New Network Topology


I am building a new network as per the diagram and I have some questions if anyone has some thoughts …

Planning on multiple subnets:

  1. I know I could send everything over one cable from the pfSense box to the first switch, but that doesn’t seem like the best approach? The pfSense has six 1Gb ports, why not use them all rather than push everything through a single 1Gb port? Very easy to run a few short cables to the switch …

  2. The weight of opinion seems to suggest don’t use VLAN1 for anything. The Unifi switches create a default Corporate network using VLAN1 and as I understand it there is no way to modify this. So, I intend to just ignore it, leave it set to the default (my network will use different subnets) and don’t touch it.

  3. Should I make all 6 subnets above as VLANs (VLAN on pfSense and “vlan only” on Unifi)?
    Make the WiredLAN a “real” physical network on pfSense and make a new Corporate network on the Unifi Switch for it. The other 5 networks would then be VLANs on pfSense and “vlan only” on Unifi. Other variations worth considering?

Grateful for any thoughts and suggestions …


Just some thoughts, while I’m far from a network engineer I did switch over to pfsense and wired up my house last year.

Not sure if your subnets equate to VLANs or not but VLANs seem to be the way to go if you have managed switches. VLANs offer more flexibility for the future while making it easier to segment the network.

Don’t really understand what you mean by wireless lan unless it’s precisely what you say, or your AP can’t handle multiple SSIDs.

I’d stick all those subnets on their own vlan including Guest for that one person who rocks up with their ethernet cable.

Get those four cables from pfsense into the switch on a LAGG/LACP because you can.

The best approach depends on what outcome you want. If you don’t have prior knowledge of pfsense don’t underestimate the effort required to get that sucker where you want it.

Don’t see OpenVPN, it might be handy if this is your home and you want secure connections from the pub :)

So my thoughts would be to identify the max throughput of your network to your pfsense. Like are you going to have devices transferring data at gigabit speeds all the time? Then once you have an idea then you can build out. I also am not a network engineer but to answer some questions.

  1. LAGG would probably be fine at least to the first switch. Do both the switches have SFP+ ports on them? If they do then I would link the switches together with 10Gb and save yourself some ports.

2/3. You would be correct and use VLANs. It is best practice to change default subnets. What I do at my house is set up a management VLAN for things like pfsense, freenas, UniFi controller and so on. Then VLAN out your guest, IoT, DMZ and so on.

Personally (as a network engineer) I would use link aggregation from the pfsense to the first switch, but your design is functional and that is really what matters. As for using VLAN 1, I would ditch it and never use it in the network. As for your last point, I would make all subnets a VLAN since I would agg from the firewall to the switch.

One thing I would point out too is that if your connection to the firewall is 1G, it is highly unlikely that you will get that throughput so link agg would be more for redundancy than performance. Being that you have many single points of failure in your network (which is fine since it isn’t an enterprise network) running a single link as a trunk between your pfsense and switch should be fine as well.

Thanks for the input everyone, much appreciated.