Network Design with Unifi and/or pfSense?

Man, this forum (and this thread in particular from last week) is exactly what I was looking for.

My small business just moved to a new commercial location, and I’m taking the opportunity to overhaul our airquotes infrastructure.
Previously, that was a Comcast Business modem/router/gateway/wifi/firewall all-in-one-garbage-device. Which, jokes aside, actually worked pretty well for a small office of about 10 employees. I let the Comcast box do our internal DHCP and act as our wifi AP. We also have a small Synology NAS, which I have had configured to run internal DNS, and as an OpenVPN server (just via port fwds off the Comcast box).

In any case, for our new office, I’d like to expand our capabilities, and the tenant setup in the OP (of linked) is kinda where I’m headed. We still will have Comcast as our ISP, but I want to just swap their box with a straight modem, or put their box in bridge mode and ignore all it’s features.

modem -> USG-Pro OR pfSense -> unifi managed switch, cloudkey gen2 -> a couple of unifi APs and 8-port managed switches

The new location is much larger than our old one, but the building only has a few existing Cat5e runs spread out pretty sparse. So the plan is to drop the 8-port guys at each cable run, and feed user workstations and benches from there. I’d also like to have our internal vlan, a guest vlan, and one for our lab/test systems, and long term planning of a vlan for some security camera.

Originally, I was going to go with a USG-Pro instead of the pfSense, so that I could manage the entire network on the one platform. However, after doing more research and catching a few of Tom’s relevant videos, it looks like I’d have some potential issues with the USG-Pro:

• Using OpenVPN (though maybe i could continue to use it via my NAS, since I can’t on the USG?)
• In the future we will likely expand to get a small block of static IPs instead of just our 1, and it sounds like the USG-Pro can’t support multiple IPs coming in through 1 port?

I have some familiarity with the Unifi stuff already; and networking and firewall whatnots in general, but I don’t have any firsthand experience with pfSense.

• Are there any further caveats with going the USG-Pro route that I’ve missed?
• If I have all the other UI stuff (cloud key, switches, APs), can I still manage all of that cleanly through Unifi, if I go the pfSense route (and just manage pfSense own it’s own)?

Thanks all, for reading and for any advice or suggestions in advance! Just stumbled in to this community today, and it been a great help so far!

There’s numerous routes you can go down but the first one I would explore is setting up pfsense, if you’re not familiar with it I wouldn’t under estimate the time it takes to set up and configure the features you want. Then add the security, access and authentication on top.

On this forum, Netgear switches get no love but in your scenario I think they give good value for money especially on 48 Port PoE switches. Once set you will hardly ever look at it, it has a crappy UI but it’s acceptable.

I’d run more cable adding duel ethernet ports at each desk/location, managing multiple switches seems more effort than it’s worth. Though you can always daisey-chain switches later, going the other way will be more hassle.

I’d have in mind LACP/LAGG between all switches and devices/NAS more for redundancy.

OpenVPN on pfsense is a great implementation, boy you’ll need to do your homework if the OpenVPN on synology is anything like QNAP. You’ll need to understand the security / encryption and which one to use, I tend to go high but I have low amounts of traffic. Definitely set it up per device, that way if it gets stolen easy to deactivate it via the RADIUS server. I’d only setup wifi with 802.11x coupled with an OpenVPN connection, that way each user has their own credentials and additional protection using better encryption. You can also secure each ethernet port to ensure someone doesn’t rock up and plug in their virus infected machine causing havok.

You might want to give some thought as to how you manage passwords, personally I like at least 256 characters, amazing how many devices place a low character limit. Users are lazy when it comes to passwords, so it will be the weak point on your network.

Have a TP-LINK EAP245, it’s gotta be said the guest vlan with vouchers is really great, just like in the hotels you can configure it with a couple of useful parameters, read the manual for details, but really handy. Also it just came to mind, with it’s second ethernet port you can daisey-chain another AP spreading the wifi more easily.

Buy a netgate device with multiple ports and bond/LAGG them to the switch, for redundancy.

Dude you’ve got a lotta work ahead of you!!

As suggested, if you’re not familiar with pfSense download a copy and put it on a VM and have a play with it. Personally i didn’t find it hard to understand at all, but I have configured many brands of enterprise firewalls, so if you have some experience it will help.

If you’re happy to pay the premium for the Unifi switches and you want to use Unifi for WiFi then I would say go for it. They’re easy to set up and work, and yes you can run them alongside pfSense quite happily and just manage the two separately. Otherwise I would also recommend looking at Netgear (as much as I dislike them) as they do work and are good value for money, but only if you know what you’re doing as you could end up paying just as much in time.

If you are able to run extra cabling then that would be better long term than using extra little switches, but if you can’t you can’t. For only 10 employees I don’t think I would worry too much about aggregating links or having redundant links and using 802.1x. That isn’t to say they are bad suggestions, but the effort vs reward might just not be worth it. Of course that will depend on the business needs, such as always needing internet/network access, fast file transfers, having publicly accessible ports etc.

Edit: You might also want to consider 2FA/MFA on your VPN access, as that is always a weak point.

I’ll +1 most of what’s been said by @neogrid and @Acestes,

pfsense all the way for your gateway / head, either as a VM (my preference) if you have server(s) or a physical box (everyone else’ preference). Will do most of what you want out of the box but port forwarding, dns, openvpn, etc will take a bit of learning (watch Tom’s videos).

The plan for using small switches at the end of the existing cable also sounds like a reasonable plan. Not idea and not what I would recommend long term but to get you in an working whilst you work out where you are actually going to want things in your new space, go for it. I also use netgear switches where “smart” bit is not so important as their vlan implementation leaves me very very frustrated sometimes but given the multiple switch idea I would go unifi though as you can then centrally manage all those devices. If you go US-8-150W you have the option of fiber if your run is over 100m and poe for your APs, phones and cameras

Bang a UDM Pro in to manage your switches and any unifi AP’s you need and you also have the option to add CCTV further down the line.

Hope that helps.

Oh yeah save that pfsense ISO download, Netgate only post their latest version. You can save and restore the configuration easily but only to the same pfsense version, can catch you out !

Excellent, thanks for the feedback so far!

Generally, it seems to be playing out as I’d expected; pfSense is the recommendation, but requires some hands on time to get it all set up and sorted, especially for a n00b.

The rest of the design is somewhat fixed for the moment.
There won’t be any plans to run more cabling (management, ship has sailed, etc etc)
The bulk of the hardware has already been purchased (I pitched the basics of the plan a while back to mgmt).

So, what I’ve got is:
[unknown routing- likely to start as just the box from Comcast]
1: US-16-150W
2: CloudKey Gen2
3: AC-PRO APs (x6; more than we need for coverage, I’ll prob only use 1-2, depending on my heatmapping)
4: US-8 switches (x5, one per each cube/bullpen area)
5: a couple unmanaged switches

So, the 16 port guy is PoE, so will power all the APs and the 5 small switches, and will get the other misc direct IT stuff plugged in, like the cloudkey, the Internet, the NAS… and that’s really all I’ve got. We don’t have any servers or anything.

And we have about 7 wired runs from wallplates, which will prob get connected in through the unmanaged switch for now, since they don’t need PoE, but I don’t have another managed switch.

We have 14 staff total. I’d say 80+ % of them use wifi, but I still want to provide them with the ability to plug in their laptops at their desk. A couple of the management folks have desktops that require ethernet, as does the MFP, etc.

The OpenVPN I’ve previously set up on the NAS was incredibly easy to configure via the built in GUI; and I’m applying it to user’s LDAP accounts (also via the NAS), so enable/disable is straightforward, as are password strength rules.

Technically, None of what I am wanting to do is necessary. I could probably continue to run everything off the Comcast box and a single unmanaged switch. But what fun is that?

Plus, I get to play around with all this stuff while at the same time building in infrastructure that should be much more easy to accommodate growth in the years to come.

I’ve got a QNAP NAS, I guess they’re similar to Synology, boy would I not trust it with the things you have ! The backplain for the drives tend to just fail, I’ve not experienced it on my NAS’s but I did buy one from Amazon Warehouse where bay 7 failed, the whole unit needs to be sent back to QNAP.

You ought to consider running those services in vms then you can easily and cheaply have redundancy. I always prefer that my planes have at least two engines

I appreciate the note. Right now, we don’t have any servers of any type; almost exclusively end user laptops.

The Synology stuff has been pretty solid though, honestly. I’ve been running a 4 bay one at home with 1 disk redundancy, and a 5 bay one at our office with 2 disk redundancy, for almost 8 years each with no issues whatsoever, and only 1 drive failure (a WD Red that died in the first 3 days).

They’ve been rock solid. Primarily it is file storage. All of the additional functionality that we use has been optional, but super convenient. I’d highly recommend one to anyone. I don’t know about some of their larger units and how they hold up with more users beating on them more often, but for 10-15 employees, with probably 50% in the office at any given time, and mainly serving files and doing enduser backups? It’s been a champ.

@Nate, Sounds like you are good to go then

If you don’t have anything to run VM’s on then for sure try and get budget for an SG-1100 to do your wan and potentially offload openvpn from your NAS. About £150 (UK) so I guess < $200 (US) (not sure where you are).

If you start to have concerns about the NAS then Microsoft 365 gives you Azure AD for logon and OneDrive for file storage.