Hi guys, long-time lurker and first-time poster. I will note that I'm somewhat familiar with the concepts I'm about to ask about but in no way an expert, which is why I'm asking for advice. Please correct me where needed. I apologize for the length of the post.
I have been asked to overhaul the network for my church of about 200 people. I have a very limited budget to work within ($1000) and I am replacing existing (aging) hardware. I am at least fortunate that most of the wiring was recently redone with quality CAT5e during a recent renovation.
Existing Network: (note that all wireless routers mentioned are operating in AP mode, no DHCP, no routing)
- WAN/DSL modem --> cheap wireless router someone donated --> 10/100 Netgear unmanaged 24-port switch.
- The 10/100 Netgear unmanaged 24-port switch is located in the church office and has runs to several rooms within the church side, including several cheap wireless routers (we're talking WRT54Gs still in service). There's also about a 100 ft run to a detached building next to the church where another cheap wireless router is set up.
- From this switch in the church office is a run to the school office, which has a 10/100 Netgear unmanaged 16-port switch with runs to two more cheap wireless routers and about 2 runs per school room.
Issues: If you couldn't guess already, throughput on the network is awful. I did not design the network, and the person before me did a good job of managing it, but many people in the church "lent a hand" in helping and, as a result, the wireless situation is horrible, as every SSID on the network is different. Most of the church has the password to access the network, which drags our Windstream 6 Mbps DSL connection down to a crawl, and users get kicked off because those residential WAPs were not designed for 100 people connecting to them on a Sunday morning. Also, the church wants to add WAPs across the network and we can't afford two PoE switches, so we would have to buy PoE injectors/adapters to connect WAPs to the network. Last, but not least, my budget is $1000.00, and that includes buying extra cable (non-CCA) to install the new WAPs.
- Unified network system so that pastors/staff as well as guests can roam around the building on the same network.
- Separate the WiFi network for guest (internet only) & staff (complete network) access
- Upgrade the current network to gigabit
- Remove old hardware bogging down network
- Add features such as a better firewall, internet filter, NAT and VPN, and move DHCP to a separate process that doesn't require access to the main church server that's currently handling DHCP.
- Upgrade internet access to 50/5 TWC Business Class & change phone provider to TWC (phone system I've taken care of already)
- $200 EdgeSwitch Lite 24-Port L2/L3 Managed Switch from Ubiquiti for church office
- ~$150 ZyXEL 16-Port L2 Managed Switch for school office
- $400 5-pack of UniFi AC-Lite APs (originally I had quoted 3 x AP-LR Wireless N units, but I see that Ubiquiti just came out with these new Wireless AC APs)
- $75-$100 5 x 0.5A 12W Gigabit PoE injectors (see note above -- since 1 AC-Lite would be added to a detached building, 2 AC-Lites would be installed in one end of the building and 2 AC-Lites would be installed in the other end of the building plugged into the 16-port switch, and we cannot afford 2-3 PoE switches, we would have to use the adapters from Ubiquiti. Not ideal, but affordable at this point)
- Current ESXi VM runs Windows Server 2012. Will be adding pfSense as router, VPN, VLAN setup, DHCP and firewall on a virtual switch that connects to Untangle (free) for internet filtering and then out to the gigabit switch.
My current plan is to install the TWC modem and run it into eth0 on the ESXi server, to a virtualized instance of pfSense operating as a router, firewall, VPN server, DHCP server and VLAN controller with a private VLAN tagged 10 and a public VLAN tagged 20. A virtual switch would then run to Untangle (free) to operate as the internet filter. From there it would run out of eth1 to the EdgeSwitch Lite. Many ports would be untagged 10 so the wired network to the offices could work as it currently does. 3 of the ports on the switch would be tagged 10 and 20 for VLAN trunking to the UniFi APs. One of the ports would be tagged 10 and 20 for the run to the school office.
Here is where I have an issue that I can't seem to find an answer for: does the school office need an L3-capable switch, or can I use a cheaper L2 managed switch? The school office needs to be able to accept the trunked run from the EdgeSwitch Lite (tags 10 and 20) and send the trunked lines back out to two more UniFi APs. The rest of the wired network would be untagged 10, as they need access to the private network at the school.
- Can I get away with an L2 switch in the school office connected to the L3 switch in the church office and still have the trunked VLANs? I would have the eventual goal of splitting the school and church networks into their own VLANs but allowing access between the VLANs to specific IPs like network printers, etc.
- Will the UniFi AC-Lites be enough to handle 100 clients across 5 WAPs in a 600 ft long building?
- What am I missing in my network plan?
- Should pfSense be controlling the VLAN tagging?
Thanks for your help. I really appreciate it.
Edited by t3hn4t3, 22 December 2015 - 12:40 AM.
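As an added example (not part of the original post, and not Ubiquiti or pfSense code), here is a small Python model of the two-switch VLAN plan the post describes. It shows what a VLAN-aware layer-2 switch actually does with 802.1Q tags: a frame tagged 20 from a guest on the school AP crosses the school switch, the trunk run and the church switch still tagged 20, reaches only VLAN 20 member ports, and is never seen by an untagged-10 office port. An L3 switch is only needed when the switch itself routes between VLANs; in this plan that job, and the guest/staff policy, sits on pfSense, so the school office only needs L2 with 802.1Q trunking. Port numbers, MAC addresses, the 192.168.20.1 guest gateway address and the firewall rules are assumptions chosen for the illustration.

```python
"""Minimal 802.1Q model of the plan: managed switch in the church office, plain L2 managed
switch in the school office, UniFi APs on trunk ports, pfSense routing between VLANs.
Added example, not code from the original post, Ubiquiti or pfSense; port numbers, MAC
addresses, the guest gateway address and the firewall policy are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

STAFF_VLAN, GUEST_VLAN = 10, 20
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    dst: str
    src: str
    vlan: Optional[int]      # 802.1Q VLAN ID on the wire, None when untagged
    payload: str = ""

@dataclass
class Port:
    pvid: Optional[int] = None                 # VLAN for untagged frames (access port)
    tagged: set = field(default_factory=set)   # VLANs carried with a tag (trunk port)

class L2Switch:
    """VLAN-aware layer-2 switch: learns MACs per VLAN and never forwards across VLANs."""

    def __init__(self, name, ports):
        self.name, self.ports = name, ports
        self.fdb, self.links, self.delivered = {}, {}, []   # learned MACs, uplinks, host deliveries

    def connect(self, port, peer, peer_port):
        self.links[port] = (peer, peer_port)
        peer.links[peer_port] = (self, port)

    def receive(self, port_no, frame):
        cfg = self.ports[port_no]
        if frame.vlan is not None:             # tagged ingress: the port must carry that VLAN
            if frame.vlan not in cfg.tagged:
                return
            vlan = frame.vlan
        elif cfg.pvid is not None:             # untagged ingress: classified by the port's PVID
            vlan = cfg.pvid
        else:
            return
        self.fdb[(vlan, frame.src)] = port_no
        known = self.fdb.get((vlan, frame.dst))
        if known is not None:
            targets = [known] if known != port_no else []
        else:                                  # unknown unicast / broadcast: flood this VLAN only
            targets = [p for p, c in self.ports.items()
                       if p != port_no and (vlan == c.pvid or vlan in c.tagged)]
        for out in targets:
            # Egress keeps the tag on trunk ports and strips it on access ports.
            egress = Frame(frame.dst, frame.src,
                           vlan if vlan in self.ports[out].tagged else None, frame.payload)
            if out in self.links:
                peer, peer_port = self.links[out]
                peer.receive(peer_port, egress)
            else:
                self.delivered.append((out, egress))

def build_network():
    def trunk(): return Port(tagged={STAFF_VLAN, GUEST_VLAN})   # tagged 10 and 20
    church = L2Switch("EdgeSwitch-church", {
        1: trunk(),                # eth1 from pfSense/Untangle
        2: Port(pvid=STAFF_VLAN),  # church office PC, untagged 10
        3: trunk(),                # UniFi AP
        24: trunk()})              # run to the school office
    school = L2Switch("ZyXEL-school", {
        1: trunk(),                # trunk from the church office
        2: Port(pvid=STAFF_VLAN),  # classroom PC, untagged 10
        3: trunk()})               # UniFi AP
    church.connect(24, school, 1)
    return church, school

def guest_broadcast_path():
    """Guest on the school AP broadcasts on VLAN 20: it must land only on VLAN 20 ports."""
    church, school = build_network()
    school.receive(3, Frame(BROADCAST, "aa:bb:cc:00:00:01", GUEST_VLAN, "DHCP DISCOVER"))
    return sorted((sw.name, p, f.vlan) for sw in (church, school) for p, f in sw.delivered)

def staff_unicast_path():
    """Classroom PC (untagged) sends to the pfSense MAC; the reply follows the learned path back."""
    church, school = build_network()
    school.receive(2, Frame("00:11:22:33:44:55", "aa:bb:cc:00:00:02", None, "to gateway"))
    church.receive(1, Frame("aa:bb:cc:00:00:02", "00:11:22:33:44:55", STAFF_VLAN, "reply"))
    return [(sw.name, p, f.vlan, f.payload) for sw in (church, school) for p, f in sw.delivered]

PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUEST_GATEWAY = ip_address("192.168.20.1")    # assumed pfSense address on the VLAN 20 interface

def pfsense_allows(vlan, dst_ip, dst_port):
    """Assumed first-match policy for the two VLAN interfaces: guests get DNS/DHCP from their
    gateway plus any public address, nothing else in RFC 1918 space; staff get everything."""
    dst = ip_address(dst_ip)
    if vlan == GUEST_VLAN:
        if dst == GUEST_GATEWAY:
            return dst_port in (53, 67)
        return not any(dst in net for net in PRIVATE)
    return vlan == STAFF_VLAN
```

Running `guest_broadcast_path()` shows the guest broadcast arriving, still tagged 20, only at the church switch's pfSense uplink and its AP port; `staff_unicast_path()` shows the untagged classroom frame being tagged 10 on the trunk and the reply coming back untagged on the classroom port alone once the MAC has been learned. Neither switch ever moves a frame between VLAN 10 and VLAN 20; the "guest gets internet only" rule lives in `pfsense_allows`, which is what the VLAN 20 interface rules on pfSense would enforce. One practical caveat: the model marks the AP ports as tagged 10 and 20 exactly as the post describes, but a UniFi AP also expects an untagged (native) VLAN on its own port for its management traffic unless it is configured otherwise, so the AP ports will normally carry one untagged VLAN plus the tagged SSID VLANs.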