are not difficult to suss out), there are plenty to choose, I have a couple from Netgear, they aren’t too expensive but the UI is terrible. Unifi are expensive (for me) but the UI looks from this century. Depending on your physical layout you might want more ports than you think you need
If you do that then the first port on the PfSense will be the WAN, the second will be the LAN, the remaining four you can bond with LAGG, this will give greater bandwidth but the same speed. You can set up your vLANs for LAN, ISP, VPN and IoT. Then ensure you have a vLAN aware AP (I use a TP-Link EAP245 mainly because it’s not expensive) and SSIDs for each vLAN.
That set up will work sweetly but you now have a router of not much use, don’t worry I currently have more than 10 I’m trying to get shot off. Wanna buy one
For basic VLAN stuff you can potentially grab the new switch Unifi released. I have some cheap managed switches from TP-Link, they are also very easy to configure and you can get them pretty much anywhere.
If you have the money I would throw in a Unifi AP as it is just super easy to configure, but either way, you may have a ‘switch to AP mode’ for that Asus router.
As for double NAT, I am annoyingly forced to run with that and it is a pain, but you can live with it probably for most stuff. It can break / reduce stability though and it means ddns can be fun.
@LTS_Tom Can I set the NICs as Static IP correct? I like your videos, very helpful!
@neogrid Good to know the Qnap can run with the 2 ports. The AC87u has 2.4 and 5 GHz plus the Guests wifi.
If you can help me with how to set up the Asus and pfSense, in this scenario? Will I need to use a NAT 1:1 (pfSense --> Asus)?
@WieboW this will be my set up, Unif switch and AP. Now my wife and I need to work from home (Spain quarantine), and I cannot go out to check in the street shops for deals, not just the internet. In the meantime, I will play with what I have and learn.
Previously I had an asus router connected to my ISP WAN, connected to this I had a second asus router on a second subnet for my VPN.
If the Asus router could handle more than one IP address range or subnet there would have been no need for two routers. So I’m pretty certain you cannot achieve your goal.
All you would be able to do is set up your wired network as you desire, with the Asus as an access point it will be connected to only one subnet which will be broadcast over both 2.4 and 5g. You will still have a guest wifi but it will be an isolated guest wifi of the broadcast subnet, which is fine.
Just buy a 16 or 24 port switch (consider one with PoE then you won’t need an injector for your AP) and AP, then you will be able to do everything you want plus more.
Concerning VLANs and Wi-Fi, I’m not sure of the best third-party firmware for the RT-AC87U, but with the RT-AC68U, setting up VLANs for both the switch ports and Wi-Fi (“virtual wireless”) wasn’t too complicated using Shibby Tomato firmware (not supported on the RT-AC87U). It looks as though setting up VLANs in Merlin firmware requires the CLI.
I still keep a couple of RT-AC68Us around in case of an emergency, and I can configure the VLANs and Wi-FI as needed.
Good luck, there are some nice deals out there. In Ecuador, it is very hard to buy the proper equipment as the importer here (probably also with the import taxes) basically more than doubles the prices. I typically buy my stuff on Amazon US and then have a team mate bring it along on his/her next site visit; Of course for same reason as you, can’t do that right now.
I have used several super basic APs, and some routers have an AP mode, but options these days are pretty great and prices have come down a lot. Stay safe in Spain and hope things improve soon there as well!
Before I had a whole array of routers, access points and extenders for my home set up but I always had poor wifi. The root cause was having the main router on the ground floor on the floor
Once I ran ethernet cable, my life changed for the better Now I have a single AP screwed to the ceiling at the top of the house using PoE, it’s infinitely better.
The real problem with trying to re-purpose a router as an access point is that you are limited with where you can place the device. Don’t bother.
I’ve done router as AP before, even using some nasty old cheap routers that couldn’t have NAT turned off. A lot of cheaper hotels use them instead of proper APs. In a pinch, it works, as long as you can avoid a signal clash. In hotter countries, using a router as AP will likely overheat.
Most **** ‘interesting’ cheap ISP wifi routers overheat like crazy if you enable their wifi. Turning off the wifi on the router and using a separate AP if way better for placement, overheating issues. If you have no choice, you can try a USB cable and a 5V fan or a ‘light running’ 12V fan if you get very lucky to cool it. Some old cable modems used to need it (but that’s got much better now).
. I have a basic acknowledge of network and the videos from Tom are helping me a lot.
