
New hardware questions :)

ki3den

Hi everyone,

 

I am planning a network upgrade fairly soon into the future (about 1-2 months from now). I wanted to run a parts list by someone and ask for suggestions or comments.

 

A short explanation of what I'm planning: I currently have ISP fiber coming in, into a modem/gateway that's in my garage. I want to turn off the wifi (the 5G seems to be getting rather spotty, especially via phone connections for some reason) and also turn off other services like DHCP etc. I am going to set it to pass-through to a pfSense router, and I am planning to get a basic one from Netgate with just the WAN, LAN and one OPT port. I'll be running the WAN to the modem of course, then I want the other two to go into a switch - the LAN of course providing connectivity to everything, then the OPT port set up as a mirror for the LAN port, so I can further my knowledge with SIEM things for work/experiments etc.

From the switch, I'll connect the other wired rooms - like my office, living room etc. - through my patch panel. I'll also need a couple of extra ports for WAPs that I plan to get, which I want to mount in the corner of my garage that is the most centered in my house for fuller coverage (more details on that later). In my office, I want that connection to be a trunk port, because the port that the pfSense OPT goes into needs to be remote-spanned into my office for receiving the mirrored traffic. In the office, I'll have a duplicate switch - that'll make sure the capabilities are the same; I may use a lesser-port model because I'll need fewer ports there than at the hub in the garage.

For all other rooms, I have a couple of existing unmanaged 1G switches if needed - like in the living room or game room, where more than one device might be.

 

So here's the hardware I'm looking at getting, as well as the current:

ISP fiber: white PLC box from AT&T

ISP modem/gateway: modem from AT&T. sort of required as we have a landline broken out from there.

pfSense: planning on getting a pfSense+ 1100; I might get one with at least one more OPT port so I can mirror the WAN port as well.

New Switches: looking at Cisco 1000 series, specifically C1000-8P-2G-L, possibly C1000-8FP-2G-L for the two SFP ports; I'm not sure if it will be worth supporting more than 1G.

Old switches: just some unmanaged switches gotten from Amazon a year or two ago, they're 5-port switches (really, 4-port, 1 is the "wan" port).

WAPs: looking at the Cisco 9000 series, but not exactly sure what to get. Ideally I'd like to get PoE powered ones, and I want to support wifi6 at least.

 

I am looking at Cisco for the switches because they run IOS, so I know they support RSPAN for the mirror port to get it to my office without VLAN-tagging it or modifying the stream.

 

If anyone has any suggestions or comments please let me know! 🙂


Those managed switches can do port mirroring. That would make much more sense than using the OPT port for port mirroring. Then you won't need to connect that OPT1 port at all.

 

5 minutes ago, ki3den said:

possibly C1000-8FP-2G-L for the two SFP ports; I'm not sure if it will be worth supporting more than 1G.

Those SFP ports are 1GbE, so they won't be any faster than the RJ45 ports on the switch.

 

I'd probably go with the UniFi or TP-Link Omada access points as they're much cheaper for similar levels of performance, but those will work fine.
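The mirroring setup discussed in the opening post and in the reply above, written out as an added Cisco IOS configuration example (it is not from either poster): the garage switch mirrors the port facing the pfSense LAN interface into an RSPAN VLAN, the trunk carries that VLAN to the office switch, and the office switch delivers the copied frames to a sensor port. The hostnames, the interface numbers and VLAN 999 are assumptions for illustration.

```cisco
! --- Garage (hub) switch: assumed Gi1/0/1 = pfSense LAN, Gi1/0/9 = trunk to office ---
hostname SW-GARAGE
!
! RSPAN VLAN: carries mirrored frames only; never put access ports in it
vlan 999
 name RSPAN-SIEM
 remote-span
!
interface GigabitEthernet1/0/9
 description Trunk to SW-OFFICE (must carry RSPAN VLAN 999)
 switchport mode trunk
 switchport trunk allowed vlan 1,999
!
! Mirror both directions of the pfSense-facing port into the RSPAN VLAN
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination remote vlan 999
!
! --- Office switch: assumed Gi1/0/9 = trunk from garage, Gi1/0/8 = SIEM sensor ---
hostname SW-OFFICE
!
vlan 999
 name RSPAN-SIEM
 remote-span
!
interface GigabitEthernet1/0/9
 description Trunk to SW-GARAGE
 switchport mode trunk
 switchport trunk allowed vlan 1,999
!
interface GigabitEthernet1/0/8
 description SIEM sensor capture NIC (receive-only SPAN destination)
!
! Pull the RSPAN VLAN back out onto the sensor port
monitor session 1 source remote vlan 999
monitor session 1 destination interface GigabitEthernet1/0/8
!
! Verify on each switch with: show monitor session 1
```

A SPAN destination port only emits mirrored frames and does not forward the sensor's own traffic, so the sensor needs a second NIC for management and log shipping. Mirroring the pfSense-facing port captures what crosses the router (internet and inter-VLAN traffic), not frames switched directly between two hosts on the same VLAN.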


Just now, Electronics Wizardy said:

Those managed switches can do port mirroring. That would make much more sense than using the OPT port for port mirroring. Then you won't need to connect that OPT1 port at all.

 

Those SFP ports are 1GbE, so they won't be any faster than the RJ45 ports on the switch.

 

I'd probably go with the UniFi or TP-Link Omada access points as they're much cheaper for similar levels of performance, but those will work fine.

Thanks, I'll take a look at the Omadas!


5 hours ago, ki3den said:

ISP modem/gateway: modem from AT&T. sort of required as we have a landline broken out from there.

It's not sort of required, it's absolutely required, because that box is what authorizes you on the AT&T network. While there are some roundabout ways to get rid of their gateway, that's coming to an end. I know people generally put that gateway in IP passthrough mode, which turns off the router part of it for the most part and allows you to use your pfSense box.

I just want to sit back and watch the world burn. 


1 hour ago, Donut417 said:

It's not sort of required, it's absolutely required, because that box is what authorizes you on the AT&T network. While there are some roundabout ways to get rid of their gateway, that's coming to an end. I know people generally put that gateway in IP passthrough mode, which turns off the router part of it for the most part and allows you to use your pfSense box.

True, I was harkening back to the old days of cable modems lmao; I used to have a Linksys one, I think, with a separate Linksys wireless router as well.

Quote

Those managed switches can do port mirroring. That would make much more sense than using the OPT port for port mirroring. Then you won't need to connect that OPT1 port at all.

@Electronics Wizardy - (didn't see this part of your post at first) - I hadn't thought of that, not sure why. It definitely makes more sense to just mirror the LAN port on the switch to the RSPAN, rather than mirroring the port on the OPT/pfSense side. I think my line of thinking had to do with using "smart" switches in place of the managed ones - hence the comment on the VLAN tagging.
Although - that would leave OPT open to allow mirroring from the WAN port, if I end up deciding on that!


Just now, ki3den said:

True, I was harkening back to the old days of cable modems lmao; I used to have a Linksys one, I think, with a separate Linksys wireless router as well.

Well, with cable modems it's still that way. Cable companies are required to allow customer-owned modems. I have a CM1000v2, for example. Fiber providers don't have the same rules. I do hope in the future the rules are changed so you can buy your own ONT and use whatever router you want.
