Hi All,
So, I decided to dive into this with the hope of saying goodbye to a flat home network and hello to a more secure network setup, or so I thought.
Hardware:
- Router: el cheapo mini PC with 6 LAN ports (Intel I211-AT), i5-8365U, 8GB RAM and 256GB SSD. Current provider supplied a separate MODEM and a separate router. This mini PC replaces the router supplied by the ISP.
- Switch 1: Netgear Prosafe GS116Ev2 16 port smart switch (no change here)
- Switch 2: Cisco SLM 2008 8 port smart switch (no change here)
- WiFi: Two TL-WA1201v2 access points (support up to 4 SSIDs with VLAN tags) to replace the WiFi capability of the ISP provided router, and a small extender that was wired to Switch 2.
With the optimistic attitude of a network noob and a tiny bit of reading @ https://homenetworkguy.com/how-to/configure-vlans-opnsense/ and @ https://docs.opnsense.org/manual/how-tos/lan_bridge.html I created a plan of action to establish a network that looks like the attached PDF.
From the default setup, where R1 is assigned to WAN and R2 is assigned, I followed on to create a bridge (BRIDGE0) that now includes R2, R3 and R4. Each port is plugged into a single machine. Connectivity so far appears fine (even created some NAT rules for port forwarding).
Now it is time to implement the rest and I am not sure of the best way that would allow a balance between manageability and flexibility.
Before starting, I thought that it would be as simple as:
- Define another bridge (BRIDGE2) that includes ports R5 and R6
- Define 4 VLANs with BRIDGE2 as the parent interface
- Set up the VLAN and DHCP settings so each VLAN will sit on a separate subnet and with a defined range of IPs available on DHCP.
- Set up the VLAN tagging on the necessary switch ports to mirror the tags defined within OPNsense
- Set up the WiFi SSIDs with the correct tags
- Plug it all together and go have some fun
After a little head scratching, Google searching and documentation reading, I realised that although the interface allows VLANs to have a bridge as a parent interface, in practice that setup is not functional.
So I moved on to set up the VLANs so they have R6 (for argument's sake) as the parent interface. That setup worked fine (with some really relaxed dummy firewall rules).
Now, I could plug Switch 2 to Switch 1 (got enough spare ports there), start messing about with the firewall rules and call it a day. However in my mind, two cables feel better than one, i.e. having each switch on a separate router port (i.e. one on R5 and one on R6) feels as if there will be more bandwidth available when the router filters packets that are exchanged between devices that "sit" on the two switches.
The question(s) are:
1. Is there a way to achieve what I originally thought was possible with VLANs having a bridge as a parent interface (i.e. define each VLAN once, assign it once, have one DHCP setting for each VLAN, etc. etc.)?
2. Is what I perceive as a bottleneck (i.e. 1 router port and two switches vs 2 router ports and two switches) really a bottleneck here?
3. If the perceived bottleneck I described in 2 above is real and painful, how can one make life easier when creating and managing multiple VLAN entries for the same tag IDs? I have 2 switches to set up, but it could easily be 3 or 4 (depending on how gear is retrofitted over time).
Thank you all for spending the time to read this, and even more if you can contribute towards clarifying next steps.
Regards,
Georgios
I've just started doing pretty much a similar configuration.
I have a smartswitch with VLANs set up - connected to the LAN on my minipc with 6 NICs acting as router - I want to be able to add in the other 4 NICs and use a physical port to assign it to a VLAN (another wifi AP to add to the Wifi VLAN) - not having much luck.
Have you had any advice direct?
Thanks
Jim
It really all depends on your uplink speed. For example if you were lucky enough to have a 10Gbps internet connection then you would need to be using SFP switches!
If you have a link speed of under 1Gbps then you are not creating any bottlenecks, what you really want to achieve is the maximum internal network speed between segments (VLANs) and it's the switches that handle that, not the router. The only traffic that goes via the router is that destined for or coming from the internet.
Quote from: marjohn56 on March 09, 2021, 08:32:19 AM
If you have a link speed of under 1Gbps then you are not creating any bottlenecks, what you really want to achieve is the maximum internal network speed between segments (VLANs) and it's the switches that handle that, not the router. The only traffic that goes via the router is that destined for or coming from the internet.
I must admit I did a double take on this. If the VLANs have different subnets, traffic between them has to go via the router unless the switch is L3, right? Or have the foundations of my understanding of networking just been shattered?
Sorry, should have made that clear. Layer three switches required. mea culpa :-[
Quote from: Greelan on March 09, 2021, 10:00:58 AM
I must admit I did a double take on this. If the VLANs have different subnets, traffic between them has to go via the router unless the switch is L3, right? Or have the foundations of my understanding of networking just been shattered?
Perfectly correct. If it's different broadcast domains, i.e. layer 3 networks, the traffic must go through some router. If that router is a "layer 3 switch" or your OPNsense - as always - depends.
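The bottleneck question in the first post (one router port feeding both switches versus one port per switch) and the point made in the last two replies that inter-VLAN traffic has to reach something that routes can be checked with a small traffic model. This is an added example for the thread, not code from the original posts or from OPNsense. It assumes a tree of switches rooted at the router, full-duplex links modelled as independent "up" and "down" directions, and made-up names (sw1, sw2, router), a 1 Gbps link capacity and a constructed traffic pattern.

```python
"""Model of where inter-VLAN traffic actually flows in a router-on-a-stick setup.

Added example for this thread, not code from the original post or from OPNsense.
Topology: a tree of switches rooted at the router; every physical link is full
duplex, so it is modelled as two directed edges ("up" toward the router, "down"
toward the hosts) with independent capacity. Switch and router names and the
1 Gbps capacity are assumptions for illustration.

Rules applied:
  * same VLAN      -> frames stay at layer 2 and turn around at the first
                      switch common to both hosts' paths;
  * different VLAN -> frames must reach something that routes: the router, or
                      the first layer-3 switch on the common path if there is one.
"""
from collections import defaultdict

ROUTER = "router"


def chain(parent, node):
    """Nodes from `node` up to and including ROUTER, following uplinks."""
    out = [node]
    while out[-1] != ROUTER:
        out.append(parent[out[-1]])
    return out


def turnaround(parent, src_sw, dst_sw, routed, l3_switches=frozenset()):
    """First node common to both paths that can forward the flow:
    any switch for same-VLAN traffic, an L3 switch or the router otherwise."""
    dst_chain = chain(parent, dst_sw)
    for node in chain(parent, src_sw):
        if node not in dst_chain:
            continue
        if not routed or node == ROUTER or node in l3_switches:
            return node
    raise ValueError("no common node")  # unreachable: ROUTER is on every chain


def link_loads(parent, flows, l3_switches=frozenset()):
    """Per-direction Gbps on every physical link for a list of flows.

    flows: (src_sw, dst_sw, src_vlan, dst_vlan, gbps), one-way payload rate.
    A link is keyed "child-parent"; "up" is child->parent, "down" the reverse.
    """
    loads = defaultdict(float)
    for src_sw, dst_sw, src_vlan, dst_vlan, gbps in flows:
        routed = src_vlan != dst_vlan
        meet = turnaround(parent, src_sw, dst_sw, routed, l3_switches)
        for node in chain(parent, src_sw):      # climb from the sender
            if node == meet:
                break
            loads[(f"{node}-{parent[node]}", "up")] += gbps
        for node in chain(parent, dst_sw):      # descend to the receiver
            if node == meet:
                break
            loads[(f"{node}-{parent[node]}", "down")] += gbps
    return dict(loads)


def max_utilisation(loads, capacity_gbps=1.0):
    """Highest per-direction utilisation (1.0 == that direction saturated)."""
    return max(loads.values(), default=0.0) / capacity_gbps


# The two layouts discussed in the thread (assumed names): both switches behind
# one router port via a switch-to-switch trunk, versus one router port per switch.
ONE_PORT = {"sw2": "sw1", "sw1": ROUTER}
TWO_PORTS = {"sw1": ROUTER, "sw2": ROUTER}

# Constructed traffic: a full-rate transfer in each direction between a host in
# VLAN 10 and a host in VLAN 20 (e.g. a backup job and the data flowing back).
SAME_SWITCH = [("sw1", "sw1", 10, 20, 1.0), ("sw1", "sw1", 20, 10, 1.0)]
CROSS_SWITCH = [("sw2", "sw1", 10, 20, 1.0), ("sw1", "sw2", 20, 10, 1.0)]

if __name__ == "__main__":
    for name, topo in (("one port", ONE_PORT), ("two ports", TWO_PORTS)):
        for label, flows in (("same switch", SAME_SWITCH), ("cross switch", CROSS_SWITCH)):
            loads = link_loads(topo, flows)
            print(f"{name:9} {label:12} max util {max_utilisation(loads):.0%}  {loads}")
    # Same traffic when sw1 routes between VLANs itself (a layer-3 switch).
    print("one port, sw1 is L3:", link_loads(ONE_PORT, SAME_SWITCH, {"sw1"}))
```

What the model shows: traffic between two VLANs on the same switch climbs the switch's uplink and comes straight back down it, so with a bidirectional transfer that uplink sees 2 Gbps of demand per direction in both layouts; the second router port changes nothing there. It only helps flows between the two switches, and even then every packet is still forwarded by OPNsense. Marking sw1 as a layer-3 switch takes the uplink out of the path entirely, which is the point the thread arrives at.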
Quote from: marjohn56 on March 09, 2021, 01:25:30 PM
Sorry, should have made that clear. Layer three switches required. mea culpa :-[
Phew. I figured the man who wrote udpbroadcastrelay would have to know lol
Sigh.... yes, a classic case of "it's not what was said but what was not said". That being said, I see there are some 8 port Cisco layer three switches going for £90, might be tempted to replace my layer 2 managed switch next to the router with one. I'll do a little research.
https://www.broadbandbuyer.com/products/36067-cisco-smb-sg250-08-k9-uk/specifications/#content