Office Network Design and Planning with VLANs, LLDP, Rules, IoT, Guest using UniFi & pfsense

Finally, a video that explains VLANs to actual humans! I wish I had seen it earlier...

I've been in IT for 20 years and this was the most succinct explanation on network design I've seen... well done.

This "best practice" video tutorial never grows old. I've used it as the basis for several SOHO setups and have never gone wrong with it. It covers all the common types of devices one might want to connect to a SOHO network. I especially like the LLDP-MED port provisioning for connecting VoIP phones having a pass-through network jack for desktop computers. The UI on the Unifi controller may have changed some since this video was made, but the same functionality is still there and this video is still just as relevant as when it came out 4+ years ago.

This should be the first watch for all that want to tinker with home networks. Tank you Lawrence for taking the time and educating us.

Tom, you make it too easy! I can't imagine how much time I would have saved if I had this video when I was starting out. That being said I think I learned more by getting lost and finding my way back. Thank you!

Tom, I've been watching your channel for a couple months and just wanted to say thanks for all great information, training and tips!!! I have been designing my dream home network for a new house that we are having built. I am starting to test some of the network hardware that I chose with the help and insight of all your experience in IT. I don't always get it the first time but I can't count how many times now I am working on something and think "boy did Tom have that right!" or "that's what he meant by that!". Thanks Tom!!!! And,now I finally joined your RUclips channel and I'm also going to check out your website!

Hi Tom, thanks for the great video. I've been trying to get my UniFi cameras on an isolated VLAN for the exact reasons you described. One of the mistakes I had been making was giving the G3 a static IP so when I set the port to the 'video' profile I lost connection to the Protect server. But having watched this I've got it all sorted. Keep up the good work.

Tom, this is an excellent video and covers a number of configuration consideration I need to address when revamping my home/lab network. I'm a retired systems programmer/Architect for the past 12 years, networking is new to me beyond the basic home router setup. I'm able to use your videos in my education on more complex networking configuration concepts, so, thanks and keep up the great videos.
Regards

Fantastic. I made some changes to address my particular setup (pfsense as a virtual machine within truenas scale with multiple bridged vlans), but this remains a fantastic resource --- 4 years later. Thank you!

Exactly what i’m doing for my customers ))) Good job bro!

Tom, this is one of the best explanations of secure networks I have ever seen. Thank You for doing this.

Great setup and great explanation!
I like the fact that you made the LAN into an IT management zone and make the regular users connect to another zone (OFFICE). This way, the pfSense anti-lock out rule will always bring the pfSense UI to the management zone and not back into the user network.
If there is IT staff on-site, they get to have ports to the LAN zone in their office. If there is no IT staff on-site, which is common in small businesses, I use a VPN to get into that zone. Of course, I always keep an available untagged port on that zone (VLAN) on the main switch just in case the VPN fails for some reason and I need a physical access to the management network to repair something.

I appreciate ALL of your networking videos. Especially pfsense. Thank you!

GREAT VIDEO!!! Very informative...keep up the good work Tom

Really loved the video! great explanations, nice and easy to follow! something easy to get people thinking!

Thank you Lawrence that is exactly the same as my network. FYI, one thing that needs to be added is dhcp snooping needs to be disabled on vlans due to bug on usw Mike

I saw this last November and thought that moving the cameras to a separate VLAN and only allowing it to talk to the NVR from a separate subnet was cool. Did it with our office's hikvision cameras just last week. The unifi switch was a bit iffy when I configured each port in the port manager but managed to get it to work. My boss liked the suggestion so much as I explained that it was a great security measure in case someone outside would disconnect the camera/s and connect it to a laptop or a malicious raspberry pi, but he immediately got the gist of it. Thank you!

I can’t tell you how much this video has help me. Thanks! And keep it going

Fantastic run through, thank you!

Great video - thank-you! I sat through the whole one to just revisit pfsense tinkering as I haven’t tinkered in a few years. Such great tutorials though and so clearly explained and demonstrated!

Hey Tom, great video. One really important step you missed in the video was creating the networks in the Unifi controller as well. It is not shown in the video and took me ages to work out. Lucky you had an older video from 2017 that should this step. Once I completed this step as well we were away and working perfectly!! Thanks for the amazing content. Keep it up!

Thank you for doing this Lawrence

You have made a fan out of me with these type of videos. Keep em coming bud!

It was very informative. Thank you for the video and the work on it.

Great Vid specially explaining LLDP

Love this, thank you

Thanks for the time and effort.

Ooh. Just got my sg1100 and erx combo working. It's quite a solid setup for home use. Thanks for the useful reviews. Definitely will use this so my cameras are not flat with my other devices.

best video of the year! great work!

Great video! I've only just discovered your channel and you cover this stuff very well.
I would be interested to hear more about designing subnets for route aggregation and stuff like VLAN tagging.

Really great video gives me some ideas for my own home network

Passed links to your videos and channel to family and friends and told them to subscribe. Thanks.

Thanks bro you are a great presenter

This is fantastic! Thanks

3:45 Interface -> Assignments -> VLANs (Creates IOTCrap VLAN & iface)
6:00 DHCP Server
8:30 Firewall Rules
15:00 Unifi switch VLAN settings
26:15 Shows physical devices and connections

Thank you.. the more I see you make videos on the SG-3100 the more I am considering upgrading to it from my USG. I had thought about the ER-4 but pfsense looks quite nice.

great content - thanks

Great video, can't wait for the same with a Untangle router, I would like to compare what you have done vs. what i have done with home/small business networks for VLAN, and IoT isolation. I have been able to get 5 or 6 of my fiends to move away from the cheep all-in-one router/WiFi solution once they understood how vulnerable their home networks are with a flat addressing plan.

Excellent video :)

Lawrence, you have a great full fan from da UP eh! Thanks for the excellent content

Thanks for this

You are awesome!

Nice one Lawrence 👍

Cool thanks a bunch Tom , yes there are additional features one can add in pfsense like pfblocker , snort , VPN , adding to Zabbix server for monitoring , running virtualized etc , but great for home use as is .… keep smiling and have a great one :-)

Stellar job again

This is so good.

Really liked this one! Big fan of pfsense and was happy to see pfsense tied in with something as nice as the ubiquiti stuff

Great video, you gave me ideas howto setup my new network, it used to be flat🤣. Your Pfsense tutorials gave my 6yo laptop a new life and provided me with new insights👍

Awesome video

When creating the pfsense firewall rules on each VLAN you don't need to create a rule blocking access to the firewall's web interface as all traffic is blocked by default unless there is another rule granting access (assuming the default deny configuration has not been changed in the main pfsense settings). In the example used in the video for the locked down VLANs you have a rule granting access to everything other than the private networks. As the pfsense web interface is on the private network, access will still be blocked by default with this rule.

Yes please do Untangle!

You're good.

Hey Tom, thanks for all of the help! I am setting up a SOHO network now with a Netgate SG-3100 and unifi ap and have had trouble finding the right guides for getting it setup (I am fairly new to all of this). Is there anyway you'd be able to organize a playlist from the videos you have for getting pfsense setup in a manner that would be useful for a home office/small business?

Another nice thing to do with Cameras switch ports is they should also be protected by only allowing the Mac address of the camera.

Hello , This is great for people to understand basic networking, the only thing i would change is Intra-VLAN routing on the router.
For example, a VLAN want to communicate with another VLAN, The packet will need to go all the way to the router to be routed, then go back to the switch.
A layer 3 managed switch with Intra-VLAN routing, route the traffic without reaching the PFsense router, but all vlan gateways should point to the switch interface IP ( Layer 3 ).
if a PC on the PC network ( PC VLAN) want to open a camera ( CCTV VLAN) , the router would be involved , in a small office its fine but i recommend a layer 3 switch to handle your intra-vlan routing.
Thank you,
Nader

Nice one Tom

Love ya work very informative indeed thanks chap. And yes could you do Untangle equivalent, please?

Thanks for making this video. I tried to do this a year ago and never got it working. Your video had the missing pieces I needed to get it working. I now have a secure IoT and Camera network.

Thanks! Wondering what I would miss if I try the same setup using omada firewall.

Also a good reason to set the static IPs manually on each device is that if the router (DHCP server) ever goes down, they can still talk to each other. I did that with my servers at home. the rest of the devices are managed by the DHCP server.

Great vid. I manage a private school's network with pfsense, cisco switches, and unifi access points and a vpn to another campus. Separating students from teachers, restricting what students can touch is the game. We'll be adding voip phones soon, seeing how that is setup on unifi switches is nice. I'm so used to cisco's command line.

Excellent video, I really appreciate the hint on using lldp-med to inform the phones what vlan to use.

I just started researching youtube for training, and maybe I will eventually find a video that has the Office network & planning not just in the Firewall software (i assume pfsense dashboard for assignment only). I REALLY NEED A DIAGRAM, OR DRAWING OF SOME SORT... I will keep looking though. Thanks for the info

Tip: The problem you discuss at 3:00 can be mitigated with IPv6 addressing. :)

Where do you put the printers (and stuff like that)?? I use to put them on a seperat VLAN and only allow access to the printserver/smtp for scan.

great video; how would you handle EPOS?

Interesting detail I hadn't observed before this walk-through is pfSense firewall rules are created/applied per interface. My experience is with Checkpoint and it's not the case there (at least it wasn't the case 10 years ago).

Weird seeing a cameras link state at 1gbps.. Good work!

Howdy. I appreciate your videos. I'm late to the party. I have a Protectli with Pfsense on it. And a tplink tl-sg1024DE behind it. At this point I think I want/need 5 or 6 VLANS. Would you recommend having pfsense to control the vlans and trunk to the tp link switch OR have the switch to handle the vlans?

Similar Untangle Video would be great!

I suppose another way to do it would be to have a LAN, a WAN, outside access rules, and then point to a Layer 3 switch on the internal LAN which can route, create vlans, ACL's and so forth.

Tom for President #2020

Hi Tom. Thanks for another great video. Not sure if you said it in this video, but I know I've heard you comment/remind us that when you setup VLANs this way, it's all on one physical cable/port. Meaning, bandwidth can be a factor. So when you have a Netgate 4100 for example, I would ask why not utilize the four ports and spread those networks/VLANs across them? Maybe LAN and OFFICE on one port, CAMERAS on one port, and the rest PHONES/GUEST/IOT and a third? Maybe keep one port open for future needs. Again, looking for the Pros/Cons on this design. Thanks in advance.

you mentioned that the usg doesnt have all the features needed in the firewall rules could you use the usg pro?

Hi Tom! Thank you so much for the video. I would like to know how you were able to put 2500baseT Speed duplex for the LAN Network?
Etherchannel?
Thanks again

This is an awesome tutorial. One thing I am uncertain of though -
I have a UCG-Ultra with defined networks / VLANS. If I put a USW-PRO-MAX behind it and have clients connected at 2.5 (but on different vlans) - connectivity between those devices would be limited to the routing speed of the UCG correct? Or am I way off base?

One challenge (I've not tried this on the Unifi yet so it may not be challenging on better kit) - IoT things like TVs and Streaming Players and ChromeCast that want to be found by broadcast packets. I guess it means that the adults in the house need to be on the same network as these devices, but we can keep kids and guests off so they can't change what we're watching on the TV.
I guess this is like your printers. Ours also likes broadcast but we can hand configure IP address in clients if needed.

So I followed this guide, as I am new to UI but not pf/opn but I cant connect to a IoT SSID now.

Hi Tom, apologies for questioning an old video, but I thought it pertinent. Could you please do a video explaining how you would set up an office / home environment with a network that has over 253 devices, so keeping .1 as the gateway and .255 as a broadcast, if you had 300 devices how would you configure PFSense securely to segment and talk across the networks? Thanks.

Liked the video. Would have liked to see what the UniFi dashboard looked like with the pfsense appliance matched up with the UniFi switch and AP.

7:40 Yes! And that's why I hate UDM Pro :-) Anything like this config would be too complicated there.

How do the phones and devices know what vlan network to connect to? Is that with the dhcp reservation? I’m just confused because you didn’t show reserving the phone ?

Would it be beneficial to get a Ubiquiti Edge Switch (ES-16-150W) instead of a Ubiquiti UniFi Switch? What are the pros and cons?

While I do get why some people often pick up on blocking addresses normally associated with internal LAN addresses, there's another thing to bear in mind; ISPs now are starting to use CGNAT, so you're going to see "internal" IPs in some WAN connections.

Hey Tom, great video. I see that the LAN network (192.168.5.0/24) is more like a management network for the devices - firewall, switch, camera, etc. I believe the VLAN for this network is the default VLAN 1 right?
So, I'd like to ask, what if I want to change that VLAN ID to something else? Is it possible?

Add the raspberry pi on using a Ubiquiti Nanoswitch or similar and the camera won't even be offline to attract attention beyond the time it takes to plug that in.

I have been looking for an example that I can use in my home lab. My goal is to replicate a similar network topology for professional development. Thanks!

Hi! Thanks for the video.
I noticed that you put an explicit block rule in the firewall configs for "This firewall" over all interfaces... I thought it was block by default?
In my personal setup I have an alias called "PrivateNetworks" consisting of "192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8", all of my interfaces are in the 192.168 range, and my allow rules all say "Destination !PrivateNetworks"... Above these allow rules i configure any rules that hit nodes on the private network / across subnets.... Is this sufficient??? I'm pretty new to writing my own firewall rules

I've found the Cloud key extremely limited - on the first one at least, mongodb will break if you turn up the logging.

Everything looks great. Had a few questions.
Once you setup the VLans in pFsense, do they automatically show up in the Unifi switch?
Regarding the Unifi Protect network, wouldn't blocking the cameras from accessing the internet block firmware updates when they become available or would it try and pull the update from Unifi Protect?
Worse case scenario, someone disconnects the switch from the pFsense box and plug it in to their pc or Raspberry Pi, would they have access to all VLans if it they make it appear they are a switch?

Hey Tom. I'm not quite tracking what you're saying about the port 443 that you changed to 10443. Where is it assigned by default in the settings? There's so much to learn. It's overwhelming but I'm getting there. Thanks for your videos. Hopefully I get a nice segmented network going on at home.

Hey Tom! Great video as always. I’m attempting a simple VLAN home setup for NVR. I’ve got a pFsense box on a Qotom AliExpress PC with only two Ethernet ports. I understand I need a managed switch for VLANS, but I’m guessing you need it to be connected directly to pFsense and Then NVR to switch, can’t have a dummy switch in between pFsense and managed switch?

What would you propose for multiple cameras? A POE switch on your port you set up for the camera in your example (like a dumb poe switch extending that 1 port) or map more ports to the smart switch?

I wouldn’t have thought routing HD Cameras through the FW would be a good idea. Maybe it’s quite common I don’t deal a lot with CCTV side of things.

Tom, Thank you again for another great video. I have a question. If I'm running the UNIFI controller on a PiHole, do you really need the Cloud Key? What is the major function of the cloud key other than remote network access?

Can you do a video like this, but address VLANs by MAC address and or port and MAC VLANs on the same network?

Hi Tom - Thanks for doing all the great content you create and sharing it with the community. I’d like to ask / request if you’d be willing to do a video for your followers on how to get Sonos setup on a separate VLAN to your controllers and get the connectivity working between them using tools on PFSense like Avahi or PIMD? I’m transitioning a home network away from a basic configuration to a more secure network design ahead of a 1GbE Fibre being installed later in the year and would like to get all these elements created. I’m using a Netgate 4100 Base with a Ubiquiti Unifi 24 PoE switch, two Ubiquiti Unifi U6 Pro’s, Several Ubiquiti USW Mini Flex’s and several G4 Bullet Cameras communicating to a Cloud Key Gen 2 Plus. I’ve got most of what I want in place but the Sonos VLAN to Controller VLAN connectivity is the last part Id like to get working. Any advice would be very helpful. Best wishes from Perthshire in Scotland!

Hi Tom! Hoping that you can make a tutorial about running PFSense with Windows Active Directory. Where AD has the DHCP and DNS instead in PFSense :D

With all these vlans. Cross talk packets must go back to the router right?
If i am moving a large file from device A to Device B will that go back to router to change vlans?
How often would One need to worry about saturating the GB link?

i'm a bit late to finishing this video, though i'm not completely through yet, Is there any reason you're not doing the routing in the switch vs pfSense? It doesn't look like you're doing a lot of rule sets in this case. Or is that switch not capable? I've recently started looking for a decent l3 managed switch with poe for my home use. The ones we use at work or very expensive and maybe that's why. I'm seeing different levels of managed poe switches in my searching. I've messed with a couple other brands; but still no unify.