On the surface, my TP-Link T2600G-28TS v3 managed switch appears to have everything that I would expect to have for some intermediate networking in the home. Most of my complaints with the device, to date, have been minor, such as the idle time-out having a max of 120 seconds. So annoying. But, for the most part, it has been quietly doing its job, almost without issue, for a couple of years now.
I recently replaced my Verizon G1100 FiOS router with a pfSense router built out of an old PC. The specs are wonderful for a router on a 300Mbps ISP link, but it is so old that the CPU does not support AES-NI. Not a big deal, as I am not planning on building any VPNs any time soon. I was going to use OPNsense for this router, but there are far more resources available on how to configure pfSense, including this awesome video by Tom Lawrence:
Thank you, Tom. I’ve been watching your videos for years now and you’ve taught me a ton.
Further, I am loosely following this three-part blog post on how to segment and secure your home network, with pfSense at the core. I think that seven subnets is probably overkill at this point. I am currently sitting at four:
Well, three, really. I still need to set up the Management VLAN/subnet (see end of post). Once Tom walked me through getting my VLANs created on the pfSense, it was time to turn to the TP-Link switch. Up until this point, I had been running a typical flat network, all on a single VLAN, and that VLAN being VLAN1. I now needed to tackle the management end of this managed switch. Having worked as a Network Engineer for a couple of decades, I was expecting this to be a walk in the park. On Cisco IOS, a trunk to an AP or router and an access port for a single device are two lines each (the VLAN list takes no spaces after the commas):
! trunk port carrying the three VLANs, 802.1Q tagged
switchport mode trunk
switchport trunk allowed vlan 10,25,68
! access port: one device, one VLAN, no tags on the wire
switchport mode access
switchport access vlan 10
Right? How hard could it be? Sheesh! Turns out, TP-Link is not at all like Cisco. I knew that I wanted 802.1Q VLANs, but what really is the difference between Tagged and Untagged? What the heck is PVID? And a million other questions emerged once I started diving in.
I managed to get the Unifi APs working. Seems that Tagged is used on “trunks”, as there are no trunks on the TP-Link: a port that has to carry several VLANs is left in General mode and each of those VLANs is added as Tagged, which means frames leave the port with their 802.1Q header intact so the AP can map each SSID to its VLAN. Anything the AP sends untagged (its own management traffic, unless the AP has been given a management VLAN) lands in whatever the port's PVID is, which on this switch is VLAN 1 by default. This is a working configuration for one of the Unifi APs:
interface gigabitEthernet 1/0/11
switchport general allowed vlan 10,25,68 tagged
So, if Tagged is for trunks, how about access ports? Untagged, right?
Now, don’t be hasty, Master Meriadoc.
It took a fair bit of reading to get this working, which is why I am documenting it here. This is a working configuration for an access port in the untrusted VLAN:
switchport general allowed vlan 25 untagged
no switchport check ingress
switchport pvid 25
no switchport general allowed vlan 1
Honestly, I am not sure about that ingress business, but this config allowed the Nintendo Switch to get an IP address in the correct subnet, so I am including it. Line by line: Untagged membership in VLAN 25 means frames for that VLAN leave the port with the tag stripped, which is what a device with no idea about VLANs expects; PVID 25 means the untagged frames the console sends are placed into VLAN 25; removing the port from VLAN 1 keeps it out of the old flat network. The odd one is `no switchport check ingress`. Ingress checking, when enabled, makes the port drop arriving tagged frames whose VLAN the port is not a member of; with it disabled, a device on this untrusted port that tags its own frames with VLAN 10 could have them forwarded into the trusted VLAN. Since the Nintendo Switch only ever sends untagged frames, it should never trip ingress checking, so it is worth retesting with that line removed (ingress checking is the default) and keeping the check on for anything that lives on the Untrusted side. But, based on this, I added a few more devices to the Untrusted/IoT subnet. WAAHOO!! I’m learning the computer!
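To make Tagged, Untagged, PVID and ingress checking concrete, here is a small model of how an 802.1Q switch port classifies an arriving frame and rewrites it on the way out, run against the port roles from this post. It is an added example written for this write-up, not TP-Link code; the rules are the generic 802.1Q port semantics, and assuming the T2600G behaves exactly this way (including that the AP port and the pfSense uplink still carry VLAN 1 untagged, and which port number the console sits on) is an assumption. The frames are constructed, with made-up MAC addresses.

```python
"""Model of 802.1Q port behaviour (tagged/untagged membership, PVID, ingress check).

Added illustration, not TP-Link code: generic 802.1Q semantics applied to the
port roles in the post.  Port numbers, MACs and payloads are made up.
"""
import struct
from dataclasses import dataclass, field

TPID = 0x8100    # 802.1Q Tag Protocol Identifier at offset 12 of a tagged frame
ETH_IP = 0x0800  # EtherType that follows the tag (or sits in its place when untagged)


def build_frame(dst_hex, src_hex, payload, vid=None, ethertype=ETH_IP):
    """Ethernet frame; an 802.1Q tag (PCP 0, DEI 0) is inserted when vid is given."""
    frame = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    if vid is not None:
        frame += struct.pack("!HH", TPID, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def vlan_of(frame):
    """VID carried in the 802.1Q tag, or None when the frame is untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != TPID:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def strip_tag(frame):
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame


def add_tag(frame, vid):
    bare = strip_tag(frame)
    return bare[:12] + struct.pack("!HH", TPID, vid) + bare[12:]


@dataclass
class Port:
    name: str
    pvid: int                                    # VLAN given to frames that arrive untagged
    tagged: set = field(default_factory=set)     # VLANs this port sends with the tag kept
    untagged: set = field(default_factory=set)   # VLANs this port sends with the tag removed
    check_ingress: bool = True                   # "switchport check ingress" on/off

    def is_member(self, vid):
        return vid in self.tagged or vid in self.untagged

    def classify(self, frame):
        """VLAN an arriving frame is placed in, or None if the port drops it."""
        vid = vlan_of(frame)
        if vid is None:
            return self.pvid                     # untagged frame: PVID decides
        if self.check_ingress and not self.is_member(vid):
            return None                          # ingress checking drops foreign VLAN tags
        return vid                               # check off: the sender's tag is trusted

    def emit(self, vid, frame):
        """Frame as it leaves this port for VLAN vid, or None if not a member."""
        if vid in self.untagged:
            return strip_tag(frame)
        if vid in self.tagged:
            return add_tag(frame, vid)
        return None


def forward(in_port, out_port, frame):
    """(vid, egress frame): vid None means dropped on ingress, frame None on egress."""
    vid = in_port.classify(frame)
    if vid is None:
        return None, None
    return vid, out_port.emit(vid, frame)


# Port roles from the post.  VLAN 1 membership on the uplink and AP port, and the
# console's port number, are assumptions; the post only shows the tagged lines.
UPLINK = Port("gi1/0/1 to pfSense", pvid=1, tagged={10, 25, 68}, untagged={1})
AP = Port("gi1/0/11 UniFi AP", pvid=1, tagged={10, 25, 68}, untagged={1})
IOT = Port("gi1/0/20 Nintendo Switch", pvid=25, untagged={25}, check_ingress=False)
IOT_STRICT = Port("gi1/0/20 with ingress check", pvid=25, untagged={25}, check_ingress=True)


def demo():
    dhcp = build_frame("ffffffffffff", "0011223344aa", b"DHCPDISCOVER")   # untagged
    hop = build_frame("ffffffffffff", "0011223344aa", b"ARP", vid=10)     # self-tagged 10
    guest = build_frame("0011223344aa", "aabbccddeeff", b"hello", vid=25) # from guest SSID
    vid1, out1 = forward(IOT, UPLINK, dhcp)          # PVID 25, leaves for pfSense tagged 25
    vid2, out2 = forward(IOT, UPLINK, hop)           # check off: enters VLAN 10, tagged 10
    vid3, out3 = forward(IOT_STRICT, UPLINK, hop)    # check on: dropped, not a member of 10
    vid4, out4 = forward(AP, IOT, guest)             # VLAN 25, delivered untagged to console
    return {
        "untagged_in": (vid1, vlan_of(out1)),
        "hop_no_check": (vid2, vlan_of(out2)),
        "hop_check": (vid3, out3),
        "ap_to_iot": (vid4, vlan_of(out4)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} {result}")
```

The second and third cases are the whole point of the ingress-check caveat: the only difference between them is `check_ingress`, and with it off the model happily carries a self-tagged frame from the untrusted port into VLAN 10. Whether the real switch behaves exactly like this is something to test on the bench before trusting the port, for example by sending a tagged frame from a laptop on that port and watching for it on the trusted side.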
The Rokus (Rokii??) presented their own challenge. My wife and I recently discovered the joys of AirPlay-ing our pictures and videos from our iPhones to the TV screen. I needed to add the Avahi add-on service to pfSense. AirPlay finds its targets with Bonjour, which is mDNS: multicast DNS sent to the link-local address 224.0.0.251, which a router never forwards, so a Roku on the Untrusted VLAN is simply invisible to a phone on the Trusted VLAN. Avahi running on pfSense works as an mDNS reflector, copying those announcements between the VLAN interfaces you select, and that is enough for the phone to see the Roku. Installing and enabling it was all that it took. Well, along with the firewall rules to allow Trusted to reach Untrusted, but not the reverse. Note that the reflector repeats announcements in both directions, so devices on the Untrusted side can still learn what is advertised on the Trusted side; it is the firewall rules, not the reflector, that decide whether they can actually connect to it.
So far, I am taking it in small steps, as things are very, very different than on the Cisco networks I am used to. But, I think that I am getting the hang of it. There are a bunch of other features that I will eventually explore on the pfSense router. One of the first being the pfBlocker-NG package, which does DNS-based ad and domain blocking similarly to Pi-hole. I have this up and running as of last night, but I am not sure how effective it has been so far. One of the major items I need to tackle is migrating my Trusted subnet from VLAN1 to a new VLAN. Until I had the Rokus and the Nintendo Switch cut over to Untrusted, I was concerned that the whole house would be taken offline when I went to do this, but now I am not so sure. Other than the wife’s laptop and iPhone, both of which can easily be directed to different SSIDs (like Guest), I think the impact of this move should be fairly straightforward. It may involve a throw-away VLAN… Always something new to learn.