Saturday, September 1, 2018

Please, sanity-check this branch network

Hello all,

I've been tasked to redesign a cost-aware small branch network (they call it a branch, but it's more of a SOHO) while adding a firewall and some dedicated wired connections. The goal is improved security, visibility and speed.

I would like to run the setup I have in mind past you experts, to double-check that everything makes sense and that there are no bottlenecks or completely useless and convoluted contraptions.

Below is a diagram, the first block being the firewall (thinking of getting a pfSense box, specifically the SG-3100) and the second block a managed switch.

A few points I've been pondering over:

  • The big heavy loads will happen on the switch on VLAN_Y (multiple PCs talking to the NAS).
  • I want to centrally manage the L2 firewalling and to strictly control what VLAN_X, _Y and _Z do in relation to each other and towards the WAN.
  • I want to protect and gather visibility on the WAN, so I was thinking of running Suricata and/or pfBlockerNG on the WAN port (so IDS/IPS). I don't think (questionable) I need to run any of those on the other interfaces?
  • The reason for the LAG between switch and router is to allow VLAN_X to fully talk to VLAN_Y without pestering VLAN_Y trying to talk to the WAN.
  • Bottlenecks... If I should fully utilize the 1Gbps from the WIFI and go to VLAN_Y (like accessing the NAS), and VLAN_Y should send at full speed to the WAN (it has nowhere else to go), it would still be 1Gbps + 100Mbps, so there should be no issues?
  • For clarity, I'm assuming that the firewall will be the gateway for VLAN_X, _Y and _Z; no static routing will happen in the switch. And I assume that when I need to go from VLAN_X to VLAN_Y, I'm actually sending traffic to the SOC? This bit I'm not sure about. Still, if that happens I have 2.5Gbps to the SOC, and those could be 1Gbps VLAN_X in + 1Gbps VLAN_X out + 100Mbps VLAN_Y to WAN = 2.1Gbps.
  • The firewall is not super-beefed; however, I'm starting to think it's more than enough for the setup (and I would hate spending twice as much and not utilizing the investment). Although I'd run Gb speeds to it for L2 routing, the heavy stuff should run only for the WAN (?), which is low speed (100Mbps is even an exaggeration; they currently have a 10/1 connection, but I'm considering room for improvement).

So what do you think? Any conceptual mistake here? Is there anything you would do differently?

On a different note do you think the SG-3100 is enough for this task and leaves some room for adding complexity for the future?

Firewall (SG-3100):

 ______________________
|         SOC          |
|        #####---------|- 1Gbe PORT <-> WAN, cumulative up/down 100Mbps
|        #####---------|- 1Gbe PORT <-> OPT for non-traffic-generating stuff, isolated
|        #####         |
|        #####- 2.5Gbe PORTSW -#
|                             #- 1Gbe PORTSW <-> 1Gbe PORT WIFI AP (2.4-5GHz) VLAN_X
|                             #- 1Gbe PORTSW <-¬
|                             #                --> 2Gbe LAG to Managed Switch VLAN_Y,VLAN_Z
|                             #- 1Gbe PORTSW <-'
|______________________|

Managed switch:

 __
|  |- 1Gbe to Router (LAG) VLAN_Y,VLAN_Z
|  |- 1Gbe to Router (LAG) VLAN_Y,VLAN_Z
|  |
|  |- 1Gbe to NAS VLAN_Y
|  |- 1Gbe to NAS VLAN_Y
|  |
|  |- 1Gbe to PC1 VLAN_Y
|  |- 1Gbe ...... VLAN_Y
|  |- 1Gbe to PCn VLAN_Y
|  |
|  |- 10Mb to non-traffic-generating-stuff VLAN_Z
|__|

Thanks a lot for your invaluable feedback!
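The bottleneck reasoning in the post can be made mechanical: list the links of the diagram with their per-direction capacity, describe each traffic flow as the path it takes through the nodes, and sum the offered load per link and direction. The script below is an added example, not part of the original post or of any pfSense/Netgate material. Node names (soc, sw, ap, msw, nas, pc1, pc2, isp) and the bandwidth figures are constructed from the diagram; it assumes, as the post does, that inter-VLAN traffic is routed by the firewall and therefore hairpins over the 2.5Gbe SoC link, and it additionally assumes the two NAS ports are bonded. It models each link as full duplex (each direction has its own capacity) and gives a LAG a per-flow limit equal to one member, since a single flow is hashed onto one member.

```python
from collections import defaultdict

# Topology of the design in the post. Node names are constructed: soc = firewall SoC,
# sw = the SG-3100's internal switch, ap = WiFi AP (VLAN_X), msw = managed switch,
# nas/pc1/pc2 = VLAN_Y devices, isp = the WAN side. cap is Mbit/s per direction
# (Ethernet is full duplex, so each direction is accounted separately). per_flow is
# the most one flow can use: a LAG hashes a single flow onto one member, so a 2x1GbE
# LAG offers 2000 aggregate but only 1000 to any one flow.
LINKS = {
    "wan":     {"ends": ("soc", "isp"), "cap": 100,  "per_flow": 100},
    "soc-sw":  {"ends": ("soc", "sw"),  "cap": 2500, "per_flow": 2500},
    "sw-ap":   {"ends": ("sw", "ap"),   "cap": 1000, "per_flow": 1000},
    "lag":     {"ends": ("sw", "msw"),  "cap": 2000, "per_flow": 1000},
    # Assumption: the two NAS ports in the diagram are bonded into a 2x1GbE LAG.
    "msw-nas": {"ends": ("msw", "nas"), "cap": 2000, "per_flow": 1000},
    "msw-pc1": {"ends": ("msw", "pc1"), "cap": 1000, "per_flow": 1000},
    "msw-pc2": {"ends": ("msw", "pc2"), "cap": 1000, "per_flow": 1000},
}


def find_link(a, b):
    """Name of the link joining nodes a and b (either order)."""
    for name, link in LINKS.items():
        if set(link["ends"]) == {a, b}:
            return name
    raise ValueError(f"no link between {a} and {b}")


def directional_loads(flows):
    """Offered load per (link, from_node, to_node), summed over all flows.

    flows: list of (name, mbps, [node, node, ...]) giving the full path a packet takes.
    """
    loads = defaultdict(float)
    for _name, mbps, path in flows:
        for a, b in zip(path, path[1:]):
            loads[(find_link(a, b), a, b)] += mbps
    return dict(loads)


def peak_utilisation(flows):
    """Busiest direction of each link as a fraction of its capacity."""
    peak = defaultdict(float)
    for (link, _a, _b), mbps in directional_loads(flows).items():
        peak[link] = max(peak[link], mbps / LINKS[link]["cap"])
    return dict(peak)


def check(flows):
    """Human-readable violations: oversubscribed link directions first, then flows
    that exceed what a single LAG member can carry."""
    violations = []
    for (link, a, b), mbps in sorted(directional_loads(flows).items()):
        cap = LINKS[link]["cap"]
        if mbps > cap:
            violations.append(f"{link} {a}->{b}: {mbps:.0f} Mbps offered > {cap} Mbps capacity")
    for name, mbps, path in flows:
        for a, b in zip(path, path[1:]):
            link = find_link(a, b)
            if mbps > LINKS[link]["per_flow"]:
                violations.append(
                    f"flow {name}: {mbps:.0f} Mbps > {LINKS[link]['per_flow']} Mbps per-flow limit on {link}")
    return violations


# The post's scenario: a WiFi client on VLAN_X saturating its link to the NAS (hairpinned
# through the SoC because the firewall is the inter-VLAN gateway) while a VLAN_Y PC pushes
# 100 Mbps to the WAN. Constructed figures, not measurements.
POST_SCENARIO = [
    ("wifi_to_nas",   1000, ["ap", "sw", "soc", "sw", "msw", "nas"]),
    ("vlan_y_to_wan",  100, ["pc1", "msw", "sw", "soc", "isp"]),
]

# Constructed heavier scenario: two wired PCs also copy to the NAS at line rate. That
# traffic stays on the managed switch and never touches the firewall.
HEAVY_SCENARIO = POST_SCENARIO + [
    ("pc1_to_nas", 1000, ["pc1", "msw", "nas"]),
    ("pc2_to_nas", 1000, ["pc2", "msw", "nas"]),
]

if __name__ == "__main__":
    for label, scenario in (("post scenario", POST_SCENARIO), ("heavy scenario", HEAVY_SCENARIO)):
        print(f"== {label}")
        for link, frac in sorted(peak_utilisation(scenario).items()):
            print(f"  {link:8s} busiest direction {frac:5.0%}")
        for v in check(scenario) or ["no oversubscribed links"]:
            print("  " + v)
```

For the post's own scenario the model agrees with the reasoning above: the SoC link carries 1100 Mbps towards the SoC and 1000 Mbps back, well inside 2500, and the LAG sees 1000 Mbps in one direction and 100 in the other. The heavier scenario shows where the design actually saturates: the NAS ports and the PC port, both on the managed switch, rather than anything on the firewall. Extending the flow list with the real traffic pattern before buying hardware is the practical use of this.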
