
pfSense + Ethernet Switch - Managed or Unmanaged?


#1

So I’m moving and trying to figure out how I’m going to set up my next network. I’d like to make sure it’s pretty much future-proofed so I don’t have to do any frankenwiring down the road. My current plan is this, and I’m just looking for verification that it will work:

Run pfSense on a Dell OptiPlex with 2 Ethernet ports (I’ll get a network card or whatever). Plugged into one will be a wireless router. Plugged into the other will be a network switch. Going into the pfSense machine will be my modem. I’m wondering if I will be able to manage all the devices connected to those devices through pfSense. I basically just need port forwarding and VPN, for both the wireless and cabled devices. Will pfSense be able to manage those even if they aren’t plugged in directly? Or will I need to buy a managed switch and do it that way? Obviously, unmanaged is less expensive. Also, is there a better way to broadcast wireless other than plugging in a router?

Thanks


#2

You don’t need a managed switch for port forwarding. You can port forward to anything on the network; it doesn’t need to be connected directly to the router.

Get an access point if you can, but it’s the same difference either way. You can plug this into the switch; you don’t need to connect it to a second interface on pfSense unless you want to firewall between the LAN and WLAN.


#3

Managed switches are mainly used for VLAN segregation, STP, disabling any unused ports and many more things that unmanaged switches may not have. This is why managed switches are more expensive.

As @Dexter_Kane said, access points are your best option because of their convenient design, which lets them be mounted on walls, ceilings or furniture, and because they are more reliable than using routers. BTW, you do not want two routers running on the same network unless you have two ISPs.

As for the services you stated, I’m pretty sure pfSense can do those things. So you might as well just plug your modem into your pfSense routing device and run a network switch out of it. Then you can have anything, including an AP or APs, on the switch.


#4

There shouldn’t be any problems running multiple “router” devices in the same network, provided you only run the ISP-facing one in “routing” mode and switch the others to “bridged”.


#5

Don’t do it that way. If your pfSense box has two Ethernet ports, plug your ISP’s modem into one, your switch into the other, and your old Linksys (or whatever) router into the switch. Set the Linksys to bridge mode, turning off NAT, DHCP, etc., so all it does is bridge Wi-Fi to your network. And that’s it, you’re done.


#6

Isn’t that what I said? One routing device (pfSense) routes, the others (Linksys) are in bridged mode. Am I missing something?


I’d also suggest setting the modem to bridged mode if it has built-in router functionality (when you’re routing all traffic through the pfSense box).


#7

Yes indeed, the modem has got to be in bridged mode. You don’t want double NAT. I figure anyone with the sophistication to know about pfSense in the first place already did that.


#8

Thanks for the responses. That seems reasonable. So basically: Internet > Modem (bridged) > pfSense router > Switch > All devices/AP


#9

Yeah, that’s the problem I was trying to indicate, unless you are on two ISPs, in which case you will then have to double-NAT, one for each.


#10

Now if you want to get fancy and want a private guest network with separate QoS or throttling, or a separate, secure VLAN for IoT devices you don’t trust (and you should not trust them), that’s when a managed switch will come in handy.

You can set the managed switch up with different VLANs and have your home network with your main Wi-Fi on one, a separate wireless access point plugged into another, walled-off VLAN with separate rules for guests to use (and to keep them from using all your bandwidth), and yet another one for IoT devices, if you really must plug in your TV, your fridge, your coffee maker, etc. If you have a security camera system, you could set up yet another VLAN for that as well.

This will hopefully help protect your network should one device on it become compromised: attackers will be limited in what damage can be done from that device. This is especially helpful if you are doing port forwarding, as those exposed services may be open to outside attacks. Keep systems running exposed services on a separate VLAN for better security.
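The policy sketched in this post (trusted LAN, guest VLAN, IoT VLAN, and a separate VLAN for the hosts that receive forwarded ports, as #2 describes) written out as a FreeBSD pf ruleset. This is an added example, not pfSense’s own generated rules and not something from the thread: pfSense builds its ruleset from the web UI, but the rules it produces follow the same rdr/nat/pass/block logic shown here. Interface names, VLAN tags, subnets and the forwarded host are all assumptions chosen for the example; the 802.1Q tags must match the VLANs configured on the managed switch’s trunk port to the pfSense box.

```pf
# Added example, not pfSense's generated config. Assumed interface names:
ext_if   = "em0"       # WAN; modem in bridge mode, public IP via DHCP
lan_if   = "em1"       # untagged trusted LAN
guest_if = "em1.20"    # VLAN 20 from the managed switch trunk: guest Wi-Fi AP
iot_if   = "em1.30"    # VLAN 30: IoT devices
dmz_if   = "em1.40"    # VLAN 40: hosts that receive forwarded ports

# Assumed addressing
lan_net   = "192.168.1.0/24"
guest_net = "192.168.20.0/24"
iot_net   = "192.168.30.0/24"
dmz_net   = "192.168.40.0/24"
srv_host  = "192.168.40.10"   # assumed host behind the forwarded port

# Every private range; "to <rfc1918>" means "to anything internal"
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# One public address: source-NAT every internal network behind the WAN IP
nat on $ext_if inet from { $lan_net, $guest_net, $iot_net, $dmz_net } to any -> ($ext_if)

# Port forward WAN tcp/443 to the DMZ host. rdr rewrites the destination
# before filtering, so the matching pass rule below uses the internal address.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $srv_host port 443

# Default deny on every interface; log drops so mistakes are visible
block log all

# The firewall itself may go out to the Internet (DNS, NTP, updates)
pass out quick on $ext_if inet from ($ext_if) to any keep state

# Trusted LAN: full access, including to the other VLANs for management
pass in quick on $lan_if inet from $lan_net to any keep state

# Guest VLAN: DNS to the firewall, nothing else internal, then Internet
pass in quick on $guest_if inet proto { tcp, udp } from $guest_net to ($guest_if) port 53 keep state
block in quick on $guest_if inet from $guest_net to <rfc1918>
pass in quick on $guest_if inet from $guest_net to any keep state

# IoT VLAN: DNS and NTP to the firewall only, nothing else internal, then Internet
pass in quick on $iot_if inet proto udp from $iot_net to ($iot_if) port { 53, 123 } keep state
block in quick on $iot_if inet from $iot_net to <rfc1918>
pass in quick on $iot_if inet from $iot_net to any keep state

# DMZ VLAN: only the forwarded service is reachable from the WAN, and a
# compromised DMZ host cannot reach the LAN, guest or IoT networks
pass in quick on $ext_if inet proto tcp from any to $srv_host port 443 keep state
block in quick on $dmz_if inet from $dmz_net to <rfc1918>
pass in quick on $dmz_if inet from $dmz_net to any keep state
```

Two points worth checking after loading a ruleset like this: pf evaluates `quick` rules first-match, so the per-VLAN "allow DNS to the firewall" lines have to come before the `block ... to <rfc1918>` line or clients on that VLAN lose name resolution; and the DHCP broadcasts the VLAN clients send go to 255.255.255.255, not a private address, so they are not caught by the RFC1918 block. Guest throttling (the QoS the post mentions) is not expressed here; in pfSense that is done with limiters applied to the guest pass rule rather than with filter rules.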


#11

Yes, just that if your modem is also a router, bridge it and it’ll only do media conversion from POTS (I think) to Ethernet.