Fiber connection between 2 switches in 2 separate buildings (schematic included)
Hi, I've made an image to make my situation a bit easier to explain/understand.
I've got 2 "buildings". In building A, the internet comes in through an ISP cable modem, goes through a pfSense firewall and a switch, before connecting internally to all of our devices.
The problem I'm having is the red WAN data. It comes in at the firewall and is then internally routed, but I have multiple devices in our network that need to have a direct connection to this WAN data, to each get their ISP IPs, otherwise they won't fully work.
Is there a way to set up a switch "trunk" on TP-Link switches that carries all VLAN data (LAN/DMZ and WAN) across a fiber connection, or do I have to completely separate these two data lines? (e.g. install 2 switches at each building and pull 2 separate fiber connections between the two buildings?)
Hoping I made my problem clear, not easy to explain.
Your diagram looks strange, because you have WAN coming out of pfSense and going to the switch. When going from WAN to LAN, NAT translation needs to be done and L2 switches can't do it. NATting should be done on pfSense. I think your issue is how to handle the WAN/DMZ/LAN traffic on pfSense, not the downstream configuration. Once you separate the traffic and direct it to individual VLANs on pfSense, the switches and single optical connection should be able to handle it. You may like to post your message on the pfSense forum to get some help with it.
Yeah I know, that's the problem. I don't really know (yet) what I'm doing, but I know what I want to achieve. The diagram above is what I want to get working somehow.
I made a new (totally different) schematic approach, using 2 TP-Link switches as the base. Again, I have at this time no idea if this is possible, or if this is the way that VLANs can work (together with pfSense).
Image is rather large, but details do matter here, so I needed to get everything "readable". My question now is, is this possible / going to work?
All of that can be done, but I think some adjustments are necessary.
- What about connecting ISP directly to the pfSense WAN port? Any compelling reason for pushing WAN traffic through the switch? Well, you can do it if you really want, but you need to have a separate VLAN for it. You cannot use VLAN 10 for it.
- The ports for IP phones would need to be untagged in VLAN 20 and tagged in VLAN 50.
- If you want APs to handle multiple VLANs, they need to be connected to trunk ports. Otherwise, they can live in VLAN 20.
- I assume that you want to link VLAN 1 with the pfSense LAN and use it like a network administration VLAN.
Nice diagrams! You certainly have the skills.
KJK wrote
All of that can be done, but I think some adjustments are necessary.
- What about connecting ISP directly to the pfSense WAN port? Any compelling reason for pushing WAN traffic through the switch? Well, you can do it if you really want, but you need to have a separate VLAN for it. You cannot use VLAN 10 for it.
- The ports for IP phones would need to be untagged in VLAN 20 and tagged in VLAN 50.
- If you want APs to handle multiple VLANs, they need to be connected to trunk ports. Otherwise, they can live in VLAN 20.
- I assume that you want to link VLAN 1 with the pfSense LAN and use it like a network administration VLAN.
Nice diagrams! You certainly have the skills.
- About connecting WAN to pfSense directly: this is the case now, but I have multiple TV boxes that require a direct connection to the ISP (with an ISP IP address). The 2 buildings both have TV boxes, so the WAN data should be able to travel across the fiber connection between buildings, otherwise I need to pull separate cables, and I want to keep it as "clean" as possible. What is the reason I can't use VLAN 10 for WAN data?
- This I don't get actually, or rather, not completely: the part that IP phone ports would better be a trunk port. This is something that I also already saw in other VLAN videos on YouTube, where the AP itself handles the separate VLANs through separate SSIDs. What I don't get is what VLAN 20 has to do with this. (I saw that I made a coloring error with the lines coming out of the top switch, being green at the bottom and purple at the top; these should all be purple.)
- VLAN 1 is the default VLAN assigned by TP-Link (I think?), so in this diagram, all the VLAN 1 ports are just empty ports, not used for anything (yet).
Thanks for the compliment on the diagrams, I do more graphical work than working with switches :-) I really need to order me some to play around with, because a simple network layout is no problem, but this VLAN stuff, especially in combination with pfSense, is really kicking my ***
Already a big thank you for wanting to help out!
Re. WAN and IPTV.
I don't want to speculate what would happen if you go ahead with your plan. The way it is supposed to be done is to bridge IPTV with a local network on the router. If you do that, IPTV traffic can flow through the common trunks. No additional optical cable would be necessary.
Re. IP phone.
You don't really need to create those mini trunks. However, if your IP phones make it possible to connect workstations to them and you want to do it, you do need them.
Re. AP
If you do not want to have VLANs on your APs, and I don't really see that in your diagram, you do not need trunk ports for them. However, if you put them on ports belonging to a different VLAN than VLAN 20, their traffic will be unnecessarily routed if, for example, you want to access a server that is on VLAN 20. In most networks, VLANs are used on APs, because everybody wants to have a guest network.
KJK wrote
Re. WAN and IPTV.
I don't want to speculate what would happen if you go ahead with your plan. The way it is supposed to be done is to bridge IPTV with a local network on the router. If you do that, IPTV traffic can flow through the common trunks. No additional optical cable would be necessary.
These are TV boxes located in Belgium, so it's not really IPTV; the ISP requires them to each get a direct IP address from them, not an internal IP. If connected to the LAN, they work, but with limited functionality (no TV guide / ...), so I have no choice other than to connect them "directly" through the switch. At this point, I have a separate "dumb" switch to do this and separate cabling, but at our new location, this isn't easy to do, as I have to deal with 2 separate buildings, so I would need to pull separate cables and add more switches to the mix.
So if I can achieve this, like in the drawing, taking into account your remarks.
The IP phones will each get a dedicated connection, as do the workstations, so that shouldn't be an issue. The only thing I was really worried about was the WAN distribution possibility in its own VLAN, across the trunk to the other switch.
About the APs, that I will need to figure out later I think, when we are actually using them. The current guest network setup is now done with the Omada software, so they get a separate guest SSID, with the "Guest Network" checkbox enabled.
I guess now it's ordering time and start the "real life" testing, so that it's almost "up and running" when we move to the new location.
I hope it works out :-)
Thanks!
Time has passed and my orders came in a few days ago (2 new switches).
I started configuring them through Omada, but I quickly gave that up; I find that the "Omada way" is far more complicated (or just too simplified?) to get things working. I then "forgot" the devices and configured them through each web interface separately. I think I got everything working like it should. I get the expected IP ranges from the correct ports, pfSense takes care of all the firewalling.
The only strange thing I ran into was with the WAN side. I set port 1 on the first switch as "Tagged VLAN10", and ports 2, 3, 4 and 5 as "Untagged VLAN10", but I couldn't get an IP address from our ISP.
When I then changed port 1 also to untagged, it worked. Does somebody know what this is about? I assumed you always have to tag the port that accepts the connection, and all other ports that the connection is "forwarded" to should be untagged?
Clearly I'm by far still no expert at VLANs :) Hoping to be a moderate-level expert when all is set up. The schematic has also been updated to the new layout.
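Added example (not from the thread, TP-Link or pfSense): a small Python model of 802.1Q port classification that replays the tagged-vs-untagged question in the last post, and KJK's earlier IP-phone port suggestion (untagged VLAN 20 plus tagged VLAN 50). The port numbers, PVIDs, the LAN-only port 6 used for an isolation check, and the assumption that a "Tagged VLAN10" port keeps TP-Link's default PVID 1 membership are mine.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs this port sends out without a tag
    tagged: set = field(default_factory=set)    # VLANs this port sends out with an 802.1Q tag

def ingress_vlan(port, vid):
    """Classify an arriving frame; vid=None means it carries no 802.1Q tag."""
    if vid is None:                             # untagged frame: use the port's PVID
        return port.pvid if port.pvid in port.untagged | port.tagged else None
    return vid if vid in port.tagged else None  # ingress filtering drops foreign tags

def forward(ports, in_port, vid):
    """Flood a frame to the other members of its VLAN. Returns {port: how it leaves}."""
    vlan = ingress_vlan(in_port, vid)
    out = {}
    for p in ports:
        if p is in_port or vlan is None:
            continue
        if vlan in p.untagged:
            out[p.name] = "untagged"
        elif vlan in p.tagged:
            out[p.name] = f"tagged {vlan}"
    return out

def wan_scenario(port1_tagged):
    """Poster's switch: port 1 faces the ISP modem (which only speaks untagged), ports 2-5
    feed the TV boxes that need ISP addresses, port 6 is a LAN-only port (VLAN 20)."""
    if port1_tagged:   # first attempt; assumed to keep TP-Link's default PVID 1 membership
        p1 = Port("p1", pvid=1, untagged={1}, tagged={10})
    else:              # what worked: untagged member of VLAN 10, PVID 10
        p1 = Port("p1", pvid=10, untagged={10})
    boxes = [Port(f"p{i}", pvid=10, untagged={10}) for i in range(2, 6)]
    ports = [p1, *boxes, Port("p6", pvid=20, untagged={20})]
    from_modem = forward(ports, p1, None)       # modem's untagged DHCP offer
    to_modem = forward(ports, boxes[0], None)   # a box's untagged DHCP discover
    return {
        "modem_to_boxes": sorted(from_modem),
        "box_to_modem": to_modem.get("p1", "dropped"),  # "tagged 10" is unusable to the modem
        "lan_reached": "p6" in from_modem or "p6" in to_modem,  # isolation check
    }

def phone_port_scenario():
    """KJK's phone port: untagged VLAN 20 (PC behind the phone), tagged VLAN 50 (phone)."""
    port = Port("p7", pvid=20, untagged={20}, tagged={50})
    return ingress_vlan(port, None), ingress_vlan(port, 50)
```

With port 1 tagged, the modem's untagged frames land in VLAN 1 and reach nobody, and the boxes' replies leave port 1 carrying a VLAN 10 tag the modem ignores; with port 1 untagged both directions stay in VLAN 10 and the LAN-only port never sees WAN frames.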