Does my idea of home network make sense?

Hello,
I want to set up a home network that fulfills the following:

  • Puts my IoT devices (at least the ones whose firmware I don't control) on a separate VLAN
  • My IoT devices and my Home Assistant VM can communicate
  • Home Assistant is also reachable from the LAN network
  • Allows me to do deep packet inspection and gather network statistics
  • Uses my pihole instance as DHCP and DNS on my local LAN

So with that in mind I am thinking about using my Archer C7 running OpenWrt as router and managed switch for VLANs, a VM on my main NAS running pfSense for deep packet inspection and nice network dashboards, and using my ISP router as the upstream of everything.

Here is the network diagram I drew:

Not sure if the wiring makes any sense.
The first time I tried to setup pfsense I was not sure what to use each interface for, and how to define the third one.
The first time I activated pfSense my local DNS (pihole) stopped resolving. It was working for local queries, but any upstream query was failing, and I had to reboot the VM and turn off pfSense to make it work again.

I don't know how to set up pfSense and OpenWrt to fulfill my requirements; any guidance will be much appreciated.

I don't quite get the intention behind that diagram, or rather what you expect the individual devices to do.

"ISP" with "4x LAN" suggests that you're dealing with an ISP modem-router terminating your external WAN IPv4 address. While sometimes unavoidable, this is not an ideal setup, as you either need to do dual NAT behind the ISP router (or static routes and NAT-less routing) or make your other devices part of the ISP LAN network. Either way NAT/routing/firewalling would be handled by the ISP device, which one shouldn't consider to be 'trusted', nor as full-featured as either OpenWrt or pfSense (you'd lose a lot of features from the dumbed-down ISP device).

The next aspect seems to be that you connect both the OpenWrt device and the pfSense box to your ISP router's LAN ports, and then interconnect the OpenWrt router and the pfSense box again, which doesn't really make sense. Unless you have a rather sophisticated VLAN and segmented-subnet setup (which the ISP router probably won't allow) or a LAG setting, you should only have one connection between devices; adding loops is just a recipe for pain.

Then I don't really understand the roles each of those devices is supposed to play. As it appears from the diagram, the pfSense box only works as a transparent bridge to connect your switch with the ISP router, which wouldn't really make sense. The OpenWrt router appears to have more of a purpose, by acting as AP (but why do you have a WAN link there) and potentially spanning multiple VLANs, but it's not really structured either.

It would be ideal if you decided about the basic network structure first and what purpose each of these devices is supposed to play. Basically there should only be one router (yes, that one might have to be behind the ISP router, if you can't get rid of that or degrade it to a mere bridged modem), which is the central decision maker in your network (external WAN IP terminated there, so it can do meaningful firewalling and port forwarding as needed, inter-VLAN routing and firewalling, etc.); all other devices then play a strictly serving role for it (e.g. using the OpenWrt device merely as managed switch + AP, with all the VLANs defined on the pfSense, or doing away with the pfSense box altogether and letting the OpenWrt router do everything).

Yes, in a corporate setting with hundreds of clients working on the clock and a need for multiple failovers it might make sense to put the individual roles on different devices (modem, router, firewall, DHCP+DNS server, backend switching, etc.), but at home that quickly shoots you in the foot (because everything has to work from the first second, just to read further documentation on the web, but that isn't going to be the case). You'd basically distribute your single point of failure over several different, barely integrated devices, with failure of any of those breaking the whole lot, thereby multiplying your failure potential.


Yes

100% agree. I will try to connect my OpenWrt router directly to the fiber router and see if I can get a DHCP assignment.

Nope, not the case

I have no idea what that is

Completely true

My weird network setup was built based on the following (probably wrong) assumptions:

  • VLAN traffic can go through a normal unmanaged switch and it will just let it pass, which is not true
  • OpenWrt on my Archer C7 is not powerful enough to give me enough insights about my network (how many broadcasts, how much traffic each device generates, etc.)

The objective was to use pfSense as VLAN router, managing both traffic from the non-VLAN Wi-Fi SSID and the VLAN one, dispatching it as needed. However, this was a big pain in the ass and nothing of what I tried worked at all.

Now that I look at the topology I see how ridiculous it is, creating unnecessary loops (albeit they were on two different subnets/VLANs).
For now, I will buy a small managed switch to route traffic from the AP and the first floor to the OpenWrt with proper VLAN tags and forget about pfSense.

What I cannot get my head around is VLANs on OpenWrt. It seems that tagging an interface with a VLAN makes it only take traffic that is tagged like that and drop the rest, so I cannot use that to allow IoT + LAN traffic entering on a single port, but the untagged option can only be added to one VLAN, so I will have to tag that interface for VLAN 1, and I'm not sure what that means.

Link aggregation, combining two (or more) 1 Gbit/s Ethernet ports into one (there are some caveats; it mostly works to speed up serving multiple devices behind that LAG group).

Correct, what unmanaged switches do with tagged packets is undefined. Some may pass them through unchanged, some will drop them, some will do even stranger things.

That is possible, just for completeness' sake, OpenWrt runs on x86_64 hardware just as well (it is easier to stick to one OS, not necessary, just less different GUIs/ configuration ways to learn).

A managed switch is always a nice addition to your network (I'd just avoid the TP-LINK TL-SG108E, as it can't isolate the management VLAN on VID 1).

Yes, but you can transport multiple tagged VLANs over a single port, be it a trunk port configuration (all VLANs) or just selected ones. Combining untagged and tagged packets over the same port is recommended against (but possible, though not on all hardware).

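As an added example (not taken from any post in this thread), here is what the "one router, several tagged VLANs on one port" approach discussed above looks like in OpenWrt's UCI config files, for a router whose ports are plain Ethernet NICs rather than an internal switch (an x86 box, for instance). It assumes the following, none of which appear in the thread: eth0 is the WAN port, eth1 is the single trunk link to the managed switch/AP, the LAN is VLAN 10 on 192.168.10.0/24, the IoT network is VLAN 20 on 192.168.20.0/24, and the Home Assistant VM sits on the LAN at 192.168.10.50 listening on TCP 8123. The trunk port carries both VLANs tagged and is itself a member of no untagged VLAN, which answers the "untagged can only go in one VLAN" worry: you simply do not use untagged on a trunk. The switch/AP side must then have VLAN 10 and VLAN 20 tagged on its uplink port and map each SSID to one of them.

```uci
# /etc/config/network (excerpt)  -- assumed port names and addressing, see lead-in
config device
	option name 'eth1.10'      # LAN, tagged VLAN 10 on the trunk link
	option type '8021q'
	option ifname 'eth1'
	option vid '10'

config device
	option name 'eth1.20'      # IoT, tagged VLAN 20 on the same trunk link
	option type '8021q'
	option ifname 'eth1'
	option vid '20'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'lan'
	option device 'eth1.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'eth1.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp (excerpt)
# LAN leases are handed out by the pihole (see the requirements in the first post),
# so the router's dnsmasq must stay quiet there; the IoT VLAN is served by the router.
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall (excerpt)
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'iot'          # untrusted: nothing in, nothing forwarded by default
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding            # LAN may reach the internet
	option src 'lan'
	option dest 'wan'

config forwarding            # LAN (including Home Assistant) may reach IoT devices;
	option src 'lan'         # replies come back through conntrack
	option dest 'iot'

config forwarding            # remove this stanza for IoT devices that must stay offline
	option src 'iot'
	option dest 'wan'

config rule                  # the only LAN host IoT may initiate to: Home Assistant (assumed IP/port)
	option name 'iot-to-homeassistant'
	option src 'iot'
	option dest 'lan'
	option dest_ip '192.168.10.50'
	option dest_port '8123'
	option proto 'tcp'
	option target 'ACCEPT'

config rule                  # IoT devices still need DHCP and DNS from the router itself
	option name 'iot-dhcp-dns'
	option src 'iot'
	option dest_port '53 67'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

Two things worth checking after applying this: `ip -d link show eth1.10` should report `vlan protocol 802.1Q id 10`, and a client on the IoT VLAN should be able to open 192.168.10.50:8123 but time out against any other LAN address. Device discovery that relies on mDNS or broadcasts does not cross the two VLANs on its own; that needs a reflector (e.g. avahi or umdns with both interfaces listed) and is not covered by the rules above.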

Consider running OpenWrt on your x86 box and using it as your router... Then put your Archer C7 as an access point on the LAN network.

That is something that didn't even cross my mind... what a fool