Following setup with only 2 ports possible?

Started by iammike, June 08, 2023, 07:24:31 AM

Hi everyone,

Noob here and just starting with Opnsense.

I was wondering if the following setup https://forum.opnsense.org/index.php?topic=31738.0

is possible with only a 2-port device? I have stupidly only ordered a 2-port device instead of 4 ports.

Any guidance would be very much appreciated

Thx

Absolutely! Use VLAN separation to divide your infrastructure regardless of it sharing the same physical LAN.

https://www.youtube.com/watch?v=jC6MJTh9fRE

Invest in one or more dedicated WiFi access points with multiple SSIDs tied to separate VLANs. E.g. TP-Link AC1750 or Ubiquiti U6-Lite.

Note that these need separate controllers to manage them, either locally or in the cloud.

Bart...

Hi Bart,

Thx

I was thinking of this Wireless Access Point

https://www.tp-link.com/uk/home-networking/access-point/tl-wa1201/#overview

Would that also need a controller? And by controller, do you mean Omada?


Good catch!

No controller - it has a web interface: https://emulator.tp-link.com/TL-WA1201(EU)%203.0_MSSID_Emulator/index.html#ssidWireless

It doesn't need Omada and looks much simpler for a single AP deployment. If you are not planning to grow beyond a handful of switches and APs it's fine to manage them individually. I'm on seven switches and three APs, which is definitely easier with SDN and central management ;)

Thx,

Approx. a max of 2 switches and 3 APs.

2 APs inside the house and 1 outside.

For switches I have ordered a zyxel gs1200-8

https://www.zyxel.com/uk/en-gb/products/switch/5-port-8-port-web-managed-gigabit-switch-gs1200-series

Will report back.

Those are a good basis for a solid network. I was lured by the PoE and aesthetics of Unifi kit ;)

Invest in pass-through RJ-45 crimps and a parallel force tool. The lever types put unequal pressure on the crimp blades and can cause random errors: https://www.amazon.co.uk/SecuriCam-Crimping-Stripper-Connection-Connectors/dp/B09CMWSLB1 with https://www.amazon.co.uk/RJ45-Pass-Ethernet-Network-Cables/dp/B07W8VC7TS/ (other tat stores are available)

Try and put your APs at right angles to minimise cross-talk.

Bart...

I looked at unifi, but a bit pricey for my cause, maybe I am looking at it wrong though.

I looked at the Lawrence Systems videos and it seems not that hard to set up in combination with VLANs.

Quote from: iammike on June 09, 2023, 08:40:21 AM
I looked at unifi, but a bit pricey for my cause, maybe I am looking at it wrong though.
You're right - it's premium kit. However, the APs are very discreet, especially with PoE, and it does clever things like optimise performance at night. You also get more frequent firmware updates.

My core switches run off UPS so I won't get an outage if someone plugs their iPhone charger in a mission-critical mains power socket  8)

Bart...

Thx for the help, really appreciated

In the meantime I have come up with another question

In my living room I will place the 8 port zyxel switch.

Ports will be assigned like this

1- Opnsense
2- living room pc area
3- bedroom
4- NAS 1 - trusted
5- NAS 2 - trusted
6- Raspberry Pi - trusted
7- AP - Trusted
8- AP - non trusted

The question is about #2 and #3. (Ps: Ethernet cable from main switch is in place in both areas)

In those 2 areas I have several devices, for example
in #2 my main pc and another Pi and maybe some other testing devices.
In #3 a TV and a NUC

Area #2 is trusted, but in area #3 only the NUC is trusted. Should I place a switch in those areas as well (so I would need 3 managed switches), or can I do with a dumb switch or hub? My guess is 3 managed switches, but I'm not sure.

Any other comments on my idea

TiA

Quote from: iammike on June 10, 2023, 05:08:07 AM
Area #2 is trusted but area #3 only the NUC is trusted. Should I place a switch in those areas as well (so I would need 3 managed switches) or can I do with a dumb switch or hub. My guess is 3 managed switches but not sure.
If you have a location with network devices that need to join different VLANs (e.g. no VLAN == LAN, VLAN 13 == untrusted) then you need a managed switch to tag the packets for the devices on VLAN 13.

Remember to make the relevant port(s) untagged instead of setting up the VLAN on the device itself. If you don't trust what is connected to a switch port, you configure the switch to be in charge of VLAN membership, not the device on the port. Untagged ports show up as green squares in the Zyxel management interface.

Quote from: iammike on June 10, 2023, 05:08:07 AM
area #3 only the NUC is trusted.
You'll need a managed switch in the bedroom to restrict NAS access to the NUC for things like streaming NAS content to your TV. Check out Emby server, Jellyfin or Plex for that as well. I run an Emby client directly on the (Android) TV.

Quote from: iammike on June 10, 2023, 05:08:07 AM
Any other comments on my idea
Don't forget about power. My main reason for PoE was to reduce the number of power bricks around the house. They are inefficient (== hot), take up power sockets, of which we don't have many, and are often ugly. Check out a PoE hat for the Pi, provided it doesn't need to be completely silent: https://thepihut.com/products/raspberry-pi-poe-plus-hat There is something very elegant in using only one cable for two purposes.

Ubiquiti is not all or nothing either. If one AP needs to sit in a very visible spot, you could splash out on a ceiling mounted UAP-AC-LITE and run the controller on a Pi or as a container on a NAS.

Quote from: iammike on June 10, 2023, 05:08:07 AM
4- NAS 1 - trusted
5- NAS 2 - trusted
You could use link aggregation for any NAS that is used heavily but measure the peak traffic first. If you max out at 20Mbps, there is no point going from 1Gbps to 2Gbps. Syncthing may be a better use of any spare ports on your NAS - run a crossover cable between them and keep vital data in two places without swamping the network with replication traffic.

Quote from: iammike on June 10, 2023, 05:08:07 AM
maybe some other testing devices.
Have a look at Proxmox on a SFF PC. If you trawl eBay for thin clients, you could pick up a nice sandbox environment for VMs and containers. The HP T630 and Lenovo ones are nice. Companies are ditching these for laptops and they go for pennies. Budget for some additional RAM and/or storage if required. You'll want at least four cores, 8GB RAM and 128GB flash.

Sorry for the long post  :D

Bart...

June 12, 2023, 07:21:35 AM #10 Last Edit: June 12, 2023, 07:23:36 AM by iammike
Wow Bart lots of info you are giving me, again really appreciated.

Another question if I may,

I will have that OPNsense 2-port device, so 1 port for LAN and 1 port for WAN.

What is the best way to connect the 2 other switches (living room and bedroom) to the main switch? I have been reading up on this and the consensus is that plugging them both into the main switch would cause cascading, which AFAIK is a bad thing. Better would be to plug them directly into the OPNsense router.

What do you think about this?

Ps: I am going for the Zyxel GS1900 series as main switch.

https://www.zyxel.com/uk/en-gb/products/switch/8-10-16-24-48-port-gbe-smart-managed-switch-gs1900-series

I think it's a bit better than the GS1200.

Cascade is not a problem unless you get into very high throughput situations. Those Zyxels max out at between 16 and 32 Gbps on their backplane. If you cascade them from one upstream port, that is reduced to 1Gbps, or 2Gbps if you want to run two cables between your switches.

This is why some home networking goes up to 2.5Gbps or even 10Gbps but it pays to do the math first ;)

What are the largest data flows in your network? If it is your NAS serving and streaming files, what is its maximum throughput? How many concurrent streams/downloads are you likely to have?

My sums added up to no more than 300Mbps and I'm happy with gigabit ethernet all round. Even that made the house look like Swiss cheese, I shudder to think what that would be like with everything cabled up to one location.

Bart...

June 12, 2023, 09:52:50 AM #12 Last Edit: June 12, 2023, 09:54:22 AM by iammike
Thx Bart (as always)

The greatest data flow would be the main PC, I guess, and NAS1, as that is used for backups and main storage (NAS1 will be connected to the main switch and the main PC to switch #2).

What I could do is, for example on the bedroom switch, limit some ports to a max of 100MiB only, for example the TVs and the Apple TV, but leave the NUC at 1GiB.

Will also limit the port for the guest AP to 100MiB (maybe even lower hahahaha).

Quote from: bartjsmit on June 12, 2023, 09:29:58 AM
Cascade is not a problem unless you get into very high throughput situations. Those Zyxels max out at between 16 and 32 Gbps on their backplane. If you cascade them from one upstream port, that is reduced to 1Gbps, or 2Gbps if you want to run two cables between your switches.


Just reading this again, do you mean 2 cables from the main switch to the bedroom switch (for example)? Unfortunately that is not really possible, as the current cable is underground and a 2nd one can't be added. Same with the location of switch #2.

I can replace the cable but not pull 2 through (yellow PVC pipe with limited diameter).

Yes, 2 gigabit connections can be bonded (LAGG, etc) to give 2Gbps maximum aggregate throughput. Note a single data flow is still limited to 1Gbps, you can just have more concurrently. It also provides failover.

If you're going to pull new cables, you're as well going for fibre instead of more copper. You would need a different Zyxel though, check out the 1930 range which has SFP+ ports. https://www.zyxel.com/uk/en-gb/products/switch/24-48-port-gbe-lite-l3-smart-managed-switch-with-4-10g-uplink-xgs1930-series

Obligatory YouTube: https://youtu.be/nlB73DqNFxY?t=577

Bart...