Which pfSense router?

treebark · October 14, 2022, 11:52am

I work from home a lot now and my Netgate SG-1000 has worked great up until now. I want to segment my network, and I tried using VLANs with my managed switch and the SG-1000 router, but it just died under the load across the VLANs.

I need gigabit speeds across the network segments. I’m looking to upgrade the hardware for the pfSense router, but not sure how many ports I need or CPU/cores for the level of performance required. I’m not currently using VPN with the pfSense router, although I have done that in the past. I’m also dual stack IPv4 and IPv6 and have a IPv6 /48 from my ISP.

I have a Unifi UAP-AC-PRO wifi access point and I’d like to set that up to connect to Home and Office networks with separate SSIDs.

A logical view of my network is segmented into

Wan
Home
Office
Server

Everything in the green box is in my home, everything in blue is in my home office (separate building), and in pink is in my garage.

I’m guessing that I will need to have a physical interface for WAN, LAN, OFFICE, SERVER on pfSense to get gigabit performance across the networks? A 4-port device might be enough, but I’m wondering if I should get 6-port? My physical hardware looks like the below image but I’m not sure how it should be connected.

The LAN network only has access to internet plus one port on the SERVER
The OFFICE network has access to any network. Sometimes the OFFICE laptop is on wifi, and sometimes plugged into the office switch.
The SERVER network only has access to internet

Questions

Where should I plug in the Unifi Wifi access point? pfSense, or the Managed Switch? I don’t want to have to buy another Wifi access point for the Office laptop.
Looks like I should plug in the 5-port office switch directly into pfSense router instead of the 16-port managed switch?
Should I plug the server directly into pfSense or the 16-port managed switch?
Should I get a 6-port pfSense router for future needs, or just get a 4-port?

I’m considering Protectli 6-port device or a Netgate device for the router, but not sure which one.

neogrid · October 14, 2022, 12:16pm

I’d say, get a router with 6 ports on.

Those extra ports you have can be placed in a LACP LAGG with a managed switch, then connect the rest of your network to the managed switch.

No idea the best way to achieve the fastest speeds across vlans but if you don’t cross vlans and your router it will be the fastest. You can setup your network accordingly, then you have cost of hardware, electricity etc to take into account.

On Protecli’s site they have some info on the possible speeds, I recall.

treebark · October 14, 2022, 4:41pm

Thanks, that’s a good idea. I think I will go for one of these https://eu.protectli.com/product/vp4630/ although might be massive overkill.

Greg_E · October 14, 2022, 6:09pm

The fastest way to cross vlans is in the switch, assuming a managed layer 3 switch. Most switches rate their inter vlan routing at full wire speed when doing this.

Tom always says “do not route storage” so you may want to trunk the needed vlans to the NAS if possible. Or multiple interfaces on the NAS to carry the needed vlans.

neogrid · October 14, 2022, 6:31pm

I have six ports on my router, I keep one of those on the “LAN” so that I can directly access the box if I have to in an emergency. The rest of my Network only uses vlans.