So I am finally wanting to actually segment my home network properly (got new toys). I have Google Fiber and replaced the Google router with a pfSense box. The catch is that the WAN has to have a VLAN tag because something something Google.
My end goal is to split the WAN off to a meh security LAN for my security cameras and guest wifi, with another secure LAN for my servers and computers with the ability to securely VPN into this LAN for when I am away on the road.
I have tried using a Netgear L2/L3 lite switch in front of both LANs, but it does not seem to play well with the odd WAN VLAN tagging that Google Fiber requires. I think I need to get a true L3 switch (or a second pfSense machine?), but since the VLAN tagging on the WAN is such an odd bird in my experience, I was hoping that maybe someone else out there has already walked this road and could give me some advice. Thanks!
PS I can’t use the google router for anything as it does not allow you to do, well, anything, other than set a wifi password.
That’s what I assumed. But something just isn’t working when using the Netgear switch. I know I have the correct settings for the VLAN on the WAN side (the pfSense box has been up and running for over a year), so I assumed there was some other issue I am ignorant of. Wait…does Netgear work with Alexa?
Should also clarify that I have tried it with the most basic of setups: Google Fiber into the switch and a single connection to a laptop.
Currently (the working configuration) it is Google to pfSense, and from pfSense to my 2 LANs.
The Netgear switches (I have 2: one older model, one slightly newer model) are both several generations old compared to the newest models. There may just be a feature of some sort they don’t possess?
Also, I am perfectly OK with buying a real L3 switch or putting up another pfSense if that is the ultimate solution. I am mainly concerned, if I get the L3 switch, whether or not it will be compatible with the Google VLAN tagging or whether it would be hampered like the Netgear switches.
When I try to put the switch in the place of the current pfSense machine (to ultimately get me the double LAN setup I am wanting), nothing behind the switch can access the internet, even though I have the incoming WAN tagged with the same VLAN settings that work with the pfSense machine when it is connected directly to Google Fiber.
New here so didn’t realize pictures were a thing! Hopefully these do a better job showing my current and desired set up generally.
My ultimate mindset is that the L3 lite switch just can’t do what I am wanting, but again, the Google WAN VLAN is odd to me, so I wanted to consult higher powers before I throw down $500ish for a real L3 switch.
I see. That second configuration is just incorrect. That is not how you establish multiple private networks. The first configuration is correct. You need to build off of that.
How many switches do you have, and how many ports on pfsense?
I am wanting to have the multiple private networks. I don’t want any talking between the security cams/guest wifi and my servers. Is that not the best way to ensure security? I thought it was, but again, that’s why I wanted to check with people who know more than me.
What you want to do is good. How you are doing it is the issue. pfSense is a router/gateway/firewall. It needs to be between the WAN and everything else. It defines what is private and public. Everything on the WAN side is public; everything else is private. In your config, you are exposing your cameras directly to the internet. Lucky for you, they don’t have valid addresses.
The new servers I have are equipped with actual IPMI, so that’s the driving fear that has me wanting to make sure the not-so-secure stuff is totally isolated from my important machines. I know management hardware like IPMI is usually heavily guarded and isolated in the enterprise setting, and I could just have a bad case of paranoia about the setup.
Do you know how to set up VLANs in pfSense so that each has its own subnet and DHCP? And do you know how to trunk VLANs on the switches and tag the ports?
I do. My current setup actually has different VLANs for the cameras and my current not-actual-servers-but-servers. More than likely it is a misunderstanding on my end about L3 switches and how they do routing vs. the routing of the pfSense box.
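As an added illustration of the layout recommended above (pfSense between the tagged WAN and every private segment, one VLAN per subnet, cameras/guest unable to reach the servers, VPN users landing on the secure side), here is the policy written as a pf ruleset, the syntax pfSense itself generates from GUI rules. This is not code from the thread; the interface names, VLAN IDs, subnets and the VPN port are placeholders, and the Google Fiber WAN VLAN ID is not stated in the thread, so it is left as a placeholder too.

```pf
# Placeholder names: substitute your own NICs, VLAN IDs and subnets.
wan_if  = "igb0.<GOOGLE_VLAN_ID>"   # tagged WAN sub-interface (ID not given in the thread)
cams_if = "igb1.10"                 # VLAN 10: cameras + guest wifi ("meh" segment)
srv_if  = "igb1.20"                 # VLAN 20: servers, workstations, IPMI (secure segment)
vpn_if  = "ovpns1"                  # VPN server interface for road-warrior access

cams_net = "192.168.10.0/24"
srv_net  = "192.168.20.0/24"
vpn_net  = "10.8.0.0/24"

# All RFC 1918 space, so cameras/guest cannot reach ANY private segment,
# including ones you add later.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
set block-policy drop

# Both private segments and VPN clients leave through the tagged WAN sub-interface.
nat on $wan_if from { $cams_net, $srv_net, $vpn_net } to any -> ($wan_if)

# Default deny everywhere; each segment then gets only what it needs.
block log all

# WAN side is public: accept nothing unsolicited except the VPN listener.
pass in quick on $wan_if proto udp from any to ($wan_if) port 1194 keep state

# Cameras/guest: DHCP and DNS from the firewall itself...
pass in quick on $cams_if proto udp from any port 68 to any port 67
pass in quick on $cams_if proto { tcp, udp } from $cams_net to ($cams_if) port 53 keep state
# ...then internet only, never any private address.
block in quick on $cams_if from $cams_net to <rfc1918>
pass in quick on $cams_if from $cams_net to any keep state

# Servers: full outbound, including initiating connections to the cameras
# (e.g. pulling video). The cameras still cannot initiate toward servers.
pass in quick on $srv_if proto udp from any port 68 to any port 67
pass in quick on $srv_if from $srv_net to any keep state

# VPN users land on the secure segment and may reach both private networks.
pass in quick on $vpn_if from $vpn_net to { $srv_net, $cams_net } keep state

# The firewall's own outbound traffic (DNS forwarding, NTP, updates).
pass out quick all keep state
```

In the pfSense GUI the same policy is the per-interface rule list in this order (DHCP/DNS allow, block to an RFC 1918 alias, allow any) on the cameras VLAN, since pfSense evaluates interface rules first-match like the `quick` rules here.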