Managed Switch – How to Limit Internal LAN and Internet Traffic

Tags: bandwidth, pfsense-2, switch

I have a small business network (192.168.10.x/24) with a pfSense firewall (about 20 hosts: a mix of Windows, Macs and Linux machines and printers…). The ISP modem from the WWW connects to the firewall, which connects to a 16-port switch, and all the workstations/servers/printers connect to other switches downstream. All the switches (except for the hidden one, because I'm not sure) are Netgear ProSafe (5-, 8- and 16-port) gigabit switches (unmanaged).

What I'm trying to accomplish are two things:

First, if someone is streaming video or up/down-loading a large file through the Internet, this bogs down the entire network, so I'd like to set it up so this doesn't affect others on the network.

Second, if someone transfers a large file to/from a file server on the LAN (not through the Internet), this also bogs down the network, so I'd also like to set it up so this doesn't affect others on the network.

A common use case is like this: I have one user uploading files to a file share service on the web (via HTTP/HTTPS) and another user accessing an Apache web server on the subnet (on 192.168.10.x) and the user on the subnet accessing the web server sees really slow responses for the web app (to the extent that sometimes it times out). When the file is done, accessing the web server is normal again.

One additional side-question that has been bothering me… If I have a layer-2 unmanaged switch and it stands in the way of two workstations or servers that communicate with one another, am I correct in my understanding that the switch will log the MAC addresses and route traffic without contacting the firewall?

I should note as well that the speeds I usually see with a speed test are:

60 Mbps down (+/- 5 Mbps)
12 Mbps up (+/- 3 Mbps)

Here is a diagram of the network in question:

[Network diagram image not available]

In this case, the hidden switch doesn't come into play. I'm running tests now and the loop is from a host on the left side of the diagram to the right side.

Thanks for the feedback on this question. I was hoping to get some more concrete feedback, but I suppose since this is a tricky question, more troubleshooting is in need.

Regarding gear… I've been considering a managed switch. I see that Cisco has some 10-port gigabit managed switches for under $200, which seems reasonable to me.

My question is: would it help to replace the 16-port unmanaged switch with a 10-port managed switch? I know that this would allow for better troubleshooting in the future, but would it also help me with the bottleneck issues?

Best Answer

Not altogether happy with how this post turned out, but I've learned things that I didn't know before, so that's good.

For example, normally if two nodes (A and B) are connected to a switch which is on the downstream side of another device like your firewall, the switch will route packets from A -> B and vice versa without contacting anything upstream (from @Tedwin).

I decided to post my own answer with the good parts from the comments with @Panther Modern.

  • Use higher quality hardware. Since I'm using Netgear ProSafe unmanaged switches, I'm considering upgrading to something like Cisco. @Mike Pennington suggested the SG300 series, which I have researched before and found on Amazon for less than $200. @Panther Modern suggests Arista, Cisco, Juniper and Brocade switches.

  • Troubleshoot each piece independently and isolate the problem. I've done some of this, to the extent that I have isolated the general path, but in an environment where 100% uptime makes people happy and allows them to get work done, this can be tricky. But point taken...

  • Consider topology and where you have access to and how many users you have. These factors can influence your choices for gear and how you go about answering your questions.

  • Find good networking tools and use those to help troubleshoot your issue. pfSense helped a lot concerning traffic that passed through the firewall. I also learned about Robocopy for limiting traffic on the client. This tool works pretty well.
