Question 2 Separate LANs on the same hardware - how?

bob4432

Lifer
Sep 6, 2003
11,671
20
81
My current network set is a basic home setup - coax comes in and is connected into a cable modem, which then goes into a router. After that it goes throughtout my condo via CAT5E to multiple GbE switches for wired and then the main router is a older "N" router, while at the other end of the condo is a "AC" based AP. This setup has served me well but the 2 current routers are being replaced because they have been dropping their WIFI abilities. I have a pair of "N" routers that will run the IOT devices and have a pair of Asus AX routers inbound for the other part of the LAN.

Now what I want to acquire - add a different network that has internet availability, with the ability to have ports forwarded to this 2nd network as well as having it able to go online. What I need to acquire is to keep these 2 networks from comminicating with each other or even being able see each other. Reason being is that I am slowly acquiring IOT devices and would like the IOT devices (Smart Outlets, Electrical Switches, Cameras, etc) which will be in the "N" LAN to be out of site from the "AX" LAN.

I have enough routers, switches & computers to accomplish this (4 routers of different generations, 5+ 5 & 8port Gb/s dumb switches, 5+ IOT devices and I believe 6 computers. I also have a RaspberryPi 4b that if possible I would like to integrate that into the mix if it doesn't cause many issues, but it is by no means a must have.

My reason for wanting do this is to isolate the two networks from each other as I am going to have IOT Cameras running Blue Iris and the cameras will need to write and have access to "N" network's computer - write to it's HDD/SSD and be able to alert me when a camera needs to let me know when a rule has been tripped and secondly so I can operate the other IOT devices when away from home. I believe I can do this and run 2 networks on the same switches, please advise if I am incorrect - again multiple dumb GbE switches w/ a router and AP on each LAN.

So, please let me know how I can have 2 networks on the same hardware that cannot even see each other.

Thanks in advance,
Bob
 

Fallen Kell

Diamond Member
Oct 9, 1999
5,760
285
126
What you really want is to upgrade to an enterprise layer 3 core switch and configure VLANs and routing rules. The core switch can then connect your various other switches (ideally), but you can also configure it as a router-on-a-stick if you need to (look that one up on google). If your other switches are managed switches, you can ideally pass the VLANs through to it with the connection back to the core switch (however, if they are unmanaged, you will only be able to specify a single VLAN that all devices that communicate through that unmanaged switch will be on by defining on the core switch that the port that connects to the other unmanaged switch is a specific VLAN). Your wireless routers will need to be configured to use the same VLAN tags for their guest, and wireless IoT networks and production networks and you would need to tag all those VLANs on the ports of the core switch that go to the wifi access points.

Basically, your core switch would have all the VLANs defined and the routing/firewall rules that allow the VLANs to communicate between each other. I would suggest 6 VLANs:
WAN
LAN
Production
Guest
IoT-Local
IoT-Internet

The WAN may not be needed and would only be needed if you need to connect the cable modem into the core switch (and not directly into your edge router).

I would make another suggestion of using the VLAN ID as the network address space for that VLAN (so for instance, Production VLAN is VLAN ID=20, make the network address space within that VLAN be 192.168.20.0/24, and your IoT-Local VLAN ID is 22, so make it 192.168.22.0/24). With all the VLANs having separate address spaces, you can easily write routing rules to be able to route between them.

Think of the LAN VLAN as the last stop before routing to the internet (i.e. your edge router will route between WAN and LAN with the WAN being the connection from your cable modem or ISP and the LAN being the connection that goes back to your network). For the other networks you have defined, if you add a rule that lets it route to the LAN network, it will then be able to communicate to the internet. You will also need to setup deny rules to prevent certain VLANs from communicating to other ones (i.e. deny Guest from accessing Production, IoT-Local, and IoT-Internet, and similarly deny IoT-Local from accessing Production, Guest, and IoT-Internet, etc., etc...).

You can possibly do it with your existing equipment (especially if your N based WiFi AP/routers can run something like DD-WRT or OpenWRT), but it will still be very complex and more likely the fail that way.

But an enterprise layer 3 switch will be what you really want to look for to do what you want to do. I personally use a Brocade ICX 6610, however, you may prefer to use a CISCO, or HP Procurve, or Juniper, etc. switch for doing this. They will mostly likely have the capabilities.
 
Last edited:

bob4432

Lifer
Sep 6, 2003
11,671
20
81
Thank you for the information. What you are saying sounds like how I would like to proceed, and just running 1 router & 1 AP sound even more appealing as the less items the better (less UPSs).

Since it appears you have the knowledge, I would like to make this a learning exercise (not holding you personally liable obviously, just if you could point me in the correct direction would be greatly appreciated). One of the older routers I have is a ASUS WL-520gU, and the other one is one of the early V1 Linksys B/G units that I use to run Tomato on both - so they are not even "N", just "B/G". Being as old as they are, I would rather not try to make it do something when for all I know it may die in the next 6mos. This is what switches I have - the 5 & 8 port versions - Cisco SG110D-08 8 Port Unmanaged Ethernet Switch.

I am on a budget since I just ordered 2x WiFi6 routers and just bought the parts for 3 new computers (2 AMDs - 1x Ryzen 5 3600, 1x Ryzen 5 5600x, 1 Intel Core i3-10100F), with 2 being built and the third sitting in boxes waiting for it to be built - in fact, that third computer, the Intel one, will be the machine that I am going to set up Blue Iris and just may convert it to my main server since it is going to be on 24/7 and that is where the cameras will be saving their video too, so I have dropped quite a bit of $$ in past couple months, especially since most of it was not planned, a lot of things just happend, and when I thought things were done, I notice my phone using a lot more mobile data than wifi data which costs $$ as I am on Google Fi, which normally is not a problem because I can connect to WiFi just about anywhere I go, but not lately. So a lot of $$ went out the door that was not planned as I usually plan these types of purchases.

Out of curiosity, since the layer 3 switch seems to be the brains behind all of this, would it go behind the main router? Since these sound like enterprise switches, are they hyper loud and only rack size or do they have any pysically smaller ones? Not a real problem, I will just have to move some stuff around.

I am going to re-read what you said, look up "router on a stick", and then re-read it again to let it really sync in. As far as the switch, I am not a "Brand Snob", I just want what works and has the best price/performance ratio and be able to possibly use the knowledge I do from this possibly used in the future, so the switch that would be the most widely used.

Appreciate the info and hope to hear back from you. We can do this via PMs or right here - it is up to you.

Again, Thank so much,
Bob

PS - FWIW, I do not know if it matters, but the 2 new WiFi AX routers I picked up were 2x ASUS WiFi 6 Router (RT-AX3000), I went with them because they were supported by Merlin firmware. If they are any problem, they are still sealed if I need to go a different route, but I do not want to spend any more $$ since a new switch looks it will be incoming :). Again, thanks for the info.
Bob

Last - is there any spot in here for the RaspberryPi 4B w/ 8GB of memory? It would not be a network speed barrier as my internet is 100Mb/10Mb atm and will be moved up to 1Gbs/35Mb/s in the not too distant future. Thanks again.
 
Last edited:

mxnerd

Diamond Member
Jul 6, 2007
6,390
973
126
Most smart switches on the market offer VLAN feature now and they are super cheap (TP-LInk, Netgear, ). Don't think you need full blown enterprise grade level 3 switches.

Personally Not experienced with VLAN though.

==

If you are considering RPI 4B, take a look at https://dietpi.com/, you can run a lot of self-hosted services (Pi-Hole/AdGuard/Unbound DNS, apache web server, SMB NAS, VPN server/client...), using it's prebuilt packages and text based installer. Not for routing purpose. Ask questions in its forum, the developer will answer about anything you throw at him.
 
Last edited:
  • Like
Reactions: Leeea

bob4432

Lifer
Sep 6, 2003
11,671
20
81
Thanks for the response. I honestly do not have an issue if I do have to go w/ a Cisco or whatever brand, even rack size to get the job done the right way as I believe that IOT devices are the weak link since they are going to be outside of my 4 walls. For security reasons, I can live with going true enterprise as long as I don't have to pay a ton of $. Plus if I have the knowledge of setting this up, I see it as just another item to further my skills, and I know I am weak in the network area, so this will only help me out in the future.

I am just hoping that the switch is not one of the ones that is a ton of $$.

I have read a bit more and I think messing with the RaspberryPi may not be the best option for this, but I have a lot of other plans for the few Pis I do have :D.

Thank you for your input, much appreciated.
Bob

PS - As far as what you have suggested for the Pi, that sounds great. I have done all the hosting on PCs over the years except DNS, so maybe I will set one up a DNS appliance. DietPi looks pretty good and I would like to sharpen my rather dull Python skill set.
 

bob4432

Lifer
Sep 6, 2003
11,671
20
81
Thanks for the comments, will look into the DNS add-on to put the RaspberryPi :)

Sent from my moto g power using Tapatalk
 

ch33zw1z

Lifer
Nov 4, 2004
35,059
14,150
146
I've been running three vlans for a while using ubiquiti devices. Started on a ER-X, now have a a UDM pro. The ER-X is about $50, the UDM pro is about $400.

Vlan tech is all IEEE standards, so you can mix and match and it *should" work.

My vlans are isolated, I only allow IoT vlan access to two IP's on my main, and that's for DNS filtering. My Guest network doesn't get access to anything else but internet mostly. Occasionally I have to enable a rule to let a couple PC's into the guest to access a server my kid runs sometimes, but I refuse to put it on my main 🤨

I use raspberry Pi's and pihole for dns filtering, work great.
 

bob4432

Lifer
Sep 6, 2003
11,671
20
81
I've been running three vlans for a while using ubiquiti devices. Started on a ER-X, now have a a UDM pro. The ER-X is about $50, the UDM pro is about $400.

Vlan tech is all IEEE standards, so you can mix and match and it *should" work.

My vlans are isolated, I only allow IoT vlan access to two IP's on my main, and that's for DNS filtering. My Guest network doesn't get access to anything else but internet mostly. Occasionally I have to enable a rule to let a couple PC's into the guest to access a server my kid runs sometimes, but I refuse to put it on my main 🤨

I use raspberry Pi's and pihole for dns filtering, work great.
This is something I think I should have done quite some time ago. Is there a VLAN primer I can read about and also any other hardware that fits the hardware I need. It has been quite some time since I have delved into something new and while exciting and fun, a bit overwhelming. Take for instance if I can find a Ubiquiti ER-X, where does it get plugged into the network, or does it matter - it is a bit late where I am so maybe tomorrow morning things will look much brighter. Greatly appreciate the info.

Also a bit confused because I thought I needed a certain level switch, but the ubiquiti equipment is coming as routers...
 

ch33zw1z

Lifer
Nov 4, 2004
35,059
14,150
146
Ubiquiti makes both routers and switches (among other things).

There's vlan tutorials for darn near any device you want to look at.

And er-x is mainly a router, but routing between vlans happens at the firewall level, on the er-x.

The er-x also has wan limitations of about 500mbps iirc. So if you have more download than that from your isp, the er-x may not be a good choice.

Ubiquiti has two product lines, both with routing and switching. Edge and Unifi, they can work together, but they have different management interfaces / utilities
 
Last edited:

bob4432

Lifer
Sep 6, 2003
11,671
20
81
Thanks for the clarification 👍

I guess I am confused as to where this additional switch/router goes when setting up, and we're the 2 Asus WiFi6 Routers I purchased needing to go back?

I will look more when I wake up for level 3 enterprise switches as I do not want this area screwed up. Out if curiosity, are there any licensing issues say I find a deal on a CISCO, or HP Procurve, or Juniper. I am assuming I just search in different forums or possibly eBay for "(insert brand) level 3 switch"?

Thanks all so much,
Bob

Out of the CISCO, HP Procurve, Juniper or Ubiquiti do they all have the same syntax or is it
brand dependent?
 
Last edited:

bob4432

Lifer
Sep 6, 2003
11,671
20
81
May be this can further help.


:cool:
Thanks Jack,
I knew I was going to harden thing up once I accepted IOT devices, I just didn't to do it all after a couple computer failures and router failures. No time like the present to get things done!

Sent from my moto g power using Tapatalk
 

Fallen Kell

Diamond Member
Oct 9, 1999
5,760
285
126
Yeah, the best bet is to go over some basic design tutorials for networks and VLANs before jumping into implementation.

Just to give an idea of what I have going, my network is basically the following:

cable modem --2x1Gbe--> LACP port on ICX 6610 switch tagged with WAN VLAN
pFsense (edge router) --40Gbe--> port on ICX 6610 switch with both WAN and LAN VLAN
Netgear Nighthawk X10 WiFi (flashed with DD-WRT) --10Gbe--> port on ICX 6610 switch tagged with Guest, IoT, IoT-Local, and Production VLANs
VM/Storage Server --40Gbe--> port on ICX 6610 switch tagged with Production VLAN

Most of my IoT devices are connected via wireless to a VAP (the wireless equivalent to a VLAN) created for IoT devices. And I have a local IoT smart home hub to control Z-wave and Zigbee devices (as well as store/run my local rules/automations for all my smart home IoT devices) which is wired to a port on the ICX 6610 which is tagged for the IoT VLAN.

If you look at my WiFi networks, I have 12 different networks (B/G/N 2.4GhZ for Production, Guest, IoT, and IoT-Local, A/N 5GhZ for Production, Guest, IoT, and IoT-Local, and AC for Production, Guest, IoT, and IoT-Local, as my WiFi router has three different radios, which I have created the 3 additional VAPs on top of the Production wireless, each of these are tagged using the same VLAN tag id as defined on my ICX 6610 switch for the cooresponding VLANs). I disabled all routing on the Nighthawk X10, and have it purely in AP mode. It does provide DHCP services as it has connections on all the networks (except for a Management VLAN that I have which my server's out of bands management interface is connected as well as the ICX 6610's network management port is connected, but neither of these require DHCP).

The DHCP was the trickiest part. I had to define different IP address ranges for each of the various VLANs in the DHCP config as well as specify various different default routes and IPs for DNS depending on the network.

My pFsense system handles my local DNS and is a DNS forwarder to lookup items it doesn't know. I have it running pfblockerng (think of it as a much higher end pi-hole as it combines firewall capabilities to block outgoing and incomming connections with DNS lookup to prevent software/malware/ads from being able to end-run around Pi-hole by removing the DNS lookup).

The pFsense is a router-on-a-stick (meaning it only has one physical connection to my network, and routes between the WAN and LAN VLAN). All other inter-VLAN routing is defined on the ICX 6610. It is your typical default deny all type of configuration, with specific rules to allow certain behavior through its firewall/routing tables. The way I have things setup, anything that I allow to connect to the LAN vlan has internet access (as LAN can be routed out to WAN which is my ISP). I have some specific denies listed (such as deny anything originating in Guest from accessing Production, and similar rules for IoT and IoT-Local), but mostly it is just allowing Guest to access LAN, IoT to access LAN, Production to access Lan, etc...).

If you go with a Brocade switch (like I have), there is a huge thread (several thousand posts) over on the "servethehome" forums about them going over setup, configuration, etc. That is where I learned how to configure mine (and what led me to purchase the switch I did).
 
Last edited:

bob4432

Lifer
Sep 6, 2003
11,671
20
81
Yeah, the best bet is to go over some basic design tutorials for networks and VLANs before jumping into implementation.

Just to give an idea of what I have going, my network is basically the following:

cable modem --2x1Gbe--> LACP port on ICX 6610 switch tagged with WAN VLAN
pFsense (edge router) --40Gbe--> port on ICX 6610 switch with both WAN and LAN VLAN
Netgear Nighthawk X10 WiFi (flashed with DD-WRT) --10Gbe--> port on ICX 6610 switch tagged with Guest, IoT, IoT-Local, and Production VLANs
VM/Storage Server --40Gbe--> port on ICX 6610 switch tagged with Production VLAN

Most of my IoT devices are connected via wireless to a VAP (the wireless equivalent to a VLAN) created for IoT devices. And I have a local IoT smart home hub to control Z-wave and Zigbee devices (as well as store/run my local rules/automations for all my smart home IoT devices) which is wired to a port on the ICX 6610 which is tagged for the IoT VLAN.

If you look at my WiFi networks, I have 12 different networks (B/G/N 2.4GhZ for Production, Guest, IoT, and IoT-Local, A/N 5GhZ for Production, Guest, IoT, and IoT-Local, and AC for Production, Guest, IoT, and IoT-Local, as my WiFi router has three different radios, which I have created the 3 additional VAPs on top of the Production wireless, each of these are tagged using the same VLAN tag id as defined on my ICX 6610 switch for the cooresponding VLANs). I disabled all routing on the Nighthawk X10, and have it purely in AP mode. It does provide DHCP services as it has connections on all the networks (except for a Management VLAN that I have which my server's out of bands management interface is connected as well as the ICX 6610's network management port is connected, but neither of these require DHCP).

The DHCP was the trickiest part. I had to define different IP address ranges for each of the various VLANs in the DHCP config as well as specify various different default routes and IPs for DNS depending on the network.

My pFsense system handles my local DNS and is a DNS forwarder to lookup items it doesn't know. I have it running pfblockerng (think of it as a much higher end pi-hole as it combines firewall capabilities to block outgoing and incomming connections with DNS lookup to prevent software/malware/ads from being able to end-run around Pi-hole by removing the DNS lookup).

The pFsense is a router-on-a-stick (meaning it only has one physical connection to my network, and routes between the WAN and LAN VLAN). All other inter-VLAN routing is defined on the ICX 6610. It is your typical default deny all type of configuration, with specific rules to allow certain behavior through its firewall/routing tables. The way I have things setup, anything that I allow to connect to the LAN vlan has internet access (as LAN can be routed out to WAN which is my ISP). I have some specific denies listed (such as deny anything originating in Guest from accessing Production, and similar rules for IoT and IoT-Local), but mostly it is just allowing Guest to access LAN, IoT to access LAN, Production to access Lan, etc...).

If you go with a Brocade switch (like I have), there is a huge thread (several thousand posts) over on the "servethehome" forums about them going over setup, configuration, etc. That is where I learned how to configure mine (and what led me to purchase the switch I did).
Thank you for the info. Would it be safe to setup the 2 Asus AX routers for the time being as my old routers are dyeing at a faster rate which is pushing my data usage through the roof. I understand I need to do more research, but I have a couple extra computers I could use for the pfsense firewall - a z68 based mb and a l z77 m/b that I could keep the i5-2500k in them or up it to an ivy bridge xeon if that would help as it does have the room to put at least 4 quality pci-e GbE (or higher?) Nics in.

I also have access to a x99 (I think it is a x99 board - it is a workstation board that supports up to V3 & v4 2011xeons and could get a 8+ core + ht if that software runs better in a highly multithreaded environment. FWIW I have 16GB of ddr3 for the board that needs that and 32GB of ddr4 for the boards that support that.

2nd question -
Could I assume that I would be ok to keep those 2 routers AX routers, install Merlin on them since it appears this setup would have other items kind of telling the 2 AX routers what to do. Please educate me if I am wrong in this area.

Again, thank you for the support as I going to a place I have not ever gone before and want to be able to play w/ IOT devices in a safe manner.
Bob

PS - just reread your post.... migraines make thinking hard...😬



Sent from my moto g power using Tapatalk
 
Last edited:

Fallen Kell

Diamond Member
Oct 9, 1999
5,760
285
126
I'm not as familiar with the Merlin firmware, but I believe it is capable of basic VLAN support. The biggest question is if you can tag multiple VLANs to a single port, which is what you need to be able to do in order to work with other network switches/equipment to extend the VLAN networks across the multiple devices.

The other question for the Merlin firmware is if it can create and tag VAPs with the same tag numbers so that you extend the networks to the wireless networks as well. I know you can do this on DD-WRT/OpenWRT/OpenTomato, but I don't know of any AX routers that are truely supported in those firmwares at this time (a couple specific chipsets are being tested at this very moment, but not fully supported, which is what I am still using 802.11ac as my fastest WiFi).

And the Merlin firmware would also need to be able to create virtual interfaces for its own connection to the additional VLANs/VAPs (i.e. so that the AP has an ip address on the different vlan subnets). Again, not sure if this is possible with Merlin. It is possible with DD-WRT, but only through command-line startup script (well at least on the hardware that I have).
 
  • Like
Reactions: bob4432

bob4432

Lifer
Sep 6, 2003
11,671
20
81
My thought process is to use the 2 AX routers as just plain AX routers w/ the Merlin firmware for stability, take a minute and understand how to set this all up, design it and do a proper approach to using PFSense as I am only maybe 24hrs into knowing I need these additional parts.

Then build the PFSense box out of parts I have here or acquire that X99 2011v3/v4 board & a xeon if it needs serious multitasking ability if the PFSense utility can do what it needs to with 2 "plain Jane" routers.

Or do the routers' Firmware need to be able to run VLANS & PFSense too?

Sent from my moto g power using Tapatalk
 
Last edited:

Fallen Kell

Diamond Member
Oct 9, 1999
5,760
285
126
The wifi routers would need to support VLANs and VAPs in order to have proper segmentation if you have IoT devices that need to communicate over WiFi or are plugged into the switch portion of the WiFi routers.

I posted about a year ago on the DD-WRT forums on my WiFi router with the configuration that I had to do (the R9000 is another name for the Netgear Nighthawk X10):

The config info is really in the 10/5/2020 1:25am post a couple down in the thread. Please note that the above is hardware specific. It does go over the various steps needed though (i.e. creating the bridge devices to bridge the wired and wireless VLAN/VAPs of the same types, setting the VLAN tags on the various devices). It does not go over setting the IP addresses, as I basically gloss over that since it is straightforward use of the DD-WRT firmware to create the VAPs and set the IPs.

I have since changed my config a bit from when I posted that, as I now use the WiFi router for my DHCP. I was originally going to use my pFsense system, but that would have required it to have connection on every VLAN, and I didn't want to do that, as I wanted to limit what it could access in case it was ever somehow breached. This is why it is limited to the WAN and LAN VLANs in my configuration. On the ICX 6610 I have firewall and ACL rules in place to prevent connections from there ever accessing the ICX 6610 switch's control IPs or creating a connection to any of the other VLANs (preventing someone who manages to use a vulnerability to gain full access/control of the pFsense system from digging deeper into my network, as they would then need to find a way to bypass the firewall on my switch, however, they can still poison my DNS if they access the pFsense box... but still better then them having a way to directly tunnel in).
 
Last edited:

bob4432

Lifer
Sep 6, 2003
11,671
20
81
The wifi routers would need to support VLANs and VAPs in order to have proper segmentation if you have IoT devices that need to communicate over WiFi or are plugged into the switch portion of the WiFi routers.

I posted about a year ago on the DD-WRT forums on my WiFi router with the configuration that I had to do (the R9000 is another name for the Netgear Nighthawk X10):

The config info is really in the 10/5/2020 1:25am post a couple down in the thread.
Thanks, I reread about the VLANS necessary support....I figured that by now the firmware would have been further along.

Oy very.

What about this proposition - run 2 completely isolated LANS - 1 w/ the 2x AX routers w/ no IOT devices on it & 1 setup w/ the old B/G/N routers I have a/ IOT ONLY on it? It may not be the perfect setup, but I feel I am going to get a good performance jump w/ the AX routers on the new machines and I am not even coming close to taxing what would be the B/G/N side, and it would be more safely setup keeping the IOT stuff off my main lan... -> is my migraine making me nuts or is this applicable? I think I have enough hardware to accomplish 2 LANS and it is not like I can sell the old B/G/N stuff for any $$...thoughts?

FWIW, we do have a minute to think through this as I just have a couple IOT devices on - 1 camera on my back patio and a couple switches.

Sent from my moto g power using Tapatalk
 
Last edited:

Fallen Kell

Diamond Member
Oct 9, 1999
5,760
285
126
That in theory would work. You could connect one port of your pFsense system to the AX router, another to the B/G/N router, and a third port to your ISP. You then designate the port that connects to the AX router as one VLAN and the port that connects to the B/G/N router as another VLAN and setup appropriate routing rules in pFsense to limit access between the two. Please note that it will not give you full separation and use of Guest networks on those WiFi routers as the pFsense as you would need to bridge the Guest networks onto a second VLAN tag and have multiple tags setup in pFsense on the port that goes to the WiFi router that has the Guest network (and be able to tag the interface in the WiFi router that connects to your pFsense system with VLANs for the main network and Guest network, in other words full VLAN control in the Merlin firmware).

But you can use it without Guest WiFi networks and just define in pFsense that the port (and thus all data to-from) of the different WiFi routers are a specific VLAN, and then you don't need VLAN support within the WiFi routers as the data will get tagged only when it goes to the pFsense system.
 

bob4432

Lifer
Sep 6, 2003
11,671
20
81
That in theory would work. You could connect one port of your pFsense system to the AX router, another to the B/G/N router, and a third port to your ISP. You then designate the port that connects to the AX router as one VLAN and the port that connects to the B/G/N router as another VLAN and setup appropriate routing rules in pFsense to limit access between the two. Please note that it will not give you full separation and use of Guest networks on those WiFi routers as the pFsense as you would need to bridge the Guest networks onto a second VLAN tag and have multiple tags setup in pFsense on the port that goes to the WiFi router that has the Guest network (and be able to tag the interface in the WiFi router that connects to your pFsense system with VLANs for the main network and Guest network, in other words full VLAN control in the Merlin firmware).

But you can use it without Guest WiFi networks and just define in pFsense that the port (and thus all data to-from) of the different WiFi routers are a specific VLAN, and then you don't need VLAN support within the WiFi routers as the data will get tagged only when it goes to the pFsense system.
I know it is not perfect but I think I will work on setting this up and work until AX stuff is more established and firmwares are more mature. For the PFSense device, what hardware would you recommend? I forgot I had found a i3-10300 CPU / b560 mb / 16GB ram a while back for very low price, I was going to use it for something else but this could easily take precedence - LMK your thoughts - that I could use for the PFSense device and add 3 or 4 Intel (which ones?, if even Intel?) GbE 1x PCI-E network cards - assuming it is easier to use 3 or 4 individual cards vs 1 card w/ 3 or 4 ports?

Thanks so much for all of your help. Will work on the AX routers tomorrow and stop paying Google data rates across the multiple phones that keep getting dropped from the wifi.

Sent from my moto g power using Tapatalk
 

mxnerd

Diamond Member
Jul 6, 2007
6,390
973
126
Used and cheap (under $30) HP NC365T quad port gigabit PCIE ethernet card with INTEL chip on eBay makes great pfSense NIC. It uses a lot less power than 4 individual NICs. It looks like 4 individual INTEL gigabit NICs to any OS. pfSense doesn't really need a lot of computing power. You can even run it in a x86 VM. Anything less than that i3-10300 will work.
 
Last edited:

bob4432

Lifer
Sep 6, 2003
11,671
20
81
Used and cheap (under $30) HP NC365T quad port gigabit PCIE ethernet card with INTEL chip on eBay makes great pfSense NIC. It uses a lot less power than 4 individual NICs. It looks like 4 individual INTEL gigabit NICs to any OS. pfSense doesn't really need a lot of computing power. You can even run it in a x86 VM. Anything less than that i3-10300 will work.
So even a i5-2500k w/ 8 or 16GB of ram?

Sent from my moto g power using Tapatalk
 

mxnerd

Diamond Member
Jul 6, 2007
6,390
973
126

If you are going to run a standalone pfsense machine that's running 24/7, I would recommend QOTOM or Protectli, both available at Amazon, that will use a lot less power than a regular PC.

You want any CPU with AES-NI feature.





==

If you already have a PC running 24/7, you can absolutely run pfSense in a VM (VMware, VirtualBox or Hyper-V) on it. Just add a quad port gigabit ethernet card.
 
Last edited:

bob4432

Lifer
Sep 6, 2003
11,671
20
81

If you are going to run a standalone pfsense machine that's running 24/7, I would recommend QOTOM or Protectli, both available at Amazon, that will use a lot less power than a regular PC.

You want any CPU with AES-NI feature.




Thanks for the suggestion. Will look @ power #s. Any way I would benefit from more LAN ports? Just wanting to buy once - whichever way I go.

Sent from my moto g power using Tapatalk
 

ASK THE COMMUNITY