How to prioritize and selectively filter internet traffic within a home and office?

[striving4]

I'm installing a structured wiring panel with 24 Ethernet runs and 11 coax runs. Currently using Comcast. Want to be set up for possible future with ATT, dish, etc. I want to be able to give some of the internet network first dibs and greatest privacy (12 Ethernet wall outlets), some of the network on parental controls for kids (2), and some for guest network (10). We want 3 levels for both hardwired and wifi access. I assume I need a combination of one or more switches and one or more routers. Considering
NETGEAR 24-Port Gigabit Rackmount Smart Managed Plus Switch, though not sure about programming.
Wondering about dual vs. tri-band router and whether I need a separate switch for each level/band? Thank you!

 

[nigelivey]

A decent router/firewall appliance is required for managing bandwidth per network or client, I always recommend PfSense (open source), a managed switch is required if you want to segregate the network using vlans but you could use dumb switches if you have multiple interfaces on the Pfsense appliance. Some knowledge is required to setup rules, Qs and limiters but you'll learn a lot in the process! I personally would then use access points run back to the switch (PoE), this gives you the flexibility to locate them where needed.

 

[kanewolf]

You will need a router that is more than a typical home router because you want wired guest network. That means that your router has to support multiple DHCP and VLAN tagging to handle your access point with guest requirement. Business class routers can do what you want. The Ubiquiti edge routers for example.

I would not recommend a wireless router. Use the access point method.

 

[striving4]

A decent router/firewall appliance is required for managing bandwidth per network or client, I always recommend PfSense (open source), a managed switch is required if you want to segregate the network using vlans but you could use dumb switches if you have multiple interfaces on the Pfsense appliance. Some knowledge is required to setup rules, Qs and limiters but you'll learn a lot in the process! I personally would then use access points run back to the switch (PoE), this gives you the flexibility to locate them where needed.

 

[striving4]

A decent router/firewall appliance is required for managing bandwidth per network or client, I always recommend PfSense (open source), a managed switch is required if you want to segregate the network using vlans but you could use dumb switches if you have multiple interfaces on the Pfsense appliance. Some knowledge is required to setup rules, Qs and limiters but you'll learn a lot in the process! I personally would then use access points run back to the switch (PoE), this gives you the flexibility to locate them where needed.

 

[striving4]

Thank you so much for your help. I’m not an IT person so I’d like to ask you to spell some of this out more specifically if you have the inclination. Is this how your idea would work? Comcast coax from to street to modem; Ethernet from modem to pfSense switch (something like the SG-3100, which will need programming to create the 3 networks); pfSense switch to three PoE switches (one for each network (brand/model recommendations appreciated)); Ethernet cables from the PoE switches out to the rooms; each of the 3 networks will have its own wifi router in one of the rooms (plugged into one of the Ethernet runs and powered by the switch (again, brand/model recommendations appreciated)). I don’t think this is the most economical approach but I gather you like it for the firewall service. Thanks again.

 

[striving4]

Thank you very much for your help too Kanewolf. I think your idea is similar to the other but I’d like to ask if this is it (sorry for redundancy if you’ve seen my other response): Ethernet from modem to Ubiquiti non-wifi router (something like the Edgerouter PoE (ERPOE-5), which will need programming to create the 3 networks (I’m not familiar with DHCP and VLAN tagging and so am wondering how to tag our 3 networks)); this doesn’t have enough ports for the Ethernet outlets so I would link this to three switches (one for each network (brand/model recommendations appreciated, PoE?)); Ethernet cables from the switches out to the rooms; each of the 3 networks will have its own access point or wifi router in one of the rooms (plugged into the wall and powered by the switch (again, brand/model recommendations appreciated)). A couple questions: can I configure or program the edgerouter to priorities the networks? Also, is there a benefit to access points vs. routers? Thanks again.

 

[nigelivey]

Thank you so much for your help. I’m not an IT person so I’d like to ask you to spell some of this out more specifically if you have the inclination. Is this how your idea would work? Comcast coax from to street to modem; Ethernet from modem to pfSense switch (something like the SG-3100, which will need programming to create the 3 networks); pfSense switch to three PoE switches (one for each network (brand/model recommendations appreciated)); Ethernet cables from the PoE switches out to the rooms; each of the 3 networks will have its own wifi router in one of the rooms (plugged into one of the Ethernet runs and powered by the switch (again, brand/model recommendations appreciated)). I don’t think this is the most economical approach but I gather you like it for the firewall service. Thanks again.

You will need one interface for the WAN and at least one other on the LAN, if you have a managed switch you can just create the required Vlans on the Pfsense box as virtual interfaces on the 1 physical LAN NIC basically creating a trunk, you can then assign access ports for each vlan on the L3 switch. It depends which route you wish to go down. If you are using dumb switches you are going to need a physical interface for each network as you suggested above. Bare in mind that out the box some configuration will be required even for basic connectivity (DHCP scope for each vlan, firewall rules and assigning gateways) but there are lots of tutorials on Pfsense.
Do not use wireless routers use access points (layer 2 devices) no routing.

MODEM------PFSENSE ROUTER---------MANAGED SWITCH-----------WIFI AP / HOSTS

You for example can create 4 vlans. (100/200/300/400)

These can all be assigned to the physical NIC (192.168.100.0/192.168.200.0/192.168.300.0/192.168.400.0)

DHCP range on a /24 192.168.100.20 - 192.168.100.254 vlan100 192.168.200.20 - 192.168.200.254 vlan200
192.168.300.20 - 192.168.300.254 vlan300 192.168.400.20 - 192.168.400.254 vlan400

The default gateway will be the same for all, the single WAN.

1 port on the managed switch will be assigned as a trunk port with allowed vlans 100/200/300/400 this attaches to the LAN port on the Pfsense box.

The other ports on the managed switch can then be assigned as access ports for any of the vlans ports 2-5 vlan100 ports6-9 vlan200 etc etc

You can allow routing between vlans or not, by default no hosts on any vlans can talk across the vlans.

Your APs powered off the switch can be given a fixed IP for management purposes below xxx.xxx.xxx.20 (below the DHCP scopes) and then attached to the access port for the required vlan.

I hope that makes sense

 

[kanewolf]

Thank you very much for your help too Kanewolf. I think your idea is similar to the other but I’d like to ask if this is it (sorry for redundancy if you’ve seen my other response): Ethernet from modem to Ubiquiti non-wifi router (something like the Edgerouter PoE (ERPOE-5), which will need programming to create the 3 networks (I’m not familiar with DHCP and VLAN tagging and so am wondering how to tag our 3 networks)); this doesn’t have enough ports for the Ethernet outlets so I would link this to three switches (one for each network (brand/model recommendations appreciated, PoE?)); Ethernet cables from the switches out to the rooms; each of the 3 networks will have its own access point or wifi router in one of the rooms (plugged into the wall and powered by the switch (again, brand/model recommendations appreciated)). A couple questions: can I configure or program the edgerouter to priorities the networks? Also, is there a benefit to access points vs. routers? Thanks again.

You do not need to have an access point for each network with VLANs. A single access point can support multiple SSIDs with independent passwords. Each SSID would map to a VLAN and be independent of the other two. You have to have network hardware that understands VLANs and will keep them separated.

The edgerouter would have a single input and then multiple independent outputs. One for each wired subnetwork you want to create and one for your WIFI (IMO). You could run independent switches for your wired networks or use VLAN tagging and a single managed switch.

 

[striving4]

Thank you so much for your help. I’m not an IT person so I’d like to ask you to spell some of this out more specifically if you have the inclination. Is this how your idea would work? Comcast coax from to street to modem; Ethernet from modem to pfSense switch (something like the SG-3100, which will need programming to create the 3 networks); pfSense switch to three PoE switches (one for each network (brand/model recommendations appreciated)); Ethernet cables from the PoE switches out to the rooms; each of the 3 networks will have its own wifi router in one of the rooms (plugged into one of the Ethernet runs and powered by the switch (again, brand/model recommendations appreciated)). I don’t think this is the most economical approach but I gather you like it for the firewall service. Thanks again.

You will need one interface for the WAN and at least one other on the LAN, if you have a managed switch you can just create the required Vlans on the Pfsense box as virtual interfaces on the 1 physical LAN NIC basically creating a trunk, you can then assign access ports for each vlan on the L3 switch. It depends which route you wish to go down. If you are using dumb switches you are going to need a physical interface for each network as you suggested above. Bare in mind that out the box some configuration will be required even for basic connectivity (DHCP scope for each vlan, firewall rules and assigning gateways) but there are lots of tutorials on Pfsense.
Do not use wireless routers use access points (layer 2 devices) no routing.

MODEM------PFSENSE ROUTER---------MANAGED SWITCH-----------WIFI AP / HOSTS

You for example can create 4 vlans. (100/200/300/400)

These can all be assigned to the physical NIC (192.168.100.0/192.168.200.0/192.168.300.0/192.168.400.0)

DHCP range on a /24 192.168.100.20 - 192.168.100.254 vlan100 192.168.200.20 - 192.168.200.254 vlan200
192.168.300.20 - 192.168.300.254 vlan300 192.168.400.20 - 192.168.400.254 vlan400

The default gateway will be the same for all, the single WAN.

1 port on the managed switch will be assigned as a trunk port with allowed vlans 100/200/300/400 this attaches to the LAN port on the Pfsense box.

The other ports on the managed switch can then be assigned as access ports for any of the vlans ports 2-5 vlan100 ports6-9 vlan200 etc etc

You can allow routing between vlans or not, by default no hosts on any vlans can talk across the vlans.

Your APs powered off the switch can be given a fixed IP for management purposes below xxx.xxx.xxx.20 (below the DHCP scopes) and then attached to the access port for the required vlan.

I hope that makes sense

Impressive. I think I understand some of this. I hope I'll be able to make sense of it all once I get the hardware and find the tutorials. I do have a few follow up questions.
1. By LAN NIC and L3 are you referring to the managed switch?
2. By "Hosts" do you mean the PCs and TVs plugged into the Ethernet outlets?
Regarding hardware....
3. Should I stay with my surfboard modem for Comcast?
4. What PFSense routers can you recommend?
5. What managed switches can you recommend?
6. Can I use 1 AP for all VLANS? What APs can you recommend?
7. The guest network may be renters. If I want them to be able to access their own wifi access should I get a separate AP for their unit (if it needs resetting while I'm away)?
8. Do you have recommendation for a coax cable switch, if that's what they're called?
9. Should I be thinking about using a cabinet instead of a structured wire panel?
10. Anything else I should be thinking about?
You're very kind. Thank you so much for your time and patience!

 

[nigelivey]

Thank you so much for your help. I’m not an IT person so I’d like to ask you to spell some of this out more specifically if you have the inclination. Is this how your idea would work? Comcast coax from to street to modem; Ethernet from modem to pfSense switch (something like the SG-3100, which will need programming to create the 3 networks); pfSense switch to three PoE switches (one for each network (brand/model recommendations appreciated)); Ethernet cables from the PoE switches out to the rooms; each of the 3 networks will have its own wifi router in one of the rooms (plugged into one of the Ethernet runs and powered by the switch (again, brand/model recommendations appreciated)). I don’t think this is the most economical approach but I gather you like it for the firewall service. Thanks again.

You will need one interface for the WAN and at least one other on the LAN, if you have a managed switch you can just create the required Vlans on the Pfsense box as virtual interfaces on the 1 physical LAN NIC basically creating a trunk, you can then assign access ports for each vlan on the L3 switch. It depends which route you wish to go down. If you are using dumb switches you are going to need a physical interface for each network as you suggested above. Bare in mind that out the box some configuration will be required even for basic connectivity (DHCP scope for each vlan, firewall rules and assigning gateways) but there are lots of tutorials on Pfsense.
Do not use wireless routers use access points (layer 2 devices) no routing.

MODEM------PFSENSE ROUTER---------MANAGED SWITCH-----------WIFI AP / HOSTS

You for example can create 4 vlans. (100/200/300/400)

These can all be assigned to the physical NIC (192.168.100.0/192.168.200.0/192.168.300.0/192.168.400.0)

DHCP range on a /24 192.168.100.20 - 192.168.100.254 vlan100 192.168.200.20 - 192.168.200.254 vlan200
192.168.300.20 - 192.168.300.254 vlan300 192.168.400.20 - 192.168.400.254 vlan400

The default gateway will be the same for all, the single WAN.

1 port on the managed switch will be assigned as a trunk port with allowed vlans 100/200/300/400 this attaches to the LAN port on the Pfsense box.

The other ports on the managed switch can then be assigned as access ports for any of the vlans ports 2-5 vlan100 ports6-9 vlan200 etc etc

You can allow routing between vlans or not, by default no hosts on any vlans can talk across the vlans.

Your APs powered off the switch can be given a fixed IP for management purposes below xxx.xxx.xxx.20 (below the DHCP scopes) and then attached to the access port for the required vlan.

I hope that makes sense

Impressive. I think I understand some of this. I hope I'll be able to make sense of it all once I get the hardware and find the tutorials. I do have a few follow up questions.
1. By LAN NIC and L3 are you referring to the managed switch?
2. By "Hosts" do you mean the PCs and TVs plugged into the Ethernet outlets?
Regarding hardware....
3. Should I stay with my surfboard modem for Comcast?
4. What PFSense routers can you recommend?
5. What managed switches can you recommend?
6. Can I use 1 AP for all VLANS? What APs can you recommend?
7. The guest network may be renters. If I want them to be able to access their own wifi access should I get a separate AP for their unit (if it needs resetting while I'm away)?
8. Do you have recommendation for a coax cable switch, if that's what they're called?
9. Should I be thinking about using a cabinet instead of a structured wire panel?
10. Anything else I should be thinking about?
You're very kind. Thank you so much for your time and patience!

1. LAN NIC is the interface on the Pfsense bow used on the LAN side of the network, you can assign the interfaces to LAN or WAN when you set it up, this is normally done at first boot and is a simple process, it will ask you to define a network and netmask, turn on DHCP and give you the address so that you can use its web interface for further config. Layer3 just means your switch has IP functionality (managed) dumb switches are Layer2 (MAC addresses no IP) - slightly simplified here but there is only so much I can explain in a post.
2. Yes, Hosts are just end devices.
3. If it is only a modem with no routing ability then yes, as long as the performance is adequate for your line speed.
4. I would build my own! re-tasking an old pc is a good choice, as long as you have two NICS (I would recommend intel cards) the spec can be quite low, 4Gb RAM is ample, HDD will depend on what features you wish to use but the install for basic tasks is tiny. The CPU will have to be AES-NI compliant for it's 2.5 release. Most CPUs from the last 3 years will support this. The CPU to use will depend heavily on what you will be doing and the amount of traffic passing through the router and between vlans and whether you will use any kind of VPN on the box.
5. I use cisco but they are not for everyone, I find the command line quicker to use than the web gui but you need to know what you are doing. If you are just running vlans they are all pretty much of a muchness, consider how many AP you want to run, if they are using PoE and budget.
6. Some APs allow you to tag vlans per SSID if that makes sense, I use Ruckus which are consumer grade and obviously you pay top dollar for the newest models with AC. Older ones can be found on Ebay that are just 2.4/5Ghz. It may be easier and more effective to use Ubiquiti APs, you would buy a 5 for the same price as 1 Ruckus! I believe the Ubiquiti kit has vlan tagging but you would need to add another vlan to allow the administration of the AP. (This is why I suggested 4 vlans not 3 as the fourth could be your management vlan where the management IPs for any equipment sit, router/switches/Aps.
7. Depends on the coverage you get within the building/space. If the "Guest network" has its own SSID and sits on its own vlan AND you don't need extra kit for coverage there is no point. Depending on how you set up the network remote administration is possible.
8. Do you have a MoCA network or ethernet? I'm from Europe, we very rarely use MoCA, somebody else will be able to advise you on that.
9. Depends on budget and preference. I like to rack mount because its more secure and looks neater but way well be overkill!!
10. For now you're good, you could spend a life time learning all the features of Pfsense, start with the basics, a flat network, find you way around the system before you start looking at vlans etc. You are bound to lock yourself out a few times but learning why is the key, resetting to default on boot is quick and painless!! keep config files at hand and back them up at stages through getting the system to work the way you want it!!!!!
Good luck!

 

[kanewolf]

The Ubiquiti UniFI access points support multiple SSIDs which can each be mapped to a VLAN. If you look at the datasheet --https://dl.ubnt.com/datasheets/unifi/UniFi_AC_APs_DS.pdf You see that they can broadcast 8 SSIDs. You can map those SSIDs to different VLANs. If you have VLAN aware switch and router, you can keep the traffic from the VLANs separate.

 

[striving4]

Thank you very much for your help too Kanewolf. I think your idea is similar to the other but I’d like to ask if this is it (sorry for redundancy if you’ve seen my other response): Ethernet from modem to Ubiquiti non-wifi router (something like the Edgerouter PoE (ERPOE-5), which will need programming to create the 3 networks (I’m not familiar with DHCP and VLAN tagging and so am wondering how to tag our 3 networks)); this doesn’t have enough ports for the Ethernet outlets so I would link this to three switches (one for each network (brand/model recommendations appreciated, PoE?)); Ethernet cables from the switches out to the rooms; each of the 3 networks will have its own access point or wifi router in one of the rooms (plugged into the wall and powered by the switch (again, brand/model recommendations appreciated)). A couple questions: can I configure or program the edgerouter to priorities the networks? Also, is there a benefit to access points vs. routers? Thanks again.

You do not need to have an access point for each network with VLANs. A single access point can support multiple SSIDs with independent passwords. Each SSID would map to a VLAN and be independent of the other two. You have to have network hardware that understands VLANs and will keep them separated.

The edgerouter would have a single input and then multiple independent outputs. One for each wired subnetwork you want to create and one for your WIFI (IMO). You could run independent switches for your wired networks or use VLAN tagging and a single managed switch.

Kanewolf,
Sorry for navigation issue I was having on this site. Can you help me find products that can achieve what you've described?

1. please recommend one or more APs.
2. You said, "You have to have network hardware that understands VLANs and will keep them separated." By this network hardware do you mean the edgerouter?
3. Please recommend 1 or more edgerouter I can pair with independent switches, and switches I can use.
4. Please also recommend products for a single managed switch in the second scenario.
5. Would the managed switch allow me to prioritize or simply keep the VLANs separate?
6. Where could I manage parental controls? in AP, edgerouter, or both?
7. Besides my 3 VLANS are there other reasons to have independent outputs on the edgerouter, e.g., voip or...?
8. Will I be able to find tutorials on the set up and assignment of VLANS?
Thank you!

 

[kanewolf]

Sorry, I am not going to pick your parts. Someone else may choose to do so, but if we do then you haven't learned anything about why you choose them and probably won't understand how to use them and money will be wasted.

Basic questions like you are asking shows that your knowledge is not up to what you want to do. You either need to start simpler and work up to what you eventually want or bring in a network knowledgeable "consultant" to help you.

 

[kanewolf]

Sorry, I am not going to pick your parts. Someone else may choose to do so, but if we do then you haven't learned anything about why you choose them and probably won't understand how to use them and money will be wasted.

Basic questions like you are asking shows that your knowledge is not up to what you want to do. You either need to start simpler and work up to what you eventually want or bring in a network knowledgeable "consultant" to help you.