My home network consists of the following:
1 x 4 port firewall device running PF
1 x HPE 5130 24G PoE+ 4SFP+ 1-slot HI Switch JH325A
1 x Ubiquity EdgeSwitch 24 Lite
1 x Unifi Cloud Key
5 x Unifi UAP-LR access points
8 x mixed bag of IP cameras (Hik, Dahua, AVtech)
A few IoT Sonoff wireless devices connected by eWeLink. (not ideal)
1 x NAS
Various hardware devices for IoT setup (docker, Proxmox, Frigate etc)
Firewall is configured as such:
OPT1 - WAN with static IP from ISP
OPT2 - LAN with with IP range 192.168.1.0/24 with DHCP. This is connected to port 26 on Edge Switch. IP 192.168.1.2
OPT3 - IoT LAN connected to port 25 on HPE. IP 192.168.40.2
OPT4 - spare
All LAN points (physical wall boxes) are connected to OPT2
All PoE devices (APâs and cameras) are connected to the HPE.
APâs and Cloud Key are on ports 1-12 and Cameraâs on 13-24.
The HPE by default is VLAN1 with all ports configured as ACCESS ports.
I would like to VLAN at switch level and not firewall (less overhead)
My requirements:
- Cameras to be on their own VLAN with no internet access. I would need to access them from any network (plugged into wallbox or connected via WiFi) So OPT2 and OPT3 access cameras but not vice-versa.
- Unifi APâs and Cloud Key can be on default VLAN1. I would need access to OPT2 and vice-versa.
- All access between OPT2 and OPT3.
- Create an SSID for my IoT devices which cannot access anything besides the net. Will give them static IPâs. Because they currently âphone homeâ they need to be isolated. My plan is to have an internal IoT network which does not require devices calling home.
Hope this makes sense and all suggestions are welcome.
Regards
In pfSense, under interfaces/interface assignments, you need to assign all the VLANs to a single port. Perhaps OPT 2. Then connect your pfSense unit to one of your managed switches. The trick/difficulty becomes configuring the switch. The port to the pfSense unit needs to be a âtaggedâ port (aka trunk port) so that it passes all VLANs to the switch. Likewise, anything else on your network that is VLAN aware and supporting multiple VLANs would need to be connected via a trunked port. So in my network (which is a lot âflatterâ than yours, I only have one managed switch), I connect my wireless access point (which is multi SSID and VLAN aware), and my Proxmox servers via trunked ports. If you were going to daisy chain to your second managed switch, that would have to be a trunked port as well.
Untagged ports (access ports) only support one VLAN, and in my network I have 5 VLANs on my 24 port switch. I have to designate which ports on the switch are for which VLAN then I connect things like my NAS box to a port that is on the VLAN I want it to be on.
I do all my routing and firewall rules on my pfSense box, because it seems easier to me. Your situation may be different with your hardware. In any case, I control which VLANs can communicate with the internet and other VLANs through firewall rules in pfSense. Since you have a layer 3 switch, you could do that in your switch or in pfSense, thatâs up to you. But for me, it makes more sense to do it in pfSense.
Regarding your last paragraph, I think if you want to do VLANs at the switch you need to stop thinking in terms of physical ports on the pfSense box. control everything through routing rules on the switch or firewall rules on the pfSense box. As far as static IPs I also do that on the pfSense box through DHCP reservations. Each VLAN can be set up with a unique IP range and you can set up a DHCP server per VLAN. In pfSense under services/DHCP server, you can assign reservations by MAC address, which I find useful since I donât have to set IP addresses on any of the individual devices.
This video should help you a lot
Dude, thank you so much for the in depth reply. I am busy processing and accessing what you suggest but just wanted to thank you for taking the time to respond.
I will update when I finalize my solution.
Kind regards
G
1 Like