Friday, May 28, 2021

Moving from a single /24 to a divided /22; address space is running out and I want to compartmentalise. (E.g. move phones to their own subnet and VLAN). For inter-VLAN routing, what equipment should I use? A L3 switch? A NGFW?

First of all I consider myself a novice, so just bear that in mind.

It's a small business (40-ish users) but we're slowly expanding, and the original /24 network with everything on it is running out of addresses. Rather than just move to a /23, I want to compartmentalise and introduce some security. So I was thinking something like:

  • 10.0.0.0/24 VLAN 10 (servers, switches, APs etc.)

  • 10.0.1.0/24 VLAN 20 (workstations, laptops, printers)

  • 10.0.2.0/25 VLAN 30 (phones)

  • 10.0.2.128/25 VLAN 40 (DMZ)

  • 10.0.3.128/25 VLAN 50 (guest wifi)

I have thought about the address space here, and I am certain it's conservative enough. We're never going to become a huge company or acquired by another bigger one, we're just way too niche.

At the moment we have a Sonicwall TZ300 as our edge router/gateway. I was thinking it makes sense to let this just handle internet traffic, and not also use it in a router-on-a-stick config and have inter-vlan routing handled by something else.

We run a couple of DL380 G10s (both have 4x 1Gb NIC and 2x 10Gb) with ESXi on them for AD, WSUS, File Server, 3CX etc. I'm wondering what the implications might be of running pfSense or VyOS on one of these servers? Bandwidth is sufficient, but I'm assuming I'd need two instances of pfSense running for redundancy.

  • I'm not a network professional but very much a jack-of-all-trades sysadmin, so (cost aside) would a dedicated bit of kit be more practical? I've not really used pfSense much.

  • The 3CX (phone) system potentially wants to be accessed from the outside so I am assuming that just a L3 switch would not be sufficient, and it really wants to be in the DMZ and firewalled from the rest of the LAN.

  • Should I opt for a L3 switch instead of routing with pfSense, and put 3CX behind a single virtualised pfSense instance? Do you think it's OK to use the TZ300 to isolate 3CX, or does it want to be a separate (different brand?) firewall?

  • I want 10Gb between the servers - at the moment backups are throttled by 1Gb speed and not the disks, which are all SSD. (In case you're wondering, it's a small company with quite a lot of money, hence the overspec.) The 10Gb NICs are not used at all. All the networking equipment is 1Gb, at the moment.

Backups are on a separate on-site DL380 G8 server with a 10Gb NIC, then replicated to the cloud.

  • I'm assuming I can connect the servers together using a small 10Gb switch, and basically put these 10Gb NICs in their own little "backup network" so any Veeam backups or vMotioning that may take place is super fast. The other 4x 1Gb ports bonded on each G10 are more than sufficient for serving users.

I'm not entirely sure how I'd actually go about implementing what I just mentioned, however. I'm guessing I'd just have static IP addresses on the 10Gb NICs and put them in a /29 or something? I'm not sure how I'd tell Veeam/vMotion to work over the 10Gb link and not over the 1Gb link.

I may be asking the wrong questions, so feel free to point out any holes in anything I've said.

Thanks for your help.
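Before cutting a /22 into VLANs, it is worth checking the plan mechanically rather than by eye. The following is an added example (not part of the original post) that feeds the five subnets proposed above into Python's standard ipaddress module and reports anything outside the /22, any overlapping VLANs, usable host counts, and the blocks left unallocated; the VLAN plan itself is taken from the post, the checker is assumed.

```python
"""Sanity-check a VLAN/subnet plan before cutting over.

Added example: validates the plan from the post (five VLANs carved out
of 10.0.0.0/22) for containment, overlaps and leftover address space.
"""
import ipaddress

SUPERNET = ipaddress.ip_network("10.0.0.0/22")

# VLAN plan as proposed in the post: (vlan id, subnet, role).
PLAN = [
    (10, "10.0.0.0/24", "servers, switches, APs"),
    (20, "10.0.1.0/24", "workstations, laptops, printers"),
    (30, "10.0.2.0/25", "phones"),
    (40, "10.0.2.128/25", "DMZ"),
    (50, "10.0.3.128/25", "guest wifi"),
]


def check_plan(plan, supernet=SUPERNET):
    """Return problems found, unallocated blocks, and usable hosts per VLAN."""
    nets = [(vlan, ipaddress.ip_network(cidr), role) for vlan, cidr, role in plan]
    problems = []
    # Every VLAN must sit inside the supernet the firewall/L3 switch will route.
    for vlan, net, _ in nets:
        if not net.subnet_of(supernet):
            problems.append(f"VLAN {vlan} {net} is outside {supernet}")
    # No two VLANs may share addresses, or inter-VLAN routing breaks silently.
    for i, (v1, n1, _) in enumerate(nets):
        for v2, n2, _ in nets[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"VLAN {v1} {n1} overlaps VLAN {v2} {n2}")
    # Carve each VLAN out of the remaining free blocks to find unused space.
    free = [supernet]
    for _, net, _ in nets:
        remaining = []
        for block in free:
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))
            else:
                remaining.append(block)
        free = remaining
    # Subtract network and broadcast addresses to get usable host counts.
    usable = {vlan: net.num_addresses - 2 for vlan, net, _ in nets}
    return {"problems": problems, "free": sorted(free), "usable_hosts": usable}


if __name__ == "__main__":
    result = check_plan(PLAN)
    print("problems:", result["problems"] or "none")
    print("unallocated:", [str(n) for n in result["free"]])
    print("usable hosts per VLAN:", result["usable_hosts"])
```

Appending a proposed 10Gb backup /29 as an extra row is a quick way to confirm it stays clear of the user VLANs; on the plan as posted the checker also surfaces that 10.0.3.0/25 is still unallocated.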