
What upgrade? No upgrade? Futureproofing?

CMetaphor

Quadfather
Joined
May 5, 2007
Messages
6,500
Location
Montreal, Canada
Yes, this is a second thread by me in the same section of the forum. Wholly different topics though, so I think it's OK 👍.

Anyways. In the past few months I've slowly bought bits to improve my network.

Starting with the current setup:
Pfsense -> 16-port Linksys unmanaged gigabit PoE switch. Switch clients are a PoE-powered AP (meh-quality) and the non-PoE ports branch out to small unmanaged switch boxes in a few different rooms.
This setup works well enough, save for the wireless AP. Soooo....

What I've already purchased:
To solve my wifi problems, I got 2x TP link wireless AX APs (with many bells and whistles) *and* a TP link Omada management box (which is required in the TP link ecosystem for things like combining my two APs seamlessly). The intent here is to use my existing linksys PoE switch to power the two APs and the management box.

Also recently purchased:
I grabbed some mellanox 10gbe pcie cards and, coincidentally, a managed TP link 8-port SFP 10gbe switch. These together were meant to be a cheap(ish) way to get 10gbps transfers between multiple PCs in my computer room, including between my file server and a totally-secret you-guys-have-no-idea-yet PC.
It doesn't sound "cheap" per se, but it actually was compared to all alternatives (ex: getting USB 3.2 10gbps pcie cards for each PC and using an nvme drive to mule my big files all over).

I'm sure some of you can see where this is going already....

What I'm considering, possibly / probably, and likely stupidly:
Option 1) Leave everything as-is.
Option 2) Replace the unmanaged gigabit linksys PoE switch with a managed TP link gigabit poe switch, which would give me things like VLANs (very nice to have), LAGG, and management via the Omada box mentioned above. Also, using whatever method (cat7? Fiber?) link the new switch to the 10gbe switch. Which, AFAIK, will allow the Omada management box to "see" and control the 10Gbe switch.
Option 3) Replace the linksys with a Tp Link gigabit PoE switch.. that has a couple 10gbe SFP ports. Somehow stretch a 10gbe connection between one of those SFP ports and an SFP port on the 10gbe switch, and then magic happens like my file server being able to stream everything I could ever think of, all over my home network, for years and years to come. And also management box connectivity like Option 2, the same nice-to-haves, etc.

Ya... I'm silly and overthink these projects far too often. But what do you think HWC? Is Option 3 total overkill? Is it not future-proof enough and I need to get a 2.5gbe PoE switch + 10gbe SFP instead of gigabit + 10gbe sfp in order to be ready for the day (many years from now) when the majority of my network gets to 2.5gbe speeds? Or should I forget the whole inter-connected TP-Link + Omada stuff, and use what I already have (Option 1)?

As always, I've made the ideas in my head into a wall of text. I wonder if that doesn't bode well for my YT channel... or not?

I'll just shut up now. Tell me your thoughts HWC. Tell me I'm crazy, I type too much, have a good point, spend too much on uncompleted projects... whatever.

Discuss.
 

sswilson

Moderator
Staff member
Joined
Dec 9, 2006
Messages
24,765
Location
Moncton NB
Is the intention to keep everything in-line with the Pfsense firewall?

If that's the case, would you need managed switches downstream of it for VLans, or could that be done within Pfsense?

As far as Pfsense goes.... I'm very much a novice, and have very little networking experience, but for the most part I've seen a lot of recommendations that opnsense is essentially the same functionality but with a newb-friendly interface that's much more intuitive.
 

CMetaphor

Quadfather
Joined
May 5, 2007
Messages
6,500
Location
Montreal, Canada
@sswilson To be blunt, I'm just as much of a pfsense novice as you, maybe more so. But this thread isn't about Pfsense in any way (I think). Any VLANs I might make in Pfsense would likely be WAN-sided. Or with a managed (TP Link?) switch, I'd put my devices and PCs that need internet access on one VLAN on the switch, and connect only that VLAN to pfsense. Does pfsense even care about the switch's VLAN in that case? I don't think so, but I'm not certain.

Pretty much all of this thread is about my intranet. Speeds, futureproofing, management, VLANs to segregate things from other things, 10gbe, LAGG, etc.
 

sswilson

Moderator
Staff member
Joined
Dec 9, 2006
Messages
24,765
Location
Moncton NB
My point was that I don't believe you need managed switches to do VLan separation. As long as all of the internal network is "inside"/inline with your Pfsense box I'm fairly certain you can create VLans from the Pfsense box itself and then assign what mac addresses will belong to that group. I'm assuming you can also control whether a Vlan group is just internal LAN or also requires Wan connection.

I could be wrong, but I believe using managed switches is just adding an extra layer of control complexity which isn't required since it can all be done from the PFsense interface.
 

JD

Moderator
Staff member
Joined
Jul 16, 2007
Messages
11,979
Location
Toronto, ON
Generally speaking, if you want to do VLANs, I would go with managed switches so that you can tag each port with the VLAN. Otherwise, for each client device, you need to set the VLAN on it, which is just very cumbersome. I think most unmanaged switches will pass through VLAN tags.

As it sounds like you've made an investment in Omada already, I would be inclined to "buy into" that ecosystem as a whole and have your end goal being that the whole network is Omada hardware. To me it looks very similar to UniFi, so it's obviously much "cooler" when your dashboard shows everything, and that's only possible if all network components are Omada in your case.

I think I had suggested basically the same when you bought those APs, instead of buying the controller, you could have bought the integrated gateway: https://www.tp-link.com/ca/business-networking/omada-router-integrated-router/er7212pc/

But since you're headed down the 10G path, and since you have the separate Omada controller, maybe look at their 10G router? https://www.tp-link.com/ca/business-networking/omada-router-wired-router/er8411/. You'd still need a PoE switch though, I'd probably pair it with this if 8 ports is enough: https://www.tp-link.com/ca/business-networking/omada-switch-poe/tl-sg3210xhp-m2/. WiFi 7 AP's should be 2.5G ports I believe, so might as well future proof a bit.
 

CMetaphor

Quadfather
Joined
May 5, 2007
Messages
6,500
Location
Montreal, Canada
@JD Some good points. At the time, the gateway wasn't really necessary as the only TP link devices I was going to have was the two APs. Time certainly has changed things haha.

Regardless, I've already got the standalone Omada management box (which I think is still the fastest non-cloud management box, as it doesn't need to also handle as much as the gateway box does) so I might as well use it. The router switch is also unnecessary since no matter how fast it is, it wouldn't be as fast as Pfsense PC (quad core decently modern itx). ***Coming back to this at the end of this reply***

Also, If possible I'd like to limit how many "switch to switch" hops I have going on. I think I remember a real network guy telling me, a non-network guy, that too many hops will start to cause problems. That's why I tried to find a "main" switch that covers gigabit, PoE and management features.

Therefore, the "worst" potential traffic paths / most hops would be:
A) WAN wired: Pfsense -> Main managed poe switch -> sub, unmanaged switches where necessary -> Clients
B) WAN wireless: Pfsense -> main managed poe switch -> Wireless AP
C) Lan gigabit: main managed poe switch -> unmanaged sub switches
D) Lan 10gbe: main managed switch's 10gb sfp port -> 10gig sfp unmanaged switch.
(Note: the above possibilities are all either Option 2 or 3 from the OP)

The last switch you linked is one I'm considering, but 8x total ports just isn't quite enough (especially considering that 3x ports will be used by the 2x APs and 1x by the omada management box). In general it will be many, many years before 2.5g is supported by all my HTPCs (hell I only Just got gig fiber internet a couple weeks ago). On the flip side however, I think a 10gig connection from my file server to the main managed poe gigabit switch *Might* be noticeable in the near future. Not certain though, hence Options 2 or 3 in the OP.

*** You've actually made me consider a TpLink Router, as a possible replacement for my Pfsense box... I'll have to look into that seriously and start weighing pros/cons.

Obviously the Pfsense box has a lot going for it (pros): future proofing (pcie slots), much faster (quad core server-grade itx, and I've even got an octa-core one I could use too, but the quad is wayyy plenty for the moment), more features than I could ever learn or fully take advantage of, hardware encryption, pfsense ecosystem, and a bunch more pros. Cons: Pfsense is Really complicated, and my not being a networking guy means I'm likely missing out on many things it can do.

But with a TP link router box I'd gain simplicity, Omada management of pretty much everything on my network (although security might be a concern if TP link doesn't keep Omada supported after a few more years), a hardware warranty, and likely a few other things I can't think of right now.

I'll have to research what other pros/cons an Omada router would give me, but I'm kinda leaning towards keeping the Pfsense box for now.

... another wall of text. Sorry guys n gals. I've just got so much spinning around in my head hahah
 

JD

Moderator
Staff member
Joined
Jul 16, 2007
Messages
11,979
Location
Toronto, ON
I wouldn't worry too much about multiple switches, I don't think you'll ever exceed any "limit" in your home. Assuming you are able to run cabling, I would say centralise to a single larger switch.

If you're going the 10G path along with VLANs (and not Layer 3 switching), then you'll want your router to be 10G too. If you want to stick to pfSense, then toss in a 10G NIC there. Traffic will need to go back to the router if crossing VLANs, so you wouldn't want it bottlenecked at 1G.

Arguably, TP-Link's 10G router spec sheet is better than Ubiquiti's UDM Pro. The only real benefit I see to your pfSense box is if you're running a VPN server, you can probably get a lot closer to full gigabit (or whatever your internet upload speed is).
 

CMetaphor

Quadfather
Joined
May 5, 2007
Messages
6,500
Location
Montreal, Canada
Unfortunately centralizing, aka individual cables from every single client to one huge switch... well that's a huge amount of physical work for someone with a muscle disease like mine. I've got more than enough Cat6 to do it though... Just don't want that much literal pain for the days of work it would take me to do it.

I was hoping to pull a max of two Cat6 cables to each room: one for my intranet (file server access) and one for internet (everything that needs to have access to the net), hence why two VLANs on one main switch would be nice to have (and pfsense would obviously only control the internet VLAN, the other can be all static IPs probably). So two cables per room and small 5-port unmanaged switches in rooms that need more than one internet connection.

I've only just got gigabit fiber (1gb up and 1gb down), so 10gbe on the pfsense box is waayyyy too soon haha. And there will probably be almost zero crossover between vlans as well btw.

Still can't decide on option 2 or 3. How many 4k high quality streams can I get out of my file server, on top of normal traffic and a dozen or so internet clients, if I go with "only" one gigabit connection between the file server and the main switch? Arguably an Option 2 switch with LAGG might be a tiny bit better, but probably not noticeable.

Still really wondering which option I should go with. All of them are still on the table.
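JD's point above (cross-VLAN traffic has to hairpin back through the router, so a 1G router port caps it) and CMetaphor's plan (two VLANs on one managed switch, with pfSense only attached to the internet VLAN) can both be checked with a small path model. The block below is an added example written for this thread, not code from any poster or from TP-Link/pfSense; the VLAN IDs (10 = internet, 20 = intranet), host names and link speeds are constructed assumptions that roughly follow "Option 3" from the OP. Switches forward only inside a VLAN, so same-VLAN flows stay on the switch fabric; a flow between VLANs is only possible through a router that has an interface on both, and that is also the one place firewall rules can see it.

```python
from collections import deque

# Constructed VLAN plan (assumption, not from the thread).
VLAN_INTERNET, VLAN_INTRANET = 10, 20

# Which access VLAN each end host sits in (assumed for illustration).
HOST_VLAN = {
    "fileserver": VLAN_INTRANET,
    "desktop": VLAN_INTRANET,
    "htpc": VLAN_INTERNET,
    "laptop": VLAN_INTERNET,
}


def build_links(router_vlans=(VLAN_INTERNET, VLAN_INTRANET)):
    """Option-3 style layout: gigabit managed core switch with a 10G SFP
    uplink to a small 10G switch; pfSense hangs off a 1G port.
    Each link is (node_a, node_b, speed_gbps, vlan_ids_carried).
    `router_vlans` controls which VLANs the pfSense trunk port carries."""
    return [
        ("pfsense", "core-sw", 1.0, frozenset(router_vlans)),
        ("core-sw", "sfp-sw", 10.0, frozenset({VLAN_INTRANET})),
        ("sfp-sw", "fileserver", 10.0, frozenset({VLAN_INTRANET})),
        ("sfp-sw", "desktop", 10.0, frozenset({VLAN_INTRANET})),
        ("core-sw", "htpc", 1.0, frozenset({VLAN_INTERNET})),
        ("core-sw", "ap", 1.0, frozenset({VLAN_INTERNET})),
        ("ap", "laptop", 1.0, frozenset({VLAN_INTERNET})),
    ]


def adjacency(links, vlan):
    """Neighbours reachable over links that carry `vlan`, keyed by node."""
    adj = {}
    for a, b, gbps, vlans in links:
        if vlan in vlans:
            adj.setdefault(a, {})[b] = gbps
            adj.setdefault(b, {})[a] = gbps
    return adj


def layer2_path(links, src, dst, vlan):
    """BFS inside one broadcast domain: a switch only forwards within the VLAN.
    Returns the node list, or None if dst is not reachable on that VLAN."""
    adj = adjacency(links, vlan)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, {}):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def flow(links, src, dst, router="pfsense"):
    """Path and bottleneck for a src -> dst flow.  Same-VLAN traffic stays on
    the switches; cross-VLAN traffic must hairpin through the router, so it is
    capped by the router's uplink and is subject to the firewall's rules."""
    v_src, v_dst = HOST_VLAN[src], HOST_VLAN[dst]
    if v_src == v_dst:
        path, crosses = layer2_path(links, src, dst, v_src), False
    else:
        first = layer2_path(links, src, router, v_src)
        second = layer2_path(links, router, dst, v_dst)
        crosses = True
        path = first + second[1:] if first and second else None
    if path is None:
        # No router interface on both VLANs: the segments are isolated.
        return {"path": None, "bottleneck_gbps": 0.0, "crosses_router": crosses}
    speed = {}
    for a, b, gbps, _ in links:
        speed[(a, b)] = speed[(b, a)] = gbps
    bottleneck = min(speed[(a, b)] for a, b in zip(path, path[1:]))
    return {"path": path, "bottleneck_gbps": bottleneck, "crosses_router": crosses}


if __name__ == "__main__":
    full = build_links()
    for s, d in [("fileserver", "desktop"), ("htpc", "fileserver"), ("laptop", "htpc")]:
        print(f"{s} -> {d}: {flow(full, s, d)}")
    # pfSense attached to the internet VLAN only, as the thread proposes:
    print("isolated:", flow(build_links(router_vlans=(VLAN_INTERNET,)), "htpc", "fileserver"))
```

Run as a script it prints that fileserver -> desktop rides the 10G switch end to end, that htpc -> fileserver hairpins through pfsense and is capped at 1 Gbps, and that with pfSense trunked only on VLAN 10 there is no path at all between the two VLANs, which is what "segregate things from other things" buys you: the intranet hosts are unreachable from internet-side clients unless you deliberately put a routed interface on both sides.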
 

JD

Moderator
Staff member
Joined
Jul 16, 2007
Messages
11,979
Location
Toronto, ON
Links/Model numbers of things you're thinking of along with perhaps a diagram of what you think the overall topology will look like would help.

If you are already planning to pull 2 cables to each room, to me it seems like you could bundle additional cables without exerting too much extra energy?

Not too sure why you are splitting 10G and 1G networks? I'm doubtful you'd be saturating 10G on a normal day. Let's assume 1Gbps for Internet running full tilt and another 1Gbps for your 4K streams across like 10 clients, you still have 8Gbps left (1000MB/s).

LAGG/LACP is generally not worthwhile, most things are single-stream, so I would say it's a waste of a port.
 
