Sure, but you won’t have any VLAN capabilities with an unmanaged switch.
Yes, but that one port connected to the managed switch, will it have the same rules, or do I need a managed switch for the rules?
What I mean to say is, the managed switch is connected to the pfSense box and all the ports have firewall rules, so will any unmanaged switch connected to a port on the managed switch be protected (have rules), or would I need a managed switch to achieve it?
pfSense doesn’t, AFAIK, have the ability to assign firewall rules to particular switch ports. The switch itself may be able to, but I haven’t seen any such functionality in either pfSense or OPNsense. So in that context, I’m afraid your question doesn’t make much sense.
I understand. What I wanted to convey is: if my managed switch is secured using pfSense, then connecting an unmanaged switch to this secure managed switch, will it work? Secondly, will it still be protected?
I don’t know what you mean by “secured” or “protected,” and I’m not sure you do either. There isn’t a meaningful sense in which a firewall “protects” a switch, other than perhaps a management interface for that switch (which an unmanaged switch wouldn’t have)–switches are generally transparent network devices. The firewall protects devices, specifically devices on networks. I think you need to spend some serious time learning network basics, because you’re proposing a fairly complicated network design that I don’t think you quite understand, much less understand how to implement and secure. You’re (apparently) someone who barely understands how to ride a bicycle, asking about the finer points of space flight.
But the short answer to the questions is that yes, an unmanaged switch will likely work if you plug it into a port of a managed switch, and the devices connected to that unmanaged switch would be protected by your firewall in the same way as devices connected directly to the managed switch.
Yes, that’s totally right. I’m new to it.
Thank you. That’s what I wanted to confirm!
Just the last thing to ask regarding this: can I connect the Access Point directly to the pfSense box, or would I need to connect it to the managed switch?
Ya, when I move to my new house will be revising, but I do like all of the control via pfsense vs cli on the brocade and having that insight into traffic and handling dhcp and everything else, vs the pfsense just becoming a gateway, and my pfsense will be moving to a beefier system anyways so even pushing through 10Gbps would be easily handled for the once in a blue moon I may need to do that between VLANs.
It all comes down to how you want to manage your environment and if you want to use VLANs vs physical ports.
You can either:
PfSense
-- LAN ----> Managed switch
-- Optional interface 1 ----> Wifi Access point
Then you can create firewall rules in pfSense to block LAN and Wifi from talking to each other, and only allow what you want, if devices across your LAN or Wifi need to communicate.
Or:
PfSense
----> VLANs ----> LAN ----> Managed Switch:
  -> Assign VLAN to port(s) for LAN devices
  -> Assign VLAN to port(s) to connect to Wifi Access point.
Both end with the same result; with one you do not need to create VLANs in pfSense and your managed switch, with the other you do need VLANs.
As for connecting an unmanaged switch to your managed switch - you can do this fine, but, if you are using VLANs to isolate networks, your unmanaged switch will be on whatever VLAN you plug it into from your managed switch.
You noted you wanted to be able to power down your switch when not in use, is this because power is expensive for you? If not, just leave it running.
Personally for me:
PFSENSE: 4 x 1Gb ports
- 1 Interface for WAN from ISP
- 2 x ports bonded / LACP going to my Managed switch, giving me redundancy and 2Gb of total throughput (still only a max of 1Gbps per session)
- VLANs as needed - Default VLAN can be your LAN, a new VLAN for your Wifi network, and then you can always add other VLANs for things like IoT devices, like security cameras or other stuff.
Then you get even fancier, and eventually get a wifi access point that can do multiple SSIDs per VLAN!
Now you can have an isolated guest VLAN, isolated IoT VLAN, all about control and segmentation.
How would I know whether I need 10GbE?
What’s the best in terms of security practice? Second one, right?
Yes, wanted to confirm, as there are only 16 ports on this switch I have and I might need 24 probably, so other systems are not that important and are connected via an 8-port unmanaged switch, so I wanted to know if I could use that.
No, the thing is except for the firewall and NAS and the Access Points, everything will be shut, including the second switch (25G/100G).
The other 1 port is empty?
Yes, it’s a nice adventure. Trying to learn as much as I can!
Guys,
Just a question regarding this old thread. So, my main Mikrotik Switch has SFP+ ports (there are four of them) and I want to use that to connect the pfSense. I know I can buy an SFP+ card for the pfSense box (Lenovo Tiny), but the thing is those are 2 ports and the 4 ports won’t fit in that tiny box, and for the ISP, I have two of them which use RJ45 and I only have a single RJ45 as onboard Ethernet on my pfSense. Any solutions for this?
Also, very soon I want to add my other 25GbE and 100GbE switches to the line and want the filtering to be done via the pfSense box. So, do I connect these switches to the old main Mikrotik Switch or hook both the new switches (25GbE and 100GbE) to the pfSense directly?
SFP+ can take a 10Gb T transceiver that has an RJ45 (conventional copper networking). They are okay for short distance, 30m?. They are also power hungry compared to fiber SFP+, so you may not be able to use too many at once. Have to watch device power budget.
Is pfSense doing your routing? If it is, be advised traffic between VLANs will get nowhere near line-rate for 25/100 Gig, even if you had the appropriate network card.
As discussed in the other thread, you CAN use a 10G-BaseT adapter, but the power budget on the CRS305 is very limited and you can only use 1 or 2.
Nah, I had this idea previously but definitely do not want to use something like that.
Yes, but what I’m trying to do is:
ISP 1 (RJ45) to PfSense (RJ45)
ISP 2 (RJ45) to PfSense (RJ45)
And then, I want to have 2 SFP+ ports by which I will connect my main switch and hook devices in that. I can install a NIC and I can have the SFP+ ports, but the problem is I have two ISPs and there is only one single RJ45 on my box. So, I guess it’s a dead end. The other solution I see is to install a 4-port Base-T (like my old I350), but after discovering the Base-T and SFPs, I prefer to use SFP to connect my main switches. Would it be beneficial in any manner or is it a waste of resources and would make no sense at all? In short, by using SFP, I’m trying to have lower latency and faster throughput.
I could have also used SFP on the ISP side but the box they give does not have SFP ports. So, kinda stuck with RJ45.
Yeah, I understand. But my main switch is Mikrotik CRS312-4C+8XG-RM
Get a switch with two SFP+ interfaces like the Mikrotik CRS326-24G-2S+IN/RM and connect your pfSense with two fiber 10G interfaces creating a lagg.
Run everything else including your two ISPs over tagged VLANs. So the ISPs connect to one of the abundant (for a home lab) 24 Gigabit ports on the switch, each.
Already having Mikrotik CRS312-4C+8XG-RM and plan to do lagg.
Umm, how would I do that?
Well, if I’m not wrong, the pfSense needs to be connected to the ISP and then either a device to the other port on the pfSense or a switch and then the rest of the devices to the switch. Or am I missing something here?
@dan So, I decided to go for TP-Link Omada and I decided to get the EAP655-Wall, but when going through the datasheet, it has a PoE port and no power adapter required to power the device. So, what options do I have here? Originally, I decided to go for the TL-WA3001, but the space is a bit compact and sometimes I’m outside with my laptop or phone and the network signal would not be that good, I guess. What do you suggest? Should I buy a PoE switch or use some other Access Point?
Create VLAN 10 on pfSense lagg0. Create VLAN 10 on the Mikrotik switch. Assign VLAN 10 tagged to the bond1 on Mikrotik, untagged to e.g. ether1 - your pfSense now has a VLAN 10 interface that has a direct connection to port ether1 on the switch. Set up your ISP uplink there.
Do likewise with e.g. VLAN 20, ether2, and the second ISP.
That’s what VLANs are for. You connect your expensive device with few ports - firewall, router, hypervisor host, … with a high bandwidth interface to a switch, create VLANs, assign switchports to those - voila, your device now has as many ports as the switch brings, and way cheaper.
HTH,
Patrick
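Added example, not part of the thread or any poster's configuration: a small Python audit of the switch port plan described in the post above (VLAN 10 and 20 tagged on bond1, untagged on ether1 and ether2), checking that each ISP port can only reach the firewall trunk at layer 2. It also reflects the earlier point that an untagged port, and any unmanaged switch hung off it, sits in exactly one VLAN. The LAN VLAN 30 and ports ether3 to ether5 are assumptions.

```python
# Added example: audit an 802.1Q port plan for WAN/LAN separation.
# Port names bond1, ether1, ether2 and VLANs 10/20 follow the post;
# VLAN 30 and ether3-ether5 are assumed for the LAN side.
PLAN = {
    10: {"tagged": {"bond1"}, "untagged": {"ether1"}},  # ISP 1 uplink
    20: {"tagged": {"bond1"}, "untagged": {"ether2"}},  # ISP 2 uplink
    30: {"tagged": {"bond1"}, "untagged": {"ether3", "ether4", "ether5"}},
}
WAN_VLANS = {10, 20}
TRUNK = "bond1"  # the lagg towards pfSense


def members(plan, vid):
    """All ports that carry VLAN vid, tagged or untagged."""
    return plan[vid]["tagged"] | plan[vid]["untagged"]


def l2_peers(plan, port):
    """Ports that share at least one VLAN (broadcast domain) with port."""
    peers = set()
    for vid in plan:
        if port in members(plan, vid):
            peers |= members(plan, vid)
    return peers - {port}


def audit(plan, wan_vlans, trunk):
    """Return findings that would let WAN frames bypass the firewall."""
    findings = []
    pvid = {}  # first untagged VLAN seen per port
    for vid in sorted(plan):
        for port in sorted(plan[vid]["untagged"]):
            if port in pvid:
                findings.append(f"{port}: untagged in VLAN {pvid[port]} and {vid}")
            pvid.setdefault(port, vid)
    for vid in sorted(wan_vlans):
        if trunk not in plan[vid]["tagged"]:
            findings.append(f"VLAN {vid}: not tagged on {trunk}")
        access = members(plan, vid) - {trunk}
        if len(access) != 1:
            findings.append(f"VLAN {vid}: expected 1 ISP port, got {sorted(access)}")
        for port in sorted(access):
            inside = sorted(v for v in plan
                            if v not in wan_vlans and port in members(plan, v))
            if inside:
                findings.append(f"{port}: carries WAN VLAN {vid} and internal {inside}")
    return findings


if __name__ == "__main__":
    print(audit(PLAN, WAN_VLANS, TRUNK) or "both ISPs are reachable only via the trunk")
```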
FWIW @pmh’s suggestion may sound “strange” but this topology is more common than you might expect. Among other things, this topology allows you to do cheeky things like CARP (redundant routers in pfsense) on a residential connection with a single ISP provided WAN IP.
In the enterprise world, I had a “WAN Edge Block”, where I had some traffic traverse between my datacenters “out-of-band” for various reasons. Let alone the ability to have dual ISPs, one at each datacenter, and still have the ability to route out of either site to either connection.