Forum Discussion
b1ggjoe, May 03, 2018, Apprentice
Question on creating multiple Wireless VLANs for Security (IoT devices, Family WiFi, Guest WiFi)
Hey Everyone,
I'm in the process of re-doing (re-designing) my entire Home Network. I've decided to go the VLAN route for both Wired and Wireless devices. From a security standpoint, I would li...
b1ggjoe, May 04, 2018, Apprentice
Yeah, makes sense big time. I may just have to look into those other APs then, as you suggested. As for Firewalling off the NAS, I'm wondering if I should insert a small Firewall appliance, like an Untangle u25x in front of the NAS on the IoT VLAN NIC, or maybe use a built-in security feature such as this:
Then I can get really crazy with the Firewall rules and access controls.
What do you think?
BJ
netadmn, May 04, 2018, Apprentice
Netgear doesn't want you to know what I think... they keep deleting my replies! I'll send another PM.
- b1ggjoe, May 04, 2018, Apprentice
What's weird is that when you first make your posts, I do see them in the email notification, but they disappear from here. Very weird.
Wow, Pf-Sense sounds amazing. Maybe I will put a Pf-Sense appliance in front of that QNAP NAS, within the IoT VLAN. Both their SG-1000 and SG-3100 are reasonably priced.
Hopefully, since 4K movies will be streaming outbound from the NAS, there won't be an issue with any Firewall overhead.
Man, it's too bad I can install PF-Sense on my SonicWALL TZ210 and utilize that hardware. It seems at least more powerful than the SG-1000.
Hmmm...what to do...
BJ
- netadmn, May 04, 2018, Apprentice
b1ggjoe wrote:
What's weird is that when you first make your posts, I do see them in the email notification, but they disappear from here. Very weird.
Wow, Pf-Sense sounds amazing. Maybe I will put a Pf-Sense appliance in front of that QNAP NAS, within the IoT VLAN. Both their SG-1000 and SG-3100 are reasonably priced.
Hopefully, since 4K movies will be streaming outbound from the NAS, there won't be an issue with any Firewall overhead.
Man, it's too bad I can install PF-Sense on my SonicWALL TZ210 and utilize that hardware. It seems at least more powerful than the SG-1000.
Hmmm...what to do...
BJ
My posts have been disappearing on me all day... only forum I've ever had that happen to me. Very odd... Even if I repost... It stays for a few and then goes away. I've gotten wise and composed in notepad which is why my formatting and grammar is terrible. ;)
4K is only what?.. 25Mbps? So, the sg1000 should do it but if you have the budget, splurge on the sg3100. The sg1000 is only good for about 125Mbps from what I've seen in tests and that is nowhere near what modern internet connections top out. The sg3100 is good for gigabit. If you decide to build your own, take the hardware requirements seriously and ensure you select something with the aes-ni. If you are in no rush, there are rumors that a device between the 1000 and 3100 will be announced soon.
- b1ggjoe, May 04, 2018, Apprentice
So I said, 'what the hell' LOL. I just purchased a Netgate SG-3100 w/ 32GB M.2 SATA SSD. So what I'm 'thinking' is making this then, my *Main Router/Firewall'. I'm also considering eliminating the CenturyLink Fiber Modem altogether, and replacing it with this bad boy.
I'll have to look at what VLAN options I have with this and start from there.
Then behind it, the Orbi Router+Satellite ecosystem. Also, I'm keeping the EdgeRouterX and using it as a pure Firewall to sit in front of the QNAP NAS.
As for adding additional APs on a different VLANs...either I will buy some brand-new APs or re-purpose my ASUS Routers...not sure yet.
Wife likes to buy furniture and stuff from 'Magnolia Farms' and I like to buy Network stuff...LOL...she usually wins.
I'm thinking though, shouldn't I use the SG-3100 to create and manage my VLANs from there...or should I do this with the ZyXEL switches?
Wondering if there is an advantage of perhaps using both??
Hmmm...
- netadmn, May 04, 2018, Apprentice
b1ggjoe wrote:
Also, I'm keeping the EdgeRouterX and using it as a pure Firewall to sit in front of the QNAP NAS.
I'm thinking though, shouldn't I use the SG-3100 to create and manage my VLANs from there...or should I do this with the ZyXEL switches?
Wondering if there is an advantage of perhaps using both??
Hmmm...
You shouldn't need the EdgeRouterX as a dedicated firewall. That would put the NAS on its own subnet which is kind of silly IMO. Only keep the EdgeRouterX if you need to extend PoE and ethernet ports to another spot in the house and only have one ethernet drop in that room. The sg3100 is better hardware and can handle it for you. Start watching some videos so you know what you are doing... if you are not familiar with VLAN access/trunk/hybrid, then get a solid understanding of how and why you use them.
You can use VLANs on both the pfsense firewall and the switch. If your WAN port is plugged directly into the CenturyLink ONT (they have ethernet hand off?) then you don't need a VLAN for WAN. If you need to jump through a switch (due to distance from ONT, etc.) then you will use two untagged VLAN ports for those interfaces.
The LAN port(s) on the pfsense box can be set up as individual untagged uplinks on access ports for the switch or you can share one interface and trunk it. Your preference. If one pfsense port will be used per VLAN, the switch ports will be configured as access ports if the VLAN assignment is one to one. Neither side will be trunked. If you plan to carry more than one VLAN over a port, it will need to be trunked (tagged) and the opposite (pfsense) end will be tagged. You set up your Orbi, APs, NAS, wired workstations, etc. as untagged ports with membership/pvid on the VLAN you want them to belong to. Since pfsense will be DNS/DHCP for all, you don't need ip helper addresses.
- b1ggjoe, May 04, 2018, Apprentice
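The access/trunk rules netadmn lays out above (untagged ingress takes the port's PVID, a trunk carries several VLANs with 802.1Q tags, a port that is not a member of a VLAN never sees its frames) can be checked with a small model. The following is an added example written for this thread; it is not code from the post, from NETGEAR, or from pfSense/Netgate. The switch layout, port names, VLAN numbers 10/20/30 and MAC addresses are constructed assumptions; VLAN 201 is the CenturyLink WAN tag mentioned later in the thread. It builds real 802.1Q frame bytes, so the tag format (TPID 0x8100 followed by the VLAN id) is the one a packet capture on the trunk would show.

```python
"""Toy 802.1Q switch: access ports (PVID only) vs. a tagged trunk.
Constructed for illustration; names, VLAN ids and MACs are assumptions."""
import struct
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100               # EtherType that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864  # PPPoE session traffic (ISP-facing side)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Ethernet II frame; inserts an 802.1Q tag (PCP 0, DEI 0) when vlan is given."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    tag = struct.pack("!HH", TPID_8021Q, vlan)      # TCI with only the VID set
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (inner,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, etype, frame[14:]


@dataclass
class Port:
    name: str
    pvid: int                                  # untagged ingress -> this VLAN; sent untagged on egress
    tagged: set = field(default_factory=set)   # VLANs carried with a tag (trunk only)


def ingress(port: Port, frame: bytes):
    """Classify an incoming frame: (vlan, untagged_frame) or None if dropped."""
    dst, src, vlan, etype, payload = parse_frame(frame)
    if vlan is None:
        return port.pvid, frame                                  # untagged -> PVID
    if vlan in port.tagged:
        return vlan, build_frame(dst, src, etype, payload)       # strip the tag
    return None            # tagged frame on an access port, or non-member VLAN: drop


def egress(port: Port, vlan: int, untagged: bytes):
    """Send untagged on the PVID, re-tagged on a trunk member, nothing otherwise."""
    if vlan == port.pvid:
        return untagged
    if vlan in port.tagged:
        dst, src, _, etype, payload = parse_frame(untagged)
        return build_frame(dst, src, etype, payload, vlan=vlan)
    return None


def forward(ports: dict, in_port: str, frame: bytes) -> dict:
    """Flood a frame to every other port that is a member of its VLAN."""
    result = ingress(ports[in_port], frame)
    if result is None:
        return {}
    vlan, untagged = result
    out = {}
    for name, port in ports.items():
        if name != in_port:
            sent = egress(port, vlan, untagged)
            if sent is not None:
                out[name] = sent
    return out


# Constructed layout: one trunk up to the firewall, the rest untagged access ports.
SWITCH = {
    "pfsense_trunk": Port("pfsense_trunk", pvid=1, tagged={10, 20, 30}),
    "orbi_ap":       Port("orbi_ap", pvid=10),       # family Wi-Fi
    "nas":           Port("nas", pvid=20),           # storage
    "iot_camera":    Port("iot_camera", pvid=30),    # IoT
}
MAC_NAS = bytes.fromhex("02000000aa01")   # constructed locally-administered MACs
MAC_GW = bytes.fromhex("02000000ff01")
BCAST = b"\xff" * 6


def demo_nas_to_firewall() -> dict:
    """Untagged frame from the NAS: only the trunk carries it, now tagged 20."""
    return forward(SWITCH, "nas", build_frame(MAC_GW, MAC_NAS, ETHERTYPE_IPV4, b"data"))


def demo_firewall_to_iot() -> dict:
    """VLAN 30 frame from pfSense: delivered untagged to the IoT port only."""
    return forward(SWITCH, "pfsense_trunk",
                   build_frame(BCAST, MAC_GW, ETHERTYPE_IPV4, b"arp", vlan=30))


def demo_wan_tag() -> Optional[int]:
    """Shape of the ISP-side tag: a PPPoE session frame carried on VLAN 201."""
    f = build_frame(BCAST, MAC_GW, ETHERTYPE_PPPOE_SESSION, b"\x11\x00", vlan=201)
    return parse_frame(f)[2]


if __name__ == "__main__":
    print({k: parse_frame(v)[2] for k, v in demo_nas_to_firewall().items()})
    print({k: parse_frame(v)[2] for k, v in demo_firewall_to_iot().items()})
    print(demo_wan_tag())
```

The two `demo_` functions are the point of the exercise: a NAS frame never reaches the Orbi or IoT ports because those ports have no membership in VLAN 20, and the only path between VLANs is up the trunk through pfSense, where the firewall rules apply. Extending the trunk to a second port (an uplink to another switch) is just another `Port` with the same `tagged` set.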
Wow, I can't thank you enough for all of your help. This is freakin awesome!
At the moment, I have CAT6 running from the ONT to the CenturyLink C1100T Modem. I get pretty awesome speeds:
A few months back, I was hoping to eliminate the modem altogether and just use the Orbi as my main gateway. Since CenturyLink uses VLAN Tagging, I had to configure the Orbi with VLAN Tagging set to 201 along with the PPPoE credentials.
Oddly enough and I need to create a separate post asking Netgear about this, but I noticed that I would never even get close to the speeds in the picture above, when I used the Orbi as my main gateway. I would get probably no more than 500-650mbps up/down.
I had thought for sure, with the great hardware specs on the Orbi, that it would do a way better job of handling the routing demands with Fiber speeds. So not sure what's up with that.
I know that with the little EdgeRouterX, it had the same issue when it was first launched. Then it was addressed by enabling 'Hardware Offloading', which would then allow it to route at those speeds, but at the sacrifice of being able to utilize QoS.
I hope to use the SG-3100 then, as my main gateway. I'm pretty sure that it will have no problem being able to handle the Fiber connection.
I'm going to have to take your various responses and create some sort of diagram to figure this out LOL.
On the EdgeRouterX...if it's not needed to protect the NAS, then your suggestion would be perfect and I could purchase a few PoE APs for another Wireless VLAN.
I'll be spending this weekend watching all of those Pfsense videos LOL
BJ
- netadmn, May 05, 2018, Apprentice
b1ggjoe wrote:
A few months back, I was hoping to eliminate the modem altogether and just use the Orbi as my main gateway. Since CenturyLink uses VLAN Tagging, I had to configure the Orbi with VLAN Tagging set to 201 along with the PPPoE credentials.
Oddly enough and I need to create a separate post asking Netgear about this, but I noticed that I would never even get close to the speeds in the picture above, when I used the Orbi as my main gateway. I would get probably no more than 500-650mbps up/down.
I had thought for sure, with the great hardware specs on the Orbi, that it would do a way better job of handling the routing demands with Fiber speeds. So not sure what's up with that.
I know that with the little EdgeRouterX, it had the same issue when it was first launched. Then it was addressed by enabling 'Hardware Offloading', which would then allow it to route at those speeds, but at the sacrifice of being able to utilize QoS.
I hope to use the SG-3100 then, as my main gateway. I'm pretty sure that it will have no problem being able to handle the Fiber connection.
I'm going to have to take your various responses and create some sort of diagram to figure this out LOL.
On the EdgeRouterX...if it's not needed to protect the NAS, then your suggestion would be perfect and I could purchase a few PoE APs for another Wireless VLAN.
I'll be spending this weekend watching all of those Pfsense videos LOL
BJ
From what I've read, the Orbi doesn't have the specs to run at gig to the WAN. The sg-3100 will definitely do gig but not over VPN. Encryption adds a lot of overhead to the CPU and slows things down. You'll love it for your use case. If you configured Orbi with VLAN/PPPoE, then sg-3100 will need the same config. If you use the switch to uplink pfsense to cl, then you will configure two access ports on VLAN 201. There are benefits to running everything through the switch (like sniffing and sending traffic flows).
The sg-3100 will give you great speeds (doing speed tests) until you decide to enable QoS. With your connection you should never need it as you'll never saturate your link. QoS will slow down your speed test results due to queuing. This is NOT a bad thing. I use it to prioritize my traffic. It is moving traffic to queues to ensure I have a good experience with the real time services I care about and slowing down my email or web pages in the background that I care less about. The slow down is so minimal you'll never notice it. Most people will never ever hit their subscribed speeds. A 4K stream is 25Mbps. I have a 150/150 fiber line and with 4 people (2 adults, 2 kids) all who stream (wife works remote), we rarely ever utilize >50Mbps. Essentially we've been told by our ISP that we NEED BLAZING FAST SPEED when you'll never use it. That is how they increase profits and over subscribe bandwidth.
I suggest you create an account on the pfsense forum site and also join the reddit /r/pfsense sub. Lots of helpful people in those places to help you when you get stuck. Your purchase will give you the gold sub which includes a huge book that will easily teach you advanced networking... highly recommend you do lots of reading before you jump in. Your experience will be much better if you understand what you are getting into before you try. Or, at minimum get a base config and then start adding. Don't do it all at once. Your family will thank you for less downtime too... ;)
- b1ggjoe, May 06, 2018, Apprentice
Great feedback from everyone!! I guess my issue now, is that I need to diagram out what I currently have as far as cabling and ports.
In a perfect world, I could configure Pfsense so that each LAN port would be dedicated to a different VLAN and go downwards from there.
Unfortunately, I'm thinking that I may have to go another option and create a VLAN Trunk since I may have to have multiple VLANs on the same port, due to the limitations of how my cable and ports are currently laid out.
I'm going to try to throw something together, perhaps a simple sketch or Visio, so that you guys can see what I'm dealing with.
OBTW, right now...since I'm still waiting on both my Pfsense Firewall and EdgeRouterX to arrive...and since I haven't installed my 24-port ZyXEL Managed Switch just yet, here's what I have laid out:
1 Gbps CenturyLink Modem C1100T >>> Orbi Router (Router Mode) + Satellites >>> Ethernet ports
(I haven't fully setup the ZyXEL Switches just yet)
Is there any advantage if I do this:
1 Gbps CenturyLink Modem C1100T >>> Netgate SG-3100 >>> Orbi Router (AP Mode) + Satellites >>> Ethernet ports
instead of this...
ONT >>> Netgate SG-3100 >>> Orbi Router (AP Mode) + Satellites >>> Ethernet ports
So basically, is there any advantage in keeping the CenturyLink Modem C1100T as the primary Gateway as it stands now, then adding the Netgate SG-3100 behind it?
Thanks!
BJ
- netadmn, May 06, 2018, Apprentice
b1ggjoe wrote:
Great feedback from everyone!! I guess my issue now, is that I need to diagram out what I currently have as far as cabling and ports.
In a perfect world, I could configure Pfsense so that each LAN port would be dedicated to a different VLAN and go downwards from there.
Is there any advantage if I do this:
1 Gbps CenturyLink Modem C1100T >>> Netgate SG-3100 >>> Orbi Router (AP Mode) + Satellites >>> Ethernet ports
instead of this...
ONT >>> Netgate SG-3100 >>> Orbi Router (AP Mode) + Satellites >>> Ethernet ports
So basically, is there any advantage in keeping the CenturyLink Modem C1100T as the primary Gateway as it stands now, then adding the Netgate SG-3100 behind it?
Thanks!
BJ
Case850 has a great point which is why I previously asked your interest level... I still think your overall experience will be better with pfsense once you learn it. Just the level of flexibility/options on such a system you won't get from EdgeRouterX. If you want a set it and forget it option... do that. If you want to play with traffic and have a lot more options, you were right in the sg3100 option. The EdgeRouterX may not have been a waste of $ if you could use it to extend PoE and also provide ethernet uplink elsewhere. I may purchase a couple of those.. they have great benefit if they fit in the overall design.
I'm assuming (based on previous posts) you have an ethernet hand off and already tried ONT -> ORBI? Why did you go back to the CL modem? Do you rent it or own it?
I helped a buddy do an install recently where we bridged the ISP modem (xfinity) because they needed the cable modem for MoCA and wasn't prepared to pay $ for a new modem.. Since you are ethernet, I don't know how that could help you. It just adds an extra hop for no reason. The only thing I can really think of is support. Your ISP may not spend as much time with you troubleshooting your own equipment than they would if you are using theirs.... If this is important to you, it may be worth it to keep it around in case you need to revert back to prove to the ISP the problems are on their side. If you don't use ISP standard equipment... it's easier for them to blame your equipment.