Network design help/information

crc_error_79 · August 27, 2022, 12:33pm

Hello, I want to “re-design” my home network with a better layout (organized, future proof, etc), because now, “the caos rules”.

My house has 3 floors: basement (common part), ground (my parents apt.) and 1st floor (mine apt.).
With a total of 6 network: untagged (unifi devices & pfsense router), vlan 1 (my network), vlan 2 (parents network), vlan 4 (my iot), vlan 5 (parents’ iot), vlan 6 (common iot - network camera’s, etc)

Currently the pfsense it is the “center of the universe” (vlan, dhcp, dns, firewall, etc), if it crash, everything goes down.

So, to avoid that, and to reduce the router’s load, the plan is to add a layer 3 switch to each floor and move the vlans management (dhcp etc) to the unifi network.
Leaving on router: firewall, dns and the other internet related services (vpn, pfblocker, etc).

Could this work? If so, is this the best solution?
Or is it better to leave everything on pfsense (since it handles the rules for the communication between vlan & internet) and set the L3s to dhcp relay?

I drawn a sketch of the network I want to create + different wiring options.

I will use the 10gb SFP+ for the communication between L3 and L2 switches as well as the communication between the basement L3 and pfsense and the nas.
Between floors will use cat6e cables always using the 10gb connection.

I think that the best option is to use A + B but I have to check if there is space for 2 cables inside of the corrugated pipes in walls, otherwise I will opt for the option A.

For the L3s I plan to use Unifi switch XG 6, for L2s the Unifi Enterprise 8 Poe so I can power the wifi6 AP (Unifi) and the secury cameras.

I know, its an infinite post, and since Eng is not my main lang I hope that it clear…
Thanks

LTS_Tom · August 28, 2022, 11:12am

Keep everything going through the pfsense, if you are worried about the pfsense failing either keep a spare one ready or configure a matching system in HA.

crc_error_79 · August 28, 2022, 2:14pm

Thank you, but can I ask you why?
There are some limitation to set the pfsense as relay and unfi as dchp server?

If I keep the pfsense should I opt for the wiring C? Or is A+B the better?

LTS_Tom · August 28, 2022, 9:11pm

I prefer pfsense because it’s simple and my rules are all in one place.

g-aitc · August 31, 2022, 5:14pm

K.I.S.S. , way overly complicated switch hierarchy, set up vlans.

crc_error_79 · September 4, 2022, 8:39am

Sorry for the delay,
Yes I know, simple is better, but the idea was to reduce the load on the router … Also I like the unifi interface (million miles away from pfsense that looks like a 90s website).

Anyway I had to redraw the home lan because I realized that the 90% of traffic between vlan is also between floors. So I think that I will opt for layer 2 switches, or are layer 3 (set in dhcp relay) the best option?

chris · September 4, 2022, 8:58am

Is the load on pfSense an issue right now?

As to the UI: Yes, Unifi looks nicer. But the USG, at least when I looked at it a few years ago, was basically a toy relative to pfSense.

If you want to play around with things for the sake of it (not necessarily a bad thing) the changes you are contemplating might make sense. But in terms of reliability and operational complexity (think about disaster recovery) I personally have my doubts.

crc_error_79 · September 5, 2022, 7:27pm

Actually no, or at least I don’t think so…
Because I don’t know how to measure the load (the amount of data) it manages.
CPU as well as RAM usage are always very low, but I don’t know if the real worker (the lan controller) works at full speed or it is relaxed like its colleagues (cpu/ram/disk).

For the second part I am sorry but I am not sure what do you are referring but it’s my fault, eng is not my main lang.
Are you talking about the unifi software, the hardware I chose or the project I want to realize?
If it hw or project, what should I do to improve it?
Consider that is an home network for 2 families, so the worst thing it can happen is that my family or my parents can’t reach internet or nas

chris · September 6, 2022, 10:18am

It is not clear to me why you want to change anything. What do you want to achieve?

bb77 · September 6, 2022, 12:17pm

The cheaper and also the easier way to achieve this, would be to buy another identical pfSense box, configure it identically and keep it as a cold spare. If something crashes on the main box you can just connect the spare box and you’re up and running again in a few minutes. But even that is probably overkill for a home network. I for myself do regular backups of my pfSense config and I have a few spare SSDs and NICs lying arround anyways. However, now that we are talking about failing components, I should probably have a spare power supply too

crc_error_79 · September 6, 2022, 6:39pm

@bb77
Yes I think that I will do in this way

@chris
Now my home network is a mess, I have wires come and goes between router and switches without a logic.
It works but it is not the best, especially if I have to do some upgrade or modification.

Since I have to do some renovation work in the whole house the idea is to remove the existing wires and do a better job.

My first idea was to put a layer 3 switch on each floor, but since I realized (with the forum suggestion) that this is not the best option for me, I will use layer 2 switches, and I will continue with pfsense as the “brain” of the whole networks.

I’ve done a new sketch to let you figure out what I am trying to explain.

About the wiring, I want to use 2 wires to connect each switch (with aggregation, so I will have 5gb between the main switches and the router), do you think that is a good idea? or should I do a very complex and “unnecessary” (for my case) connection between all switches and these to router?
Like so:
SW1 → router
SW2 → router
SW3 → router
SW1 → SW2
SW2 → SW3
SW1 → SW3

each main switch “SW” will have a secondary switch if needed

Thanks

neogrid · September 6, 2022, 7:05pm

@crc_error_79 I wouldn’t setup the network in that way, if the switch in the basement goes your network is down.

Instead I would have a main switch connected to pfSense, then I would connect via a lagg to switches on each floor. You basically need to run cables to each floor / room in your house to one main point (where your router is). A star topology that way you only have a single point of failure. Run all the APs to your main switch or a PoE switch which is connected to your main switch.

When I wired my house, I ran two cables to every room, then put in switches in each room over a lagg.

I would run as much cable as you can, after you have gone through that pain you won’t want to do it a second time.

crc_error_79 · September 6, 2022, 7:31pm

I will do some tests to see if I can do a star network, but I have some doubts…
I have concrete walls and I am very limited to the location where to run the wires, I am going to use the conduits of antenna and phone [since I am no longer use them] but these corrugated pipes have a small diameter (16 or 20 mm) so I don’t know if I can put more than 2 ethernet cable in each conduits.

I will check and I will tell you , in meantime thanks for the reply

chris · September 6, 2022, 8:00pm

I have a somewhat comparable situation here and the following (translated to your building) works well for me:

One switch on each floor (all 1 Gbps only)
Switch in basement is connected to switch on ground floor with single cable
Switch on ground floor is connected with other cable to switch on 1st floor
All devices (APs, pfSense, PCs, IoT devices, etc.) are connected to the nearest switch
Im using VLANs (in pfSense and my 8-port Unifi switches, but others will work as well) to segregate the networks
The VLANs are optional. You can start with a flat network, if you are ok with the potential threat from unpatched IoT devices

I am using solely 1 Gbps connections. More speed is always nice, but for me it was not worth the added complexity that comes with LAGG. This setup is for a professional environment (enterprise software development).

If there are concerns for a switch being a single point of failure (and the same goes for pfSense and APs), I would recommend to have a tested(!) spare laying around. An HA setup is nice to play around. But experience teaches that quite often the additional complexity actually decreases overall availability.

dwahome · September 15, 2022, 11:21am

@crc_error_79 we do a lot of installations in concrete, it’s the primary construction material in KE, in a 20mm conduit you can run a single 12 core fiber optic cable and splice pairs on each floor thereby achieving a start topology. Use if BiDi transceivers will allow you to use 6 Core or 8 Core fiber with the same results.

My 2 Cents

crc_error_79 · September 19, 2022, 6:03pm

Thanks for the reply and sorry for the delay…
I am totally newbie about fiber, could you give me more info? links etc?
Are 12 core fiber hard to “crimp” (I don’t know the term, I mean attach the connector)? What could been the costs?

dwahome · August 15, 2023, 12:04pm

For Fiber best to use Splicing/Fusion. You can get a contractor to do it for you. Splicing kits are rather costly.

Fiber Optic Splicing Guide & Demo - YouTube

Paul · August 15, 2023, 12:12pm

You can get premade fibre cables with the connectors attached

Another option is to use Cat 6a cable , 10GB is supported upto 100 meters - use SPF to RJ45 convertors

crc_error_79 · August 21, 2023, 7:29pm

little update, running fiber was too complicated (I didn’t found any technician or shop that rented the soldering machine for the fiber), so I opted for cat8 cables (now the cost of a good cat8 or 7 cable it is the same of the 6e).

It was an hard job (because of the thickness and rigidity of the cables and the small diameters of the corrugated pipes), but now from a single poe++ switch (an unifi 24 ports), I can power everything around the house (cameras, switches, etc), without losing a single bit.