
So after putting up with crappy WiFi around the house and after months of debating, I finally caved and decided to do something about it. 

 


I went away and bought a couple of Ubiquiti APs plus an old desktop for pfSense.

 

Now I did a bit of reading up on the best ways to set up, common pitfalls, and watched a few video tutorials. I arrogantly thought this would be a piece of cake, and of course I was wrong ;)

 

Credit to Ubiquiti, the APs were a doddle to set up, even with my lack of networking knowledge. The pfSense box on the other hand was not so easy. After struggling to install it, configure the NIC and get any kind of basic connection, I gave up after 3 hours of tearing my hair out.

 

There was clearly more to the setup than I'd anticipated. If anyone has any pointers or things to read up on before I make another attempt at the weekend, please feel free to post. Keep an eye out for an update later this week ;)

 

Here's what I'm working with. 

  • UniFi AC Lite AP (x2)
  • HP Compaq 8200 Elite SFF (this is being used for the pfSense box)

    • Intel Core i5 2400 3.1GHz

    • 2GB RAM (DDR3)

    • Intel Pro 1000 PT

  • TP-LINK TL-SG108E

 

Here's what I'm trying to achieve

[image: UntitledDiagram.png]

 

and the issues :P

 

  • When I had pfSense working, WAN was reporting 1000BaseTx, LAN however was only reporting 100BaseTx. I have 200Mbps internet so really need Gigabit.
  • After setting up and attaching the switch to the pfSense box, I was not able to access the switch. It was throwing an error with the message "Host IP address and switch IP address must be on the same subnet". I hadn't changed any of the subnet settings, so not sure why this was happening :(

Just now, Jason S. said:

I've seen the name "pfSense" before, but I don't know what it is.... software firewall?

Yeah it's an open source software firewall. It can be run on pretty much any hardware for the basics, but it's pretty powerful. 

are there any VLANs in your config? did you bridge your modem to the box, or did you leave it DHCP?

 

This seems to be a pretty good guide to setting pfsense as a router https://www.tecmint.com/installation-and-configuration-of-pfsense-firewall-router/


The ip of the switch must be on the same subnet as the host/gateway

 

In simpler terms if you have a 192.168.1.x network with a network subnet mask of 255.255.255.0, all of your devices must have a unique number starting with 192.168.1 and ending with a unique final number on the network.  This is its address.  

 

Think of 192.168.1 as your street and the final number as your street address... It is hard for two houses to sit on top of each other so you can't have two of the same final numbers... the network won't like it.  And if you have anything other than 192.168.1, it would exist on a different street and have no way of knowing how to get there (this is where routing comes into play and instructing traffic on how to get to where it wants to get to... without that instruction it will create errors or simply not work).  Traffic can easily find where it needs to go if it is on the same subnet (street); when traffic needs to go to different subnets (streets) it needs a router/route tables to assist with knowing where to go.

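A worked version of the subnet rule in the post above, which is also the rule behind the "must be on the same subnet" error from the first post, as an added Python example that is not code from the thread. The addresses are constructed to match the thread (pfSense on 192.168.1.x, the switch on 192.168.0.x), and the functions accept any mask, so the /23 case where both would be on one subnet is covered too.

```python
# Added example (not code from the thread): the "same subnet" check behind the
# switch error in the first post, with constructed addresses.
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable


def network_part(ip: str, mask: str) -> str:
    """The 'street': the address bits that survive a bitwise AND with the mask."""
    return str(IPv4Address(int(IPv4Address(ip)) & int(IPv4Address(mask))))


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Two hosts can talk without a router iff their network parts match."""
    return network_part(ip_a, mask) == network_part(ip_b, mask)


def diagnose_switch(host_ip: str, switch_ip: str, mask: str) -> Dict[str, object]:
    """Explain why the switch's web page is (un)reachable from host_ip.

    Returns the two networks, the verdict and, when they differ, the range of
    addresses the switch would need to use to sit on the host's subnet.
    """
    host_net = IPv4Network(f"{host_ip}/{mask}", strict=False)
    result: Dict[str, object] = {
        "host_network": str(host_net),
        "switch_network": str(IPv4Network(f"{switch_ip}/{mask}", strict=False)),
        "same_subnet": same_subnet(host_ip, switch_ip, mask),
    }
    if not result["same_subnet"]:
        hosts = list(host_net.hosts())
        result["usable_range"] = (str(hosts[0]), str(hosts[-1]))
    return result


def pick_switch_address(host_ip: str, mask: str, in_use: Iterable[str]) -> str:
    """Choose a free address on the host's subnet for the switch's management IP.

    Walks down from the top of the range so it stays clear of a DHCP pool,
    which usually starts low; raises ValueError when nothing is free.
    """
    taken = set(in_use) | {host_ip}
    net = IPv4Network(f"{host_ip}/{mask}", strict=False)
    for cand in reversed(list(net.hosts())):
        if str(cand) not in taken:
            return str(cand)
    raise ValueError(f"no free address on {net}")


if __name__ == "__main__":
    # Constructed values matching the thread: pfSense LAN on 192.168.1.x and
    # the old switch still on its 192.168.0.x address, both with a /24 mask.
    print(diagnose_switch("192.168.1.1", "192.168.0.1", "255.255.255.0"))
    print("move the switch to",
          pick_switch_address("192.168.1.1", "255.255.255.0", ["192.168.1.10"]))
```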

You're going to have to give some details of what you're doing exactly... Because you install pfsense and then follow the bouncing ball.. I would think my 8 year old granddaughter could follow a bouncing ball..

 

3 hours ago, dipsylalapo said:
  • Intel Pro 1000 PT
  • TP-LINK TL-SG108E

So you have 1 nic?  And you're trying to do vlans with a switch that doesn't really support them - What version and firmware are you running on this tp-link 108e?  If it's v3 and latest firmware you might be in luck.  But if it's v2 or before good luck, they don't let you remove vlan 1 from every port.

 

Happy to walk you through your install, but you're going to have to give us more to work with other than you tried for X hours.. What are you plugging the wan into?  Are you able to access the gui once you install pfsense? etc. etc..  If you really have only 1 nic in that box I would suggest getting another one, and get a switch that actually handles vlans correctly.  The dlink DGS-1100-08 does.. Same price point as the tp-link.

 

I have run pfsense since version 1 of it.. So pretty sure we can get you up and running if you don't have hardware problems - like ###### POS that can not do vlans and you only have 1 nic ;)

5 minutes ago, BudMan said:

So you have 1 nic?

Would it matter if that NIC is a dual port? Or would it still be recommended to have two separate NICs? I know most of the cookie cutter guides suggest two separate NICs and I'll be honest, I did not search all that much for that model and if it works that well with pfsense.

if you have dual port you're good..

 

But I read

>Intel Pro 1000 PT

 

As 1 port nic.. Which sure you can do if your switch supports vlans - but his drawing doesn't even show that.. So really at a loss to what he is doing without some more details.

 

edit: So just noticed this

>WAN was reporting 1000BaseTx, LAN however was only reporting 100BaseTx

 

So that kind of says he has 2 nics?  Or dual port?  If it's not coming up gig then you have a problem with cable or switch/nic - and yeah what IP range you're using is very helpful.. And what you set up on the switch for a gui as well..

3 minutes ago, BudMan said:

if you have dual port you're good..

Got it, we'll have to see what OP has. There is both an Intel Pro 1000 PT single and dual port model available. Unless he is pairing that with the onboard NIC, guess we'll need clarification.

If that switch is v2 or v1 - shoot even v3 I would return it... The latest firmware is supposed to fix it.. But not so sure.. I don't think they understand how to do vlans to be honest on their low end consumer stuff.. It's really broken that you cannot remove a port from vlan1.. It makes it not possible to isolate your vlans, and pretty much just junk - really not any different than just a dumb switch.. There are plenty of other options that are at the same price point.

 

Because if he's wanting to do vlans with his AP he is going to want a switch that can actually do vlans.

 

V3 has this

Published Date: 2018-01-05     Language: English     File Size: 421.27 KB

Modifications and Bug Fixes:

New Features/Enhancement:
1. The port can be removed from VLAN1
2. The port of VLAN1 can choose tagged/untagged

Notes:

1. For TL-SG108E_V3
2. Your device's configuration will not be lost after upgrading, which means you don't need to configure your device again after upgrading.

 

Seems they have V4 out now - you would hope it has the fix.. But they do not update the v2 or v1...

 

15 hours ago, Circaflex said:

are there any VLANs in your config? did you bridge your modem to the box, or did you leave it DHCP?

 

This seems to be a pretty good guide to setting pfsense as a router https://www.tecmint.com/installation-and-configuration-of-pfsense-firewall-router/

No VLANs at the moment. Modem was set to bridge only. That's one of the guides that I was using. 

15 hours ago, sc302 said:

The ip of the switch must be on the same subnet as the host/gateway

 

In simpler terms if you have a 192.168.1.x network with a network subnet mask of 255.255.255.0, all of your devices must have a unique number starting with 192.168.1 and ending with a unique final number on the network.  This is its address.  

 

Think of 192.168.1 as your street and the final number as your street address... It is hard for two houses to sit on top of each other so you can't have two of the same final numbers... the network won't like it.  And if you have anything other than 192.168.1, it would exist on a different street and have no way of knowing how to get there (this is where routing comes into play and instructing traffic on how to get to where it wants to get to... without that instruction it will create errors or simply not work).  Traffic can easily find where it needs to go if it is on the same subnet (street); when traffic needs to go to different subnets (streets) it needs a router/route tables to assist with knowing where to go.

Great explanation, thanks. If I remember correctly, pfSense was set to 192.168.1.x and the switch (as it was something that I'd already had) was set to 192.168.0.x. I'll have a look at correcting that :) 

13 hours ago, BudMan said:

if you have dual port you're good..

 

But I read

>Intel Pro 1000 PT

 

As 1 port nic.. Which sure you can do if your switch supports vlans - but his drawing doesn't even show that.. So really at a loss to what he is doing without some more details.

 

edit: So just noticed this

>WAN was reporting 1000BaseTx, LAN however was only reporting 100BaseTx

 

So that kind of says he has 2 nics?  Or dual port?  If it's not coming up gig then you have a problem with cable or switch/nic - and yeah what IP range you're using is very helpful.. And what you set up on the switch for a gui as well..

There are three NICs in total, one onboard, plus two on the card. Another issue I had was trying to set up the WAN and LAN on the dual NIC card, but for some reason, during the pfSense setup, I wasn't able to use only the NIC

13 hours ago, BudMan said:

If that switch is v2 or v1 - shoot even v3 I would return it... The latest firmware is supposed to fix it.. But not so sure.. I don't think they understand how to do vlans to be honest on their low end consumer stuff.. It's really broken that you cannot remove a port from vlan1.. It makes it not possible to isolate your vlans, and pretty much just junk - really not any different than just a dumb switch.. There are plenty of other options that are at the same price point.

 

Because if he's wanting to do vlans with his AP he is going to want a switch that can actually do vlans.

 

V3 has this

Published Date: 2018-01-05     Language: English     File Size: 421.27 KB

Modifications and Bug Fixes:

New Features/Enhancement:
1. The port can be removed from VLAN1
2. The port of VLAN1 can choose tagged/untagged

Notes:

1. For TL-SG108E_V3
2. Your device's configuration will not be lost after upgrading, which means you don't need to configure your device again after upgrading.

 

Seems they have V4 out now - you would hope it has the fix.. But they do not update the v2 or v1...

 

I'd bought the switch a while back so am stuck with it for now. I'll check the FW version and see if it's something that can be fixed. 

 

Is it better to create the VLANs using pfSense, the switch or even the APs? Eventually I'd like to have all my smart devices on their own VLANs. 

If you want to use vlan then you need a switch and AP that support them.  The unifi sure do, so you need a switch that supports them as well.  The only question is if that switch you have actually does; if you cannot remove vlan 1 from specific ports then it doesn't.  It's really no better than some dumb switch if all ports are forced to be in vlan 1 even when you add other vlans to them.

 

The hardest part about setting up dual nic is actually knowing which nic is which ;)  It's best to figure out the mac of the specific nic, then when you set up the interfaces you can tell by the mac listed which interface you want as what, ie wan or lan.. It's very common to flip them and then have issues.

8 minutes ago, BudMan said:

If you want to use vlan then you need a switch and AP that support them.  The unifi sure do, so you need a switch that supports them as well.  The only question is if that switch you have actually does; if you cannot remove vlan 1 from specific ports then it doesn't.  It's really no better than some dumb switch if all ports are forced to be in vlan 1 even when you add other vlans to them.

 

The hardest part about setting up dual nic is actually knowing which nic is which ;)  It's best to figure out the mac of the specific nic, then when you set up the interfaces you can tell by the mac listed which interface you want as what, ie wan or lan.. It's very common to flip them and then have issues.

I'll take a look at the switch when I get back tonight. 

 

To be fair, I think with pfSense, if you have a display hooked you can figure them out with a bit of trial and error. 

 

More stupid questions..

 

Am I correct in understanding that you can segregate networks either via a VLAN or subnets? Is there a preference or best practice or does it depend on what I want to do?

 

I feel like there are some fundamental questions that I need to answer about exactly what I'm after before I try again.  

VLANs are almost like having physically separate networks for each vlan - each device can only see traffic on the vlan that they're on.

 

Subnets are slightly different. You can't communicate with other devices on a different subnet without going through a router, but if you were to have a network configured as 192.168.0.x for example, and connect a PC to it with its IP set to 192.168.1.5, you'd still be able to see any broadcast traffic on 192.168.0.x if you used a sniffing tool in promiscuous mode (e.g. Wireshark).

 

VLANs give you actual isolation, if the port you're connected to doesn't output traffic for a specific vlan, there's no way you're seeing any of the traffic on that vlan.

16 hours ago, DaveLegg said:

if the port you're connected to doesn't output traffic for a specific vlan, there's no way you're seeing any of the traffic on that vlan.

Unless you're using that POS switch from tplink that doesn't actually isolate the vlans - and every port is part of vlan 1 without any way to remove it ;)

 

Dave gave a pretty good rundown.. This can be confusing to someone new to networking for sure.  A vlan and network are really the same thing.. They are used interchangeably.. When you say you're going to vlan your network... You could be doing it with a switch that supports vlans and doing all on say 1 switch, or sure you could use multiple dumb switches and use a different switch for each vlan/network..

 

Where it can get even more confusing for someone new to networking is a vlan can be tagged or untagged/native..   If all you're doing is connecting your dumb switch to an interface in pfsense it would all be untagged traffic..  If you're going to put more than 1 network on the same physical interface then you're going to have to tag the vlans so that the router/nic can know which traffic belongs to which vlan/network.. You can still have a vlan that is untagged/native - but all other vlans on that interface have to be "tagged" or you will not be able to isolate them.

 

Same goes for a switch.. You put your ports into whatever vlan you want.. Connect to a device and they will be untagged.  Connected to another switch or router where this port is going to have more than 1 vlan on it - then they have to be tagged.  A picture is always worth 10,000 words.. You create multiple networks/subnets all physical like this..

 

So you could do it with physical isolation of your network/subnets... Let's say 192.168.0/24 and 192.168.1/24

 

[image: phsisolation.png]

 

You route between these networks but all devices that are on the same network are isolated with just dumb switches, not vlan capable.. You have 3 physical interfaces, 1 for your wan/internet and 1 each for your 2 networks..

 

Then you can do this with vlan capable switches and AP... And now you can put any device on any network/vlan you want via configuration of the port on the switch or what SSID you connect to on your wireless.. All of these vlans will be different networks at layer 3, ie 192.168.0, .1, .2 /24 etc..

[image: vlanisolation.png]

 

Now all these vlans if tagged can connect to just 1 physical interface on the Router.. And router knows what traffic is on which network via the tag... Or you could use physical interfaces for your different vlans to the router without tagging them..

 

[image: tagandnative.png]

 

Does that help?  So you see here there are some vlan/networks that are all on the 1 physical interface and tagged so the router/firewall can tell them apart.  While vlan 80 comes in on its own physical interface and not tagged (it could be - but that is for a later time).. So you can create networks with physical isolation where all devices are connected to the same "wire", let's call it.. At layer 2.. Or you can vlan it (virtual network) and isolate the wire of each network virtually with "tags" on the traffic so the routers and switches can keep the different networks isolated.

 

In the above examples with vlans 50,60 etc.. Those would all be different networks... Let's say 192.168.50/24 and 192.168.60/24 etc..  The vlan ID, the number you assign to the vlan when you configure it in your switch/router, is nothing more than an ID.. just some number (within a specific range of numbers). Most of the time you try and match those up.. So for example my network/vlan that is 192.168.9/24 uses vlan ID 9..

 

So you see here, while I have only 3 vlans defined on my router (pfsense) there are other networks connected to different physical interfaces.

 

[image: vlan-interfaces.png]

 

So for example my Lan network, which is 192.168.9/24 is setup on my switch as vlan 9, so some ports on the switch are on vlan 9.. Some are on other vlans..

 

[image: switchvlans.png]

 

I hope that is not too much information at once... Any questions just ask!!!
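The tagged versus untagged/native handling described in the post above, as an added Python example that is not code from the thread or from pfSense, UniFi or TP-Link: it builds and parses 802.1Q frames and models switch ports with a native VLAN plus tagged VLANs, including a trunk to the router and plain access ports. Port names, MAC addresses and VLAN numbers are constructed, and vlan_subnet follows the post's convention of matching the VLAN ID to the third octet.

```python
# Added example (not code from the thread, pfSense, UniFi or TP-Link):
# 802.1Q tagging and how a switch port treats native vs tagged VLANs.
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan_id: Optional[int] = None,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet II frame; with vlan_id set, insert the 4-byte 802.1Q tag."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = vlan_id & 0x0FFF  # PCP and DEI bits left at 0
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into dst, src, vlan_id (None when untagged), ethertype, payload."""
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vlan_id": tci & 0x0FFF,
                "ethertype": inner, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan_id": None,
            "ethertype": etype, "payload": frame[14:]}


@dataclass(frozen=True)
class Port:
    name: str
    native_vlan: Optional[int] = None           # VLAN for untagged frames (None: drop them)
    tagged_vlans: FrozenSet[int] = frozenset()  # VLANs accepted and sent with a tag


def classify_ingress(port: Port, frame: bytes) -> Optional[int]:
    """VLAN a frame arriving on `port` belongs to; None means the switch drops it."""
    vid = parse_frame(frame)["vlan_id"]
    if vid is None:
        return port.native_vlan            # untagged traffic lands in the native VLAN
    return vid if vid in port.tagged_vlans else None   # a tag this port does not carry


def forward(ports: List[Port], ingress: Port, frame: bytes) -> Dict[str, bytes]:
    """Flood a frame to the other ports of its VLAN: tag stripped where the VLAN
    is native on the egress port, tag added where it is carried tagged."""
    vid = classify_ingress(ingress, frame)
    if vid is None:
        return {}
    f = parse_frame(frame)
    out: Dict[str, bytes] = {}
    for p in ports:
        if p is ingress:
            continue
        if p.native_vlan == vid:
            out[p.name] = build_frame(f["dst"], f["src"], f["payload"], None, f["ethertype"])
        elif vid in p.tagged_vlans:
            out[p.name] = build_frame(f["dst"], f["src"], f["payload"], vid, f["ethertype"])
    return out


def vlan_subnet(vlan_id: int) -> str:
    """Naming convention from the post: VLAN N <-> 192.168.N.0/24 (N up to 255)."""
    if not 1 <= vlan_id <= 255:
        raise ValueError("this convention only covers VLAN IDs 1..255")
    return f"192.168.{vlan_id}.0/24"


# Constructed topology: a trunk to pfSense carrying 9/50/60 tagged, a PC on VLAN 9,
# an IoT device on VLAN 50, and a UniFi AP with VLAN 9 native plus 50/60 tagged.
TRUNK = Port("trunk-to-pfsense", None, frozenset({9, 50, 60}))
PC = Port("pc-vlan9", 9)
IOT = Port("iot-vlan50", 50)
AP = Port("ap-unifi", 9, frozenset({50, 60}))
PORTS = [TRUNK, PC, IOT, AP]
BCAST = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("020000000001")  # locally administered MAC, constructed
```

Calling forward(PORTS, PC, build_frame(BCAST, SRC_MAC, b"hello")) shows the PC's untagged broadcast leaving the trunk with tag 9 and the AP port untagged, while never reaching the VLAN 50 port.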

 

 

 

No that helps a lot! These posts have been way more useful than the stuff that I've been reading. I'll have to read it all through a few more times just to make sure that I do understand it all. 

 

I had a look at my switch at the weekend and it's a v1 so I'll have to replace that to implement VLANs. 

Any questions just ask, been doing this stuff a long time and running pfsense since its version 1.01

 

The switch is still usable as a dumb switch.. But yeah it can't actually do vlans..  It's no different than trying to run vlans over a dumb switch..  Which is just borked, but if all your devices understand tags you could do it.. Just not secure at all.. Just have to set up every device to understand what vlan you're wanting it to be on via tag..  That is if the device nic driver/os supports it, etc.

 

 
