pfSense first time build question



You have one gateway, your pfSense box. If the ISP modem is handing out a 192.168.0 address to your pfSense box, then you would have a double NAT (two gateways in your terms).

If your ISP allows, put the modem into bridge mode so that the internet IP will go down to the pfSense box.

Also, right now your only gateway should be the pfSense box. There should be no other gateway.

A gateway connects you to a different network. The pfSense has two different networks on it. It is your only gateway.

If your switch had more than one network on it and could route between those networks, it could become a gateway.


Thanks sc302, really appreciate your help.

Now I'm working on VLANs, which seem very tricky. There are lots of terms I'm not familiar with, such as tagged and untagged, port-based VLAN, 802.1Q VLAN, VLAN ID, and how to set it all up. Ultimately I want to have the two main desktop computers on 1 VLAN, and wireless on another VLAN with 3 separate SSIDs. Would you be able to break some of this lingo down for me?

This is crazy! You network guys are insane. From the outside, it seems like this stuff is simple, but boy is it complex. Obviously for my case it's like jumping into a fire without the knowledge of stop, drop and roll and/or a fire extinguisher, but so far I'm relishing the learning experience. I've got a CCNA book at home, hoping it will help me build up my knowledge, and even though I'm at school I keep thinking of networking!


Terminology sure helps, lol.

Best thing that I can suggest is draw out how you want it to look first. We can make suggestions and changes on the drawing, finalize the drawing, then put the drawing into a config. You need to understand it before you can configure it. Can I configure it? Absolutely... but will you learn anything from it, and will you be puzzled by it, if you don't draw it out and understand it? Ask @BinaryData.

https://www.draw.io (it would be a good idea to learn how to draw here, it can be applied to other programs later) is a free cloud-based drawing site; create your site and label it with the right IPs/VLANs.

Once you have a picture of how you want it laid out, then we can start the configure process.

Untagged is when you have a device on the other end. A device is considered a PC, phone, Xbox, PlayStation, etc... it could also be a switch, but to keep it simple for now let's stick with device.

Tagged is when you have a switch on the other end and you need to trunk to it. Trunking is the ability to have multiple VLANs communicate over the same single physical connection.

802.1Q is another word/phrase for trunking, or something that supports trunking.

Port-based VLAN is when you assign a physical port on your switch to a specific VLAN; this is also known as an untagged port.

VLAN ID is the numerical ID of the VLAN: VLAN 1, VLAN 2, etc.

Why 3 separate SSIDs? If you are going to have 3 separate, why not 3 separate VLANs?

Now you know why I said to put everything on the same network first. Get your basics on the ground and functioning first, then worry about VLANs later. First you need a basic understanding of how 1 network works before you can get your feet wet and incorporate multiple networks in the pool.

We can go a little nuts:

Network devices on VLAN1
Wired PCs on VLAN2
SSID1 on VLAN3
SSID2 on VLAN4
SSID3 on VLAN5
Printers on VLAN6
Gaming/Roku/streaming on VLAN7

Do you want security on your VLANs, or do you want them to be open to each other (all wireless can see everything: PCs, servers, other wireless networks, printers, gaming... and vice versa)?

How crazy do you want to get with this?

(FWIW, I don't like putting anything on VLAN1... nothing gets this VLAN, but for simplicity's sake I have left it.)


Good evening. I have a simple network at the house. My coax cable (cable provider) runs into a modem > Netgear router, which was designed as an AP and serves wired (Cat5) and WiFi connections. It does allow for setting up stringent settings for blocking certain traffic, websites and such. Going back to my old days as an MSFT-certified network tech, circa 2000, I have a bus topology or WiFi star, minus the cable salad.

Works for me.

@OP: Gateways? You have a pretty nice setup then.


Froggy, sometimes you want to isolate certain networks from being able to communicate with each other (i.e. isolate the guest network to only communicate with the internet; it cannot communicate with LAN equipment or access the configuration pages of network equipment). While it may be overkill in a home network, it can absolutely be done... that all goes into the design phase. While I can configure it, there is no learning, no questions asked about how or why you do it, the meaning gets lost, and learning & teaching get thrown out the window.

I already asked a question: why 3 SSIDs?

I also asked him to draw his network up as he envisions it. This will allow me to ask more questions and come up with a game plan of how and why. This is beyond your simple scenario, no disrespect.


BD is a really bad example sc302 ;) He says he understands something, then 30 seconds later when you ask him to repeat it back it's gibberish or completely wrong.. Squirrel!!!!

He still doesn't grasp the difference between layer 2 and 3... I bet ya!!

But yeah I agree - draw what you think it should look like, and we can work through how to set it up..


5 hours ago, BudMan said:

BD is a really bad example sc302 ;) He says he understands something, then 30 seconds later when you ask him to repeat it back it's gibberish or completely wrong.. Squirrel!!!!

He still doesn't grasp the difference between layer 2 and 3... I bet ya!!

But yeah I agree - draw what you think it should look like, and we can work through how to set it up..

Shush you! I just take on too much, and get overwhelmed. It's a bad habit of mine.

I have a partial understanding of L2 vs L3. I know I've got more to learn, which is why I haven't asked for any help, other than a desktop ESXi box.


3 months later...

Awesome, well I'm almost back to learning more about networking. While I've been studying I have been watching a YouTube channel called "Eli the Computer Guy" and he's really helped me understand the basics a bit clearer. I have a couple of questions though; hopefully you guys can answer them along with my original request for help setting up VLANs. Hopefully I can sound a bit more educated as well lol.

1. He spoke about subnet masking? I think this is a logical structure right (as opposed to physical)? Now what I don't understand is the meaning of 255.255.255.0. I get that there are octets with 8 bits in each and that a portion of the subnet identifies your network, and the other portion identifies your PC, but how does that work? I mean he gave an example about a situation where he had to go 255.255.255.192 or something and talked about using bits from the last octet, but I couldn't really grasp it all that well, simply because if I had a subnet mask like that, how would a network see the IP of the PC?

The way my brain is working right now is

255.255.255.0 = 192.168.1.105 or whatever. The 0 tells me that the end of the subnet is supposed to be for individual PCs? Is that correct? If so, where the hell would I put a PC identifier in a subnet ending in 192?

Anyways, subnet masking also seems to me like a VLAN kinda deal here but more complex?

2. This is just a question I thought about, but if I use QoS (which I don't think I will need for my network) and I set it up on the router, what happens if I were to set up QoS on the switch? Would there just be two QoS filters, or would one override the other?

3. Weirdly simple but okay, so my gateway is currently 192.168.1.1. When I connected my switch I had to use 192.168.1.2. If I tried 192.168.0.1, it wouldn't have worked. Why does the gateway need to be on the same subnet? I think I kinda answered my question while typing this out (because a different subnet means a different network)?

Anyways, while studying I've been tinkering with my network here and there, and I found three options for me to choose from:

MTU VLAN
Port Based VLAN
802.1Q VLAN

I've chosen 802.1Q for my setup as that seems to be the most popular.

I think a picture would be better for me to explain what setup I'm currently using :) I'll upload one tomorrow after my exam!

Thank you!

Edit: sc302, I will definitely get a picture up, I forgot that you had asked me to get it up, so I'll post it tomorrow.


1. Subnet masking is telling the computer how big of a network to communicate on / where the network starts and ends. 255.255.255.0

255 locks the digit in place

0 is all numbers

So let's take something simple:

192.168.100.1 with a subnet mask of (trying to keep it simple using the same amount of digits)

255.255.255.0

So essentially, 192 is locked, 168 is locked, 100 is locked, the 1 is unlocked... the computer will only communicate with other devices that contain the locked-in digits that are on the same physical network. I am keeping this very, very simple for a basic understanding. Now other numbers in the mask can raise the amount of networked devices allowed to communicate or minimize the amount of devices allowed to communicate. 255.255.255.0 is also known as a /24 or 24-bit network mask. If you were to use 255.255.255.255 as the mask, the computer/device would only be able to communicate with itself as it is completely locked in. You could open it up a lot by 255.255.0.0... you could imagine how big the address range would be (address range is what you can assign to computers or devices on the network): 192.168.0.1-192.168.255.254. You could play with a subnet calculator to see what different values get you: http://www.subnet-calculator.com/ There are network IDs and broadcast addresses that get assigned based on mask, but again let's keep things as simple as possible for now... the subnet calculator will help with a lot of information regarding subnetting.

VLANs are completely different... let's not get into that here in this question/answer. Just try to wrap your head around subnets... but just as a brief, VLANs contain different subnets and rules can be created around those subnets/VLANs to be able to allow or deny traffic... it can be way more advanced than just subnetting.

2. QoS should be handled at the level it is needed on... if it is the internet, then it should be handled at the internet firewall... if there are internal needs, it should be handled at whatever/wherever the top level is.

3. Different subnets will not communicate without a router to route the traffic between them. With two subnets on the same physical network, there is no gateway/router to answer the requests. The switch became another device on the network, which requires a unique IP address. Each device needs its own unique IP, so yes it will get .2. You could create a VLAN... but again let's keep it simple and not introduce that at this time, but the switch on the VLAN (if the device supports routing) could be 192.168.0.1 or 192.168.168.1 or whatever and then you could assign IPs on that VLAN to other devices... keep it simple and not bring in VLANs at this time.

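A worked subnet calculation for the masks discussed above (255.255.255.0, the 255.255.255.192 the OP asked about, 255.255.0.0 and 255.255.255.255), added here as an example; it is not code from this thread. It works out the mask's "locked" bits with plain bit arithmetic and uses the standard-library ipaddress module only to convert dotted-decimal strings.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def mask_to_prefix(mask: str) -> int:
    """Count the leading 1-bits (the 'locked' bits) of a dotted-decimal mask.
    A valid mask is a run of 1s followed by 0s; anything else is rejected."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix

def subnet_info(ip: str, mask: str) -> dict:
    """Network ID, broadcast, usable host range and host count for ip/mask."""
    prefix = mask_to_prefix(mask)
    mask_int = (ALL_ONES << (32 - prefix)) & ALL_ONES
    network = int(ipaddress.IPv4Address(ip)) & mask_int  # locked bits kept, host bits cleared
    broadcast = network | (~mask_int & ALL_ONES)          # host bits all set
    size = 1 << (32 - prefix)
    if prefix >= 31:
        # /32 is a single host and /31 (RFC 3021) a point-to-point pair:
        # neither reserves a network ID or a broadcast address.
        first, last, hosts = network, broadcast, size
    else:
        first, last, hosts = network + 1, broadcast - 1, size - 2
    dotted = lambda n: str(ipaddress.IPv4Address(n))
    return {"prefix": prefix, "network": dotted(network), "broadcast": dotted(broadcast),
            "first_host": dotted(first), "last_host": dotted(last), "hosts": hosts}

def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses share every locked bit, i.e. can talk without a router."""
    return subnet_info(ip_a, mask)["network"] == subnet_info(ip_b, mask)["network"]

if __name__ == "__main__":
    for ip, mask in [("192.168.100.1", "255.255.255.0"),
                     ("192.168.1.105", "255.255.255.192"),  # the /26 the OP asked about
                     ("192.168.0.1", "255.255.0.0"),
                     ("192.168.100.1", "255.255.255.255")]:
        print(f"{ip}/{mask}: {subnet_info(ip, mask)}")
    # Why the switch had to be 192.168.1.2 and not 192.168.0.1 next to a 192.168.1.1 gateway:
    print(same_subnet("192.168.1.1", "192.168.1.2", "255.255.255.0"))  # True
    print(same_subnet("192.168.1.1", "192.168.0.1", "255.255.255.0"))  # False
```

For 192.168.1.105 with 255.255.255.192 the two borrowed bits put the host in the 192.168.1.64-127 block, so the "PC identifier" lives in the remaining 6 bits: hosts .65 through .126.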

QoS should be put on the most bandwidth-constrained point of your network; no point having it on your gigabit switch if your upload from the router is only 10Mbps, you'll hit that long before QoS on the switch will ever kick in.

The actual quality of QoS varies wildly from one device to another, some doing more harm than good. Generally I'd leave it disabled unless you know it's good (like Cake or HTB+codel), or you test it and it works well :p


Thank you for the replies sc302 and The_Decryptor.

sc302, I really like the subnet calculator, so thank you for the link.

I have attached a picture showing you the network I have set up currently without any fancy configurations, just the basic layout of it.

This is information about what I want to do, and what I've set up already.

VLAN 1: Dad's PC & My PC
VLAN 2: Gaming Devices
VLAN 3: IoT
VLAN 4: Mobile Devices
VLAN 5: Guests

That's what I'm thinking, but do you think that's overkill?

Currently I've set up 2 VLANs because my Access Point doesn't support wireless VLANs. I am looking to purchase the UniFi Access Point sometime soon.

This is my switch setup right now:

Port 1: pfSense Box
Port 2: Wireless Access Point
Port 3: Powerline Adapter
Port 4: Dad's PC

My first VLAN 802.1Q is set up and uses ports:
1, 3, 4

and my second VLAN right now uses:
1, 2

Note: They're all untagged.

I think that's the correct way of setting it up because I read online that I should only tag ports if I'm using a trunk?

It's pretty basic, but I can't create any wireless VLANs.

[Attached image: How the network is setup right now.jpg]


You only have to have tagged when you want to support multiple VLANs on a port or LAG, and sometimes it has to be tagged and untagged at the same time (advertising a default VLAN to use on the directly attached device).

VLANs get complicated, so I don't want to give too much right now. Still trying to get you to walk, then we can start running.

What device do you have for your wireless? We might be able to do something with that.


"My First VLAN 802.1Q is setup uses ports: 1,3,4"

 

"Note: They're all untagged."

 

Then how are they 802.1Q??

If they are untagged, how is pfSense going to sort them out? Do you have multiple interfaces in pfSense to send your 2 different VLANs to?

As to overkill ;) I have 7 VLANs on my network..

 

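To make the tagged/untagged distinction in the exchange above concrete, and to show why two untagged VLANs arriving on the same pfSense port cannot be told apart, here is an added example (not code from this thread) that builds and parses 802.1Q-tagged Ethernet frames. The MAC addresses, the VLAN IDs 10 and 20 and the payload bytes are constructed values.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value announcing that a 4-byte 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; with vlan_id set, an 802.1Q tag is inserted after the source MAC."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    if vlan_id is None:                      # untagged: dst, src, EtherType, payload
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 1 <= vlan_id <= 4094:             # VID 0 (priority-only) and 4095 are reserved
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload

def parse_frame(frame: bytes) -> dict:
    """Return vlan_id (None when untagged), pcp, the real EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"vlan_id": None, "pcp": None, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"vlan_id": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": ethertype, "payload": frame[18:]}

def classify(frame: bytes, untagged_vlan: int) -> int:
    """What a switch port or a pfSense parent interface does with an incoming frame:
    a tagged frame goes to the VLAN named in its tag; an untagged frame can only land
    in the single VLAN the port is configured for."""
    vid = parse_frame(frame)["vlan_id"]
    return untagged_vlan if vid is None else vid

if __name__ == "__main__":
    pc = bytes.fromhex("0200000000aa"); ap = bytes.fromhex("0200000000bb")   # constructed MACs
    pfsense = bytes.fromhex("0200000000fe"); body = b"\x45" + b"\x00" * 19  # dummy IPv4 header
    # The OP's setup: both "VLANs" reach port 1 untagged, so pfSense sees the same thing for each.
    from_pc, from_ap = build_frame(pfsense, pc, body), build_frame(pfsense, ap, body)
    print(classify(from_pc, 1), classify(from_ap, 1))              # 1 1: not sortable
    # Over a trunk the tag carries the VLAN, so one interface can separate them.
    print(classify(build_frame(pfsense, pc, body, vlan_id=10), 1),
          classify(build_frame(pfsense, ap, body, vlan_id=20), 1))  # 10 20
```

This is also why sc302's "tagged and untagged at the same time" works: the port's untagged (native) VLAN catches frames with no tag, while every other VLAN on that port must arrive tagged.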

On 2017-04-22 at 5:00 PM, sc302 said:

You only have to have tagged when you want to support multiple VLANs on a port or LAG, and sometimes it has to be tagged and untagged at the same time (advertising a default VLAN to use on the directly attached device).

VLANs get complicated, so I don't want to give too much right now. Still trying to get you to walk, then we can start running.

What device do you have for your wireless? We might be able to do something with that.

I have a D-Link DIR-645. I've tried to find new firmware for my device, but most of them say that my WAP is not supported.


That is a router, not really a WAP. You can use it as one, but it doesn't support VLANs. All you can do is make the port on the switch, config it as untagged, plug it into one of the LAN ports on the D-Link, and assign the D-Link an IP on that network that the port on the switch is configured for.

You would need a true WAP like a Ubiquiti UniFi AP; they support tagged VLANs.

 


DIR-645.. came out in 2011, it only does 300 N.. I don't even think it does 5GHz.. It's only single-band 2.4, is it not?

Dude yeah, time to update.. That device is pretty pointless even as just an AP..

You can get a UniFi AC Pro for $130... Or the Lite model even would be like a freaking rocketship compared to your Model T, which retails for $89.. Supports VLANs!! Plus many more features: airtime fairness, band steering, DFS channels, etc. It's PoE so it can be properly placed for best coverage, etc..
