Managed Network Switch Upgrade Suggestions?

SplatMan_DK

Ars Tribunus Angusticlavius
8,051
Subscriptor++
You have many excellent answers here.

I don't agree with everything, but that's probably because we're all a bunch of geeks/experts. You'll get as many different answers as there are posters :)

I decided cost was "not a factor" because I wanted to prioritize IT security. So it was legitimate to spend hundreds of dollars on above-average network gear to achieve that.

I settled on Unifi. I also manage a team of network engineers at work, and boy is Ubiquiti a brand that will... get a discussion going... :-D To some, it's utter crap. They work with datacenter-grade Cisco ACI gear, and obviously prosumer UniFi devices are nowhere near that. There is a lot of "very pro" stuff that UniFi just can't do. But trust me: you'll never need it. Like ... ever.

For me, it's been a very good solution. Using a UDM Pro as a controller has been a breeze, and learning how to configure things even as a non-network-engineer has been perfectly doable.

The end result is a relatively robust home network. We are 5 people, lots of gaming-PCs, two gaming consoles, TV sets with Ethernet/internet capability, and so forth.

I run four separate network segments: Server, Trusted, Guest and IoT. There is a bunch of lab-stuff and a NAS on the server segment, the Trusted network is our normal devices, and the IoT network is all the crap that I can't trust - like televisions, wifi bulbs, and Google devices.

Managing the segments and ensuring traffic is blocked or allowed between them is pretty straightforward in the UniFi UI. And managing individual ports is easy - including for the scenarios where (for one reason or another) I have added a small 5 port switch to the mix. They're like 30 dollars and will quickly allow you to separate traffic on different physical ports even if there is only a single uplink cable.

In total I am using the UDM, three APs, one "core" switch with PoE connected to the UDM, and three small 5-port units.

More expensive than just getting an 8 port switch? Sure. But you'll stop worrying about having that connected TV on the same net as your work laptop, or stop suffering from not having it connected at all because TV vendors can't be trusted.

I guess it's a matter of finally reaching the point where spending money on your local IT infrastructure is a priority. Many people happily spend lots of money on a sofa, a car, kitchen appliances, or a fancy lawnmower (connected to the 'net of course). Prioritizing your network is something you should allow yourself to do. :)
 

Andrewcw

Ars Legatus Legionis
18,570
Subscriptor
Sure. But then you have to list every router under the sun if you want to include unpatched. It's not like TP-Link ignored the issue. They addressed it here. https://community.tp-link.com/us/home/forum/topic/607966

More than a year ago. Ample time for someone to patch a router.

And this OP was more talking about updating his switches. I just brought up the point to figure out his reasoning behind not wanting to use TP-Link when almost every brand has some issue.
 
I was thinking even if the network switch has a vulnerability, the routers firewall should protect the network switch?
To some degree, yes. But browsers have been exploited in the past to attack internal network infrastructure like that; you're browsing some web page, a malicious ad loads, and suddenly your browser invisibly attacks the management ports on your switches and/or firewalls.

Browser authors try hard to stop this kind of nonsense, but there's always one more bug.
 

Miwa

Ars Tribunus Angusticlavius
6,268
Subscriptor++
re: VLAN stuff. I like this video for an example for configuring VLANs on Ubiquiti switches. You can watch the video and decide if the level of effort is appropriate for what you think your skill level is. There are lots of ways to do things, but this shows step by step the sorts of things you have to do (configure ports, firewall rules, etc)
 

Struxxffs

Ars Praetorian
813
Subscriptor
Mikrotik stuff is really good, but much more complex. I'm using an 8-port SFP+ switch from them and like it very much, but it's got a full CLI and a really intricate set of web pages for management. Again, excellent quality, ideal if you have a clue, confusing as hell if you don't.

SFP+ is for using fiber connections, correct?
L3 VLANs let you mostly separate two machines, but allow specific traffic through. It more resembles internal firewalling. But firewalling is complex.
How would you allow devices on separate VLANs to talk to one another? An example is when setting up IoT devices on a separate VLAN, but they still need to be used from your cellphone. Would you use a floating firewall?
Most cheap unmanaged switches are about the same, in my experience. It's when you get into managed switches that you need to think about software quality and updates.
Thank you.
But you'd be paying quite a bit more than a simple unmanaged 2.5G switch, and using a bit more power as well.
Thank you for the serve the home link!
To some degree, yes. But browsers have been exploited in the past to attack internal network infrastructure like that; you're browsing some web page, a malicious ad loads, and suddenly your browser invisibly attacks the management ports on your switches and/or firewalls.

Browser authors try hard to stop this kind of nonsense, but there's always one more bug.
Using a browser with a malicious ad to exploit a network switch is not something I would have thought of.

re: VLAN stuff. I like this video for an example for configuring VLANs on Ubiquiti switches. You can watch the video and decide if the level of effort is appropriate for what you think your skill level is. There are lots of ways to do things, but this shows step by step the sorts of things you have to do (configure ports, firewall rules, etc)
Thank you, I will check it out.
 
SFP+ is for using fiber connections, correct?
Primarily, yes. There are also copper SFP+ modules, which plug into the same slots and work just the same way, but 10G copper runs very hot compared to 10G fiber, and I don't generally recommend it. You can get fiber SFP+ ports and modules really cheap by buying used enterprise gear, and that's my current recommendation in many cases if you want to go to 10G.

Only a thing you need to think about past 2.5G. Copper is still acceptable at 2.5G.

How would you allow devices on separate VLANs to talk to one another? An example is when setting up IoT devices on a separate VLAN, but they still need to be used from your cellphone. Would you use a floating firewall?

On an L2 VLAN, it's on or off; you allow everything or you don't. Any given port can be on multiple VLANs, so if you have a device you want to share, you can stick it into all the VLANs that you want to talk to it. (assuming that all your VLANs are on the same IP network segment, eg they're all in 192.168.1.0/24.) But then you get no protection to and from that device.

If the VLANs are on separate IP network segments (eg, 192.168.1.0 and 192.168.2.0), then you generally do routing and firewalling on your edge router between the two networks. Multi-segment networks can get really hairy. When my network was five segments, it took more than fifty rules to define what should pass and what should be blocked. Logic errors are exceptionally easy. I found problems for months after my initial design attempt, all those years ago.

With an L3 VLAN, you can open up specific ports to and from specific IPs, so you can expose only some services, not all of them. If everything's on the same network segment, this is usually less hairy than a multi-segment firewall.

I haven't done much with L3 VLANs, so I'm not sure if they do stateful firewalling or not. This is where the firewall engine tracks connection state and automatically allows related packets through without explicit rules; for some protocols, this makes rulesets enormously simpler. This is much better than stateless firewalling. I'm not sure whether L3 VLANs are stateful or stateless.

You may be gathering, by now, that network segmentation is complex, confusing, and easy to get wrong. This would be precisely the correct takeaway. It is absolutely doable, but it will take a lot of focus to understand things, define what you want, and do it correctly. L2 in a single IP network segment is the easiest method to reason about.

Using a browser with a malicious ad to exploit a network switch is not something I would have thought of.

It was pretty common a few years ago. Usually they were attacking the external firewall, using well-known management pages and exploiting the fact that your browser might be already logged in, or that the firewall might use a default password.

I think they've plugged most of the related browser holes, and many consumer router/firewall/APs have switched to using unique passwords with a sticker on the back telling you what it is, but changing to your own strong password and not doing auto-logins both remain good ideas.
 
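The attack sketched in the reply above works because the browser attaches the management session cookie to whatever request a page (including an ad) triggers toward the device's address. The user-side mitigations the reply gives (a unique, strong password and no auto-login) stand; the device-side check that closes the same hole is a same-site gate on state-changing requests. The following is an added example, not code from the thread or from any router vendor: the management hostnames, the header sets and the cookie values are constructed.

```python
"""Same-site gate for a device's management endpoints (added example, not any vendor's code)."""
from typing import Dict, Set, Tuple
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def admin_request_allowed(method: str, headers: Dict[str, str],
                          device_hosts: Set[str]) -> Tuple[bool, str]:
    """Decide whether a management-page request may proceed.

    headers: request headers with lower-cased names.
    device_hosts: hostnames/IPs the management UI is legitimately served on.
    Only state-changing methods are gated; a GET that reconfigures the device
    would bypass this, which is why management pages must not act on GET.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "read-only method"
    site = headers.get("sec-fetch-site")
    if site in ("same-origin", "none"):          # "none" = typed URL or bookmark
        return True, f"sec-fetch-site={site}"
    if site is not None:
        return False, f"sec-fetch-site={site}"   # "cross-site", or "same-site" (sibling host)
    # Older browsers send no Sec-Fetch-Site; fall back to Origin, then Referer.
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value is not None:
            host = urlsplit(value).hostname       # "null" or garbage -> None -> refused
            return host in device_hosts, f"{name} host={host}"
    return False, "no origin information"


DEVICE = {"192.168.1.1", "router.lan"}   # constructed management addresses


def check_requests() -> Dict[str, bool]:
    """Constructed requests: an ad-driven cross-site POST next to legitimate ones.

    Every case carries the session cookie, as a logged-in browser would attach it.
    """
    cases = {
        "ad page, modern browser": ("POST", {"sec-fetch-site": "cross-site",
                                             "origin": "https://ads.example",
                                             "cookie": "session=abc"}),
        "ad page, old browser": ("POST", {"origin": "https://ads.example", "cookie": "session=abc"}),
        "admin UI, modern browser": ("POST", {"sec-fetch-site": "same-origin", "cookie": "session=abc"}),
        "admin UI, old browser": ("POST", {"referer": "http://192.168.1.1/admin", "cookie": "session=abc"}),
        "sandboxed iframe (Origin: null)": ("POST", {"origin": "null", "cookie": "session=abc"}),
        "blind POST, no origin headers": ("POST", {"cookie": "session=abc"}),
        "status page view": ("GET", {"sec-fetch-site": "cross-site", "cookie": "session=abc"}),
    }
    return {name: admin_request_allowed(m, h, DEVICE)[0] for name, (m, h) in cases.items()}
```

The gate refuses anything it cannot prove came from the device's own pages; the cost is that a status page that still performs actions on GET gets no protection, so the two go together.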

steelghost

Ars Praefectus
5,437
Subscriptor++
You can also use DAC (Direct Attach Copper) cables to connect SFP+ ports. I have two Mikrotik switches in my little network rack, both with 2x 10Gbit SFP+ ports. They're connected together with a really short DAC. On one switch I then have a Mikrotik S+RJ10 so my server gets a 10Gbit link to everything else - the board has dual Intel X550-T NICs onboard and all the PCIe connectivity is otherwise occupied. If I had a machine with no onboard fast connectivity and a spare PCIe slot, I'd put in an SFP+ NIC and run a DAC from that to the switch.

The other spare SFP+ port contains an fs.com copy of a Mikrotik S+85DLC03D optic, waiting for me to run fibre to my office, so my main PC can also connect to the LAN at 10GBit.

MGR isn't wrong about the heat from the 10GBaseT SFP+ adaptors, I had to add a fan to my "big" (24 port) switch to ensure there's airflow across the SFP+ cages.
(photo attached: 20250118_174338.jpg)

Even so, the module reports a temperature in the 62-65C range. But that's a damn sight better than the high 80s C you'd be seeing otherwise.

(I've ended up with managed switches because the facilities I wanted otherwise came along with a management interface. I have a handful of IP cameras here and my intention is to put them on a separate VLAN and only allow the container that runs my NVR to talk to them, mainly as a learning exercise. If I can get that working, I might also look at separating off my other IOT bits and bobs, more for their safety than anything else.)

TL;DR - In short, SFP+ ports are a great thing to have on any switch, since they are so flexible. But switches that come with them tend to cost more, and use more power. Up to you how you play that tradeoff, depending on your present and anticipated future requirements. In your position, I'd be looking at getting the cheapest unmanaged 2.5GbE switch I could find. An unmanaged switch has no management interface to form an attack surface, so unless you need the management facilities, you're arguably better off without it.

Make sure your client devices are well secured, and enjoy your quicker file transfers :)
 
You can also use DAC (Direct Attach Copper) cables to connect SFP+ ports.
You can get used Brocade SFP+ SR modules for about $8 on eBay, so my preference for switch-to-switch is a pair of those and a $5 3-foot LC duplex multimode cable. (I'm being extra verbose there on purpose, because this comment is aimed at novices.)

If you buy a six-pack of the modules ($50), that'll cover a switch-to-switch and two computer-to-switch connections. And longer cables barely cost more; 10-footers are still about $5.

I prefer armored cable for longer runs; you can usually step on those without damaging them. They're more expensive, though. I'm using an outdoor-rated, 100 foot armored cable to connect two rooms, and the specific one I bought is currently $42.

An unarmored fiber patch cable will be a little fragile in comparison to the DAC, but will be fine as long as you're reasonably careful and don't kink it. And if you do break it, well, it's only about $5.
 
Didn't know you could get armoured fibre, I'll have to look into that for my loft run, I can tack it straight onto the roof timbers rather than having to run conduit up there.
This is the one that I ordered:

https://www.amazon.com/dp/B07YWJPBF7

It's been working fine. I have no point of comparison, so I don't know how good it is compared to other options, other than it hasn't been damaged yet.

edit: make sure that suits your modules. That's a multimode fiber.
 

KD5MDK

Ars Legatus Legionis
22,854
Subscriptor++
Here's a direct burial (TPU instead of LSZH) equivalent https://www.amazon.com/dp/B0C9Y7SPGC/ if you're using it outdoors. Higher friction if you're pulling it through conduit than LSZH, but more rugged. Price is quite similar.
I use a lot of singlemode from the same vendor and they've been fine.

For outdoors use I have a slight preference for these: https://www.fs.com/products/106591.html
because they have separated cables at the ends which go well into my waterproof couplers: https://www.amazon.com/PNGKNYOCN-Waterproof-Optical-Connector-Extension/dp/B0C5R82DY4
 

Struxxffs

Ars Praetorian
813
Subscriptor
On an L2 VLAN, it's on or off; you allow everything or you don't. Any given port can be on multiple VLANs, so if you have a device you want to share, you can stick it into all the VLANs that you want to talk to it. (assuming that all your VLANs are on the same IP network segment, eg they're all in 192.168.1.0/24.) But then you get no protection to and from that device.

To ensure I understand correctly, the layer 2 VLAN allows isolation of computers by using MAC addresses; it does not use port isolation.

MGR isn't wrong about the heat from the 10GBaseT SFP+ adaptors, I had to add a fan to my "big" (24 port) switch to ensure there's airflow across the SFP+ cages.

TL;DR - In short, SFP+ ports are a great thing to have on any switch, since they are so flexible. But switches that come with them tend to cost more, and use more power. Up to you how you play that tradeoff, depending on your present and anticipated future requirements. In your position, I'd be looking at getting the cheapest unmanaged 2.5GbE switch I could find. An unmanaged switch has no management interface to form an attack surface, so unless you need the management facilities, you're arguably better off without it.

Make sure your client devices are well secured, and enjoy your quicker file transfers :)

Thank you for the heads up about the heat. Also, that's a pretty cool switch, thanks for sharing the picture!

An unmanaged switch seems like the best thing currently.

Trying to find a small 2.5Gbps switch with 8 ports that is light enough to fit under the desk is more difficult than I thought it would be.
 
To ensure I understand correctly, the layer 2 VLAN allows isolation of computers by using MAC addresses; it does not use port isolation.
I've never seen a VLAN that worked on MAC addresses. Those can be spoofed. Instead, it's always been by port. Say, port 1 is in all VLANs, but then 2,3,4 are in VLAN 100, and then 5,6,7 are in VLAN 101. If you move a computer from port 4 to port 5, it instantly changes from VLAN 100 to VLAN 101, no matter what its MAC address is.

If you want to chain switches and share VLANs, that can be done with VLAN tagging, where you set the port to add a tag to incoming packets, and (usually) to strip it off on outgoing packets. That will let you daisy-chain multiple switches, carrying multiple VLANs. However, that gets complex when you're trying to route multiple VLANs through one outgoing port, like on a router to the Internet. With a port that's in multiple VLANs, what VLAN do you tag with for incoming packets? Either you need VLAN support on the edge router itself, so it tags its own packets before they even hit the switch, or the router needs multiple interfaces, each connecting to a port in each VLAN that needs outbound access.

I suppose it's possible that there might be a VLAN switch that switches by MAC instead of by port, but I've never seen one.

Trying to find a small 2.5Gbps switch with 8 ports that is light enough to fit under the desk is more difficult than I thought it would be.
Watch servethehome.com for reviews; something will be along eventually.
 
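The port-based behaviour described in the reply above (the port, not the host's MAC, decides the VLAN; a trunk port adds the 802.1Q tag on the way out and strips it on the way in; an untagged frame arriving on a port that carries several VLANs has to fall into one default VLAN) can be modelled in a few dozen lines. This is an added example, not code from the thread or from any switch vendor. The port map (port 1 trunk with native VLAN 1, ports 2-4 in VLAN 100, 5-7 in VLAN 101), the MAC addresses and the frame payloads are constructed; the tag layout (TPID 0x8100, VLAN ID in the low 12 bits of the TCI) is the real 802.1Q format.

```python
"""Port-based VLAN switch with 802.1Q tagging (added example, not from the thread)."""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces a VLAN tag


@dataclass
class Frame:
    dst: bytes            # 6-byte destination MAC
    src: bytes            # 6-byte source MAC
    vlan: Optional[int]   # None = no tag on the wire
    payload: bytes        # EtherType + data, opaque here


def encode(f: Frame) -> bytes:
    """Wire format: dst, src, then an optional 4-byte tag (TPID + TCI) before the payload."""
    tag = struct.pack("!HH", TPID_8021Q, f.vlan & 0x0FFF) if f.vlan is not None else b""
    return f.dst + f.src + tag + f.payload


def decode(raw: bytes) -> Frame:
    dst, src = raw[:6], raw[6:12]
    if len(raw) >= 16 and struct.unpack("!H", raw[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", raw[14:16])[0]
        return Frame(dst, src, tci & 0x0FFF, raw[16:])   # low 12 bits of TCI = VLAN ID
    return Frame(dst, src, None, raw[12:])


@dataclass(frozen=True)
class Port:
    pvid: int                               # VLAN for untagged frames, in and out
    tagged: FrozenSet[int] = frozenset()    # VLANs carried with a tag (trunk)

    def carries(self, vlan: int) -> bool:
        return vlan == self.pvid or vlan in self.tagged


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports
        self.fdb: Dict[Tuple[int, bytes], int] = {}  # (vlan, mac) -> port; learning is per VLAN

    def receive(self, in_port: int, raw: bytes) -> Dict[int, bytes]:
        """Switch one frame; returns {egress port: wire bytes}. Empty dict means dropped."""
        port, f = self.ports[in_port], decode(raw)
        if f.vlan is None:
            vlan = port.pvid                 # the port, not the MAC, decides the VLAN
        elif f.vlan in port.tagged:
            vlan = f.vlan
        else:
            return {}                        # tagged for a VLAN this port does not carry
        self.fdb[(vlan, f.src)] = in_port
        known = self.fdb.get((vlan, f.dst))
        candidates = [known] if known is not None else list(self.ports)
        out = {}
        for p in candidates:
            if p == in_port or not self.ports[p].carries(vlan):
                continue
            egress = vlan if vlan in self.ports[p].tagged else None  # strip on access ports
            out[p] = encode(Frame(f.dst, f.src, egress, f.payload))
        return out


def build_switch() -> Switch:
    """Port 1 is the trunk to the router (native VLAN 1), 2-4 are VLAN 100, 5-7 are VLAN 101."""
    ports = {1: Port(pvid=1, tagged=frozenset({100, 101}))}
    ports.update({p: Port(pvid=100) for p in (2, 3, 4)})
    ports.update({p: Port(pvid=101) for p in (5, 6, 7)})
    return Switch(ports)


HOST_A = bytes.fromhex("020000000001")   # constructed, locally administered MAC
BCAST = b"\xff" * 6


def move_host_between_ports():
    """Same MAC, same broadcast: the egress set follows the port, and the trunk copy is tagged."""
    sw = build_switch()
    arp = encode(Frame(BCAST, HOST_A, None, b"\x08\x06arp-who-has"))
    via_port4 = sw.receive(4, arp)
    via_port5 = sw.receive(5, arp)
    return sorted(via_port4), sorted(via_port5), decode(via_port5[1]).vlan


def trunk_ingress():
    """Tagged frames from the router land only in their VLAN; untagged ones fall into the native VLAN."""
    sw = build_switch()
    router = bytes.fromhex("020000000099")
    tagged_100 = sw.receive(1, encode(Frame(BCAST, router, 100, b"\x08\x06")))
    tagged_200 = sw.receive(1, encode(Frame(BCAST, router, 200, b"\x08\x06")))  # VLAN not on trunk
    untagged = sw.receive(1, encode(Frame(BCAST, router, None, b"\x08\x06")))   # PVID 1, no members
    return sorted(tagged_100), sorted(tagged_200), sorted(untagged)
```

Two things worth noticing when running it: the forwarding table is keyed by (VLAN, MAC), so a host learned in VLAN 100 is simply unknown in VLAN 101, and an untagged frame on the trunk goes nowhere because nothing else carries the trunk's native VLAN, which is the answer to "what VLAN do you tag with for incoming packets" on a multi-VLAN port.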

gfunkdave

Wise, Aged Ars Veteran
166
This is the one that I ordered:

https://www.amazon.com/dp/B07YWJPBF7

It's been working fine. I have no point of comparison, so I don't know how good it is compared to other options, other than it hasn't been damaged yet.

edit: make sure that suits your modules. That's a multimode fiber.

Can also get cut-to-order cable from fs.com with whatever connectors you want on it.
 

Struxxffs

Ars Praetorian
813
Subscriptor
I've never seen a VLAN that worked on MAC addresses. Those can be spoofed. Instead, it's always been by port. Say, port 1 is in all VLANs, but then 2,3,4 are in VLAN 100, and then 5,6,7 are in VLAN 101. If you move a computer from port 4 to port 5, it instantly changes from VLAN 100 to VLAN 101, no matter what its MAC address is.

If you want to chain switches and share VLANs, that can be done with VLAN tagging, where you set the port to add a tag to incoming packets, and (usually) to strip it off on outgoing packets. That will let you daisy-chain multiple switches, carrying multiple VLANs. However, that gets complex when you're trying to route multiple VLANs through one outgoing port, like on a router to the Internet. With a port that's in multiple VLANs, what VLAN do you tag with for incoming packets? Either you need VLAN support on the edge router itself, so it tags its own packets before they even hit the switch, or the router needs multiple interfaces, each connecting to a port in each VLAN that needs outbound access.

I suppose it's possible that there might be a VLAN switch that switches by MAC instead of by port, but I've never seen one.


Watch servethehome.com for reviews; something will be along eventually.

Thank you.



D-Link, now that's a name I have not heard of in a long time! Honestly it looks perfect.

For $92 you can get a TRENDnet TEG-S5091, which has eight 2.5GBaseT ports and an SFP+ port. Their TEG-S380 (8x 2.5G) is $90, so in effect you're getting an SFP+ port for $2.

Both are unmanaged.

The switch is 2.5Gbps but it features a 10G fiber SFP+ port. I'm sorry if this is a stupid question, but if the ports on the switch are 2.5Gbps, what would the 10G fiber SFP+ port be able to be used for?

If it's relevant, media files in a large file format would be transferred over LAN with this switch.

Main reason to finding a small switch is for mounting it underneath the desk. Easy to plug into, and easy to use.
 

steelghost

Ars Praefectus
5,437
Subscriptor++
The switch is 2.5Gbps but it features a 10G fiber SFP+ port. I'm sorry if this is a stupid question, but if the ports on the switch are 2.5Gbps, what would the 10G fiber SFP+ port be able to be used for?
Any of the kinds of connections I wrote about. For instance, being able to link this switch to another switch, or a server, with a very fast connection.

If it's not something you think you'll want, you can save yourself $2 :)

All of these switches being suggested are about as small as it's possible for an 8-port switch to be, to be honest.
 

Struxxffs

Ars Praetorian
813
Subscriptor
Any of the kinds of connections I wrote about. For instance, being able to link this switch to another switch, or a server, with a very fast connection.

If it's not something you think you'll want, you can save yourself $2 :)

All of these switches being suggested are about as small as it's possible for an 8-port switch to be, to be honest.


Basically, while all the other devices can only achieve the 2.5Gbps speed, the 10Gbps SFP+ port that is connected removes the bottleneck of the server, and all other computers on the network that are connected to the switch are able to use the full 2.5Gbps at the same time.
 
I'm sorry if this is a stupid question, but if the ports on the switch are 2.5Gbps, what would the 10G fiber SFP+ port be able to be used for?
That's for daisy-chaining to another switch. By connecting the switches at 10Gbps, that means you can run up to four 2.5Gb ports across the two switches at full capacity. If you uplink with a 2.5Gb cable, then the total aggregate bandwidth between the switches can only be 2.5 gigabits. If you have more than one on each side trying to send data, they'll have to share the single link.

It's better to have two SFP+ ports; that lets you either daisy-chain switches, or allows for one uplink and one 10Gb client. If you have only one, realistically the only thing you can use it for is as a switch uplink. I guess you could plug a server in there, which would allow up to four 2.5Gb clients to be served full speed, but home networks don't usually need that.
 

steelghost

Ars Praefectus
5,437
Subscriptor++
This is where the design and cost considerations for a home network vs a production network come into play. Unless you are transferring files all day long and the rate at which the file transfers go matters to your business, having a 2.5Gb vs 10Gb uplink to some switch you may at some point buy, probably doesn't matter :)

That's not to say it isn't nice to move files between PC A and PC B twice as fast because you upgraded your switch from 1Gb to 2.5Gb. But it's debatable how many future requirements you want to spend money on. That was what I was getting at when mentioning that in effect, that SFP+ port is costing you $2. If you never use it, it's not cost you much of anything. Maybe one day, it might come in handy. Or, maybe not.
 

Struxxffs

Ars Praetorian
813
Subscriptor
Yes - if your server can keep up, multiple devices can access it at speeds of up to 2.5Gbit.

In a server with NVME storage, this is a plausible scenario. Whether it's needed in a home network is a whole other discussion.
That's for daisy-chaining to another switch. By connecting the switches at 10Gbps, that means you can run up to four 2.5Gb ports across the two switches at full capacity. If you uplink with a 2.5Gb cable, then the total aggregate bandwidth between the switches can only be 2.5 gigabits. If you have more than one on each side trying to send data, they'll have to share the single link.

It's better to have two SFP+ ports; that lets you either daisy-chain switches, or allows for one uplink and one 10Gb client. If you have only one, realistically the only thing you can use it for is as a switch uplink. I guess you could plug a server in there, which would allow up to four 2.5Gb clients to be served full speed, but home networks don't usually need that.
This is where the design and cost considerations for a home network vs a production network come into play. Unless you are transferring files all day long and the rate at which the file transfers go matters to your business, having a 2.5Gb vs 10Gb uplink to some switch you may at some point buy, probably doesn't matter :)

That's not to say it isn't nice to move files between PC A and PC B twice as fast because you upgraded your switch from 1Gb to 2.5Gb. But it's debatable how many future requirements you want to spend money on. That was what I was getting at when mentioning that in effect, that SFP+ port is costing you $2. If you never use it, it's not cost you much of anything. Maybe one day, it might come in handy. Or, maybe not.

A switch with an SFP+ port may be beneficial down the line. They do seem quite a bit bigger than a normal switch. They would both need to have an SFP+ port for both switches to work?
 

ERIFNOMI

Ars Tribunus Angusticlavius
15,399
Subscriptor++
A switch with an SFP+ port may be beneficial down the line. They do seem quite a bit bigger than a normal switch. They would both need to have an SFP+ port for both switches to work?
Not necessarily. You can get copper SFP+ modules and go plain ol' Cat6. The whole point of the SFP-family is you can swap whatever module you need for the job. I have DAC and multi-mode fiber modules in my switch. I have a copper 10Gbps RJ45 module as I used to have a system with a 10Gbps copper NIC on board, but I don't use that system anymore so that module has been swapped for fiber for something else.

Less useful in a home scenario where everyone uses copper Ethernet (well, actually everyone just uses WiFi, but whatever). But you can see how it would be much more useful in an enterprise setting. You might have a rack with a few servers that are close enough for DAC, or you might be feeding a few local machines "classic" BASE-T. That switch might also connect to another main switch clear across the huge building and twisted pair might not cut it for that run as the spec calls for a max of 100m, so you have some relatively short range fiber. Or maybe it's the core switch for that building and it connects to another switch on the campus and needs an optic that can push out over ~1km of fiber. Or maybe it's gotta go a lot further than that so you switch to a module that can go out to 10km.
 
A switch with an SFP+ port may be beneficial down the line. They do seem quite a bit bigger than a normal switch. They would both need to have an SFP+ port for both switches to work?
Yes, you need an SFP+ module for each side, both of the same type (SR or LR, short or long range), normally the same connector on both ends (usually LC duplex), and then a compatible fiber patch cable. (multimode for SR, singlemode for LR.)

If you only have one SFP+ port on the switch, that means it can only realistically be a peripheral of another switch with an SFP+ port. Ideally, you want at least two ports on each switch, allowing you to either daisy-chain or have a 10G local client.

My setup here is an 8-port SFP+ only switch, and a secondary switch with two SFP+ ports, like four 2.5G ports, and I think eight gigabit ports. (I'd have to look at it to be sure, and it's in an awkward spot.) They're all managed and VLAN-capable, but I don't bother with that. Instead, I do segmentation with my firewall, actual physical separation instead of VLANs, and use little cheapass gigabit switches for the other networks. The systems I don't trust are fine on a gigabit.
 

Struxxffs

Ars Praetorian
813
Subscriptor
Not necessarily. You can get copper SFP+ modules and go plain ol' Cat6. The whole point of the SFP-family is you can swap whatever module you need for the job. I have DAC and multi-mode fiber modules in my switch. I have a copper 10Gbps RJ45 module as I used to have a system with a 10Gbps copper NIC on board, but I don't use that system anymore so that module has been swapped for fiber for something else.

Less useful in a home scenario where everyone uses copper Ethernet (well, actually everyone just uses WiFi, but whatever). But you can see how it would be much more useful in an enterprise setting. You might have a rack with a few servers that are close enough for DAC, or you might be feeding a few local machines "classic" BASE-T. That switch might also connect to another main switch clear across the huge building and twisted pair might not cut it for that run as the spec calls for a max of 100m, so you have some relatively short range fiber. Or maybe it's the core switch for that building and it connects to another switch on the campus and needs an optic that can push out over ~1km of fiber. Or maybe it's gotta go a lot further than that so you switch to a module that can go out to 10km.

One of the switches having an SFP+ module, connected to a second switch that is connected using a Cat 6 cable and has no SFP+ module, will work?

Yes, you need an SFP+ module for each side, both of the same type (SR or LR, short or long range), normally the same connector on both ends (usually LC duplex), and then a compatible fiber patch cable. (multimode for SR, singlemode for LR.)

If you only have one SFP+ port on the switch, that means it can only realistically be a peripheral of another switch with an SFP+ port. Ideally, you want at least two ports on each switch, allowing you to either daisy-chain or have a 10G local client.

My setup here is an 8-port SFP+ only switch, and a secondary switch with two SFP+ ports, like four 2.5G ports, and I think eight gigabit ports. (I'd have to look at it to be sure, and it's in an awkward spot.) They're all managed and VLAN-capable, but I don't bother with that. Instead, I do segmentation with my firewall, actual physical separation instead of VLANs, and use little cheapass gigabit switches for the other networks. The systems I don't trust are fine on a gigabit.

I was hoping it would be possible to run a network switch with an SFP+ port to a switch that has no SFP+ port, mounted under a desk, using a Cat 6 Ethernet cable, and still be able to use the SFP+ port for its benefits.


How would you do network segmentation with a firewall?
 

steelghost

Ars Praefectus
5,437
Subscriptor++
One of the switches having an SFP+ module, connected to a second switch that is connected using a Cat 6 cable and has no SFP+ module, will work?
Yep, this is exactly what I (and others) have described in this thread.
On one switch I then have a Mikrotik S+RJ10 so my server gets a 10Gbit link to everything else
SFP+ is a standard for adapters; the S+RJ10 is a multi-gig module which can run at a variety of Ethernet speeds: 10 or 100Mbit, or 1, 2.5, 5, or 10Gbit. It's not cheap though; I paid about £55 for mine. You can also get (fairly inexpensively) SFP+ adapters that will adapt to 1Gbit.

But SFP+ can also adapt to fibre and all its many variations, or DAC (and probably some other stuff I don't know about!)
How would you do network segmentation with a firewall?
You need a firewall with multiple ports (and software that can support this) - then you connect your different ports to different switches, and the devices that need to be on different networks, to the different switches.

(As an aside, VLANs were developed to avoid the need to have completely separate physical networks for everything, and to allow greater flexibility and sophistication in how this could be done).
 

ERIFNOMI

Ars Tribunus Angusticlavius
15,399
Subscriptor++
One of the switches having an SFP+ module, connected to a second switch that is connected using a Cat 6 cable and has no SFP+ module, will work?



I was hoping it would be possible to run a network switch with an SFP+ port to a switch that has no SFP+ port, mounted under a desk, using a Cat 6 Ethernet cable, and still be able to use the SFP+ port for its benefits.


How would you do network segmentation with a firewall?
Absolutely it'll work. The modules convert to whatever medium.

A firewall, and a router, sits between each network. You make rules to allow only the traffic you want to allow from network to network. Want your "lan" network to be able to access your printer on your "no internet" network, but don't want your guests printing? You'll probably have explicit rules on the "guest" firewall to block traffic to any of your other subnets but to otherwise allow traffic so they can access the internet (otherwise what's the point). Then, make a rule on the "lan" firewall to allow traffic to the "no internet" subnet so your PC can reach the printer. You can make rules per subnet if you want to allow things in general (you probably want your "lan" or trusted subnet to be able to access most or all other subnets). You can also make rules per host, or even drill down to port and protocol. Your guest network shouldn't have access to your router/firewall via http/https/ssh/etc., but you might be running DNS or NTP or something that you do want guests to be able to access. So you can allow from guest to the firewall host on ports 53, 123, 853, etc. but otherwise block everything. Or maybe you're running a DNS server or something in your protected LAN subnet but you want hosts in another subnet to access it. You get the idea.

Usually you'll do this with VLANs because running multiple switches for each subnet and multiple NICs on the router or firewall for each subnet is a pain in the ass.
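The policy in the post above, written out as an OpenWrt firewall configuration. This is an added example, not code from the post or from the OpenWrt project. It assumes four networks already defined in /etc/config/network and named lan, guest, noinet (the "no internet" segment) and wan, plus a single printer at 192.168.30.10 on noinet; every one of those names and addresses is an assumption for illustration. It targets firewall4, the nftables-based firewall shipped in current OpenWrt releases.

```uci
# /etc/config/firewall (fragment). Added example with assumed network names:
# lan, guest, noinet, wan. Zone defaults are REJECT, so nothing crosses a
# boundary unless a forwarding or rule below says so.

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Guests: no router admin (http/https/ssh) and no traffic into other zones.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The "no internet" segment: no forwarding to wan is ever declared for it.
config zone
	option name 'noinet'
	list network 'noinet'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Zone-to-zone forwardings: trusted and guest hosts get Internet, nothing else.
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

# Guests still need the router's own DHCP server (input chain, udp/67).
config rule
	option name 'Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# ...and DNS, NTP and DNS-over-TLS on the router, but nothing else on it.
config rule
	option name 'Guest-DNS-NTP-DoT'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 123 853'
	option target 'ACCEPT'

# Trusted PCs may reach the one printer in noinet, on IPP and JetDirect only.
# A blanket "config forwarding" from lan to noinet would open the whole subnet instead.
config rule
	option name 'LAN-to-printer'
	option src 'lan'
	option dest 'noinet'
	option dest_ip '192.168.30.10'
	option proto 'tcp'
	option dest_port '631 9100'
	option target 'ACCEPT'
```

`/etc/init.d/firewall restart` applies it and `nft list ruleset` shows the nftables chains it generated. Check the result from a guest host, not just from the config: a DNS query to the router's address on the guest network should answer, while ssh or https to the router and any connection to the printer should be refused. The important habit is the one the post describes: every zone's forward and the router's input default to REJECT, and each line that follows is a deliberate exception.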
 
I was hoping it would be possible to run a network switch with an SFP+ port to a switch that has no SFP+ port, mounted under a desk, using a Cat 6 Ethernet cable, and will be able to use the SFP+ port for its benefits.

I'm confused by your wording. SFP+ itself is just an interface standard that lets you choose the connecting tech you want for each port. You can run fiber in some, copper Ethernet in others, and copper DAC connections in yet others (dedicated, very short-range switch-to-switch copper modules). If you want fiber for one port, you buy a fiber module for it. If you want copper in another, you buy a copper module.

Then the other end needs to provide that same tech. It doesn't matter if it's SFP+ or not. Once you've got the 10GE cable plugged in to the SFP+ port on one end, you need a 10GE connection on the other end, no matter how it's provided. Native to the switch, SFP+ adapter module, whatever. If you have 10 gig copper Ethernet on both ends, however it's provided, it should work.

That said, you probably wouldn't want to waste your SFP+ port to talk to a switch port that was slower than 10gigs. Normally, you connect SFP+ ports to other SFP+ ports through your chosen fabric, copper or fiber, because their speeds should match. If you go from an SFP+ port to a 2.5G port on the other end, then the whole link is at least 3/4 wasted. Worse, apparently lots of copper SFP+ modules work only at either 10G or at 1G, so if you connect an SFP+ copper port to a 2.5G port on the other end, very frequently it will only run at 1Gbit. You'd be better off going between two gigabit ports instead, so you didn't waste the SFP+ module.

My advice: don't do copper Ethernet with SFP+. It runs too hot and has too many problems. Stick with fiber. If you don't want to do fiber, then just leave the ports unused for now.

How would you do network segmentation with a firewall?

You need a firewall with multiple, separately addressable Ethernet ports, which means almost none of the cheap consumer AP/router/firewall units. I'm using a mini-PC with four physical network ports, running Linux, and I'm doing physical segmentation. Eth0 is trusted, eth1 is untrusted and wireless, eth2 is DMZ (and inactive right now, I'm not using it), eth3 is the external Internet connection.

This is roughly comparable to Layer 3 switching, albeit slower than the hardware-accelerated switches. The complexity in doing this is very high. You need to understand TCP/IP quite well, and understand how both routing and firewalling work. I do it this way because I already know how, and it's the official, proper way to do network segmentation with cheapish home-style gear. Layer 3 VLANs at first didn't exist, and then were insanely expensive when I was building early versions of this stuff, back twenty or twenty-five years ago, so a multi-segmented router/firewall was effectively the only way to do it.

I still think it's better, but it's at least ten times harder than the stuff you're already kinda struggling with. I probably shouldn't have mentioned it.
 

Struxxffs

Ars Praetorian
813
Subscriptor
SFP+ is a standard for adapters; the S+RJ10 is a multi-gig module which can run at a variety of Ethernet speeds: 10 or 100Mbit, or 1, 2.5, 5, or 10Gbit. It's not cheap, though; I paid about £55 for mine. You can also get (fairly inexpensively) SFP+ adapters that will adapt to 1Gbit.

But SFP+ can also adapt to fibre and all its many variations, or DAC (and probably some other stuff I don't know about!)

I misunderstood SFP+ adapters. Thank you.
Absolutely it'll work. The modules convert to whatever medium.

It seems like VLANs would be easier, then. These firewall rules are being placed in the router, instead of on individual devices on the network?
My advice: don't do copper Ethernet with SFP+. It runs too hot and has too many problems. Stick with fiber. If you don't want to do fiber, then just leave the ports unused for now.
Thank you for the warning.

You need a firewall with multiple, separately addressable Ethernet ports, which means almost none of the cheap consumer AP/router/firewall units. I'm using a mini-PC with four physical network ports, running Linux, and I'm doing physical segmentation.

I'm currently running a Flint 2 router which is running OpenWrt.

It has one 2.5G WAN port, one 2.5G WAN/LAN port, and four LAN ports.

I still think it's better, but it's least ten times harder than the stuff you're already kinda struggling with. I probably shouldn't have mentioned it.

Don't apologize, that just gives more to learn about!
 
It has one 2.5G WAN port, one 2.5G WAN/LAN port, and four LAN ports.
Typically, consumer APs really only have two ports, LAN and WAN. What they do is use an onboard switch fabric, just like in a bigger switch, to gang up all the LAN ports into one agglomerated one. They all function at once and talk back and forth freely, without CPU involvement, while the router has a virtual port into that switch that looks like a single Ethernet port.

Some APs can break their switch fabric up and address each port individually, but that's unusual. If they can, they either need a multi-interface capable firewall management system (which is super complex and I've never seen one on consumer gear), or else they need to let you log in with SSH, upload custom iptables (firewall) rules, and run them automatically at boot. Then you can either write the iptables rules yourself (very difficult, as iptables and the newer nftables are both very verbose and super picky), or use a program like firewalld or fwbuilder to manage them.

I use fwbuilder, which generates scripts that contain all the necessary iptables rules. But even with the relatively nice GUI, figuring that shit out is hard.
 

Struxxffs

Ars Praetorian
813
Subscriptor
I could not find any information on the manufacturer's website (GL.iNet) for the Flint 2 router that specifies whether it uses a switch fabric; according to Google's AI search it does use a "switch fabric". This router does run OpenWrt; to be accurate, it uses a proprietary version of OpenWrt.

Would you consider the Flint 2 to be a consumer router?

There is also no documentation on the website that provides any type of information on what firewall it uses.
 
Would you consider the Flint 2 to be a consumer router?
You probably don't want to go that way anyway. You're having enough trouble that just sticking with a single IP network range, and using Layer 2 segmenting to break a single switch into multiple pieces, with the firewall in all the segments, will do nearly all of what you want with only a tiny fraction of the complexity.

Or go back to the Guest WiFi idea. That's even easier, and should cover most of what you'd care about, screening away untrusted devices from your trusted machines. You probably don't care if untrusted machines attack each other.
 

Struxxffs

Ars Praetorian
813
Subscriptor
I agree. The Flint 2 router is the one that is currently in use; I was just curious what it falls under.

The reason using the Guest WiFi is not preferred is that most of the devices use an Ethernet connection.

I might have misread this: learning Layer 2 segmentation and how to define rules to allow or block traffic using the firewall is the suggested way.
 
I might have misread this: learning Layer 2 segmentation and how to define rules to allow or block traffic using the firewall is the suggested way.
If you're doing L2 VLANs, you're doing nothing with firewall rules. The easiest approach is this: set up a single internal network range, like normal with any consumer AP. Say it's 192.168.0.0/24, or from 192.168.0.1 to .255. Plug the LAN port from the firewall into port 1 of the network switch. Plug all your other devices into the switch (this needs to be JUST ONE SWITCH for super easy mode), and verify that they can all get to the Internet correctly.

Then you create your VLANs. You can use any numbers you want. VLAN 100 for trusted and 101 for untrusted could work. Then figure out the machines that are untrusted and plug them into a range of ports you like, say 8-12. Put Port 1 and 8-12 in VLAN 101. Then put all the other ports (presumably your trusted stuff), including port 1 into VLAN 100, your trusted network.

Voila, you're segmented. Your firewall, DNS, and DHCP server are all on the consumer AP on Port 1, so it can talk to all the other devices, because it's on both VLANs. All the devices on VLAN 101 can see each other but can't reach anything on 100, and vice versa. But because the firewall is in both VLANs, both VLANs still get normal DHCP/DNS/Internet access.

You can make it finer-grained if you want, right down to using a separate VLAN for each untrusted device. (102, 103, or whatever you like.) Just make sure the firewall on Port 1 is in all the VLANs as you add more.

This only works in simple mode if all your untrusted devices are on the first switch. You can add more switches connected to the trusted network by just plugging one into a cable connected to a VLAN 100 port. But if you want untrusted devices on more than one switch, you normally have to get into port tagging, which adds extra info to Ethernet frames describing the VLAN they're on. This lets frames transit between switches and stay in the correct VLANs. But then in turn, this means you end up having to do a ton of thinking about every single port and how it handles tagging. You want to avoid that if you can.

Seriously, this is the simplest way to do it. But remember that it's all or nothing. Devices can only talk to other devices in the same VLAN. There's no way to give partial access. But it is so very, very much easier than any other approach that this is probably fine. If you're really desperate, you can put devices other than your firewall into more than one VLAN, but that gives full access. Again: all or nothing.

Oh, and then if your router is also your access point, connect untrusted devices to the guest wifi, like before. If you use an external AP, you'd connect it to a secure VLAN port. And then don't plug wired devices into that unit, stick with wireless only.
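The single-switch layout from the post above, as it would be declared on an OpenWrt 21.02-or-later router that uses DSA, like the Flint 2 in this thread, so that the VLANs live on the router's own switch ports instead of on a separate managed switch. This is an added example, not code from the post or from the OpenWrt project. lan1 through lan5 are assumed port names (confirm them with `ls /sys/class/net` on the device), and the VLAN numbers and addresses follow the post's 100/101 scheme. It goes one step past the post: the uplink toward any further switch is a tagged port rather than an untagged one, which is how a single port can carry more than one VLAN, and the router gets an address in each VLAN so it can serve DHCP and DNS to both and a firewall zone can be attached to each.

```uci
# /etc/config/network (fragment). Added example; lan1..lan5 are ASSUMED port
# names, check them on your own unit before applying.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# VLAN 100 = trusted. lan1/lan2 are untagged (u) with 100 as their port VLAN id (*).
# lan5 is tagged (t): a trunk to a downstream managed switch carrying both VLANs.
config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan5:t'

# VLAN 101 = untrusted. Hosts on lan3/lan4 see each other but nothing in VLAN 100.
config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:t'

# The router terminates each VLAN on its own L3 interface (br-lan.<vid> is created
# automatically once bridge-vlan sections exist). Firewall zones reference these names.
config interface 'lan'
	option device 'br-lan.100'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.101'
	option proto 'static'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp (fragment): a lease pool for the untrusted VLAN; 'lan' already
# has one in the default configuration.
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
```

Apply it with `/etc/init.d/network restart` from a host on a trusted port (lan1 or lan2 here), because a mistake in a bridge-vlan section can drop your own session. `bridge vlan show` (from the ip-bridge package) then lists every port's VLAN membership with its PVID and Egress Untagged flags, which is the check that the table above actually landed. A downstream managed switch on lan5 needs the mirror image: its uplink port tagged in 100 and 101, and each access port untagged in exactly one of them.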
 

Struxxffs

Ars Praetorian
813
Subscriptor
100,000,000% yes.

Thank you. Since the router was designed to run OpenWrt, which to my knowledge is not a consumer embedded operating system and is more for hobbyists, I was not sure which category it goes under.

Thank you.

I would like to be able to use each port as an individual VLAN for each device and occasionally allow file transfer between two devices on the network, but that is not possible when using a Layer 2 VLAN.

It sounds like firewall rules would not be able to achieve this?

Obviously, first I need to learn how to implement VLANs with OpenWrt.

Oh, and then if your router is also your access point, connect untrusted devices to the guest wifi, like before. If you use an external AP, you'd connect it to a secure VLAN port. And then don't plug wired devices into that unit, stick with wireless only.

The router is also the wireless access point: the Flint 2, which runs the OpenWrt OS.