For a long time I had been planning to capitalise on the free cable broadband, albeit a slow one that barely qualifies as broadband speed these days, to provide a failover uplink for my home network. My primary network access now comes through fibre broadband. Recently, thanks to a sponsorship, I’ve got a second fibre broadband access. Pulling all of these together officially qualifies my home network as “complex”.
The first thing that I’ll need is a broadband router that connects to multiple WANs (i.e. network uplinks). This is not something the typical broadband router can do, since they usually have four LAN ports but just one LAN port. I was going to say these multi-WAN boxes don’t exist in the consumer product category, or are just not available in Singapore, but I did a quick web research and proved myself wrong. The Linksys RV042 router is available in Singapore for just under S$200. There could be other products as well.
The Linksys RV042′s two WAN ports are insufficient for my three WAN links. Of course, I could consider giving up one of my WAN links. But I also had other concerns with the Linksys RV042. I have been considering going with a pfSense firewall for some time too, and decided this was the time to go ahead with it.
I won’t be building a physical pfSense box. Instead, I’ll turn to virtualisation on my Ubuntu system. Setting up a virtualised pfSense in Ubuntu will be the topic of a post I’ll write up another day. For now, let’s just look at the physical aspects of the setup.
The PC that will run the virtualised pfSense will need a minimum of 4 network ports: 3x for the WAN links and 1x for the LAN link. The LAN link is still needed outside of the PC because of another desktop PC at home, wireless access points, and other stuffs. Most consumer PCs typically come with just one network port. I needed a way to get multiple LAN connections out. There are two ways to do it:
- Go with a VLAN-capable switch, connect it to the PC with a 802.1q trunk, and then “split” out the different networks from the switch. VLAN-capable switches will have to be managed switches, and managed switches are not cheap at all.
- A somewhat cheaper solution would be to go with a quad-port network card. They are not easy to come by locally.
I decided to pick up a quad-port Intel PRO/1000 Gigabit Ethernet network card from Ebay. It’s a second-hand item, but it was in perfect condition and very cheap. I am surprised that it was even used at all. There are other multi-port network cards from brands like Realtek, but for server applications, it’s probably best to stick with Intel.
There’s something about the fibre optic cable that may be interesting to know if you are thinking about relocating your ONT box. The fibre optic cable is single-mode cable with “SC” connector. As I work in the networking line, I’m familiar with fibre optic cables in general, although I haven’t specifically worked with metro optical networking technologies like the GPON used on Singapore’s NGNBN infrastructure. I’ve tested and confirmed the usual fibre optic cables you’d use for Gigabit Ethernet or 10GE fibre connections will work here too. These cables are usually duplex types (i.e. comes in a pair), and you just need to use one side of it.
So, if you want to relocate your ONT further away than your existing cable will allow, you need to get single-mode fibre optic cable with SC connecters on both ends. I don’t know where to get them locally, but they’re easy to find online.
I don’t have a logical network diagram to show at this point, but here’s a description of the network topology:
- OpenNet fibre from FTP feeds to ONT, from which 2x RJ45 cables connect to the PC. Cable broadband connects to a Linksys WRT54G wireless broadband router, and then one of its LAN ports connects via HomePlug AV powerline adapters with RJ45 cable to the same PC. This is the WAN side of the setup. (The Linksys WRT54G also serves as a backup wireless access point for wireless clients in case the PC or pfSense firewall should become unavailable.)
- PC will run a virtualised pfSense firewall. Host OS on the PC connects to the LAN behind the firewall through internal virtual bridge.
- RJ45 cable from PC connects to a wireless bridge (Linksys E3200). This is the LAN side of the setup. Other things will connect here.
Another bit of useful information is about how StarHub provisions its fibre broadband service. The ethernet frames from StarHub carry 802.1q tags. The “Internet” service is tagged with VID 1071, and a 802.1p priority of 1. For the layman, this makes things complicated enough that you’d have to stick with the lousy StarHub D-Link router.
There you have it, the non-standard configuration of my home network. Stick around this blog to find out about my pfSense setup.