Building my lan: do I need a managed switch for my VLANs? (2024)

I'm setting up my new network at home and I'm new to pfSense.
Now I have an Edgerouter-X with an unmanaged switch to serve my lans.
I have three VLANs, the main one (untagged), a guest one (vlan2) and a iot one (vlan3).
All these three VLANs are trunked on a port of the ER-X to an Unifi AP with multiple SSIDs. Other switched ports of the ER-x serve the main lan only through unmanged switchs.

I'm setting up a pfSense box using a Firebox XTM5 with an upgraded CPU (Q9550) and 4GB of RAM. This unit has 6 1Gbit lan ports so I'll use two of them for WAN primary and backup connections.
My idea is to have one port with all VLANs (untagged, vlan2 and vlan3) that should go to the AP, then have cabled ports for every VLANs:

• eth0: WAN1
• eth1: WAN2
• eth3: trunk VLANs (untagged, vlan1 and vlan2)
• eth4: untagged port (main lan)
• eth5: vlan2 tagged (guest lan)
• eth6: vlan3 tagged (iot lan)

Can this layout work?

Any suggestions?

@valepe69

You can get by without a managed switch only if all the devices for the VLANs can be configured for VLANs. Given your guest and IoT LANs, I'd say not. If you were, for example, setting up a guest WiFi and the AP was the only device that needed VLANs, then an unmanaged switch would be OK. Other devices would just ignore the VLANs.

Managed switches are cheap, so why not get one? I have one here that I use strictly as a data tap, in addition to my main switch.

dhcp and dns are nothing but tiny little packets.. That is not going to be any sort of hit on performance.

Where you could see issues would be if your routing between these vlans.. And users moving large amounts of data.. At gig speeds?

My idea is to have one port with all VLANs (untagged, vlan2 and vlan3) that should go to the AP, then have cabled ports for every VLANs:

that makes no sense... If you have the ports, then just use individual uplinks for each vlan.. This removes any hairpin for intervlan traffic.

You don't need both a trunk, and then specific interfaces in each vlan.. Pfsense really won't even let you do that - unless those are switch ports and not interfaces? And it would create a loop anyway.

edit: DOH!!! Read the post John ;)

Your trunk is to your AP... That is fine - duh!!! ;)

edit2: Man I need more coffee.. No you can not do that.. You would connect your AP to your switch.. And trunk that connection. Not an interface on pfsense. Pfsense is not going to let you put multiple interfaces on the same vlan.. Unless these are switch ports on your pfsense box?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 23.09.1

@valepe69

I'm assuming your LAN is 1 Gb, as that's been common for years. Will that be a bottle neck? As for the amount of traffic, there will be no difference with a managed switch or not. You're sending out exactly the same traffic, VLAN tags and all.

Perhaps you should read up a bit on VLANs so you have a better idea of what you're doing. A VLAN makes a network appear as physically separate networks. Sometimes, a VLAN is used to separate traffic on the same cable, such as the guest WiFi I mentioned. They're also often used with VoIP phones, where the phone and computer data are carried over the same cable. They are also used to separate networks at a different location. In this instance you could have a remote switch that splits off the different networks. So, you have to look at what you're trying to do and go from there.

@valepe69 said in Building my lan: do I need a managed switch for my VLANs?:

if two devices on my untagged lan should transfer large files, is this traffic checked by pfsense only at the beginning (firewall, etc)

Pfsense has zero to do with the conversation - no firewall rules will be checked...

As to switch - how many ports, what budget?

If pfsense box doesn't have switch ports - then no you can not connect your AP to 1 port, and then put other ports in the same vlan you send to your AP.

Connect your AP to your switch... Then you can either use a single line, or lacp for connection from you switch to your pfsense to carry the vlans. Or you could use specific interfaces as uplink for each vlan.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 23.09.1

@valepe69

When files or other data are transferred between VLANs, then they must go through pfsense, unless you have some other router or layer 3 switch to do that..

Any suggestions about a good managed switch for home use?

Avoid TP-Link. My main switch is a Cisco, but there are plenty of other decent brands.

There are many a smart switch that will work.. All comes down to what features you want/need, how many ports, and what your budget is..

But yeah with JKnott - I would avoid tplink, they don't really seem to understand how vlans are suppose to work ;) Many a thread on here even about that.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 23.09.1

@johnpoz

And I have stopped using my TP-Link AP that had that "feature".

Yeah, and your happy so far I take it - did you get your controller running how you want it?

One thing I would suggest with your switch.. If you think 5 ports is enough, get an 8 port model or higher. If you think 8 is enough, get 16 min, etc. Can never have too many switch ports ;) Always plan for growth and wanting to connect something extra now and then even, etc.

Also don't be afraid of too many features ;) Even if you plan on never doing L3 or advanced ACLs like multicast, etc. You never know what you might want to do 6 months or a year from now. So as long as your ok with the budget, get something that will allow you to grow both in ports and things you might do from a features standpoint.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 23.09.1

@johnpoz

Not yet. I have to take a few minutes to create a certificate for it. My one complaint is you can't specify which 802.11 versions are allowed, though you can block 802.11b. With my TP-Link, I only allowed n. I did set 5 GHz to 80 MHz channels and now see well over 300 Mb down. My TV, on 5 GHz, now gets around 60 Mb, but used to get around 11 on 2.4.

@johnpoz said in Building my lan: do I need a managed switch for my VLANs?:

If you think 5 ports is enough, get an 8 port model or higher. If you think 8 is enough, get 16 min

Absolutely! Take this advice.

A good switch will last a long time. Get one with decent thermal properties (heat kills switches) and it will, for all intents and purposes, last forever.

@johnpoz said in Building my lan: do I need a managed switch for my VLANs?:

Can never have too many switch ports ;)

Something like this might be adequate for a home user.

haha - that might be a bit of overkill.. For starters they LOUD as F!! And suck juice like you have a nuc reactor in your back yard ;)

And lets just say its a bit expensive for your typical home budget ;) hehehehe

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 23.09.1

Not sure what you mean by help you speed up your lan traffic? If the switch is rated gig - it should pass traffic at wire speed, be it 40$ smart switch or a $200 model ;)

Unless your talking about routing the vlans at the switch, and not your pfsense? In that case you would want a L3 capable switch.

For 200, I would think you should be able to find something great.. Its a touch over your 200 budget.. And not sure how that might change for the EU market.. But for example this cisco sg350-28 would be a killer switch for home use... I have the sg300 (previous model)

https://www.amazon.com/Cisco-Sg350-28-28-Port-Gigabit-Managed/dp/B01HYA38CA

And they are easy on the juice as well!

My sg300-28 has a couple more years of support on it.. But lets say I spilled some beer on it or something, and it took a dump.. I would go with the sg350 line..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 23.09.1

@valepe69

I'm using D-Link DGS1210-24
Uses around 20W (Max)
Nice switch and the 1210 series can do MAC filtering and 802.1x

https://www.amazon.de/D-Link-DGS-1210-24-Glasfaser-l%C3%BCfterlos-energiesparend/dp/B0036DRHHC/

I don't know if the 1210-28 is "the future" , seems like 1210-24 is not available on ie. Amazon.com
https://www.amazon.de/D-Link-DGS-1210-28-1000Mbit-SFP-Slots-l%C3%BCfterlos/dp/B008R7114W/

Both should be around 50% if your budget.

Watch out for the models ending with P - Those are PoE and have FAN's

Edit:
Seems like the 28port uses less power 17w compared to the 24port (Amazon info , not from the DS).
The extra 7€ would earn them self in power savings.

Wonder why D-Link is so expensive on Amazon.com (close to 50% more)
Thought everything was cheaper "Over there"
That's why Cisco 2xx/3xx are so popular there

/Bingo

While used enterprise gear can be had for cheap on ebay.. And hey if your going for come cert or something and want to play with that - that is for sure an option.

But to be honest - enterprise gear is normally not very friendly on the electric use, and sure they can be freaking LOUD.. For a lab you turn on when playing might be fine. But some good deal you got on some enterprise gear might be reasonable upfront... What is the difference in electric use 3 years down the road while its sucking 150W idle 24/7 vs that small business line only using 20W full juice..

You might eat up any cost savings in the 1st year, depending on what you pay in electric..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 23.09.1

@johnpoz

I spend 2 days behind a dual set of C9300's (Nexus), routing fiber conns.
https://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/datasheet-c78-742283.html

I LOVED my Boose QC25's

But compared to a C7500 the 9300 is "quiet"

@bingo600 said in Building my lan: do I need a managed switch for my VLANs?:

C9300's

Don't those things have like 1100W power supplie(s).. Prob sound like little jet engines, can work as a space heater while you at it ;)

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 23.09.1

@johnpoz said in Building my lan: do I need a managed switch for my VLANs?:

@bingo600 said in Building my lan: do I need a managed switch for my VLANs?:

C9300's

Don't those things have like 1100W power supplie(s).. Prob sound like little jet engines, can work as a space heater while you at it ;)

The 45xx has 1100W , the 65xx up to 3000W

The 6509 ie. has a FAN "Blade" just consisting of fans for cooling the horizontal blades. And then the PSU's has FAN's ....

But i still think my 4 days besides an old 7500 was the worst ... Didn't have any ear protection back in those days.

The 6509-V-E is a strange beast , cards are vertical.

@johnpoz
This is a fast little bugger:
Cisco Nexus 93180YC-EX switch architecture

The Cisco Nexus 93180YC-EX Switch (Figure 2) is a 1-Rack-Unit (1RU) switch with latency of less than 1 microsecond that supports 3.6 terabits per second (Tbps) of bandwidth and more than 2.6 billion packets per second (bpps).

The 48 downlink ports on the 93180YC-EX can be configured to work as 1-, 10-, or 25-Gbps ports, offering deployment flexibility and investment protection. The uplink can support up to six 40- and 100-Gbps ports, or a combination of 10-, 25-, 40-, 50-, and 100-Gbps connectivity, offering flexible migration options. All ports are connected to the Cloud Scale LSE ASIC.

@valepe69
Sorry for hijacking

/Bingo

Just in case anyone is interested.

Cisco SG-350 series data sheet:
https://www.cisco.com/c/en/us/products/collateral/switches/small-business-smart-switches/data-sheet-c78-737359.pdf

I searched for the specs of the suggested switches and I split them in two families:

• L3 switches like Cisco SG 350-xx
• L2+ switches like D-Link DGS 1210-xx

With L3 switches I could offload to the switch the inter-VLAN traffic, inter-VLAN communication access but with a more complicated handling of the lan (I have to manage two devices for rules, etc).
With L2+ switches all rounting and firewalling is handled by pfSense so a easier handling but with the risk to saturate the physical link from the switch to the router (but I can aggregate two ports to partially solve it).

Am I right? And what do you suggest between them?

Thank you again

@valepe69 You always have to coordinate the configuration between pfsense, Switch and AP's. The VLAN assignments on the switch, AP and your interface and VLAN configuration in pfsense must agree. No avoiding multi-point configuration. Doing some inter-VLAN routing on the switch shouldn't complicate things too much.

I am impressed by your thoughtful approach to this! I look forward to hearing what the best practice recommendation is from those more experienced than I. Even though my Cisco SG-220 is L2 only I'll note the recommendations for the future.

@valepe69

IMHO L2 switches are adequate for most "Normal usage".
The L3 switches will offload the "router" , but usually their ACL set is limited and if it is not statefull , you are in for a mess.

I'd go for L2 , and if more routing capacity is needed , spend the $$ on a larger router (pfSense).

If you have heavy server intercommunication or backup or ... Just put them in the same Vlan .. No router needed.

/Bingo

Keep in mind that just because your switch supports L3, doesn't mean you have to use it.. Or you can use both L3 and L2 at the same time.

The only thing L3 capable switch gets you is options.. While an L3 switch can route, and L2 can not.. What will you be doing 6 months from now, or a year.. If you get L2 I can tell you for sure you won't be doing any sort of routing on your switch - unless you buy a new one ;)

My sg300 is in L3 mode, and capable of routing. I'm just currently doing L2 on it only.. But its there is I want to test something, or wanted to do that.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 23.09.1

What JP said id correct , you would have the possibility to route if you get a L3 switch. And don't need to enable that at the beginning.

I'm purely L2 , and everything has to pass my pfSense.
I have not missed L3 yet ....

The reason you would get an L2 over an L3 is cost savings, and no plans of ever routing on it. I have no idea what I might want to do different on my home network, or what to test out..

If a more feature rich switch is in your budget - I would say get it.. Like I said you can never have too many features or options..

Like buying a car, not getting fully loaded. And then winter comes and gawd daggit, wish my seats were heated ;) Damn it what do you mean have to roll down these windows by hand.. What no SiriusXM? The radio only gets AM? WTF!!! ;)

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 23.09.1

@johnpoz said in Building my lan: do I need a managed switch for my VLANs?:

The reason you would get an L2 over an L3 is cost savings, and no plans of ever routing on it.

Totally agree - It was cost & 24/7 power usage , that made me chose the 1210's , i also have a few HP-1820. But like the D-Link's better , featurewise.

My home net is so small , that i don't have to think (worry) about segmenting due to # of clients.

I purely segment for security reasons , hence i would not want to do any L3 on the switch.

But you'll never know ...
When you might just wished you had ...

For example - the unifi switches, all L2.. But the cost is inline with a sg350.. Why would I get that L2 vs a switch that can do L3 and more..

The USW-24 is $225 has 26 ports total, and 2 of those you have to use sfp module (extra cost)
The sg350-28 is $229 has 28 ports total, and can use up to 4 sfps (combo ports)

Why would you not get the L3 capable switch. And 2 more ports for $4 ;)

But hey if you can find say a 24 port L2 that does all that you want currently. And is half the cost of 24 port that can do L3.. Then you might want to do that - but to be honest you find prob not all that much difference in cost.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 23.09.1

The 28 (24 plus 4 Dual) port DGS-1210-28 is $138 incl. shipping on Amazon.de

https://www.amazon.de/D-Link-DGS-1210-28-1000Mbit-SFP-Slots-l%C3%BCfterlos/dp/B008R7114W/

/Bingo

@bingo600 said in Building my lan: do I need a managed switch for my VLANs?:

DGS-1210-28

That good price... I show it as 193 here

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 23.09.1

Just bought a DLink DGS-1210-28.
Where can I find some tutorials how to setup it?

Thanks

@valepe69 said in Building my lan: do I need a managed switch for my VLANs?:

Just bought a DLink DGS-1210-28.
Where can I find some tutorials how to setup it?

Thanks

Google is your friend here.

The D-Links come with a default ip :
10.90.90.90 , and i think admin/admin for login.

@valepe69 said in Building my lan: do I need a managed switch for my VLANs?:

@bingo600 ok thanks.
Any tips about what to do and not to do setting up the switch? My LAN is composed by few VLANs.
Router will assign DHCP to the devices in these VLANs and it will allow or deny inter-vlan traffico.
Thanks again

It might be smart to define the L2 vlans early.
The you can set the switch management ip to belong to a Vlan

During the initial management ip setup - Do NOT save the config , until it works.
That way you can always reboot , and get back to factory defaults.

I seem to remember you can factorydefault the switch , by pressing a thin thing into the little reset hole , and wait for all switchport leds to lihht up yellow.