My TP-link AX11000 router isn't as VLAN configurable as I had hoped. New router input? *Not PFSense right now.

NightLife, Sep 10, 2021 (Canada)
Hey,


After a while with TP-Link support tonight, it looks like the AX11000 router won't let me configure VLANs. It will only allow a user to define VLAN IDs IF it's a requirement that an ISP has for internet, VoIP and IPTV.

I guess I may be in the market for a new router. No more consumer level stuff. And before you suggest PFSense, I have little interest in setting up another PC right now, for that or BI. I'd like to stick to my Synology NAS to begin with. *Mind you, I think I read they sell preconfigured PFSense devices. I may have to look into those but it would have to be a WAP as well so I can send the feed to the TV, no?

So a great WAP router with all the best security features, including VLANs etc.

The plan is simple - begin buying and setting up IPCs, run through a Netgear GS305EPP switch (which has VLANs etc.) on their own VLAN uplinked to the new router, and out to the NAS for NVR duty. Then I'd somehow like to be able to watch the cams, or a cam at a time, on my TV on the main level. (Not the smartest TV, but WiFi.)

I know tech develops quickly, so I'm repeating a previously asked Q in the hope that, in the absence of PFSense, and with time marching on, there may be something new and improved which will fit my requirements.



Thanks in advance
 
I have a Ubiquiti router and switch with a wireless AP. You need a wireless AP if you need WiFi. Have VLANs set up. Running Blue Iris on an Intel NUC with some Hikvision and Dahua cams. Also have a Synology NAS.
 

Attachments: 5 images (not reproduced here)
Hi Nightlife

A slight tweak on your setup might do. What about, instead of plugging the NAS into the router, plugging it into the switch, which is VLAN configurable?

Internet > ISP modem > router > Netgear switch (everything into here and configure vlans accordingly)

The setup you're proposing would have all the camera traffic and other data going through your router, which I believe it will struggle with.

Leave the router as a link to the outside world and let the switch do what it does best.

Other ideas welcome

Good luck
 
Nice cabinet setup, the upper fans (exhaust?) and lower fans (intake?) are a sweet (and likely necessary) addition.

One question: Is this some sort of child-proof cabinet pull cover (image below) that is available somewhere? Looks like you press top and bottom together and ease it off to open the doors.

childproof-cabinetpulls.jpg
 
Correct, top exhaust and bottom intake.
Yes, they are child safety locks I got from Amazon so my 2 and 1 year old won't open the doors.
 
And how should it be possible to route traffic to/from the VLANs if the router has no VLAN functions?


I was pondering topology, and lying in bed before falling off trying to pull back a bit further so I could try and piece together everything, and I also thought that connecting the NAS through the switch sounded .. sound, but then each time I would hit that wall as you mention above - how do VLAN tags get passed if the router is neutered?

I went through a lot of the Netgear GS305EPP switch, and it looks pretty configurable in terms of 802.1Q VLANs and so on, so it's definitely the AX11000 which is the roadblock. It's not old at all, but when I bought it 6+ months ago it was only an attempt to have a nice consumer level router. And back then VLANs weren't even on the horizon. You live and learn, and as much as I hate to back step in anything in life, it looks like I may have to bite it this time around. Which is fine, as long as the re-step is a well thought out one. I'd like a modest, but strong, secure setup right now. Far down the road I may go all in, and begin building out things more aggressively, but for now I'd like to keep the scale down, but learn as much as I can.

So being sans VLAN tagging, does that put my AX11000 on a shelf collecting dust from here on, or is there a place for it?

Can I put the cameras, and the NAS in a VLAN and access live streaming by putting my laptop (viewing IPC), or cell (streaming IPC to TV) on the same VLAN? I'd need some rules to ensure the cameras cannot reach the internet. Not sure how to achieve that when the NAS already has access for updates etc. I don't think I appreciated the forethought which goes into networking. It's bloody fascinating, but isn't quite something one jumps into without a well thought out plan, is it?

It would be like buying a nice boat, and every time you go to buy something for the boat you had to inspect it for its ability to torpedo your vessel. One misstep and down she goes :ohsnap:
 
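The "how do VLAN tags get passed" question above comes down to what a switch does with the 802.1Q tag on ingress and egress. The following is an added example, not code from the thread or from Netgear or TP-Link: it builds a constructed Ethernet frame, inserts and parses the 4-byte tag, and models access and trunk port behaviour so you can see why a frame leaving the switch's uplink toward a router that does not understand 802.1Q arrives with EtherType 0x8100 instead of 0x0800. Port configurations and MAC addresses are made up for illustration.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame that may carry one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13        # 3-bit priority code point
        vid = tci & 0x0FFF     # 12-bit VLAN ID (1..4094 usable)
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC (switch ingress on an access port)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag if present (switch egress on an access port)."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


def ingress(frame: bytes, port: dict) -> Optional[bytes]:
    """Classify a frame arriving on a port.
    port is {"mode": "access", "vlan": N} or {"mode": "trunk", "allowed": {N, ...}}."""
    vid = parse_frame(frame)["vid"]
    if port["mode"] == "access":
        if vid is not None:
            return None                      # tagged frames dropped on access ports
        return add_tag(frame, port["vlan"])  # untagged frame gets the port VLAN
    if vid is None or vid not in port["allowed"]:
        return None                          # untagged or disallowed VLAN on a trunk
    return frame


def egress(frame: bytes, port: dict) -> Optional[bytes]:
    """Tagged frame leaving a port: stripped on its access port, kept tagged on a
    trunk that allows the VLAN, dropped otherwise."""
    vid = parse_frame(frame)["vid"]
    if port["mode"] == "access":
        return strip_tag(frame) if vid == port["vlan"] else None
    return frame if vid in port["allowed"] else None


# Constructed sample: an untagged IPv4 frame as a camera would send it.
CAMERA_FRAME = (bytes.fromhex("001122334455")   # dst MAC (made up)
                + bytes.fromhex("aabbccddeeff")  # src MAC (made up)
                + struct.pack("!H", 0x0800)      # EtherType IPv4
                + b"rtsp payload")

CAMERA_PORT = {"mode": "access", "vlan": 20}
UPLINK_PORT = {"mode": "trunk", "allowed": {10, 20}}


def uplink_ethertype() -> int:
    """What the router on the trunk uplink sees first: 0x8100, not 0x0800."""
    tagged = ingress(CAMERA_FRAME, CAMERA_PORT)
    out = egress(tagged, UPLINK_PORT)
    (first_ethertype,) = struct.unpack("!H", out[12:14])
    return first_ethertype


if __name__ == "__main__":
    print(hex(uplink_ethertype()))  # 0x8100: a non-802.1Q router cannot route this
```

A VLAN-aware router (or a layer 3 switch) reads the tag, picks the matching interface and routes; one that is not VLAN-aware sees an unknown EtherType and drops the frame, which is the wall the thread keeps hitting.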
It's simple.
If you have vlan1 on 192.168.1.0/24 and vlan2 on 192.168.2.0/24 .... how should vlan1 communicate with vlan2 and vice versa? How should the VLANs reach the internet?
-> router! (or maybe a layer 3 switch)

Don't waste your time.

Get a pfSense box. Set up VLANs. Set up WireGuard.
It will take 10 minutes of your life..

Your TP-Link router should have no built-in modem, so you just connect your existing modem to your pfSense box

So being sans VLAN tagging, does that put my AX11000 on a shelf collecting dust from here on, or is there a place for it?

It's too new and expensive. There is no OpenWrt / DD-WRT / Tomato port... if there were, everything would be possible.

Can I put the cameras, and the NAS in a VLAN and access live streaming by putting my laptop (viewing IPC), or cell (streaming IPC to TV) on the same VLAN? I'd need some rules to ensure the cameras cannot reach the internet.

You can set up everything how you like it.. rules are your friend.
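To make "rules are your friend" concrete for the earlier question about cameras and the NAS sharing a VLAN while the cameras stay off the internet, here is an added example (not from the thread, and not pfSense's own rule engine): a small model of a stateful firewall's first-match rule evaluation on the ingress VLAN interface, with a constructed addressing plan. The VLAN numbers, the NAS address and the NAS web port are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing plan (assumption): one VLAN per role.
VLANS = {
    "TRUSTED": ipaddress.ip_network("192.168.10.0/24"),  # laptop, phone, TV
    "CAMS":    ipaddress.ip_network("192.168.20.0/24"),  # IP cameras and the NAS
}
NAS = "192.168.20.10/32"  # assumed NAS address inside the camera VLAN

PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    iface: str                 # VLAN interface the packet enters on
    action: str                # "pass" or "block"
    src: str                   # CIDR
    dst: str                   # CIDR, or "internet" = any non-RFC1918 address
    proto: str = "any"         # "tcp", "udp" or "any"
    dport: Optional[int] = None
    note: str = ""


# Rules are evaluated top to bottom per interface; first match wins.
RULES = [
    Rule("CAMS", "pass", NAS, "internet", note="NAS may fetch updates"),
    Rule("CAMS", "block", "192.168.20.0/24", "internet", note="cameras never reach the internet"),
    Rule("CAMS", "block", "192.168.20.0/24", "192.168.10.0/24", note="cameras cannot initiate to trusted devices"),
    Rule("TRUSTED", "pass", "192.168.10.0/24", "192.168.20.0/24", "tcp", 554, note="view RTSP streams"),
    Rule("TRUSTED", "pass", "192.168.10.0/24", NAS, "tcp", 5000, note="NAS web UI (port is an assumption)"),
    Rule("TRUSTED", "pass", "192.168.10.0/24", "internet", note="normal internet access"),
]


def vlan_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def dst_matches(rule: Rule, ip: ipaddress.IPv4Address) -> bool:
    if rule.dst == "internet":
        return not any(ip in n for n in PRIVATE)
    return ip in ipaddress.ip_network(rule.dst)


def evaluate(rules, iface, src, dst, proto, dport):
    """First matching rule on the ingress interface wins; no match means block."""
    for r in rules:
        if r.iface != iface or src not in ipaddress.ip_network(r.src):
            continue
        if not dst_matches(r, dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r
    return "block", None   # implicit default deny, as on pfSense interfaces


def check(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> str:
    """Verdict for the packet that opens a connection from src to dst.
    Return traffic is covered by the firewall's state table and is not modelled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sv, dv = vlan_of(s), vlan_of(d)
    if sv is None:
        return "unknown-source"
    if sv == dv:
        # Same VLAN: the switch forwards it directly; the firewall never sees it.
        return "switched"
    return evaluate(RULES, sv, s, d, proto, dport)[0]


if __name__ == "__main__":
    for flow in [("192.168.20.21", "203.0.113.10", "tcp", 443),
                 ("192.168.20.10", "203.0.113.10", "tcp", 443),
                 ("192.168.10.5", "192.168.20.21", "tcp", 554),
                 ("192.168.20.21", "192.168.20.10", "tcp", 554)]:
        print(flow, "->", check(*flow))
```

The "switched" verdict is the caveat that matters for the original question: anything sharing the camera VLAN (the NAS, a laptop placed there to view streams) talks to the cameras without any rule being consulted, so a camera can only be kept away from a device by putting that device in a different VLAN and writing the rule.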
 
I feel like I'm negotiating here .. ha


What if I buy a Netgate PFSense-enabled router (something like the SG-2100MAX)?


  • Clone my AX11000's MAC address, and plug the Netgate into my ISP modem.
  • Uplink my Netgear GS305EPP switch into the Netgate
  • Plug my IPCs into the switch
  • Place my AX11000 into bridge mode and plug it into the Netgate


Then go to town on VLANs, DHCP pools, firewall rules etc.
 
I wouldn't pay that much for a pfSense box...

Try to find a cheap T620 Plus and add a 2x or 4x Intel NIC to it..

Or buy a prebuilt one

like this.. or just use a normal PC ...


or a Wyse 5070 Extended

or a Qotom box from AliExpress
 
You can install PFSense on any box with two NIC ports, or a box with one NIC port and one USB NIC. All you need is a PFSense boot USB stick.

Here the main PFSense box is a Haswell chipset DIY box using a BCM motherboard with 2 built-in Gb NIC ports plus a 4-port Intel NIC card. Been running fine now for years.

Here is a short blog I wrote in 2013 on DIY building a PFSense box...easy peasy stuff...

Anyone using PFSense as a firewall? (2013)

and another which is more of a copy and paste DIY configuration of PFSense.

How to configure a PFSense Firewall

Way, way back I initially used Smoothwall (Linux-based firewall) here and then moved over to the BSD-based PFSense.

In house #2 I have a Qotom 2-port PFSense box that has been running now for over 2 years 24/7. Low-powered, small-footprint box.

Both boxes utilize GPS / PPS for time sync these days (way better than the internet).

Purchased a refurbished Protectli for a peer not too long ago. Two ports and an i5 Haswell chip on a NUC-sized motherboard for around $100.

Recently purchased a new Jetway to serve as a backup to the primary PFSense box. I purchased this box new for $99 with free shipping on eBay. The only way I could tell it was a Jetway was by the part number. Originally it included a 32Gb mSATA drive and 4 Gb of memory. It is a J1900 and works fine for me. It is very easy to install PFSense from a USB stick. I told a few friends about the deal and it went pretty fast. Very well built and I like it better than the Qotom/Protectli boxes out there. The eBay seller kept upping the price on this device, adding memory / higher capacity mSATA drives.


I have an a la carte network here using a purchased Arris SB6190 (WAN1), LTE modem (phone, LAN, WLAN2) DIY'd PFSense boxes, 24 port managed TP-Link switches and Ruckus WAPs.

I get almost line speed transfers on two DIY'd XigmaNAS boxes here (FreeNAS) using Xeon motherboards, an LSI firmware-patched controller, SAS enterprise drives (8) and ZFS these days.

I access the home LAN remotely these days using OpenVPN or IPSec VPN via VPN servers running on the PFSense box. There are no open ports on my firewall these days.
 
That was a big issue, especially using PFSense a few years back. The Netgate folks issued a statement then that no new versions of PFSense were going to support non-AES computers, which PO'd their client base. Yes, you can purchase a Haswell-based mITX board these days for nothing. But you cannot purchase a 6-port NIC NUC-sized box for less than $250. There were issues initially auto-enabling the use of AES; then the PFSense folks put a switch on it.

That said I have had no issues with multiple VPN servers running on the two J1900 boxes.

It was about the price purchasing the Jetway for $99 with 6 Intel Gb ports.

i.e.: If I shut off the hardware encryption on the main box I see not much of a difference.

Main PFSense box with BCM motherboard.

CPU Type:Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz
4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
AES-NI CPU Crypto: Yes (active)
QAT Crypto: No
Hardware crypto AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS

J1900 in house #2

CPU Type: Intel(R) Celeron(R) CPU 3215U @ 1.70GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: No
QAT Crypto: No
Hardware crypto

OpenVPN tunnel connected right now moving a few large files over.

Temperature: 27.9°C
Load average: 0.15, 0.12, 0.09
CPU usage:2%
Memory usage: 9% of 3949 MiB
SWAP usage: 0% of 1526 MiB

The bottleneck will always be your ISP connection anyhow, even using DOCSIS 3.1.
I did also purchase another Jetway micro PC with two NICs and AES. Running Ubuntu on this one for a new HA box to replace the Pine64 box running HA in house #2.

JBC420U591 :: HBJC420U591 :: Intel Braswell N3160 NUC Barebone :: JETWAY COMPUTER CORP. (new Jetway also same vendor for $150)
This one can also be used as a PFSense Firewall. I am making it a combo HA, Homeseer and Oracle VB box. It is running well and cool right now.

cat /proc/cpuinfo
model name : Intel(R) Celeron(R) CPU N3160 @ 1.60GHz

cpuid | grep -i aes
AES instruction = true
VAES instructions = false
AES instruction = true
VAES instructions = false
AES instruction = true
VAES instructions = false
AES instruction = true
VAES instructions = false

dmidecode -t 2
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 2.8 present.

Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
Manufacturer: NU591
Product Name: NU591
Version: 1.0
Serial Number: BSN....
Asset Tag: To be filled by O.E.M.
Features:
Board is a hosting board
Board is replaceable
Location In Chassis: To be filled by O.E.M.
Chassis Handle: 0x0003
Type: Motherboard
Contained Object Handles: 0
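The cpuid output above is the check that decides whether a cheap box will push VPN traffic at a useful rate: without the AES instruction set, AES-CBC/GCM run in software on a slow core. As an added example (not from the thread, and not the pfSense dashboard's own code), here is a small parser of Linux /proc/cpuinfo that reports the crypto-relevant flags per core and whether every core agrees. The two sample inputs are constructed in the /proc/cpuinfo layout with trimmed flag lists; they are not real captures from the boxes discussed.

```python
import os
from typing import Dict, List

# Flags worth knowing about for VPN throughput, with what they buy you.
CRYPTO_FLAGS = {
    "aes": "AES-NI (AES rounds in hardware)",
    "pclmulqdq": "carry-less multiply (fast AES-GCM authentication)",
    "vaes": "vector AES (AVX-512 era parts)",
    "rdrand": "hardware random number source",
}

# Constructed samples (assumption: only the layout mirrors /proc/cpuinfo; flag
# lists are trimmed to a few entries for readability).
SAMPLE_WITH_AESNI = """\
processor\t: 0
model name\t: Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz
flags\t\t: fpu vme sse4_1 sse4_2 popcnt aes avx pclmulqdq rdrand

processor\t: 1
model name\t: Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz
flags\t\t: fpu vme sse4_1 sse4_2 popcnt aes avx pclmulqdq rdrand
"""

SAMPLE_WITHOUT_AESNI = """\
processor\t: 0
model name\t: Intel(R) Celeron(R) CPU 3215U @ 1.70GHz
flags\t\t: fpu vme sse4_1 sse4_2 popcnt avx rdrand
"""


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Split /proc/cpuinfo into one dict per logical processor."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def crypto_capabilities(text: str) -> Dict[str, object]:
    """For each flag in CRYPTO_FLAGS: True only if every logical CPU has it.
    A mixed result would mean the kernel cannot rely on the instruction."""
    cpus = parse_cpuinfo(text)
    if not cpus:
        raise ValueError("no processor entries found")
    flag_sets = [set(cpu.get("flags", "").split()) for cpu in cpus]
    caps: Dict[str, object] = {
        "cpus": len(cpus),
        "model": cpus[0].get("model name", "unknown"),
    }
    for flag in CRYPTO_FLAGS:
        caps[flag] = all(flag in fs for fs in flag_sets)
    return caps


def report(text: str) -> str:
    caps = crypto_capabilities(text)
    lines = [f"{caps['model']} ({caps['cpus']} logical CPUs)"]
    for flag, meaning in CRYPTO_FLAGS.items():
        lines.append(f"  {flag:<10} {'yes' if caps[flag] else 'NO ':<3} {meaning}")
    if not caps["aes"]:
        lines.append("  -> AES runs in software; expect low VPN throughput on a slow core")
    return "\n".join(lines)


if __name__ == "__main__":
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_WITH_AESNI))
        print(report(SAMPLE_WITHOUT_AESNI))
```

On FreeBSD-based pfSense the same information is on the dashboard ("AES-NI CPU Crypto") as shown in the post above; this script is for checking a candidate box under Linux before you buy or repurpose it.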
 
That and try to find an ISP that will give you both symmetrical up and downloading speeds for your home.

They say they are losing money so then they go to bucket charges and data caps like cellular companies do.

Years ago, managing air-to-ground internet traffic via satellite, the only deal I could get was relating to KB/s of traffic in bucket charges to planes. Might be different nowadays.

That and if you use a smart cam with facial recognition and a Chinese cloud you are helping them fill in their new facial recognition DB.

It is better than a fingerprint but not as good as a genotype database which is probably around the corner.

They already have sold this stuff to the EU, most of the pacific rim, middle east, south africa, et al.
 
PFSense appliance is sorted, and will arrive on Wednesday. Thanks for all the input, it's appreciated.


Time to study some of the PFSense training vids out there. As with a lot of things, it looks like there are likely multiple ways to configure the network, but only a small handful that will encourage growth and efficiency from the get go.


That could probably be a thread of shame all on its own. How people string together all the various pieces of this networking gear in the most amusing, and f'd up ways. haha


What would be cool, in the spirit of learning and testing, would be if there was a virtual network builder online. Click on what you have - switches, routers, APs, cameras and so on, and then string them together graphically in some kind of flow chart representing your network topology, add some details where necessary and then be able to watch as those virtual cameras 'go live' and VLANs start humming along, tags begin passing, NAS fires up, and have it spot bottlenecks, security weaknesses and so on. Like debugging a program, but instead it examines your virtual network and suggests solutions to common oversights etc.
 
What many forget is traffic shaping on the WAN interface. There are also rare videos on YouTube about this topic. Some ISP routers have traffic shaping included, but if you switch to pfSense and use only a modem, it may be a worse experience in your network.

keyword is bufferbloat which you can test on

 
@NightLife

Good news. PFsense out of the box with OS base is in Firewall mode. Baby steps. The GUI is intuitive. Watch the instructional videos. You cannot break PFSense.

There are many add-ons and built-in features. Personally, the add-ons run here are Snort, pfBlockerNG, Backup and OpenVPN Client Export. Run OpenVPN and IPSec VPN servers.

Connected box to an APC UPS (with APC add on), GPS/PPS for NTP server built in the PFSense, failover T-Mobile LTE modem over the years.

As mentioned above DSLReports has some great testing tools. Create a user id there for extended testing with their tools.
 
Run OpenVPN and IPSec VPN servers.

WireGuard has been available again as a package for a few months now in 2.5.2.. I wouldn't waste time on OpenVPN. IPsec can have some benefits if you really need them, but OpenVPN is totally dead. It only runs single-threaded and the cheaper boxes have only slow CPUs. This is why most Asus routers can only reach around 20 Mbit as max .. also some other disadvantages, like always having to be connected to the VPN with the device, or opening the connection if you need it.
 
Thank you @user8963

Current running:

2.5.2-RELEASE (amd64)
built on Fri Jul 02 15:33:00 EDT 2021
FreeBSD 12.2-STABLE

Did configure WireGuard, which was included (not a plugin) with PFSense 2.5.1, a while ago. Then after I configured it Netgate posted that they were removing it. Next update I did not see it anymore.

Had mostly IPv6 issues when I updated to 2.5.X. I patched it up to get it working, then PFsense fixed the issues. For failover here I only use IPv4 gateways, and I have been told on the forum not to bother configuring failover via IPv6.

I use the OpenVPN connection PFSense Firewall to surf on my tablets / phones these days. Initially and way back used IPSec and currently while configured do not use it much.

I am using WireGuard now with PIA and I am impressed. I see clients for Linux, Windows, iOS and Android these days.