May want to upgrade your PFsense box to something with aes-ni support and intel nics.
Can i ask the reason why you have 4 8 port switches and not one 24 port switch?
Go with unifi ac pro for ap.
You may even depending on your budget get a USG, a 24 port unifi switch, a cloud key and the ac pro and just have the entire unifi ecosystem.
1 Like
There are only 2 switches in use right now.
Only the workstation, printer, point of sale
and one nas has to be on the lan.
All other stuff is wi-fi more then enough.
The vpn runs now a week on the pfsense box.
Would a old q6600 with a intel nic work or better something newer?
Newer cause pfsense next release requites aes-ni
hmm alright any recommendations
EDIT: I got a amd fx 8320e on a 990fxa board too that I could use.
Or better something less power hungry.
Your choice if we had a budget in mind I could help you further tune what to get
ok so around € 500,- should be not a problem.
EDIT: building something myself is also no problem
Can you give a crude layout on the place?
There is another switch between the workstation, printer, pos and pc,
because I need long cable to get to the office.
So you’re saying another NAS is/has to be publicly accessible?
No, offline or sold.
So as in that one stays offline in cold storage and the other one stays online for all the LAN devices to access it?
Yes, for now one offline one on the lan.
As right now the network should look something like this:
Internet -> Firewall/VPN-> switch -> connected to 1, 2, 3
- LAN -> Workstation, Printer, Nas, POS and maybe (one pc)
- AP -> private/office wi-fi + (Customer wi-fi)
or 3. Ap -> Customer wi-fi (if its easier for me)
For the AP, you can create like a separate SSID for them and have different settings and options than the other one that is intended for your own use. I think that Ubiquiti one you mentioned in the OP can have different profiles; one for home and office usage, the other one for the customers can be on a “guest” profile. My Asus RT-AC87U has that option.
Also, are you planning to converge all of the wired devices into a single switch?
OK, that should work on the unifi pro as I can tell.
So there is only the coverage issue. Need 2 or 3 of them.
And for the the pfsense box I’m looking into something like
What switch is needed secure my LAN too? And do I need an extra router?
Normally, APs do have excellent coverage, but that would depend on whereabouts you put the AP, so just follow the most common “do nots” on planning the placement on your AP and you should be fine. Depending on the area of your home/office, place the AP where it can efficiently and effectively broadcast the signals as much as possible. My suggestion is to get one, place it at the best spot where it can get the best coverage, and if there is still a deadspot or so, you can get one more or 2 of the exact model. If your place is a multilevel building, best to get one per level, because you may end up with nothing on a different level than where the AP is placed.
Managed switches could provide you with some degree of protection with VLAN segmentation. So you would have one VLAN for your own, another for the office and a third one for the customers. That depends on what router you’re using though; pfsense should be able to do that. So when you are about to make different VLANs, plan it out first, including the switch ports to allocate to a VLAN.
Not necessarily, and not recommended to have two routers unless you have two ISPs. A single router, depending on the specs and the size of your network, should be able to handle the firewall, routing and VLAN activities, like the one you posted. If you’re dealing with a huge network, then that will be a no, because you would want a router to handle all the jobs assigned to to be able to process all the tasks transparently.
With all that being said, what is your budget?
1 Like
- the pfsense box around € 400-500 incl. so-dimms,
ssd and hdd are some spare around. - ~ € 500 for the APs are already planned.
- for the switch(s) € 2-300.
And maybe some € to connect the workstation and
the nas with 10Gb…
If you want guaranteed 10Gb throughput, you need to use Cat7 cable.
[Keeping in mind that I am not an electrician, and if you have any concerns with my following advice please consult one.]
The lower the gauge number, the thicker it will be. You want solid copper cable, not copper clad/aluminum or any other BS. Plenum isn’t required for a wood based home. The argument is that if there is a fire your whole house will burn up, you won’t be trapped inside breathing the chemicals from the wires. Shielded twisted pairs are great if you have a lot of interference, but not required. I personally went with 20AWG Unshielded Twisted Pair Cat6 in my house, I get the 1Gb throughput I expected.
Also, I use a Ubiquiti AC-HD that never goes above 11% utilization w/ 10-30 wireless devices. I have one on the ceiling in the center of my house which can extend a 5Ghz signal to my mailbox. If I am on the sidewalk, I might not have enough bandwith for Youtube, but I do for audio. (Distance is about 3 car lengths from AP through an exterior wall of my home). If you have a larger area to cover (or have a lot of walls) it might make more sense to go with 2 AP-AC Pros instead. The HD was definitely gross overkill for my home, but I didn’t want to have to touch it again at any point, for any reason, for at least 5-10 years. Either way the access points are about $300-400. I got the qotom box for $300 + $80 for sodimms from a sale on reddit. I would like to point out however that when I ordered from Qotom before, I had the processor choice as options (i5 no wifi, i5 wifi, i7 no wifi, i7 wifi) when I looked just now they had some product numbers or something.
@DaddyNugget I have a quick question about the Qotom box you use for Pfsense? I have heard the cheap Chinese Nux you can get for a DYI firewall device doesn’t last long, I assume any Qotom device is a cheap Chinese Nux, is it? And how long have you been using the device, have you had any problems with it?
I think the terminology is ‘Mini-PC’ because a NUC is a strictly Intel product. But yes the Qotom box I have is a Chinese mini-pc. No problems with the product other than what I have done to it. It sits in a cramped 4u closet with a patch panel, power strips, hdhomerun, switch, and a few other things. Although there is no air flow, the temperatures seem fine. The box does a good job distributing heat (Fanless, but all aluminum exterior). I have had it for about 4 months now, so I can’t attest to it’s longevity.
When I was looking up different options for what I wanted, I asked myself the following questions:
- How much power will this use?
- Am I better off buying a pre-made device or building my own?
- How much space will this use?
- How long will this solution last?
I used to have a Q6600 box that was a mini tower, and it would whine like a banshee sometimes. It used a noticeable amount of power, and was not able to easily fit where I wanted it (I basically had it sitting on my electrical box half leaning on a shelf). I didn’t expect it to last that long, so I looked into something better.
The newest versions of pfSense require AES-NI encryption capable processors, so I went to the Intel ARK system and narrowed down my selection to chips that fit the bill. Narrowed it down to processors that used less than 25W, compared results. I knew that the J1900 boxes were all popular, but didn’t support AES-NI. Eventually I saw that a J3455 Embedded Asrock Board would do OK, but would use more power than I wanted. The cost of building an ITX system outweighed the cost, used more power, and had less performance for my goals so I decided on a pre-built unit.
I have seen decent reviews for the ProtectLi boxes on Amazon, but they were more expensive than the Qotom variant. Since I was planning on installing my own drive for security’s sake, I wanted the best price on the firewall shell. There are numerous boxes out there, all with differing capabilities. For mine I wanted 1Gb throughput from my desktop to my WAN, so I made sure I got a box with that. I also made sure that the NIC’s were intel based due to pfSense’s hardware requirements. I used a Syba quad port NIC with my Q6600 build, and it didn’t register with pfSense. I also tried to use an on-board Realtek chip that didn’t use it’s full throughput. Then, I scored the pfSense forums for different gigabit guides/results and I found a thread where someone else recommended the exact same box I ended up buying.
So for me, I ended up with a dedicated firewall appliance, it cost more than if I absolutely DIY’ed something, but that cost will be reflected in both power savings over time, and in how much space I am saving at my house. I have a quiet box, that works well, that hasn’t given me any cause for alarm. If I could go back, I wouldn’t change my decision (although I’m sure I could have gotten away with the lesser model, I didn’t want to risk the $75 difference after dropping about $300).
I hope this helps OP.
2 Likes