Posted: 1/9/2017 1:05:47 PM EDT
As my home network grows and I tinker around, I'm learning some new concepts, but some of them confuse me.

Here is my current network map:



I want to setup VLANs for:
-Segregating bandwidth usage
-Security
-Ease of firewall usage in pfsense through specifying VLAN range instead of individual IPs

My router/modem is a netgear combo and is currently the DHCP server for the network. Wired to port 1 on that combo box is the pfsense firewall, and then that's going into the input port on a Netgear JGS516PE managed switch which has another Netgear 16-port switch trunked to it using LAG on a specific port.

So help me understand VLANs. I've been doing lots of article reading but still can't quite grasp the concept.

With my current understanding;

My router/modem combo is still serving up IPs and the subnet mask via DHCP to everything on the network behind it - should I log in to the management software on my Netgear JGS516PE and create a VLAN for whichever devices are connected to it? Or do I do that in the netgear router/modem combo? Or do I do this within the pfsense firewall?

Do I specify IPs to put inside the 'VLAN'? Does creating a VLAN assign new IPs or something? Should I be changing my standard 192.168.0.X IP designation for each VLAN to something new? This is where I'm confused.

ETA: Do I just follow this guide and use my managed switch to create the VLANs? https://kb.netgear.com/29997/How-to-Create-Layer-2-VLANs-on-NETGEAR-ProSAFE-Switches?cid=wmt_netgear_organic

If I setup VLANs on the netgear managed 16-port, can I also specify which ports on the trunked second 16-port are part of the VLANs?

Network Security:

Pick apart my security setup here and let me know if I'm missing anything:

The modem/router combo above has a non-standard admin password, WPS/UPnP disabled, all guest wifi disabled, WPA-PSK security with a strong key, the 2.4 GHz network disabled completely, the 5 GHz network enabled but not broadcasting, and some port forwarding but on non-standard random ports.

The IP cam software is using sTunnel for incoming external connections, and is also using IP rules on the 'server' to block all connections besides IP ranges I specify.

NAS on a non-standard port, using pfsense to block NAS from the internet, also WAN connections are blocked (LAN on same subnet only)

The pfsense box is using various firewall rules/bogon rules to block traffic to anything past the firewall (internal LAN for home devices/media devices above)
Link Posted: 1/10/2017 3:55:11 PM EDT
[#1]
Man, I've been struggling with this too. Just purchased a 2nd manageable switch and I'm trying to set up a VLAN for my security cameras at home. My mind isn't able to grasp the concept of virtual! I believe I have created the VLAN between my 2 switches. I'm just unaware how I get my cameras onto that network. Thinking my network adapter might be part of the problem. Also very unsure of LAG when configuring the VLAN in the switches.
Link Posted: 1/10/2017 4:11:33 PM EDT
[#2]
Quoted:
Man, I've been struggling with this too. Just purchased a 2nd manageable switch and I'm trying to set up a VLAN for my security cameras at home. My mind isn't able to grasp the concept of virtual! I believe I have created the VLAN between my 2 switches. I'm just unaware how I get my cameras onto that network. Thinking my network adapter might be part of the problem. Also very unsure of LAG when configuring the VLAN in the switches.

IIRC LAG on a Netgear switch tells the switch that the specified port set to 'LAG' is a physical trunk between switches as to allow it to act more efficiently as said 'trunk'.

Also, from what I'm reading further, when you set up the VLAN you specify which ports you want as part of that VLAN (or a range of IPs?) and leave them as untagged ports? i.e. an 'untagged' member is a host port and 'tagged' is your LAG port or inter-switch link.
Link Posted: 1/10/2017 10:56:25 PM EDT
[#3]
Quoted:
Man, I've been struggling with this too. Just purchased a 2nd manageable switch and I'm trying to set up a VLAN for my security cameras at home. My mind isn't able to grasp the concept of virtual! I believe I have created the VLAN between my 2 switches. I'm just unaware how I get my cameras onto that network. Thinking my network adapter might be part of the problem. Also very unsure of LAG when configuring the VLAN in the switches.

You need to configure the switchports the cameras plug into for the specified VLAN.  How to do that varies depending on the make/model of the switch.

You will also need a router or layer 3 switch to route traffic between the two VLANs.
Link Posted: 1/11/2017 12:13:36 AM EDT
[#4]
OP, I can't see the diagram.

VLANs are just logical separations of networks and should be their own subnet.  By default, all managed switches will have VLAN 1.  Typically it is best practice not to use that VLAN and to create additional ones as needed.

As an example, my netgear wireless router is not capable of using multiple VLANs and is using the network 192.168.1.0/24.  I have a Cisco SG300 that is a layer 3 capable managed switch.  I have created the following VLANs.

VLAN10
10.2.1.0/24
VLAN20
10.2.2.0/24
VLAN30
10.2.3.0/24
VLAN40
10.2.4.0/24
VLAN192
192.168.1.0/24

On my netgear wireless router I have a static route for 10.0.0.0/8 so all traffic destined for those networks is sent to the SG300.  The SG300 handles the routing between all of the 10.x.x.x networks as well as back to the 192 network.

So if I want a single device such as an IP camera to be on VLAN10, I have to configure Port 1 as an access port and for VLAN10. For my ESXi host where I want it to access multiple VLANs like I would in a production network, then I configure it as a trunk port so traffic for all VLANs could be forwarded out that port.

A VLAN is just a logical grouping of devices on the same network.  Typically they are used to reduce the size of broadcast domains and group similar user groups or functionality to a single subnet.

I'm not sure if the complication is really worth it for a standard home user or network.
Link Posted: 1/11/2017 3:19:48 AM EDT
[#5]
You can think of VLANs basically as having multiple physical networks only virtualized so it works with the same switches.

So if you have two dumb networks say 192.168.1.0/24 and a second 192.168.200.0/24 each on their own 5 port dumb switch.

In this case you'd have a router say 192.168.1.1 hooked in to the first switch. All physical computers you plug in to that switch would live in the 192.168.1.0/24 subnet and talk to the router for their gateway to get out of the subnet.
To add the second network 192.168.200.0 you would then have to add another NIC to the router and give it another IP like 192.168.200.1. No VLANs, two networks, the router is now the device that all traffic between the networks must pass through. Firewall rules and routing can live here.

Now because this requires dedicated switches, dedicated NICs for each subnet, etc this is very expensive and a pain. Instead with VLANs you can use a managed switch with say 24 or 48 ports and TAG traffic on ports as to which network you want them to be on. Instead of two 5 port dumb switches we can simply assign ports 1-5 to VLAN 2 and ports 6-10 to be VLAN 3. In this case we're expecting the devices plugged in to these ports not to have any VLAN tags and when traffic flows in the switch will automatically tag the traffic when configured to do so. And instead of running a physical cord for each network to our router, we can run one cable and simply pass the already tagged traffic from the switch to the router with the tags still intact. In Pfsense you will create virtual NICs that accept tagged traffic in Interfaces>VLANs. Unless you screw with naming conventions your em0 will be your untagged traffic and tagged traffic will be on the em0_vlanX NICs.

So the first thing you might want to do is create a Guest or Insecure IoT VLAN. You can go to the firewall settings and go to the interface for that network and create network ACLs allowing traffic out to the internet. Or you can create allow rules to allow specific traffic to flow one way or the other between the VLANs. Maybe you have a device in your trusted network you want to be able to hit a webserver in the Guest VLAN; you would then add an outbound allow rule from Trusted for any host to the specific IP on port 80 TCP in the Untrusted VLAN. Traffic can only be initiated one way and only that specific port can be hit.

You might also want an offline only CCTV VLAN. You definitely don't want devices on the CCTV VLAN talking to the internet or your trusted devices, so don't create those allow ACLs. Simply allow the minimal inbound traffic you need to make the networks work....
Link Posted: 1/19/2017 8:24:41 PM EDT
[#6]
Go with used Cisco from ebay, or another enterprise class brand if you want to use enterprise class features.
Link Posted: 1/20/2017 11:56:08 AM EDT
[#7]
OP, here is an easy-to-digest tutorial document covering VLANs, aka IEEE 802.1q.

IETF 802.1q
Link Posted: 1/23/2017 7:55:26 PM EDT
[#8]
Ok so with my two 16-port switches...

On both switches I have ALL ports as untagged (U) on VLAN group 1 (port 16 incoming wan from router so is set to untagged here)
Then I have another set of devices on ports 1-8 on VLAN group 10 as untagged and then port 16 (incoming WAN) as tagged (T)
Then one group of just one device as untagged on port 14 with 16 as Tagged

On the second switch I have;

All ports tagged as untagged for vlan group 1 but port 16 marked as tagged for the incoming line from switch 1
Port 12 untagged as vlan group 40 with 16 set to Tagged (incoming WAN from switch 1)


Is this doing anything? All devices are still working and communicating and I can ping across 'vlans' that I setup. How do I verify that the setup is segregating the items?
Link Posted: 1/23/2017 10:19:26 PM EDT
[#9]
Just setting the tagging up doesn't do it, there has to be routes for the VLANs in the router.  Additionally nothing will be isolated unless you put ACLs/Firewalls between the VLANs, something that you would do at the router level.  (Unless you're baller and go out and get Layer 3 switches).
Link Posted: 1/23/2017 10:20:31 PM EDT
[#10]
What is "incoming WAN"? Is this the port to your router (aka pfsense box) or is this a cable to your ISP (i.e. cable/DSL modem, etc.)?

For separate networks you'll want to take those ports as ONLY untagged VLAN x. i.e. on ports 1-8 you'll want untagged traffic to be put into VLAN 10. Not 1. Not both.

The only "Tagged" ports you should have is traffic to your PFSense Router and the other switches. All the rest of the "access" ports should be expecting and passing only untagged traffic. If you are going to use Hyper-V Tagging for VMs or create virtual NICs on a machine that will speak anything but Untagged traffic then you can allow Tagged traffic on those ports, but in most scenarios you don't want this.
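The tagging model that posts #5, #8 and #10 are describing, as an added example (this is not code from the thread, from Netgear or from pfSense): it builds and parses 802.1Q-tagged Ethernet frames and models a 16-port switch whose ports have a PVID plus untagged (U) and tagged (T) memberships. An untagged frame arriving on a port is placed in that port's PVID; a frame leaves untagged on a host port and tagged on the uplink/LAG port. `build_switch(False)` mirrors the post #8 layout (every port untagged in VLAN 1 with PVID 1, ports 1-8 also untagged in VLAN 10), `build_switch(True)` the access-port layout post #10 recommends. Port numbers, VLAN IDs, MAC addresses and the payload are constructed for the demo.

```python
"""Toy model of 802.1Q VLAN tagging on a managed switch (added example)."""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag follows
ETH_IPV4 = 0x0800


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Return an Ethernet frame; insert the 4-byte 802.1Q tag when vid is given."""
    frame = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)      # TCI = PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ETH_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, ethertype, frame[18:]


class Switch:
    """Per-port membership as the switch UI presents it: PVID plus untagged (U) and tagged (T) VLAN sets."""

    def __init__(self):
        self.ports = {}

    def set_port(self, port, pvid, untagged=(), tagged=()):
        self.ports[port] = {"pvid": pvid, "untagged": set(untagged), "tagged": set(tagged)}

    def classify(self, port, frame):
        """Ingress: decide which VLAN a frame belongs to, or None to drop it."""
        cfg = self.ports[port]
        vid = parse_frame(frame)[2]
        if vid is None:
            return cfg["pvid"]                           # untagged frame -> the port's PVID
        return vid if vid in cfg["tagged"] else None    # tagged frame needs a T membership

    def forward(self, in_port, frame):
        """Flood within the VLAN (broadcast/unknown destination); return {port: frame as sent}."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return {}
        dst, src, _, _, payload = parse_frame(frame)
        sent = {}
        for port, cfg in self.ports.items():
            if port == in_port:
                continue
            if vid in cfg["untagged"]:
                sent[port] = build_frame(dst, src, payload)           # tag stripped for a host port
            elif vid in cfg["tagged"]:
                sent[port] = build_frame(dst, src, payload, vid=vid)  # tag kept on the uplink/LAG
        return sent


def build_switch(segregated):
    """16-port switch. False mirrors the 'everything untagged in VLAN 1' layout; True is the access-port layout."""
    sw = Switch()
    for p in range(1, 17):
        if segregated:
            if p <= 8:
                sw.set_port(p, pvid=10, untagged={10})                 # cameras: VLAN 10 only
            elif p == 14:
                sw.set_port(p, pvid=40, untagged={40})                 # one device: VLAN 40 only
            elif p == 16:
                sw.set_port(p, pvid=1, untagged={1}, tagged={10, 40})  # uplink to pfSense: tagged
            else:
                sw.set_port(p, pvid=1, untagged={1})
        else:
            untagged = {1}                                             # every port U in VLAN 1, PVID 1
            if p <= 8:
                untagged.add(10)                                       # also U in VLAN 10
            if p == 14:
                untagged.add(40)
            sw.set_port(p, pvid=1, untagged=untagged, tagged={10, 40} if p == 16 else ())
    return sw


CAMERA_MAC = bytes.fromhex("020000000001")   # constructed, locally administered address
BROADCAST = b"\xff" * 6


def ports_reached(segregated):
    """Map each port that sees a broadcast from the camera on port 1 to the tag it carries (None = untagged)."""
    sw = build_switch(segregated)
    sent = sw.forward(1, build_frame(BROADCAST, CAMERA_MAC, b"ARP who-has 10.2.1.1"))
    return {port: parse_frame(f)[2] for port, f in sent.items()}


if __name__ == "__main__":
    print("leaky   :", sorted(ports_reached(False)))
    print("isolated:", ports_reached(True))
```

In the leaky layout the camera's broadcast arrives untagged, is classified into VLAN 1 because that is the port's PVID, and is flooded untagged to all fifteen other ports, including port 14; the extra untagged membership in VLAN 10 never comes into play, which is why pinging "across VLANs" still works. In the access-port layout the same frame lands in VLAN 10, reaches only ports 2-8 untagged and leaves port 16 carrying tag 10 for the router to sort out.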
Link Posted: 1/23/2017 10:46:12 PM EDT
[#11]
Quoted:
Just setting the tagging up doesn't do it, there has to be routes for the VLANs in the router.  Additionally nothing will be isolated unless you put ACLs/Firewalls between the VLANs, something that you would do at the router level.  (Unless you're baller and go out and get Layer 3 switches).


My setup is this: modem -> pfsense (em0 WAN in / em1 LAN out) -> netgear switch -> netgear switch

So there is a pfsense firewall between the switches and the modem that I can set rules on - is this where I need to jump into pfsense and block traffic to specific VLANs? If the VLANs are being created at the switch level - and let's say there are two layer 2 VLANs on one switch - how will pfsense keep them from talking to each other?

Quoted:
What is "incoming WAN"? Is this the port to your router (aka pfsense box) or is this a cable to your ISP (i.e. cable/DSL modem, etc.)?

For separate networks you'll want to take those ports as ONLY untagged VLAN x. i.e. on ports 1-8 you'll want untagged traffic to be put into VLAN 10. Not 1. Not both.

The only "Tagged" ports you should have is traffic to your PFSense Router and the other switches. All the rest of the "access" ports should be expecting and passing only untagged traffic. If you are going to use Hyper-V Tagging for VMs or create virtual NICs on a machine that will speak anything but Untagged traffic then you can allow Tagged traffic on those ports, but in most scenarios you don't want this.


Yes, as said above:

My setup is this: modem -> pfsense (em0 WAN in / em1 LAN out) -> netgear switch -> netgear switch

'incoming WAN' is the 'lan' side of my pfsense box passing traffic from my modem to the switches.
Link Posted: 1/24/2017 12:13:13 AM EDT
[#12]
Are your computers in VLAN 1 and 10 getting IPs in different subnets you presumably have set up in your DHCP server?

If so you likely have allow rules in your firewall settings in pfsense. Go to firewall>rules and remove the Any Any rules, then you can set your rules how you want them...

To reiterate "access" ports should not be given access to multiple vlans, tagged or untagged.
Link Posted: 1/24/2017 12:48:19 AM EDT
[#13]
Quoted:
Are your computers in VLAN 1 and 10 getting IPs in different subnets you presumably have set up in your DHCP server?

If so you likely have allow rules in your firewall settings in pfsense. Go to firewall>rules and remove the Any Any rules, then you can set your rules how you want them...

To reiterate "access" ports should not be given access to multiple vlans, tagged or untagged.

pfsense is just acting as a pass-through firewall with the WAN/LAN bridged. The DHCP is being served from the modem/router combo unit.
Link Posted: 1/24/2017 1:06:49 AM EDT
[#14]
That isn't going to work.  The VLANs are separate broadcast domains, that means they need routes in the routing table, DHCP scopes, ACLs/Firewalls, etc.  Modem/Router isn't going to do that for you, the Pfsense box has to.
Quoted:


pfsense is just acting as a pass-through firewall with the WAN/LAN bridged. The DHCP is being served from the modem/router combo unit.
Link Posted: 1/24/2017 1:19:41 AM EDT
[#15]
You can't trivially firewall connections within a broadcast subnet.... By definition, hosts in a broadcast domain are found via ARP and addressed by mac address. A switch passes packets with a mac address to the correct ports by using an address table that they establish... Computers outside your broadcast domain must be routed... Via a router. Firewalls sit on routers, they apply ACLs before passing them along to their destination broadcast domain (or an upstream gateway like your ISP for it to route if the broadcast domain is not local). To do what you want you'd typically have a broadcast domain per VLAN. Each will need a DHCP server, default gateway (router), etc which PFSense can trivially do if you configure it to do so.

Also your PFSense box should be doing NAT for internet and your modem if possible should be in bridge mode so the WAN interface on your PFSense box has a publicly routable IP address...

ETA: There is such a thing as a bridging firewall or transparent firewall which can enforce some ACLs at the switching layer rather than at the routing level, but they're not as common and are more likely standalone appliances designed to do such a thing and using PFSense to do such things would not be a typical setup.
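The routing-plus-firewall picture posts #4, #5, #12 and #15 paint, as an added example (not pfSense code and not from the thread): a router holds one subnet per VLAN, picks the egress interface by longest-prefix match, and applies a first-match, default-deny rule list on the ingress interface. Two hosts in the same subnet never reach the router at all (the switch forwards by MAC address after ARP), which is the point post #15 makes about not being able to firewall within a broadcast domain. The VLAN names, the 10.2.x.0/24 subnets (after the plan in post #4), the rule tuples and the sample connections are all constructed; `ANY_ANY` stands in for the default allow rule post #12 says to remove.

```python
"""Toy model of a router/firewall between VLAN subnets (added example)."""
import ipaddress

# Router interfaces: one subnet per VLAN (constructed, following the 10.2.x.0/24 plan in post #4).
INTERFACES = {
    "TRUSTED": ipaddress.ip_network("10.2.1.0/24"),
    "GUEST":   ipaddress.ip_network("10.2.2.0/24"),
    "CCTV":    ipaddress.ip_network("10.2.3.0/24"),
    "WAN":     ipaddress.ip_network("0.0.0.0/0"),      # default route, matches last
}

# Per-interface, first-match rule lists in the pfSense style:
# (action, destination interface, protocol, destination port). No match = block.
RULES = {
    "TRUSTED": [
        ("pass", "GUEST", "tcp", 80),     # only the web server port in the Guest VLAN
        ("pass", "WAN", "any", None),     # internet
    ],
    "GUEST": [
        ("pass", "WAN", "any", None),     # internet only; nothing toward Trusted or CCTV
    ],
    "CCTV": [],                           # offline-only: no pass rules at all
}
ANY_ANY = [("pass", "any", "any", None)]  # the default "allow to any" rule post #12 says to remove


def route(dst):
    """Longest-prefix match over the interface table: the interface that owns or forwards to dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, net in INTERFACES.items():
        if addr in net and (best is None or net.prefixlen > INTERFACES[best].prefixlen):
            best = iface
    return best


def decide(src, dst, proto, dport, rules=RULES):
    """Verdict for a new connection from src to dst: pass, block, or same-subnet (never reaches the router)."""
    in_iface, out_iface = route(src), route(dst)
    if in_iface == out_iface:
        # Same broadcast domain: the switch delivers by MAC address after ARP; the router never sees it.
        return "same-subnet", in_iface, out_iface
    if in_iface == "WAN":
        return "block", in_iface, out_iface       # constructed policy: no unsolicited inbound
    for action, to, rproto, rport in rules.get(in_iface, []):
        if to not in ("any", out_iface):
            continue
        if rproto not in ("any", proto):
            continue
        if rport is not None and rport != dport:
            continue
        return action, in_iface, out_iface        # first match wins
    return "block", in_iface, out_iface           # implicit deny


def demo():
    """Constructed connection attempts mapped to their verdicts."""
    cases = [
        ("10.2.1.20", "10.2.2.50", "tcp", 80),     # trusted host -> guest web server
        ("10.2.1.20", "10.2.2.50", "tcp", 443),    # same hosts, port not in the rule
        ("10.2.2.50", "10.2.1.20", "tcp", 22),     # guest -> trusted: not allowed
        ("10.2.3.10", "203.0.113.9", "udp", 53),   # camera -> internet: not allowed
        ("10.2.3.10", "10.2.3.11", "tcp", 554),    # camera -> camera: switch only
    ]
    return {case: decide(*case)[0] for case in cases}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case[0]:>12} -> {case[1]:>12} {case[2]}/{case[3]}: {verdict}")
    leaky = decide("10.2.2.50", "10.2.1.20", "tcp", 22, dict.fromkeys(RULES, ANY_ANY))
    print("same attempt with any/any rules on every interface:", leaky[0])
```

The last line is the situation post #12 describes: with an any/any pass rule on each interface the router happily forwards Guest to Trusted, so the VLANs exist on the switch but isolate nothing until those rules are replaced with explicit ones. Replies to allowed connections are handled by the router's state table in practice; the model only judges the initiating packet.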
Link Posted: 1/24/2017 1:21:24 AM EDT
[#16]
Quoted:
That isn't going to work.  The VLANs are separate broadcast domains, that means they need routes in the routing table, DHCP scopes, ACLs/Firewalls, etc.  Modem/Router isn't going to do that for you, the Pfsense box has to.

What if I served DHCP from the modem/router combo for the wifi only, and DHCP again for the wired connections only through pfsense?
Link Posted: 1/24/2017 1:50:03 AM EDT
[#17]
Quoted:


What if I served DHCP from the modem/router combo for the wifi only, and DHCP again for the wired connections only through pfsense?

Can you bridge the wireless with the Ethernet ports and just have the wifi assigned addresses from the PFSense box?  Edit: unless you can split the ISP port and the switch/wifi ports that's probably not going to work. I hate router/modem combos.
Link Posted: 1/24/2017 2:01:53 AM EDT
[#18]
You can still do it, but all the port forwarding gets messy.

http://hakology.co.uk/2014/02/pfsense-behind-a-router/

Something like that, the router IP becomes the upstream gateway, ideally you avoid doing a second NAT layer by using a static route...
Link Posted: 1/24/2017 10:42:46 AM EDT
[#19]
Quoted:


Can you bridge the wireless with the Ethernet ports and just have the wifi assigned addresses from the PFSense box?  Edit: unless you can split the ISP port and the switch/wifi ports that's probably not going to work. I hate router/modem combos.

Well...I COULD just turn the modem/router combo into a dumb modem and use this as an excuse to buy a Ubiquiti AP and put that behind the pfsense box, either on the switches or on one of my disabled eth2 or eth3 ports on the pfsense box.
Link Posted: 1/24/2017 1:08:26 PM EDT
[#20]
Quoted:


Well...I COULD just turn the modem/router combo into a dumb modem and use this as an excuse to buy a Ubiquiti AP and put that behind the pfsense box, either on the switches or on one of my disabled eth2 or eth3 ports on the pfsense box.

This is what you want to do.
Link Posted: 2/8/2017 3:49:19 PM EDT
[#21]
Quoted:


This is what you want to do.

OK - I ordered an AP-LITE and it's coming next week.

Question is - should each switch/AP be connected to its own port on the pfsense box, or can they be daisy chained? Also, the ubiquiti AP has its own management software - but do I assign my SSIDs etc. in pfsense or in the ubiquiti app?

IE:

modem -> pfsense box eth1 -> switch 1 (cameras VLAN) -> switch 2 (patched into switch 1) (smart home devices VLAN) -> AP plugged into switch 2

OR does it have to be

pfsense box eth1 -> switch 1 (cameras VLAN)
pfsense box eth2 -> switch 2 (smart home devices VLAN)
pfsense box eth3 -> AP

EDIT TO ADD;

I feel that there may also be another way?

pfsense box eth1 -> switch 1 -> switch 2 (patched into switch 1)
pfsense box eth2 -> AP

I could just use VLANs instead of actual network adapters in any scenario due to the JGA516PE switches being managed, correct?
Link Posted: 2/8/2017 4:49:01 PM EDT
[#22]
You need the AP to be plugged into the switch and not the PFsense box to be able to set it up, and manage it.