Office Network Design and Planning with VLANs, LLDP, Rules, IoT, Guest using

It’s a longer video, but I have been wanting to get this out there as a lot of people ask us about setting up small business / home office networks.


We have a managed switch, a TP-Link JetStream 2600G, and it’s a pain to set up the VLANs on that switch. Do all managed switches have the same concept for setting up VLAN ports? Thanks.

Depends on the switch; some are better than others. The one you have does a bit. Are you using all its functionality, or was it a freebie?

I agree with Faust, it is switch dependent and in some cases it’s even model dependent.

Find one that you like and stick with it. I’ve settled on the Netgear switches: they have a good enough GUI, the functionality is sufficient, and they can handle the throughput I need for a basic office LAN.

On the VLAN side you will need to set the default VLAN (untagged) and any other tagged VLANs; then, if you have a device that is not VLAN aware, you can set the PVID of each port.

It’s a bit of a mind bend until you start using VLANs, and then they finally click and you get that light bulb moment.

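The untagged/tagged/PVID behaviour described in the post above is easier to see in code than in a switch GUI. The block below is an added illustration, not code from the video, from anyone in this thread, or from any switch vendor: it models the generic port semantics (access, trunk, hybrid, PVID) as a small 802.1Q frame classifier and shows what happens to untagged LAN traffic and tagged guest traffic between a firewall on one port and an AP on another. Port names, MAC addresses and VLAN IDs are constructed for the example.

```python
"""Model of how a managed switch classifies and forwards 802.1Q frames.

Added illustration, not code from the video, the thread, or any switch vendor:
it implements the generic port semantics (access, trunk, hybrid, PVID) that the
post above describes, so you can see which frames survive a given port
configuration. Port numbers, MAC addresses and VLAN IDs are constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q tagged frame


@dataclass
class Port:
    name: str
    pvid: Optional[int]                        # VLAN for untagged ingress; None = drop untagged
    tagged: set = field(default_factory=set)   # VLANs carried with a tag
    untag_pvid: bool = True                    # send PVID traffic out untagged


def access(name, vlan):
    """Access port: one untagged VLAN, no tags in or out."""
    return Port(name, pvid=vlan)


def trunk(name, vlans, native=None):
    """Trunk: tagged VLANs only, unless a native (untagged) VLAN is given."""
    return Port(name, pvid=native, tagged=set(vlans))


def hybrid(name, pvid, vlans):
    """Hybrid: untagged PVID plus a list of tagged VLANs on the same port."""
    return Port(name, pvid=pvid, tagged=set(vlans))


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, rest) where rest starts at the EtherType."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, frame[16:]   # low 12 bits of TCI = VLAN ID
    return dst, src, None, frame[12:]


def build_frame(dst, src, rest, vlan=None):
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan is given."""
    tag = struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + rest


def ingress_vlan(port, frame):
    """Classify an incoming frame; None means the port drops it."""
    _, _, vid, _ = parse_frame(frame)
    if vid is None:
        return port.pvid               # untagged -> PVID (or dropped if no PVID)
    return vid if vid in port.tagged else None


def egress_frame(port, vlan, frame):
    """Re-encapsulate for the outgoing port; None if it is not a member."""
    dst, src, _, rest = parse_frame(frame)
    if vlan == port.pvid and port.untag_pvid:
        return build_frame(dst, src, rest)          # leaves untagged
    if vlan in port.tagged:
        return build_frame(dst, src, rest, vlan)    # leaves tagged
    return None


def forward(in_port, out_port, frame):
    """Frame as it leaves out_port after arriving on in_port, or None if dropped."""
    vlan = ingress_vlan(in_port, frame)
    return None if vlan is None else egress_frame(out_port, vlan, frame)


def example():
    """Firewall on port 16, AP on port 6: compare a few port configurations."""
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"   # constructed MACs
    rest = b"\x08\x06" + b"\x00" * 28                     # EtherType ARP + dummy body
    lan = build_frame(dst, src, rest)                      # untagged LAN traffic
    guest = build_frame(dst, src, rest, vlan=10)           # tagged guest traffic

    ap = hybrid("port6", pvid=1, vlans={10})
    fw_hybrid = hybrid("port16", pvid=1, vlans={10})
    fw_trunk_no_native = trunk("port16", vlans={1, 10})
    fw_trunk_native1 = trunk("port16", vlans={10}, native=1)

    return {
        "hybrid_lan": forward(fw_hybrid, ap, lan),                    # untagged both ends
        "hybrid_guest": forward(fw_hybrid, ap, guest),                # stays tagged 10
        "trunk_no_native_lan": forward(fw_trunk_no_native, ap, lan),  # dropped: no PVID
        "trunk_native1_lan": forward(fw_trunk_native1, ap, lan),      # works again
    }


if __name__ == "__main__":
    for case, frame in example().items():
        print(f"{case}: {'dropped' if frame is None else frame.hex()}")
```

The case worth remembering is `trunk_no_native_lan`: a trunk port with no native VLAN has no PVID, so anything arriving untagged is discarded. That is the generic reason a LAN that rides untagged on a shared link stops working the moment the port is switched from hybrid to a tag-only trunk.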

That is so true, the enlightenment

We’re planning to use all the helpful functions of a managed switch, especially VLANs, because of the UniFi APs that we have…

As long as you’re planning to use more of the functions than less, then it’s worth learning the interface and working through it, especially if it’s for your own use. For basic uses, I’m like greenvolk and find Netgear decent enough.

Just plan on what you want in the end, and work at it port by port; you’ll get there. :+1:


I’m planning to get our UniFi APs onto their own VLAN as per this vid. Does the UniFi controller have to be on the same VLAN? Currently the APs, the controller (a Windows VM) and the office computers are on the same network; that’s how I manage them.

As I stated in the video, you want the controller and APs to be on the “ALL” VLANs, and you set the VLAN options in the AP itself.

Thanks, I’ll just have to re-watch the vid! : )

A few years later- still a great video!

At about 15:07 Tom starts to discuss the switch port profiles.
I didn’t catch him specifically mention that the CloudKey must be set to the “All” profile, but we can see that he configured it that way. This makes sense for a local hardware UniFi controller.

My question is:
What about users who are running the UniFi Controller on a Linux server within a VM or container?

I don’t think it is best practice to use the “All” profile with a typical server; my understanding is to put my servers in some type of servers VLAN (in the context of a homelab environment).
Should I set the switch profile to my Servers VLAN as the native network and then also include the LAN (management network) as a tagged network? Then on the server side, have the UniFi Controller Docker container use the LAN (management network) as its network interface instead of the Linux server’s primary interface?

Second unrelated question:
I see that Tom has set this up with all the VLANs using the same physical interface as the LAN. I’ve seen some people suggest that, if the firewall has enough interfaces, you use one interface for LAN and then a separate interface for all the VLANs. Does anyone know the pros and cons of each? I’m leaning towards doing it the way Tom has done it, but I could do either. My pfSense box has 4 NICs and I am only using 1 for WAN, leaving 3 for my internal side.

Thanks all

I have 4 ports in a LACP LAGG from my pfSense box to my switch. The other ports are WAN and LAN.

All my VLANs are over the LAGG, mainly for redundancy. However, if I had a VLAN that had heavy traffic I might take it out of the LAGG and either put it in a second LAGG or keep it on a single port. (I don’t have much traffic.)

I just use the LAN as an emergency access to the pfSense box if I need it.


Great video. I followed Tom’s examples but I’m having an issue.

I’m running pfSense connected to port 16 on my D-Link DGS-1100-16 and I have a UniFi UAP-AC-LR plugged into port 6 and a UAP-AC-M connected wirelessly to it.

The D-Link’s ports are set to Hybrid with VLAN1 as the native VLAN and VLAN10 tagged on both port 6 and 16.

I have one SSID connected to my LAN which gets DHCP from my Windows 2016 server; that works fine.

I’ve defined a second SSID as a Guest network running on VLAN10 with DHCP defined on the pfSense.

I can connect to the guest network and get an IP and DNS as defined in the scope from the pfSense. However, I don’t get Internet access.

I’ve defined the rules exactly as in the video. I also opened it up to any from any and I still don’t get out to the Internet.

I tried changing port 16 to Trunk; that broke both SSIDs.

I tried changing port 6 to Access; it didn’t change anything.


BTW Tom. I’m originally from Dearborn. My Dad grew up in Wyandotte and Lincoln Park (still have family there) and I played hockey against Southgate when I was a kid. Small world…

I have not worked with D-Link switches in a long time, but generally the ports where the pfSense and the AP connect should be set up to TRUNK (allow all VLANs), or whatever D-Link calls them.

A funny thing happened today.

Earlier I tried switching the D-Link to Trunk. That did not work; as a matter of fact it terminated the connection to the pfSense and the AP respectively. So I set things back to hybrid and left it for a while.

This afternoon I was watching some videos on WatchGuard’s cloud firewall configurations. During a video on Dynamic NAT configuration the trainer happened to mention that if you ever create a new network and can’t get to the Internet, make sure somebody didn’t delete your default NAT for that particular network.

Then it dawned on me. Several years ago I used your instructions to set up OpenVPN along with Private Internet Access. That configuration included setting your NAT rules to manual.

In addition to having to add a NAT rule for my guest network, I also had to modify the firewall rule for the Guest network to use the WAN_DHCP gateway instead of the default of *.

Well, it took me a while, but I got there.

Now my only question: is there any way to set up alerts to let you know when your Private Internet Access VPN goes down?

Mine goes down on occasion and I have to manually restart the service. It would be nice if there was a way to get notified rather than just stumbling upon the fact that the VPN is down.
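The two fixes in the post above (a missing outbound NAT rule for the new guest network, and a firewall rule whose gateway of `*` follows the routing table rather than the WAN) are the kind of thing worth checking mechanically after switching outbound NAT to manual. The block below is an added illustration, not pfSense code and not the configuration from the video: it is a hand-built model of an outbound NAT table and a gateway-to-interface map, with a checker that reports which internal networks have no NAT rule on their actual egress interface. All subnets, interface names and the gateway names `WAN_DHCP` and `PIA_VPNV4` are constructed for the example.

```python
"""Checker for the two failure modes described in the post above.

Added illustration, not pfSense code and not the video's configuration: the
interface table, outbound NAT table and gateway-to-interface map are a
simplified, hand-built model of a firewall with manual outbound NAT and a
VPN client. All subnets, interface and gateway names are constructed.
"""
import ipaddress

# Constructed: internal networks (interface name -> subnet).
INTERFACES = {
    "LAN": "192.168.1.0/24",
    "GUEST_VLAN10": "192.168.10.0/24",
    "SERVERS_VLAN20": "192.168.20.0/24",
}

# Constructed: manual outbound NAT table. The guest VLAN was created after NAT
# was switched to manual for the VPN, so no rule was ever generated for it.
NAT_RULES = [
    {"interface": "WAN", "source": "192.168.1.0/24", "translate": "WAN address"},
    {"interface": "WAN", "source": "192.168.20.0/24", "translate": "WAN address"},
    {"interface": "VPN", "source": "192.168.1.0/24", "translate": "VPN address"},
]

# Constructed: which interface each routing gateway sends traffic out of.
GATEWAY_IF = {"WAN_DHCP": "WAN", "PIA_VPNV4": "VPN"}


def covered(subnet, rules, interface="WAN"):
    """True if some outbound NAT rule on `interface` translates `subnet`."""
    net = ipaddress.ip_network(subnet)
    return any(
        r["interface"] == interface
        and net.subnet_of(ipaddress.ip_network(r["source"]))
        for r in rules
    )


def missing_outbound_nat(interfaces=INTERFACES, rules=NAT_RULES, egress="WAN"):
    """Internal networks with no outbound NAT rule on the egress interface."""
    return sorted(n for n, s in interfaces.items() if not covered(s, rules, egress))


def egress_interface(rule_gateway, default_gateway):
    """A firewall rule with gateway '*' follows the routing table, i.e. the
    system default gateway; any other value policy-routes to that gateway."""
    gw = default_gateway if rule_gateway == "*" else rule_gateway
    return GATEWAY_IF[gw]


def check_network(name, rule_gateway, default_gateway, rules=NAT_RULES):
    """Where does this network's traffic leave, and is it NATed there?"""
    iface = egress_interface(rule_gateway, default_gateway)
    return {"egress": iface, "nat": covered(INTERFACES[name], rules, iface)}


def fixed_rules():
    """The NAT table after adding the missing rule for the guest VLAN."""
    return NAT_RULES + [
        {"interface": "WAN", "source": "192.168.10.0/24", "translate": "WAN address"}
    ]


if __name__ == "__main__":
    print("no outbound NAT on WAN:", missing_outbound_nat())
    print("guest, gateway *, default route via VPN:",
          check_network("GUEST_VLAN10", "*", "PIA_VPNV4"))
    print("guest, gateway WAN_DHCP, before fix:",
          check_network("GUEST_VLAN10", "WAN_DHCP", "PIA_VPNV4"))
    print("guest, gateway WAN_DHCP, after fix:",
          check_network("GUEST_VLAN10", "WAN_DHCP", "PIA_VPNV4", fixed_rules()))
```

The model makes the interaction of the two settings explicit: with the rule gateway left at `*` and the box's default route pointing at the VPN, guest traffic leaves via the VPN interface where it has no NAT rule either, so neither fix alone is enough.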



You need to set up a kill switch for when your VPN goes down.

I do and I will but that still doesn’t notify me when it’s down…

There is a notification option somewhere in pfSense, maybe it sends out logs, I’ve never used it.

IMO it’s better that if your VPN goes down it switches over to another connection.
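For the notification question raised above, a small poller that alerts only on a state change is the usual approach when the firewall has no built-in alert for that tunnel. The block below is an added illustration, not a pfSense feature and not anything from the video or this thread. It assumes a FreeBSD-style `ifconfig <iface>` output (a `flags=...<UP,...>` line plus an `inet` line once the tunnel is established), an OpenVPN client interface named `ovpnc1`, a state file path, and a `notify` callable standing in for whatever delivers the alert (e-mail, push, syslog); all of these are assumptions, and the two `ifconfig` outputs embedded in the code are constructed samples for the dry run.

```python
"""Poll a VPN tunnel interface and alert only when its state changes.

Added illustration, not a pfSense feature and not the video's configuration.
Assumptions: the VPN client interface is ovpnc1 (constructed), `ifconfig <iface>`
prints a flags=...<UP,...> line and an `inet` line once the tunnel is up, and
`notify` is a stand-in for the real alert channel. The two ifconfig outputs
below are constructed samples used by simulate().
"""
import json
import pathlib
import re
import subprocess

SAMPLE_UP = """ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\toptions=80000<LINKSTATE>
\tinet6 fe80::1%ovpnc1 prefixlen 64 scopeid 0xa
\tinet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
\tgroups: tun openvpn
"""
SAMPLE_DOWN = """ovpnc1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
\toptions=80000<LINKSTATE>
\tgroups: tun openvpn
"""


def tunnel_is_up(ifconfig_output):
    """Up only if the interface reports the UP flag and has an IPv4 address."""
    has_up_flag = re.search(r"flags=\w+<[^>]*\bUP\b", ifconfig_output) is not None
    has_inet = re.search(r"^\s*inet \d+\.\d+\.\d+\.\d+", ifconfig_output, re.M) is not None
    return has_up_flag and has_inet


def read_ifconfig(iface):
    """Live probe; a missing interface or missing ifconfig binary counts as down."""
    try:
        return subprocess.run(["ifconfig", iface], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


def poll(iface, state, fetch=read_ifconfig, notify=print):
    """One poll: update `state` and return 'up', 'down' or None (no change).
    The first poll only records the state, so a reboot does not raise an alert."""
    current = tunnel_is_up(fetch(iface))
    previous = state.get(iface)
    state[iface] = current
    if previous is None or previous == current:
        return None
    event = "up" if current else "down"
    notify(f"VPN {iface} is {event}")
    return event


def simulate():
    """Dry run over a sequence of constructed states; returns the alerts raised."""
    alerts = []
    state = {}
    for out in (SAMPLE_UP, SAMPLE_DOWN, SAMPLE_DOWN, SAMPLE_UP):
        poll("ovpnc1", state, fetch=lambda _iface, o=out: o, notify=alerts.append)
    return alerts


if __name__ == "__main__":
    # Real use: run from cron every minute; state survives between runs in a file.
    state_file = pathlib.Path("/var/db/vpn_monitor_state.json")   # assumed path
    state = json.loads(state_file.read_text()) if state_file.exists() else {}
    poll("ovpnc1", state)
    state_file.write_text(json.dumps(state))
```

Keeping the last known state on disk is what turns a poller into a usable alert: without it every cron run that finds the tunnel down sends another message, and with it you get exactly one "down" and one "up" per outage.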