TP-Link Omada and pfSense Setup for 2023 (Updated for July 2024)

Anebula is reader-supported. When you buy through links on our site, we may earn an affiliate commission.

It’s been two years and firve months since I upgraded to TP-LInk Omada and pfSense. During that time, I expanded the network with an additional switch and added many more clients. Outside of regular maintenance, I have not made major changes since the original setup. Also, there has not been a single outage, bug, or anything unexpected with the system during this time, which is not something I could have said about the old R7000 router. The pfSense firewall, Omada switches, and Omada access points run on a UPS and are online 24/7 for months at a time. I try to go in every two months to power cycle all the components and run updates, but I’m sure even if I didn’t do that, the network would stay online.

Timeline

January 2022 – Purchased and set up the TP-Link Omada and pfSense system. Also, set up some VLANS and basic firewall rules.

July 2022 – Purchase an additional Omada switch (TL-SG2008P) and also purchased a 4MP camera (EmpireTech Dahua IPC-T5442T-ZE)

September 2022 – Added an outdoor 4K camera (REOLINK RLC-811A).

October 2022—Set up network-wide ad blocking with pfBlockerNG. This package is available within pfSense and can be enabled with a few clicks.

November 2022 – Added a 4MP indoor camera (EmpireTech Dahua IPC-K42A).

August 2023 – I’m thinking of upgrading to a TP-Link Omada 24-port PoE with SFP+ switch (TL-SG3428XMP)

July 2024 – No hardware updates, only regular software updates since last year

How do pfSense and TP-Link Omada work together?

I had this question myself, and the short answer is “harmoniously” because both pfSense and Omada follow the same standards. Think of it as how USB has become a standard, so you could take one of the million USB devices out there and connect it to a PC, and the PC knows how to communicate with it—this is exactly what pfSense and Omada are doing. Omada and pfSense are just following the same standards at the protocol level.

What you do is you set up pfSense then you set up TP-link Omada separately, then you connect them and they talk to each other!

pfSense’s role

• Communicate with the modem via WAN or “upstream port”
• Block unwanted WAN traffic from entering your LAN or “private network”
• Assign IP addresses to clients in your network – this is known as the “DHCP Server” in pfSense
• Let you manage your interfaces with firewall rules. i.e., LAN can talk to camera VLAN, but camera VLAN cannot initiate communication

TP-Link Omada’s role

Think of Omada switches, wireless access points, and the controller as extensions of pfSense. For example, if you need WiFi, get wireless access points. Or if you need more ports, get a switch.

• The switches give you more ports so that you can physically connect via CAT6 and even power PoE cameras
• The switches also let you tag traffic with VLANs. For example, anything that gets plugged into port 1 will be tagged as VLAN 50.
• The wireless access points provide WiFi. This means that you can easily upgrade to WiFi 6 just by swapping APs
• The controller gives you a single interface so that you can make your changes once and have them propagate to all devices. For example, with the controller, you can change your WiFi guest network password once, and it will propagate to all your access points (AP), while without a controller, you would have to go into each AP and update the WiFi password there.
• The controller also helps with AP roaming so that as you walk through your house or office, your device can switch to the closest AP.

What happens between pfSense and Omada is all standardized. This means that you could even swap pfSense for OPNsense or swap Omada with Unify/Ruckus, and everything would still work fine. This separation means that they can both do their jobs and not worry about how the other component is making things happen. For example, pfSense doesn’t care or even needs to know if a client is wired in or on WiFi because the Omada access point takes care of the WiFi and authentication and then passes only the info that is required to pfSense (MAC address, hostname, etc).

On the flip side, the Omada access points and switches just pass traffic through to pfSense and let pfSense decide what is valid or invalid. Based on its rules, pfSense decides whether traffic is allowed to travel between VLANS or to the Internet.

Why pfSense over a TP-Link Omada router?

For me, it came down to the following areas:

• VPN Support: I really wanted to use WireGuard over OpenVPN because the speed is greatly improved. Speed is particularly important for streaming all my camera feeds to multiple devices outside the network.
• Ad Blocking: I wanted a firewall/router with built-in ad-blocking capabilities. In the past, I have used Pi-hole in a VM, but I really wanted to consolidate this feature into the firewall for easier maintenance.
• Hardware Performance: I wanted a firewall with enough CPU/RAM power for ad-blocking and packed inspection (I didn’t end up using this), and the pfSense firewall appealed more here since you can use any processor and RAM combination that suits your needs.
• NTP Server: pfSense makes it easy to be the “central clock” for your entire network. Having all devices on the same NTP server means easier log tracing.

Experience Level Required

Before this setup, I used a Netgear R7000 Nighthawk router and had never set up anything with independent components like you have with an Omada + pfSense network. Most of my knowledge of setting up Omada and pfSense came from YouTube videos like this. While it’s not as easy as setting up a consumer-grade router, much of the setup is pretty intuitive. Also, there are friendly communities such as the r/pfsense or r/homelab on Reddit where you can post your questions.

As a side note, I do not work in IT. I’m simply a curious individual who likes to explore rabbit holes and try out cool tech.

Blueiris + Omada + pfSense

The Omada and pfSense network supports 9 cameras, some of which record 24/7. The camera bandwidth load is 3.8 MB/s at any given time but can spike up to about 5.0 MB/s. All cameras are wired in via CAT6 to Omada switches on PoE ports.

The cameras run on VLAN 50, which means that their traffic is completely isolated. They can’t go out to the internet or “phone home” because they don’t get internet access in their VLAN—I block all traffic via pfSense firewall rules. The only things that the cameras can communicate with are pfSense for DHCP assignment and the pfSense NTP server so that their time is in sync with my network.

Separately, the Unraid Windows 11 VM has two network interfaces: one interface is tagged with VLAN 50 for camera access, and the other interface is tagged with VLAN 40 for Blue Iris admin access and for accessing the UI3 web interface.

pfSense Interfaces

Interfaces are how pfSense defines network traffic segments. These can be physical interfaces or virtual interfaces. Here is how I have mine set up:

Interface	Type	Description
WAN	Physical (mapped directly to a port)	pfSense creates this by default. This is the upstream port and is where you connect your modem.
LAN	Physical (mapped directly to a port)	This is a custom virtual LAN, or “VLAN,” where I put my trusted devices, such as my laptop and desktop.
VL20TRUSTED	Virtual, connected to LAN interface	This is a custom virtual LAN, or “VLAN,” where I put my untrusted devices, such as IoT devices.
VL30IOT	Virtual, connected to LAN interface	This is a custom virtual LAN or “VLAN” and is where I put my untrusted devices like IoT devices.
VL40SERVER	Virtual, connected to LAN interface	This is a custom virtual LAN or “VLAN” and is where I put my servers.
VL50CAMERA	Virtual, connected to LAN interface	This is a custom virtual LAN or “VLAN” and is where I put my IP cameras and Blue Iris Windows 11 machine.
WIREGUARD_VPN	Virtual, connected to LAN interface	This is created and managed by the WireGuard built-in VPN in pfSense. Here’s a video on how to set up WireGuard.

Please note that while the pfSense firewall has 4 ports, I’m only using 2, which are WAN and LAN—this is a typical setup. You could use one of the other ports as a backup WAN, say, for example, if you had two internet connections and wanted to set one up as a backup. You can also use a port to create a separate subnet if you want even more separation.

pfSense and Omada Hardware Recommendation

If you want to set up a pfSense and Omada network, here is what I would recommend.

pfSense Firewall Options

Product	Budget	Highlights
Protectli Vault FW4C	High	2.4G, Intel J3710, 8GB RAM, reputable brand, no OS preinstalled (install video)
HUNSN RS34g	Medium	2.4G, Intel J4125, 8GB RAM, Comes with OPNsense preinstalled so you’ll need to install pfSense OS (install video)
Anyrevo J4125	Low	2.4G, Intel J4125, 8GB RAM, comes direct from China, I have this one at it took about 9 business days to receive, Comes with pfSense preinstalled.

Omada PoE Switches

I recommend planning how many ports you need and then doubling or tripling your figure because clients multiply like rabbits.

Product	Budget	Highlights
TL-SG3428XMP	High	24-Port PoE+, 4-Port SFP+
TL-SG3428MP V2	Medium	24-Port PoE+, 4-Port SFP
TL-SG2210MP V3	Low	8-Port PoE+, 2-Port SFP

Omada Wireless Access Points

Product	Budget	Highlights
EAP660 HD	High	WiFi 6 AX5400 2.5G
EAP650 Ultra-Slim	Medium	WiFi 6 AX3000 1G
EAP613 Ultra Slim	Low	WiFi 6 AX1800 1G

Omada Controller

The difference between the two controller options is the devices that they can support. A device is considered something like a switch or access point.

Product	Devices Supported
OC200	Up to 100
OC300	Up to 500

CAT6 Cables

For data only, you can pretty much take any quality CAT6 and be fine. However, for PoE, look for “pure bare copper” when you buy CAT6, as this will handle PoE and, of course, non-PoE. My go-to choice is the Monoprice Flexboot Cat6 Ethernet Patch Cable. Please note: there is no official “PoE cable” or standard. The factor in determining PoE support is the wire inside; hence, look for “pure bare copper.”

Thank you for making it to the end! Any questions?