Switch Recommendation

No, you are not. Presuming all the high-speed devices are on the same network, your firewall only needs to be fast enough to pass data to and from your WAN link at the speed of that link.

That depends entirely on how you configure the pfSense box. As you describe it, all your traffic will pass through it, so it will control what happens with that traffic.

Via a switch. WAN port on your firewall (i.e., your pfSense box) goes to your ISP’s modem, LAN port on your firewall goes to a switch, everything else connects to that switch.


So, that means a capable device (pfSense box) with X amount of ports (minimum two, one for the ISP box and the other for switches) that can filter the internet to the firewall and from the firewall to the other devices and switches, right? If that’s the case, why are there 25GbE OPNsense firewalls? Sorry, I’m not asking this in a rude manner but asking in general as I want to understand the basics :slight_smile:

Oh I see. And how would I know how powerful a CPU/RAM I would need for the firewall device? Yesterday, I got to know about some CPU instruction sets which are important for pfSense. Also, I’m confused about whether I need ECC RAM on the firewall side or not.

Yes, I totally get that. But this Lenovo ThinkStation has 1x1GbE onboard, which will go into my ISP modem, and then it has an i350-T4 installed which has 4x1GbE ports. So, will the following pattern work?

ISP Box (1GbE) to my onboard (I219-V, 1GbE) pfSense box. Then, this pfSense box also has the i350-T4 NIC, which has 4x1GbE ports, and I plan to hook up the following:

  • TP-Link Access Point (for securing WiFi networks)
  • Mikrotik 10GbE Switch (1GbE systems, 10GbE systems)
  • Mikrotik 25G/100GbE Switch (25GbE and 100GbE systems)
  • CCTV

Lastly, I have an existing Mikrotik CRS312-4C+8XG-RM. Is this a managed switch, and does it support VLANs? Moreover, is this a good choice for me (it will be lying around after I upgrade to the 25GbE switch), or do you guys have some other more robust suggestion with some other good features which I might need or am not aware of?

Thanks

Because some businesses have very fast WAN links, and/or need inter-VLAN routing at very high speeds.

That’s really a question better asked of the folks providing the software in question. The major factors are going to be how fast it needs to move data, and what it needs to do with that data as it’s moving it. Simple packet-filtering on a 200 Mbps WAN link is going to take a lot less than trying to run a VPN at multi-gigabit speeds. For most home purposes, up to and including a Gigabit WAN link, the CPU requirements are pretty modest.

That would likely be AES-NI, and while they’ve long since dropped it as a requirement, they’re a good idea for any application involving encryption. You’d be looking at very old CPUs to not have that.

Always a good idea if possible, but not especially important--TCP/IP data is checksummed, so it should detect if not correct errors.

I wouldn’t–I’d designate one as the LAN port, feed that into a gigabit switch, and connect the other devices to that. Unless you’re going to designate them as separate networks–maybe one network for CCTV, another for WiFi, to isolate traffic. Of course, that’s getting to be a more complicated network design.

I assume you could just bridge all those ports together, assign that bridge a single IP, and go from there–but I don’t think I would.

I’d assume so, but checking their docs would give you a better answer.

Bingo! This was a very simple question I wanted to know and no one answered me yet, except you :slight_smile:

You’re my man. Seems like i have to invite you for the dinner :wink:

Will research more into it. I think you already gave me a turbo charge by answering the basic questions, friend. Very very happy for this. Cannot thank you enough!

Hmm. What do you think about the i3-9100? That’s what I have at the moment, and 32GB RAM.

I think this was it. Sounds good!

Hmm. So mark it as an optional requirement?

Yes, but for some days, I want my devices down, let’s say for regular maintenance work or on holiday. Then, during the maintenance time, I would just need the WiFi, so if I connect my Access Point directly to the pfSense box, I would not need to have my switch always on. I can power down all the devices (including the switches) and only my ISP box, pfSense box, and Access Point are powered. Do you think I am doing it right?

I think I would want to do that, if not for the rest, for the CCTV for sure.

The ports on the i350? If so, I don’t think I would do it either. I would run individual devices from there.

Sounds good!

For the Access Point, I’m looking at the TL-WA3001. Is that a good choice? Having a few WiFi 6 capable devices and having owned TP-Link products for so long is a reason to go for them, as their products have been reliable. Not sure about recent years. Any advice on this would be beneficial and highly appreciated :slight_smile:

Thanks again!

Should be more than enough, as should the 32 GB of RAM (I have 16 GB in my router and it’s rarely more than 25% used, even with ZFS caching). It does support AES-NI, but doesn’t seem to support QAT–though pfSense CE doesn’t do QAT anyway.

I’d call ECC “nice-to-have” for a router, but not essential.

No idea on that; I’ve been using Unifi gear for the last several years. But TP-Link’s Omada ecosystem sounds pretty nice.


Now, that’s a relief.

Wow. Really? May I know your router model?

Oh, yes, I remember, there was something starting with QNT or QAT, which I read yesterday. What about OPNsense? Does it do QAT?

Sounds good!

Hmm. Will look into it. Already, you have helped me a lot and gave me an initial push to do it. So, thank you so much for that!

Lastly, what do you suggest to use as firewall software? pfSense or OPNsense?

It’s a Supermicro 5018D-FN8T running OPNsense. Xeon D-1518 CPU, 16 GB of RAM (which, again, is overkill, even when running a couple of VPN links, the Caddy reverse proxy, and the Zenarmor firewall software), 240 GB SSD (also gross overkill).

It appears that it does.

I like OPNsense better; others have other preferences. There’s a thread here, linking to another thread on the old forum, discussing differences between the two:


Sometimes, pros are the ones who need overkill hardware, because they don’t want something to bottleneck and always want room for expansion :wink:

Okay. And is that useful? I mean what does it exactly do and any guess what generation of Intel processors supports this instruction set?

Cool cool.

Thank you so much for your help! You ROCK! :heart:

I know QAT is a form of crypto acceleration; I presume it’d help out things like VPNs. Beyond that, I haven’t really looked into what it would do. Neither my current nor previous hardware supports it, so it wasn’t really a big deal for me.

Yeah, that’s a nice excuse. But I’m not a pro, and my Aliexpress special wasn’t really bottlenecking me in any way. What it didn’t have, though, was IPMI, and I was getting tired of not being able to see the console when I had to reboot the router. This system does have IPMI, so I can watch the router console from anywhere on my network. Don’t need it that often, but it’s nice to have when you need to do an update and reboot it.

Hmm

Indeed. I love IPMI. Reduces monitor cost and less clutter. xD

BTW, wanted to ask if I can connect an unmanaged switch to the managed switch to get more ports.

ISP box > pfSense > Managed switch > Unmanaged switch.

Would that work?

Sure, but you won’t have any VLAN capabilities with an unmanaged switch.

Yes, but that one port connected to the managed switch, will it have the same rules, or for the rules do I need a managed switch?

What I mean to say is, the managed switch is connected to the pfSense box and all the ports have firewall rules, so will connecting an unmanaged switch to a port on the managed switch be protected (have rules), or would I need a managed switch to achieve it?

pfSense doesn’t, AFAIK, have the ability to assign firewall rules to particular switch ports. The switch itself may be able to, but I haven’t seen any such functionality in either pfSense or OPNsense. So in that context, I’m afraid your question doesn’t make much sense.

I understand. What I wanted to convey is if my managed switch is secured using pfSense, then connecting an unmanaged switch to this secure managed switch, will it work? Secondly will it be still protected?

I don’t know what you mean by “secured” or “protected,” and I’m not sure you do either. There isn’t a meaningful sense in which a firewall “protects” a switch, other than perhaps a management interface for that switch (which an unmanaged switch wouldn’t have)–switches are generally transparent network devices. The firewall protects devices, specifically devices on networks. I think you need to spend some serious time learning network basics, because you’re proposing a fairly complicated network design that I don’t think you quite understand, much less understanding how to implement and secure it. You’re (apparently) someone who barely understands how to ride a bicycle, asking about the finer points of space flight.

But the short answer to the questions is that yes, an unmanaged switch will likely work if you plug it into a port of a managed switch, and the devices connected to that unmanaged switch would be protected by your firewall in the same way as devices connected directly to the managed switch.


Yes, that’s totally right. I’m new to it.

Thank you. That’s what I wanted to confirm!

Just the last thing to ask regarding this: can I connect the Access Point directly to the pfSense box, or would I need to connect it to the managed switch?

Ya, when I move to my new house I will be revising, but I do like all of the control via pfSense vs the CLI on the Brocade, and having that insight into traffic and handling DHCP and everything else, vs the pfSense just becoming a gateway. And my pfSense will be moving to a beefier system anyway, so even pushing through 10Gbps would be easily handled for the once in a blue moon I may need to do that between VLANs.

It all comes down to how you want to manage your environment and if you want to use VLANs vs physical ports.

You can either

pfSense
— LAN ----> Managed switch
— Optional interface 1—> Wifi Access point

Then you can create firewall rules in pfSense to block LAN and WiFi from talking to each other, and only allow what you want, if devices across your LAN or WiFi need to communicate.

Or

pfSense
---->VLANs —> LAN ----> Managed Switch:
→ Assign VLAN to port(s) for LAN devices
→ Assign VLAN to port(s) to connect to Wifi Access point.

Both end with the same result: with one you do not need to create VLANs in pfSense and your managed switch; with the other you do need VLANs.

As for connecting an unmanaged switch to your managed switch - you can do this fine, but if you are using VLANs to isolate networks, your unmanaged switch will be on whatever VLAN you plug it into on your managed switch.

You noted you wanted to be able to power down your switch when not in use, is this because power is expensive for you? If not, just leave it running.

Personally for me:

pfSense: 4 x 1Gb ports

  • 1 Interface for WAN from ISP
  • 2 x ports bonded / LACP going to my managed switch, giving me redundancy and 2Gb of total throughput (still only a max of 1Gbps per session)
  • VLANs as needed - the default VLAN can be your LAN, a new VLAN for your WiFi network, and then you can always add other VLANs for things like IoT devices, like security cameras or other stuff.

Then you get even fancier, and eventually get a WiFi access point that can do multiple SSIDs, one per VLAN!

Now you can have an isolated guest VLAN, an isolated IoT VLAN; it’s all about control and segmentation.
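As an added illustration (not from this thread or any poster), here is the second layout above expressed as a RouterOS bridge VLAN configuration of the kind the Mikrotik CRS312 mentioned earlier accepts: one tagged trunk to pfSense, access ports per VLAN, and the 8-port unmanaged switch hanging off one access port so everything behind it lands in that port’s VLAN. Port names, VLAN IDs (10 LAN, 20 WiFi, 30 CCTV) and the management address are assumptions; the matching VLAN interfaces and firewall rules then live on the pfSense LAN port.

```routeros
# Added example, not from the thread. Assumed port roles on a CRS3xx switch:
#   ether1 -> trunk to pfSense LAN port (tagged 10,20,30)
#   ether2-ether4 -> wired LAN devices (VLAN 10)
#   ether5 -> WiFi access point (VLAN 20)
#   ether6 -> CCTV recorder (VLAN 30)
#   ether7 -> 8-port unmanaged switch (VLAN 10, inherited by every device behind it)
/interface bridge
add name=bridge1 vlan-filtering=no comment="turn filtering on only after VLAN table is complete"

/interface bridge port
# Trunk: accept only tagged frames so an untagged host cannot slip into the PVID.
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access ports: untagged frames are dropped into the port's PVID; tagged frames are refused.
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether6 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Unmanaged downstream switch: it cannot tag, so it and all its ports are VLAN 10.
add bridge=bridge1 interface=ether7 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# VLAN table: each VLAN is tagged toward pfSense (and toward the bridge itself for
# VLAN 10 so the switch management address can sit there) and untagged on its access ports.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether7
add bridge=bridge1 vlan-ids=20 tagged=ether1 untagged=ether5
add bridge=bridge1 vlan-ids=30 tagged=ether1 untagged=ether6

# Switch management lives in the LAN VLAN only (assumed address, constructed for this example).
/interface vlan
add name=mgmt-vlan10 interface=bridge1 vlan-id=10
/ip address
add address=192.168.10.2/24 interface=mgmt-vlan10

# Enable filtering last; from here on inter-VLAN traffic must go up the trunk to pfSense.
/interface bridge
set bridge1 vlan-filtering=yes
```

Apply this from the console or a port you are sure stays in VLAN 10, since enabling vlan-filtering drops any management session arriving on a port whose VLAN is not in the table.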

How would I know whether I need 10GbE?

What’s the best in terms of security practice? Second one right?

Yes, wanted to confirm, as there are only 16 ports on this switch I have and I might need 24 probably, so the other systems, which are not that important, are connected via an 8-port unmanaged switch, so I wanted to know if I could use that.

No, the thing is except for the firewall and NAS and the Access Points, everything will be shut, including the second switch (25G/100G).

The other 1 port is empty?

Yes, it’s a nice adventure. Trying to learn as much as I can!