Office Network Design and Planning with VLANs, LLDP, Rules, IoT, Guest using UniFi & pfsense

  • Published: 23 Dec 2024

Comments • 298

  • @823Labs
    @823Labs 3 years ago +61

    I've been in IT for 20 years and this was the most succinct explanation on network design I've seen... well done.

  •  3 years ago +37

    Finally, a video that explains VLANs to actual humans! I wish I had seen it earlier...

  • @tomferrin1148
    @tomferrin1148 1 year ago +2

    This "best practice" video tutorial never grows old. I've used it as the basis for several SOHO setups and have never gone wrong with it. It covers all the common types of devices one might want to connect to a SOHO network. I especially like the LLDP-MED port provisioning for connecting VoIP phones having a pass-through network jack for desktop computers. The UI on the Unifi controller may have changed some since this video was made, but the same functionality is still there and this video is still just as relevant as when it came out 4+ years ago.

  • @jeffmeyers3837
    @jeffmeyers3837 1 year ago +3

    3:45 Interface -> Assignments -> VLANs (Creates IOTCrap VLAN & iface)
    6:00 DHCP Server
    8:30 Firewall Rules
    15:00 Unifi switch VLAN settings
    26:15 Shows physical devices and connections

  • @clydebryant2665
    @clydebryant2665 5 years ago +28

    Tom, this is an excellent video and covers a number of configuration considerations I need to address when revamping my home/lab network. I'm a retired systems programmer/architect for the past 12 years; networking is new to me beyond the basic home router setup. I'm able to use your videos in my education on more complex networking configuration concepts, so thanks and keep up the great videos.
    Regards

  • @greenmountainitsolutions4722
    @greenmountainitsolutions4722 5 years ago +34

    Tom, you make it too easy! I can't imagine how much time I would have saved if I had this video when I was starting out. That being said I think I learned more by getting lost and finding my way back. Thank you!

  • @viaujoc
    @viaujoc 4 years ago +7

    Great setup and great explanation!
    I like the fact that you made the LAN into an IT management zone and made the regular users connect to another zone (OFFICE). This way, the pfSense anti-lockout rule will always bring the pfSense UI to the management zone and not back into the user network.
    If there is IT staff on-site, they get to have ports to the LAN zone in their office. If there is no IT staff on-site, which is common in small businesses, I use a VPN to get into that zone. Of course, I always keep an available untagged port on that zone (VLAN) on the main switch just in case the VPN fails for some reason and I need physical access to the management network to repair something.

  • @bobhcs
    @bobhcs 3 years ago +5

    Tom, I've been watching your channel for a couple of months and just wanted to say thanks for all the great information, training and tips!!! I have been designing my dream home network for a new house that we are having built. I am starting to test some of the network hardware that I chose with the help and insight of all your experience in IT. I don't always get it the first time but I can't count how many times now I am working on something and think "boy did Tom have that right!" or "that's what he meant by that!". Thanks Tom!!!! And now I finally joined your RUclips channel and I'm also going to check out your website!

  • @peterdee1900
    @peterdee1900 4 years ago +8

    Hey Tom, great video. One really important step you missed in the video was creating the networks in the Unifi controller as well. It is not shown in the video and took me ages to work out. Luckily you had an older video from 2017 that showed this step. Once I completed this step as well we were away and working perfectly!! Thanks for the amazing content. Keep it up!

    • @crankharder123
      @crankharder123 4 years ago +3

      Think I just ran into this as well. Lots of detail there that is missing. Presumably about what the VLAN & DHCP settings should be inside the UniFi controller - but no clue.

  • @tpagden
    @tpagden 1 year ago

    Fantastic. I made some changes to address my particular setup (pfsense as a virtual machine within truenas scale with multiple bridged vlans), but this remains a fantastic resource --- 4 years later. Thank you!

  • @patricwinger5199
    @patricwinger5199 2 years ago

    This should be the first watch for all that want to tinker with home networks. Thank you Lawrence for taking the time and educating us.

  • @adrianvesnaver
    @adrianvesnaver 2 years ago +2

    When creating the pfsense firewall rules on each VLAN you don't need to create a rule blocking access to the firewall's web interface as all traffic is blocked by default unless there is another rule granting access (assuming the default deny configuration has not been changed in the main pfsense settings). In the example used in the video for the locked down VLANs you have a rule granting access to everything other than the private networks. As the pfsense web interface is on the private network, access will still be blocked by default with this rule.

  • @MarvinFroeder
    @MarvinFroeder 2 years ago

    Thanks! Wondering what I would miss if I try the same setup using omada firewall.

  • @ejbully
    @ejbully 4 years ago +2

    I appreciate ALL of your networking videos. Especially pfsense. Thank you!

    • @emmettbradford6983
      @emmettbradford6983 4 years ago

      Google BRADFORD TECHNOLOGY 🌎🖥️🖨️🖱️⌨️ great nationwide internet reseller company helping a lot of people save money 💰 on internet service

  • @eointhomas2914
    @eointhomas2914 1 month ago

    I always come back to this video 🙏 I work in an MSP and it's very rare to see VLANs being used in small/medium businesses.

  • @alejandrovelasquez247
    @alejandrovelasquez247 4 years ago +4

    Another nice thing to do with camera switch ports is that they should also be protected by only allowing the MAC address of the camera.

  • @itpugil
    @itpugil 11 months ago

    I saw this last November and thought that moving the cameras to a separate VLAN and only allowing them to talk to the NVR from a separate subnet was cool. Did it with our office's Hikvision cameras just last week. The UniFi switch was a bit iffy when I configured each port in the port manager, but I managed to get it to work. My boss liked the suggestion so much; as I explained that it was a great security measure in case someone outside would disconnect the camera(s) and connect it to a laptop or a malicious Raspberry Pi, he immediately got the gist of it. Thank you!

  • @peterfrenchsa
    @peterfrenchsa 1 year ago +1

    Great video - thank-you! I sat through the whole one to just revisit pfsense tinkering as I haven’t tinkered in a few years. Such great tutorials though and so clearly explained and demonstrated!

  • @AlbaTech
    @AlbaTech 5 years ago +16

    Hi Tom, thanks for the great video. I've been trying to get my UniFi cameras on an isolated VLAN for the exact reasons you described. One of the mistakes I had been making was giving the G3 a static IP so when I set the port to the 'video' profile I lost connection to the Protect server. But having watched this I've got it all sorted. Keep up the good work.

  • @Red1Wollip
    @Red1Wollip 4 years ago +2

    Tom, this is one of the best explanations of secure networks I have ever seen. Thank You for doing this.


  • @mikelawson3304
    @mikelawson3304 5 years ago +10

    Thank you Lawrence, that is exactly the same as my network. FYI, one thing that needs to be added is that DHCP snooping needs to be disabled on VLANs due to a bug on the USW. Mike

  • @lightingman117
    @lightingman117 3 years ago +1

    14:50 I'm confused. Why wouldn't an allow-only-to-WAN-interface rule work? Or not be easier/better?

  • @MajesticBlueFalcon
    @MajesticBlueFalcon 5 years ago +5

    You have made a fan out of me with these types of videos. Keep em coming bud!


  • @DonGerico
    @DonGerico 4 years ago +1

    Thank you.. the more I see you make videos on the SG-3100 the more I am considering upgrading to it from my USG. I had thought about the ER-4 but pfsense looks quite nice.


  • @jbb6372
    @jbb6372 3 years ago +1

    Really loved the video! Great explanations, nice and easy to follow! Something easy to get people thinking!

  • @RM-hy4so
    @RM-hy4so 3 years ago

    I can't tell you how much this video has helped me. Thanks! And keep it going.

  • @BrettMartin84
    @BrettMartin84 4 years ago +2

    Thanks for making this video. I tried to do this a year ago and never got it working. Your video had the missing pieces I needed to get it working. I now have a secure IoT and Camera network.

    • @jmcbri
      @jmcbri 4 years ago

      I don't get it. If the IoT crap is blocked from private networks, how do you use those devices? Wouldn't you allow the mothership IP on WAN only, and allow on LAN?

    • @BrettMartin84
      @BrettMartin84 4 years ago +1

      James McBride most IoT crap wants to work inside and outside the home. To do this it needs internet access, not LAN access. E.g. an Ecobee thermostat works from app -> internet -> LAN -> thermostat, not directly from device to app. Therefore if you are giving an unknown device both LAN and WAN access it could do whatever it wants on your LAN and send it over the internet. By making an IoT network that can't access the LAN you secure your LAN. It's the opposite for cameras. You want them to have LAN-only access and no WAN access.

  • @ronaldvargo4113
    @ronaldvargo4113 5 years ago +2

    Great video, can't wait for the same with an Untangle router. I would like to compare what you have done vs. what I have done with home/small business networks for VLAN and IoT isolation. I have been able to get 5 or 6 of my friends to move away from the cheap all-in-one router/WiFi solution once they understood how vulnerable their home networks are with a flat addressing plan.

  • @VredesbyrdNoir
    @VredesbyrdNoir 3 years ago +1

    Great video! I've only just discovered your channel and you cover this stuff very well.
    I would be interested to hear more about designing subnets for route aggregation and stuff like VLAN tagging.

  • @naderbarakat3001
    @naderbarakat3001 4 years ago

    Hello, this is great for people to understand basic networking. The only thing I would change is intra-VLAN routing on the router.
    For example, a VLAN wants to communicate with another VLAN; the packet will need to go all the way to the router to be routed, then go back to the switch.
    A layer 3 managed switch with intra-VLAN routing routes the traffic without reaching the pfSense router, but all VLAN gateways should point to the switch interface IP (layer 3).
    If a PC on the PC network (PC VLAN) wants to open a camera (CCTV VLAN), the router would be involved. In a small office it's fine, but I recommend a layer 3 switch to handle your intra-VLAN routing.
    Thank you,
    Nader

    • @eDoc2020
      @eDoc2020 2 years ago

      AFAIK most L3 switches are stateless. This makes it hard or impossible to allow TCP connections from subnet A to subnet B without also allowing subnet B to initiate connections to subnet A.

  • @mx2ce782
    @mx2ce782 2 years ago +1

    Lawrence, you have a grateful fan from da UP eh! Thanks for the excellent content.

  • @rudypieplenbosch6752
    @rudypieplenbosch6752 4 years ago +1

    Great video, you gave me ideas on how to set up my new network; it used to be flat🤣. Your pfSense tutorials gave my 6yo laptop a new life and provided me with new insights👍

    • @martintimmermans8952
      @martintimmermans8952 4 years ago

      Nice to hear you improved your LAN! :D Just not sure if I understand the relation to an old laptop? Or are you now using it as your pfSense instance and routing all (including incoming/outgoing) over 1 physical port? :P If yes, are you using any IDS/IPS functions and/or VPN tunnels? What performance are you getting out of an old laptop? You could consider getting something cheap/power efficient, e.g. from AliExpress (like I did). Just search for pfsense and you'll get tons of options, anywhere from a simple J1900 to a nice i7 :)


  • @joefunk462
    @joefunk462 2 years ago

    Hi Tom. Thanks for another great video. Not sure if you said it in this video, but I know I've heard you comment/remind us that when you set up VLANs this way, it's all on one physical cable/port. Meaning, bandwidth can be a factor. So when you have a Netgate 4100 for example, I would ask why not utilize the four ports and spread those networks/VLANs across them? Maybe LAN and OFFICE on one port, CAMERAS on one port, and the rest PHONES/GUEST/IOT on a third? Maybe keep one port open for future needs. Again, looking for the pros/cons on this design. Thanks in advance.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      Using VLANs instead of individual ports is for convenience.

  • @Jamesaepp
    @Jamesaepp 4 years ago +1

    Tip: The problem you discuss at 3:00 can be mitigated with IPv6 addressing. :)

  • @RM-hy4so
    @RM-hy4so 3 years ago

    Passed links to your videos and channel to family and friends and told them to subscribe. Thanks.

  • @davidbarnett1826
    @davidbarnett1826 2 years ago

    I just started researching YouTube for training, and maybe I will eventually find a video that has the office network & planning not just in the firewall software (I assume pfSense dashboard for assignment only). I REALLY NEED A DIAGRAM, OR DRAWING OF SOME SORT... I will keep looking though. Thanks for the info.

  • @TechUniversity1
    @TechUniversity1 4 years ago +1

    How do the phones and devices know what VLAN network to connect to? Is that with the DHCP reservation? I'm just confused because you didn't show reserving the phone?

  • @Setola
    @Setola 5 years ago +7

    Best video of the year! Great work!

  • @mziminski
    @mziminski 5 years ago

    I have a question: at 29:28 when you plugged the phone in to the office network, how did the switch know that it was a phone? I really like the passthrough function and how you can allow a computer to get the office network through the passthrough port. But how does the switch know the phone is a phone and the computer is a computer?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 5 years ago

      Most all VoIP phones support the LLDP protocol.

    • @mziminski
      @mziminski 5 years ago

      @@LAWRENCESYSTEMS what did you do on the phone VLAN to have it accept the LLDP protocol?
      Sorry if this sounds like such a basic question. I'm just trying to wrap my head around it.

    • @mziminski
      @mziminski 5 years ago

      @@LAWRENCESYSTEMS After re-watching the video, I see how it's done (18:17). It's not anything on the firewall, but the LLDP is set in Unifi and you choose the VLAN for the phones. If Unifi realizes that it's a phone, it'll tie into the .30 VLAN. Great video!

  • @FSCMV6
    @FSCMV6 5 months ago

    This is an awesome tutorial. One thing I am uncertain of though -
    I have a UCG-Ultra with defined networks / VLANs. If I put a USW-PRO-MAX behind it and have clients connected at 2.5 (but on different VLANs), connectivity between those devices would be limited to the routing speed of the UCG, correct? Or am I way off base?

  • @akletke1
    @akletke1 5 years ago +1

    Great vid. I manage a private school's network with pfSense, Cisco switches, and UniFi access points and a VPN to another campus. Separating students from teachers, restricting what students can touch is the game. We'll be adding VoIP phones soon; seeing how that is set up on UniFi switches is nice. I'm so used to Cisco's command line.

    • @springbok4015
      @springbok4015 5 years ago +1

      Might want to do the same for the teachers.

    • @akletke1
      @akletke1 5 years ago

      @@springbok4015 Teachers have their own restrictions.

    • @jcnash02
      @jcnash02 5 years ago

      I hate Cisco’s command line, but their GUI is improving on the SG switches.

  • @zxcvb_bvcxz
    @zxcvb_bvcxz 5 years ago +3

    I've found the Cloud Key extremely limited - on the first one at least, MongoDB will break if you turn up the logging.

    • @peterpain6625
      @peterpain6625 5 years ago +1

      Same here. Went to a VM which is working flawlessly.

  • @QuickQuips
    @QuickQuips 4 years ago

    Ooh. Just got my SG-1100 and ER-X combo working. It's quite a solid setup for home use. Thanks for the useful reviews. Definitely will use this so my cameras are not flat with my other devices.

  • @ifscale3
    @ifscale3 5 years ago +1

    Excellent video, I really appreciate the hint on using LLDP-MED to inform the phones what VLAN to use.

    • @viaujoc
      @viaujoc 4 years ago +1

      Another way of doing that, if you don't like adding broadcast or multicast traffic to your network, such as LLDP, is to supply option 132 (named "VLAN ID") in the DHCP leases on the OFFICE interface pointing to the PHONE VLAN ID (300 in this video). This way, when an IP phone boots up, it will first get an IP address in the OFFICE (untagged) network. When the IP phone sees that an option 132 is supplied, it will immediately release that IP address, start tagging its traffic on the VLAN ID received in option 132 and make a new DHCP request on that VLAN. The nice thing about this is that the traffic that passes through the PC port at the back of the phone will remain untagged in the OFFICE network. Most IP phones on the market support VLAN configuration with DHCP option 132, it is really easy to set up. Of course, you still need to create a port profile on the switch to supply the tagged PHONE VLAN.

    • @basiliodiaz1411
      @basiliodiaz1411 4 years ago

      @@viaujoc Is this entered in the Additional BOOTP/DHCP Options section? Should it be entered as a String or Text? Is the Value format (vlanid=300)? Thanks, in advance.

    • @viaujoc
      @viaujoc 4 years ago

      @@basiliodiaz1411 It is indeed entered in the Additional BOOTP/Options section in the pfSense DHCP Server for the OFFICE interface (the interface on the untagged VLAN). It is not clearly documented how the option should be entered: as a string or an integer, with or without quotes. I guess it depends on how the phone firmware was programmed to handle that setting. In my case, I am using Yealink T4 phones and I have configured option Number 132, Type String and Value "300" (with the quotes in the field). You should check your IP phone documentation about how it handles the VLAN ID option in case this method does not work for you; many phones will support more than one format. In my case "VID=300" (still including the quotes) would probably work too.
      If you have many brands of phones on your network with different VLAN ID option requirements, you may need to configure each brand to expect a different DHCP VLAN ID option number in the phone configuration: Yealink on option 132, Cisco on option 133, Fanvil on option 130, ... This way, you may avoid struggling to produce a single format that will satisfy every brand at the same time.
      Don't forget to also tag the switch port with the Voice VLAN. This is a personal experience: I cursed for an hour trying to find a working DHCP option that would allow my phone to boot, and all that time I had forgotten to add the switch port as a tagged member on the voice VLAN.

    • @basiliodiaz1411
      @basiliodiaz1411 4 years ago

      @@viaujoc I failed to mention that the phones are Mitel 5320's. I found some information indicating to try Option 43 but failing that, to use an Option between 128-132. I'll give that a try and see what works. Thank you for your reply.

    • @viaujoc
      @viaujoc 4 years ago

      @@basiliodiaz1411 Mitel phones seem to use a single "Magic" configuration string for VLAN ID, TFTP server address and other basic settings on option 43 or 156. Some guy seems to have figured it out: unixwiz.net/techtips/mitel-ipphone-networking.html. pfSense does accept pushing option 43 in the Additional options, maybe you should try it out. In this case, because the DHCP option supplies more than the VLAN ID, you have to push it both on the OFFICE (untagged) VLAN and on the VOICE VLAN.
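
The phone-side handling of the DHCP VLAN ID option that viaujoc describes in this thread, as an added example that is not part of the thread or of any phone's firmware. It assumes the option numbers and value formats quoted in the replies above (132 for Yealink, 133 for Cisco, 130 for Fanvil; "300", quoted "300", "VID=300", "vlanid=300"); the OFFER bytes are constructed, and real phones may accept other encodings.

```python
import re

DHCP_MAGIC = b"\x63\x82\x53\x63"        # cookie that precedes the DHCP options field
OPT_PAD, OPT_END, OPT_MSG_TYPE = 0, 255, 53
# Option number each brand looks at for its VLAN ID, as listed in the reply above
# (assumption: these are the firmware defaults the commenter reports).
VLAN_OPTION_BY_BRAND = {"yealink": 132, "cisco": 133, "fanvil": 130}
# Accepts "300", "\"300\"", "VID=300", "vlanid=300" (case-insensitive), nothing else.
_VLAN_RE = re.compile(r'^"?(?:VID=|vlanid=)?(\d{1,4})"?$', re.IGNORECASE)


def parse_dhcp_options(options: bytes) -> dict:
    """Decode the code/length/value stream after the magic cookie into {code: value}."""
    if options[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    found, i = {}, 4
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        found[code] = value
        i += 2 + length
    return found


def vlan_from_option(value: bytes):
    """Extract a usable VLAN ID (1-4094) from the option value, or None."""
    match = _VLAN_RE.match(value.decode("ascii", errors="replace").strip())
    if not match:
        return None
    vid = int(match.group(1))
    return vid if 1 <= vid <= 4094 else None


def phone_boot_decision(offer_options: bytes, brand: str) -> dict:
    """What the phone does after its first, untagged DHCP exchange on the OFFICE VLAN:
    with a valid VLAN option it releases that lease and re-requests on the tagged VLAN."""
    code = VLAN_OPTION_BY_BRAND[brand]
    options = parse_dhcp_options(offer_options)
    vid = vlan_from_option(options[code]) if code in options else None
    if vid is None:
        return {"action": "keep lease, stay untagged", "vlan": None}
    return {"action": "release lease, re-DHCP tagged", "vlan": vid}


def build_offer_options(extra: dict) -> bytes:
    """Constructed OFFER options: message type 53 = OFFER (2), the extras, then END."""
    body = bytes([OPT_MSG_TYPE, 1, 2])
    for code, value in extra.items():
        body += bytes([code, len(value)]) + value
    return DHCP_MAGIC + body + bytes([OPT_END])
```

A Cisco phone looking at option 133 ignores the same OFFER, which is the brand mismatch the reply warns about.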

  • @Wilksey37
    @Wilksey37 1 year ago

    Hi Tom, apologies for questioning an old video, but I thought it pertinent. Could you please do a video explaining how you would set up an office / home environment with a network that has over 253 devices, so keeping .1 as the gateway and .255 as a broadcast, if you had 300 devices how would you configure PFSense securely to segment and talk across the networks? Thanks.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago

      If you want them all on the same network just use a /22 instead of a /24.

  • @richardcorfield9926
    @richardcorfield9926 4 years ago +1

    One challenge (I've not tried this on the Unifi yet so it may not be challenging on better kit) - IoT things like TVs and streaming players and Chromecast that want to be found by broadcast packets. I guess it means that the adults in the house need to be on the same network as these devices, but we can keep kids and guests off so they can't change what we're watching on the TV.
    I guess this is like your printers. Ours also likes broadcast but we can hand-configure IP addresses in clients if needed.

    • @richardcorfield9926
      @richardcorfield9926 4 years ago

      Looks like I need an mDNS repeater - yay for more standardised network protocols rather than the pick-some-port-and-code-it we had in the 90s when I was coding these things.

  • @LordHog
    @LordHog 5 years ago +1

    Would it be beneficial to get a Ubiquiti Edge Switch (ES-16-150W) instead of a Ubiquiti UniFi Switch? What are the pros and cons?

  • @vadim282
    @vadim282 5 years ago +4

    Exactly what I'm doing for my customers ))) Good job bro!

  • @thespecialist75
    @thespecialist75 1 year ago

    So I followed this guide, as I am new to UI but not pf/opn, but I can't connect to an IoT SSID now.

  • @CrankyCoder
    @CrankyCoder 5 years ago +3

    Really liked this one! Big fan of pfSense and was happy to see pfSense tied in with something as nice as the Ubiquiti stuff.


  • @dominiquerichardson
    @dominiquerichardson 5 years ago +1

    You mentioned that the USG doesn't have all the features needed in the firewall rules. Could you use the USG Pro?

  • @Fisher1374
    @Fisher1374 4 years ago +1

    Hey Tom, thanks for all of the help! I am setting up a SOHO network now with a Netgate SG-3100 and UniFi AP and have had trouble finding the right guides for getting it set up (I am fairly new to all of this). Is there any way you'd be able to organize a playlist from the videos you have for getting pfSense set up in a manner that would be useful for a home office/small business?

  • @brandonbolla9937
    @brandonbolla9937 8 months ago

    With all these VLANs, cross-talk packets must go back to the router, right?
    If I am moving a large file from device A to device B, will that go back to the router to change VLANs?
    How often would one need to worry about saturating the GB link?

  • @francismori7
    @francismori7 5 years ago +5

    Would you do the same network but with a regular USG? Or the USG Pro?

    • @cfgdr3
      @cfgdr3 5 years ago +5

      I second that request. For my USG (using Unifi) it's easy to set up the different networks/VLANs. I can segregate all of the different networks, but I can't seem to grasp which way to set up the firewall rule to block the IOT VLAN from communicating with other VLANs, while allowing the OFFICE VLAN to initiate a connection to an IOT device. I either have to allow all access both ways (in essence having no firewall), or block all inter-VLAN communication.
      Help with (or a guided video) setting up the IOT rule, AND setting up the RFC1918 profile would put a lot of us Unifi junkies at ease.
      I did find the part where Tom set up the port profiles extremely simple the way he did it. Thanks Tom for all that you do.

    • @sitte24
      @sitte24 5 years ago +1

      Take a look at the videos from Crosstalk Solutions, I think he did show the config at least in one of his videos

    • @cfgdr3
      @cfgdr3 5 years ago +1

      @@sitte24 I saw that video, but he uses the EdgeRouter (EdgeMax controller) for the segregation. I just wasn't able to follow along on my USG (Unifi controller.) They are similar, but the way to setup the firewall rules is different. Also, I don't know how to set up the RFC1918 rule.

    • @markloughtonUK
      @markloughtonUK 5 years ago +2

      I would also love to see the same setup using a USG. It makes me nervous that he didn't use one. I have a unifi network (switches and WAPs) but haven't decided what firewall to buy yet.

    • @ppetrix
      @ppetrix 5 years ago

      Yes please Tom do the USG. Thank you for your videos.

  • @woxit6107
    @woxit6107 3 years ago

    Thanks for the time and effort.

  • @mattviverette
    @mattviverette 2 years ago

    Wouldn't you want to block SSH to the firewall from the VLANs, instead of just 10443. I assume SSH would be preferable to HTTPS for trying to access the firewall from a compromised device in the VLAN. (Maybe you don't have SSH enabled on the firewall.)

  • @MadMike78
    @MadMike78 4 years ago +1

    I'm new at this and had a question about the Office VLAN for computers and the phones. How does the switch know which device to issue out an IP address to? I see you have it plugged into one port but the phone and the computer get two different IP addresses. I understand you have VLANs set up but I don't know how the switch knows which device is asking for an IP.

    • @luckbeforeleap
      @luckbeforeleap 4 years ago +1

      Ethernet frames sent by the phone to the switch will include a VLAN tag, but frames sent from the laptop to the switch will not.
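
The mechanism behind mziminski's question earlier in the thread (how the switch knows a phone is a phone) and MadMike78's question here (why two devices on one port land in two networks), as an added example that is not code from the video or from UniFi. It encodes and decodes the LLDP-MED Network Policy TLV (TIA-1057: organizationally specific TLV type 127, OUI 00-12-BB, subtype 2) and classifies 802.1Q-tagged versus untagged frames on one port; the MAC addresses, the native VLAN number and the allowed-VLAN set are constructed.

```python
import struct

LLDP_ORG_TLV = 127                 # organizationally specific TLV type
MED_OUI = b"\x00\x12\xbb"          # TIA OUI used by LLDP-MED
MED_NETWORK_POLICY = 0x02          # LLDP-MED subtype: Network Policy
APP_VOICE = 1                      # application type: Voice
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_network_policy_tlv(vlan_id: int, l2_priority: int = 5, dscp: int = 46,
                             app_type: int = APP_VOICE) -> bytes:
    """Policy word layout: app(8) U(1) T(1) X(1) VLAN(12) L2 priority(3) DSCP(6).
    U=0: policy is defined; T=1: the phone must send 802.1Q-tagged frames."""
    if not (1 <= vlan_id <= 4094 and 0 <= l2_priority <= 7 and 0 <= dscp <= 63):
        raise ValueError("policy field out of range")
    word = (app_type << 24) | (1 << 22) | (vlan_id << 9) | (l2_priority << 6) | dscp
    info = MED_OUI + bytes([MED_NETWORK_POLICY]) + struct.pack(">I", word)
    header = (LLDP_ORG_TLV << 9) | len(info)   # LLDP TLV header: type(7) length(9)
    return struct.pack(">H", header) + info


def parse_network_policy_tlv(tlv: bytes) -> dict:
    """Decode what the phone reads from the switch's LLDPDU."""
    (header,) = struct.unpack_from(">H", tlv, 0)
    tlv_type, length = header >> 9, header & 0x1FF
    info = tlv[2:2 + length]
    if tlv_type != LLDP_ORG_TLV or len(info) != 8 or info[:3] != MED_OUI \
            or info[3] != MED_NETWORK_POLICY:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    (word,) = struct.unpack_from(">I", info, 4)
    return {
        "app_type": word >> 24,
        "unknown": bool(word >> 23 & 1),
        "tagged": bool(word >> 22 & 1),
        "vlan_id": word >> 9 & 0xFFF,
        "l2_priority": word >> 6 & 0x7,
        "dscp": word & 0x3F,
    }


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: int = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; an 802.1Q tag is inserted after the MACs when vlan_id is set."""
    tag = b"" if vlan_id is None else struct.pack(">HH", ETHERTYPE_8021Q, (pcp << 13) | vlan_id)
    return dst + src + tag + struct.pack(">H", ethertype) + payload


def classify_frame(frame: bytes, native_vlan: int, allowed_tagged: set) -> dict:
    """Switch ingress decision: tagged frames go to the VLAN in the tag if the port is
    a tagged member of it, untagged frames go to the port's native (untagged) VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack_from(">H", frame, 12)
    if ethertype != ETHERTYPE_8021Q:
        return {"vlan": native_vlan, "tagged": False, "dropped": False}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, _inner_ethertype = struct.unpack_from(">HH", frame, 14)
    vid = tci & 0x0FFF
    if vid not in allowed_tagged:   # port is not tagged for that VLAN: frame is discarded
        return {"vlan": None, "tagged": True, "dropped": True}
    return {"vlan": vid, "tagged": True, "dropped": False}


def port_demo(native_vlan: int = 10, voice_vlan: int = 300) -> dict:
    """One port with OFFICE as native VLAN and the voice VLAN tagged; a phone and the PC
    on its pass-through jack share it. MACs are constructed, locally administered."""
    phone_mac, pc_mac, gw_mac = (b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02",
                                 b"\x02\x00\x00\x00\x00\x03")
    # 1. Switch advertises the policy; the phone parses it and tags with that VLAN/priority.
    policy = parse_network_policy_tlv(build_network_policy_tlv(voice_vlan))
    phone_frame = build_frame(gw_mac, phone_mac, ETHERTYPE_IPV4, b"rtp",
                              policy["vlan_id"], policy["l2_priority"])
    # 2. The PC behind the phone knows nothing about VLANs and sends untagged.
    pc_frame = build_frame(gw_mac, pc_mac, ETHERTYPE_IPV4, b"http")
    voice_port, plain_port = {voice_vlan}, set()
    return {
        "phone": classify_frame(phone_frame, native_vlan, voice_port)["vlan"],
        "pc": classify_frame(pc_frame, native_vlan, voice_port)["vlan"],
        # 3. Same phone on a port never tagged for the voice VLAN: its frames are dropped.
        "phone_on_untagged_only_port": classify_frame(phone_frame, native_vlan, plain_port)["vlan"],
    }
```

The third result is the failure viaujoc describes further up: a port profile that carries the voice VLAN untagged-only silently drops the phone's tagged frames.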

  • @bennettgould5546
    @bennettgould5546 3 years ago +1

    Can you do a video like this, but address VLANs by MAC address and or port and MAC VLANs on the same network?

  • @TRD_2zz
    @TRD_2zz 1 year ago

    Why have the source as IOTcrap net on the (Block Firewall Web Access) rule and as (any) on the other networks?

  • @asdf51501
    @asdf51501 3 years ago +1

    I suppose another way to do it would be to have a LAN, a WAN, outside access rules, and then point to a layer 3 switch on the internal LAN which can route, create VLANs, ACLs and so forth.

  • @Daniel-ud6od
    @Daniel-ud6od 5 years ago +2

    Where do you put the printers (and stuff like that)?? I used to put them on a separate VLAN and only allow access to the print server/SMTP for scan.

  • @NinoM4sterChannel
    @NinoM4sterChannel 5 years ago

    Also a good reason to set the static IPs manually on each device is that if the router (DHCP server) ever goes down, they can still talk to each other. I did that with my servers at home. The rest of the devices are managed by the DHCP server.

  • @martincerveny2284
    @martincerveny2284 4 years ago +1

    7:40 Yes! And that's why I hate UDM Pro :-) Anything like this config would be too complicated there.

  • @IamDoQtorNo
    @IamDoQtorNo 6 months ago

    Howdy. I appreciate your videos. I'm late to the party. I have a Protectli with pfSense on it. And a TP-Link TL-SG1024DE behind it. At this point I think I want/need 5 or 6 VLANs. Would you recommend having pfSense control the VLANs and trunk to the TP-Link switch OR have the switch handle the VLANs?

  • @stevenmishos
    @stevenmishos 3 years ago

    Interesting detail I hadn't observed before this walk-through is pfSense firewall rules are created/applied per interface. My experience is with Checkpoint and it's not the case there (at least it wasn't the case 10 years ago).

  • @rider275
    @rider275 2 years ago +1

    I have been looking for an example that I can use in my home lab. My goal is to replicate a similar network topology for professional development. Thanks!

  • @SimpleFlyTech
    @SimpleFlyTech 5 years ago +3

    Weird seeing a camera's link state at 1gbps.. Good work!

    • @sitte24
      @sitte24 5 years ago +1

      It sure is weird because it is not needed, even with the 4k resolution. But hey it looks nice

  • @ElementGeekium
    @ElementGeekium 3 years ago

    Am I reading it wrong, or are his rules backwards? E.g. the PASS action being used with source of guest and destination of all other networks.. that would allow the guest network to communicate with devices on other networks rather than block it, no? I haven't got much experience with pfSense so perhaps there's something I'm missing here. Is it the "Invert Match" option that makes this valid?
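
A small model of the pfSense rule semantics that several comments in this thread turn on (adrianvesnaver on the default deny, cfgdr3 on letting OFFICE reach IOT but not the reverse, mattviverette on SSH, and the "Invert Match" question above), as an added example that is not code from the video or from pfSense. The interface names, subnets and hosts are constructed; only port 10443 is taken from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet enters the firewall on
    src: str
    dst: str
    dport: int
    sport: int = 0
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    src_nets: Optional[list] = None      # None = any source
    dst_nets: Optional[list] = None      # None = any destination
    dst_invert: bool = False             # pfSense "Invert Match" on the destination
    dport: Optional[int] = None          # None = any destination port

    def matches(self, p: Packet) -> bool:
        src_ok = self.src_nets is None or any(ip_address(p.src) in n for n in self.src_nets)
        if self.dst_nets is None:
            dst_ok = True
        else:
            in_dst = any(ip_address(p.dst) in n for n in self.dst_nets)
            dst_ok = not in_dst if self.dst_invert else in_dst
        port_ok = self.dport is None or self.dport == p.dport
        return src_ok and dst_ok and port_ok


class Firewall:
    """Rules are bound to the interface traffic arrives on, as in pfSense."""

    def __init__(self, rules_by_iface: dict):
        self.rules = rules_by_iface
        self.states = set()   # (proto, client, server, server_port) of allowed flows

    def evaluate(self, p: Packet) -> tuple:
        # 1. Stateful: a reply to an already-allowed flow passes without consulting
        #    rules, so OFFICE -> IOT works even though IOT cannot initiate to OFFICE.
        if (p.proto, p.dst, p.src, p.sport) in self.states:
            return "pass", "existing state"
        # 2. First matching rule on the ingress interface wins.
        for rule in self.rules.get(p.iface, []):
            if rule.matches(p):
                if rule.action == "pass":
                    self.states.add((p.proto, p.src, p.dst, p.dport))
                return rule.action, "rule"
        # 3. Nothing matched: pfSense's implicit default deny on every interface.
        return "block", "default deny"


def build_demo_firewall(with_webui_block: bool = True, invert: bool = True) -> Firewall:
    iot_net = [ip_network("192.168.60.0/24")]     # constructed IOT VLAN
    fw_iot_ip = [ip_network("192.168.60.1/32")]   # firewall's address on that VLAN
    iot_rules = []
    if with_webui_block:  # the video's "Block Firewall Web Access" rule, source IOT net
        iot_rules.append(Rule("block", src_nets=iot_net, dst_nets=fw_iot_ip, dport=10443))
    # "Allow everything except private networks": RFC1918 destination with Invert Match
    iot_rules.append(Rule("pass", src_nets=iot_net, dst_nets=RFC1918, dst_invert=invert))
    return Firewall({"OFFICE": [Rule("pass")], "IOT": iot_rules})


def run_scenarios() -> dict:
    """Verdicts for the flows the thread argues about (constructed addresses)."""
    fw = build_demo_firewall()

    def verdict(iface, src, dst, dport, sport):
        return fw.evaluate(Packet(iface, src, dst, dport, sport))[0]

    out = {
        "iot_to_internet": verdict("IOT", "192.168.60.20", "203.0.113.10", 443, 40000),
        "iot_to_lan_host": verdict("IOT", "192.168.60.20", "192.168.1.10", 445, 40001),
        "iot_to_fw_webui": verdict("IOT", "192.168.60.20", "192.168.60.1", 10443, 40002),
        "iot_to_fw_ssh": verdict("IOT", "192.168.60.20", "192.168.60.1", 22, 40003),
        # OFFICE opens a connection to an IOT device; the reply arrives on IOT.
        "office_to_iot": verdict("OFFICE", "192.168.10.5", "192.168.60.20", 80, 50000),
        "iot_reply_to_office": verdict("IOT", "192.168.60.20", "192.168.10.5", 50000, 80),
    }
    # Forgetting "Invert Match" turns the pass rule into "allow only private networks".
    loose = build_demo_firewall(invert=False)
    out["iot_to_lan_without_invert"] = loose.evaluate(
        Packet("IOT", "192.168.60.20", "192.168.1.10", 445, 40004))[0]
    return out


def webui_block_rule_is_redundant() -> bool:
    """With the inverted RFC1918 pass rule, the explicit web UI block changes nothing:
    the firewall's private address is already caught by the default deny."""
    probe = Packet("IOT", "192.168.60.20", "192.168.60.1", 10443, 40005)
    with_rule = build_demo_firewall(with_webui_block=True).evaluate(probe)[0]
    without_rule = build_demo_firewall(with_webui_block=False).evaluate(probe)[0]
    return with_rule == without_rule == "block"
```

The SSH scenario shows why the explicit web UI rule is not what protects port 22: the inverted RFC1918 pass rule simply never matches a private destination, so the default deny catches it.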

  • @oorcinus
    @oorcinus 3 years ago

    Isn’t there a limit to 4 or 8 SSIDs per AP? And doesn’t the throughput drop dramatically the more SSIDs you create, due to all the beaconing? How smart is it to create a ton of SSIDs, one per VLAN, and is there a way around it?

  • @Trevor_Green
    @Trevor_Green 5 years ago

    What would you propose for multiple cameras? A PoE switch on the port you set up for the camera in your example (like a dumb PoE switch extending that 1 port) or map more ports on the smart switch?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 5 years ago

      Ideally, mapping more ports on the smart switch.

  • @Crazy--Clown
    @Crazy--Clown 2 years ago

    Great vid, especially explaining LLDP.

  • @JB-tz9pi
    @JB-tz9pi 3 years ago

    Hey Tom. I'm not quite tracking what you're saying about the port 443 that you changed to 10443. Where is it assigned by default in the settings? There's so much to learn. It's overwhelming but I'm getting there. Thanks for your videos. Hopefully I get a nice segmented network going on at home.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago

      You do that here: docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html

  • @peters8858
    @peters8858 2 years ago

    Hi Tom - Thanks for doing all the great content you create and sharing it with the community. I'd like to ask / request if you'd be willing to do a video for your followers on how to get Sonos set up on a separate VLAN to your controllers and get the connectivity working between them using tools on pfSense like Avahi or PIMD? I'm transitioning a home network away from a basic configuration to a more secure network design ahead of 1GbE fibre being installed later in the year and would like to get all these elements created. I'm using a Netgate 4100 Base with a Ubiquiti UniFi 24 PoE switch, two Ubiquiti UniFi U6 Pros, several Ubiquiti USW Mini Flexes and several G4 Bullet cameras communicating to a Cloud Key Gen 2 Plus. I've got most of what I want in place but the Sonos VLAN to controller VLAN connectivity is the last part I'd like to get working. Any advice would be very helpful. Best wishes from Perthshire in Scotland!

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago +1

      Newer Sonos systems do not work properly across VLANs like the older ones do.

    • @peters8858
      @peters8858 2 years ago

      @@LAWRENCESYSTEMS I appreciate you reaching out and replying. In this circumstance, what would you recommend as a viable alternative? Perhaps setting up a dedicated tablet on the same VLAN, thus negating the need to have the controller / devices trying to traverse the VLANs?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago +1

      @@peters8858 I have a video on building pfSense home firewall rules ruclips.net/video/bjr0rm93uVA/видео.html and your phone is an IoT device.

  • @dadson1996
    @dadson1996 3 years ago

    How would one handle a single pfSense with multiple NICs aggregated to multiple UniFi switches (where cross-switch LACP is not possible)?

  • @m.m.m.c.a.k.e
    @m.m.m.c.a.k.e 2 years ago

    Thanks bro, you are a great presenter

  • @lanceeilers5061
    @lanceeilers5061 5 years ago

    Cool, thanks a bunch Tom. Yes, there are additional features one can add in pfSense like pfBlocker, Snort, VPN, adding it to a Zabbix server for monitoring, running virtualized etc., but great for home use as is... keep smiling and have a great one :-)

  • @nvelopd
    @nvelopd 5 years ago +2

    Yes please do Untangle!

  • @rammartinez6873
    @rammartinez6873 4 years ago +1

    Hi Tom! Thank you so much for the video. I would like to know how you were able to get 2500baseT speed/duplex for the LAN network?
    EtherChannel?
    Thanks again

    • @viaujoc
      @viaujoc 4 years ago +1

      The SG-3100 is connected internally to the switch at the back at 2.5GBase-T.
      Here is the description from the Netgate web site:
      2x 1GbE, configured as dual WAN or one WAN one LAN
      four-port 1 gbps Marvell 88E6141 switch, uplinked at 2.5 gbps to the third port on the SoC for LAN.
      So, in reality, the pfSense "PC" inside the SG-3100 box has only 3 physical ports: two at 1Gbps that are exposed as RJ45 connectors at the back (WAN and OPT1) and one 2.5Gbps connected by the circuit board to a Marvell switch, which exposes four 1Gbps RJ45 ports (LAN1 to LAN4).

  • @fudgemelons
    @fudgemelons 4 years ago +1

    Hi! Thanks for the video.
    I noticed that you put an explicit block rule in the firewall configs for "This firewall" over all interfaces... I thought it was block by default?
    In my personal setup I have an alias called "PrivateNetworks" consisting of "192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8". All of my interfaces are in the 192.168 range, and my allow rules all say "Destination !PrivateNetworks". Above these allow rules I configure any rules that hit nodes on the private network / across subnets. Is this sufficient? I'm pretty new to writing my own firewall rules.

  • @AlbertChen777
    @AlbertChen777 4 years ago +1

    Do you have any suggestions for the performance degradation when an AP hosts multiple SSIDs?
    Having LAN, Guest and IoT, that is 3 vSSIDs.

  • @rickhernandez2114
    @rickhernandez2114 2 years ago

    Question:
    I see the physical ports lan2, lan3, lan4 are empty. Would it not be a little better to have those other networks physically on separate links? Even maybe just the IoT network.

  • @jeffluongo7103
    @jeffluongo7103 5 years ago

    Liked the video. Would have liked to see what the UniFi dashboard looked like with the pfSense appliance matched up with the UniFi switch and AP.

    • @EciOwnsYou
      @EciOwnsYou 5 years ago

      It doesn't show anything. It only shows UniFi hardware, otherwise blank.

  • @finitevoid4520
    @finitevoid4520 5 years ago +1

    Great video; how would you handle EPOS?

  • @Saywhatohno
    @Saywhatohno 2 years ago

    Is there a course we can take to learn how to set up a small business network?

  • @Setola
    @Setola 5 years ago +3

    Do you (anybody else is welcome too :)) know which of these configurations are not feasible with a UniFi USG, both in the UI and by CLI?

    • @springbok4015
      @springbok4015 5 years ago +2

      All the router/firewall configurations shown here can be done through the USG UniFi GUI.

  • @verdedenim662
    @verdedenim662 1 year ago

    Just curious if you could 'consult' on the creation of a SOHO network setup?

  • @DJKidNyce
    @DJKidNyce 5 years ago +1

    Everything looks great. Had a few questions.
    Once you set up the VLANs in pfSense, do they automatically show up in the UniFi switch?
    Regarding the UniFi Protect network, wouldn't blocking the cameras from accessing the internet block firmware updates when they become available, or would it try and pull the update from UniFi Protect?
    Worst case scenario, someone disconnects the switch from the pfSense box and plugs it into their PC or Raspberry Pi. Would they have access to all VLANs if they make it appear they are a switch?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  5 years ago +3

      As I said in the video, you need to create them both on the pfSense and in UniFi. The NVR is pushing the firmware updates, so as long as it has internet access it will push them to the camera. If someone has physical access, they can move whatever port they want.

  • @wdahoi3153
    @wdahoi3153 1 year ago

    This is a nice pfSense VLAN+FW demo.
    Under FW Rules > IoTcrap: Why is there a GREEN CHECKMARK PASS allowing the PrivateNetworks alias???
    Shouldn't it be a RED X for block? Is this a doozy of a mistake, or what am I missing?

  • @bof0079
    @bof0079 4 years ago +1

    Any chance you could do this but with Untangle?

  • @atthasabi4554
    @atthasabi4554 2 years ago

    Hi, thank you for this tutorial. I have a question: how can I make the LAN and VLAN communicate? (I have a printer on the LAN) and I want to access it or print from a laptop on the VLAN.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  2 years ago

      Via the firewall rules ruclips.net/video/bjr0rm93uVA/видео.html

  • @mazemakes
    @mazemakes 5 years ago +2

    Very good video! It left me wondering: could a port be set up in a way that anything plugged into it gets on the guest network, but if I plug in my laptop, based on the MAC address it gets on the regular LAN? (I know this is not secure, but it would be convenient in some cases.)

    • @airdropbeats8434
      @airdropbeats8434 5 years ago

      Short answer is yes. There are multiple network access control (NAC) systems that do dynamic VLANs based on a predefined setup. This will in most cases increase the security of your network, if set up the right way.

    • @sitte24
      @sitte24 5 years ago +2

      You just need a RADIUS server, enable RADIUS on the LAN and RADIUS-assigned VLANs in UniFi. Then devices can authenticate themselves either by MAC (a little insecure, as you mentioned) or, if the devices support 802.1X, they can authenticate themselves with their own credentials (a laptop should be capable of this feature; for Windows you will need at minimum the Pro version and activate the feature first). For guest devices you can set up a fallback VLAN with its own firewall rules if the RADIUS authentication fails. That would be comfortable and secure, but it's more work in the beginning.
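      The RADIUS-assigned VLAN approach described in this thread, as an added example that is not part of the video or of any commenter's setup: a toy authorization policy that returns the three RFC 3580 tunnel attributes a switch uses to place a port in a VLAN (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = VLAN ID), handling 802.1X credentials, MAC authentication bypass, and the fallback guest VLAN when authentication fails. The user and device tables, VLAN numbers, and the assumption that the switch maps an Access-Reject to a guest VLAN are all constructed for illustration; a real deployment would back this with FreeRADIUS or similar and a directory.

```python
"""Toy RADIUS VLAN-assignment policy (added example, not from the video or thread).

Attribute names/values are the standard ones from RFC 3580 / RFC 2868; the user
store, MAC list, VLAN numbers and the switch fallback behaviour are assumptions.
"""
import re
from typing import Dict, Optional, Tuple

TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type value for 802 media

# Constructed directories (in practice: LDAP/AD or the RADIUS server's user store).
DOT1X_USERS: Dict[str, Tuple[str, int]] = {"alice": ("correct horse battery", 10)}
MAB_DEVICES: Dict[str, int] = {"aa:bb:cc:dd:ee:ff": 40}   # e.g. a printer, MAC -> VLAN
GUEST_VLAN = 90               # assumed switch-side fallback VLAN on Access-Reject


def normalize_mac(mac: str) -> Optional[str]:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff', 'AABBCCDDEEFF' ...; return
    'aa:bb:cc:dd:ee:ff', or None if the string is not a 48-bit MAC."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vlan_attributes(vlan_id: int) -> Dict[str, object]:
    """The attribute triple a switch expects in an Access-Accept (RFC 3580 s.3.31)."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def authorize(request: Dict[str, str]) -> Tuple[str, Dict[str, object]]:
    """Decide Access-Accept/Access-Reject for one Access-Request.

    request carries the usual attributes: User-Name, optional User-Password,
    and Calling-Station-Id (the supplicant's MAC as seen by the switch).
    """
    user = request.get("User-Name", "")
    calling = normalize_mac(request.get("Calling-Station-Id", "")) or ""

    # MAC authentication bypass: the switch sends the MAC as the identity.
    # This trusts a claimed MAC, which anyone can spoof, hence "a little insecure".
    mab_identity = normalize_mac(user)
    if mab_identity is not None and mab_identity == calling and calling in MAB_DEVICES:
        return "Access-Accept", vlan_attributes(MAB_DEVICES[calling])

    # 802.1X style: a real identity plus a credential (EAP in practice).
    entry = DOT1X_USERS.get(user)
    if entry is not None and request.get("User-Password") == entry[0]:
        return "Access-Accept", vlan_attributes(entry[1])

    return "Access-Reject", {}


def port_vlan(response: Tuple[str, Dict[str, object]]) -> int:
    """What the switch does with the answer: use the assigned VLAN on accept,
    drop the port into the guest VLAN on reject (assumed switch behaviour)."""
    code, attrs = response
    if code == "Access-Accept":
        return int(str(attrs["Tunnel-Private-Group-Id"]))
    return GUEST_VLAN


if __name__ == "__main__":
    laptop = {"User-Name": "alice", "User-Password": "correct horse battery",
              "Calling-Station-Id": "11-22-33-44-55-66"}
    printer = {"User-Name": "AABBCCDDEEFF", "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"}
    stranger = {"User-Name": "00-11-22-33-44-55", "Calling-Station-Id": "00-11-22-33-44-55"}
    for name, req in (("laptop", laptop), ("printer", printer), ("stranger", stranger)):
        print(name, "->", authorize(req), "port VLAN", port_vlan(authorize(req)))
```

      The one thing to keep in mind when reading the code: the VLAN is chosen by the RADIUS server, but the enforcement point is the switch port, so a device that is rejected lands wherever the switch's fallback points, which is why the guest VLAN needs its own restrictive firewall rules on pfSense.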

  • @pepeshopping
    @pepeshopping 5 years ago +1

    Printers do not go out and discover devices on the network. They provide mDNS (Bonjour) so the DEVICES can find the printer through multicast.
    Trivial to get them to work across subnets (Avahi).

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  5 years ago +3

      The ones that do work that way are easy, but that is not true of all printers.

    • @nemisis010
      @nemisis010 5 years ago +1

      @@LAWRENCESYSTEMS Especially the usual cheapo bubblejets that most households use.

    • @viaujoc
      @viaujoc 4 years ago +1

      Old networked Lexmark printers used to be very chatty with broadcast traffic and disliked being in a different subnet than the PC sending the print job. I even saw network printers that did not even have the ability to configure a default gateway, so everything had to be in the same subnet... or you would have to create very odd NAT rules in the firewall in order to make the printer believe that the print job was coming from its own subnet.

  • @ianbird6997
    @ianbird6997 1 year ago

    Nice one Lawrence 👍

  • @johnmcquay82
    @johnmcquay82 4 years ago

    While I do get why some people often pick up on blocking addresses normally associated with internal LAN addresses, there's another thing to bear in mind: ISPs are now starting to use CGNAT, so you're going to see "internal" IPs on some WAN connections.
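    The "Destination !PrivateNetworks" pattern from the fudgemelons comment above and the CGNAT point in this comment, worked through as an added example that is not code from the video or from any commenter: a small model of pfSense-style first-match rule evaluation (top-down, first matching rule wins, implicit default deny when nothing matches) with an RFC 1918 alias and the "invert match" that the "!" stands for. The interface addresses, VLAN subnet, rule names and sample flows are constructed; the point it lets you check is which flows an invert-match pass rule actually admits, including that a 100.64.0.0/10 (RFC 6598, CGNAT) address is not covered by an alias built only from the three RFC 1918 ranges.

```python
"""Model of pfSense first-match rule evaluation (added example, not from the
video or the thread).  Alias contents follow the commenter's description;
the IoT subnet, firewall address and rule names are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# The alias as described in the thread: the three RFC 1918 ranges.
PRIVATE_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space used by ISPs for CGNAT; NOT part of the alias above.
CGNAT = ip_network("100.64.0.0/10")

IOT_SUBNET = ip_network("192.168.30.0/24")          # assumed IoT VLAN
THIS_FIREWALL_ON_IOT = [ip_network("192.168.30.1/32")]  # assumed interface address


def in_alias(addr: str, alias: List) -> bool:
    """True if addr falls inside any network of the alias."""
    a = ip_address(addr)
    return any(a in net for net in alias)


@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "block"
    src: Optional[List] = None       # list of networks; None means "any"
    dst: Optional[List] = None       # list of networks; None means "any"
    dst_invert: bool = False         # pfSense "Invert match", the "!" in the thread
    dst_port: Optional[int] = None   # None means any port

    def matches(self, src: str, dst: str, port: int) -> bool:
        if self.src is not None and not in_alias(src, self.src):
            return False
        # With invert set, the rule matches only when dst is OUTSIDE the alias.
        if self.dst is not None and in_alias(dst, self.dst) == self.dst_invert:
            return False
        if self.dst_port is not None and port != self.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, str]:
    """Top-down, first match wins; no match means the implicit default deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action, rule.name
    return "block", "default deny"


# Constructed IoT-interface ruleset in the style the thread describes:
# specific cross-subnet/firewall rules first, then the invert-match "internet only" pass.
IOT_RULES = [
    Rule("allow DNS to this firewall", "pass", src=[IOT_SUBNET],
         dst=THIS_FIREWALL_ON_IOT, dst_port=53),
    Rule("block this firewall", "block", src=[IOT_SUBNET], dst=THIS_FIREWALL_ON_IOT),
    Rule("allow internet only", "pass", src=[IOT_SUBNET],
         dst=PRIVATE_NETWORKS, dst_invert=True),
]

if __name__ == "__main__":
    for dst, port in (("8.8.8.8", 443), ("192.168.1.10", 445),
                      ("192.168.30.1", 53), ("192.168.30.1", 443), ("100.64.12.3", 443)):
        print(f"192.168.30.50 -> {dst}:{port}", evaluate(IOT_RULES, "192.168.30.50", dst, port))
```

    Running it shows the invert-match pass admitting 8.8.8.8 and also 100.64.12.3, while a LAN host in 192.168.1.0/24 falls through to default deny; whether the CGNAT case matters depends on what, if anything, sits at such an address from your network's point of view, which is the practical side of the point made above.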

  • @msofronidis
    @msofronidis 1 year ago

    Excellent presentation of a very powerful tool ready to be used by a SOHO user/admin. I would also like to ask a question, if anyone knows. Can I set up any LAN port on a Netgate 2100 or 4100 as WAN for VPN failover? Thank you in advance to anyone who knows.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS  1 year ago

      The ports can be assigned to different purposes.

  • @abdraoufx
    @abdraoufx 5 years ago

    An extra measure for the outdoor camera would be preventing MAC address changes. Does the Ubiquiti switch support this?

    • @jcnash02
      @jcnash02 5 years ago +1

      Abdrouf, yes. It was near where he showed the LLDP-MED stuff.

    • @abdraoufx
      @abdraoufx 5 years ago

      @@jcnash02 Awesome. Do you know if it also supports private VLANs (port isolation)?

  • @bjre.wa.8681
    @bjre.wa.8681 3 years ago

    I'm not quite as experienced with network design as most of the followers. What's been confusing me is: what software are you using for developing the network? Is it, say, MS Server 2019? I'm just not seeing what is going on here.

  • @joebleed
    @joebleed 5 years ago

    I'm a bit late to finishing this video, though I'm not completely through yet. Is there any reason you're not doing the routing in the switch vs. pfSense? It doesn't look like you're doing a lot of rule sets in this case. Or is that switch not capable? I've recently started looking for a decent L3 managed switch with PoE for my home use. The ones we use at work are very expensive, and maybe that's why. I'm seeing different levels of managed PoE switches in my searching. I've messed with a couple of other brands, but still no UniFi.

  • @jitendrakhairnar8152
    @jitendrakhairnar8152 3 years ago

    What do you do for a living?

  • @3waver
    @3waver 4 years ago +1

    A similar Untangle video would be great!
