Topic: Feedback requested: Network design, moving away from pfSense (Read 150 times)
steefy (Newbie, Posts: 1, Karma: 0)
Feedback requested: Network design, moving away from pfSense
on: November 12, 2024, 07:04:52 pm
Hi all. I've been running pfSense 2.5.2 on a PC Engines APU2 for a few years now. Instead of upgrading it to the latest, I decided to move to a new box and install OPNsense. Looking much better so far!
My new firewall:
Qotom-Q750G5
Intel Celeron J4125
8GB RAM
128GB SSD
5x 2.5 Gbit Intel I225-V
Port 1: WAN
Port 2: Management network
Port 3: Unused. Maybe add it to the LAGG?
Port 4: LAGG
Port 5: LAGG
Server
Asrock Rack X470D4U
AMD Ryzen 7 3700X
4x 32GB ECC memory
2x LSI SAS 9211-8i
6x Toshiba MG09 18TB in zfs-raid2 (data)
6x Crucial MX500 2.5" 500GB in zfs-raid2 (os + containers)
This is an Ubuntu 24.04 host, running LXD 5.21 with about 15 containers. Most I/O stays on this host, and if it leaves my host it is going to either my desktop or some of the media players.
2x MikroTik Cloud Smart Switch 326-24G-2S+RM
I have around 70 WiFi devices, mainly IoT, connected to 3x UniFi AP-AC-PROs.
My physical network setup:
My logical design:
Inbound connections
I have a Mail-in-a-Box server in the cloud, which does rsync backups to home.
IPsec clients (protocol can be changed, probably to WireGuard)
Nextcloud
I did some reading on https://homenetworkguy.com/ and came up with this design.
LAN Devices: VLAN ID 10, IP Range 10.10.0.0/24
Trusted Mobile Devices: VLAN ID 20, IP Range 10.20.0.0/24
Guest Network: VLAN ID 30, IP Range 10.30.0.0/24
Local Services: VLAN ID 40, IP Range 10.40.0.0/24
Public Services: VLAN ID 50, IP Range 10.50.0.0/24
Reverse Proxy (Caddy): VLAN ID 60, IP Range 10.60.0.0/24
VPN Services: VLAN ID 70, IP Range 10.30.0.0/24
IoT Devices: VLAN ID 80, IP Range 10.80.0.0/24
Management Network: VLAN ID 99, IP Range 10.99.0.0/24
/24 can be changed to /16, but I don't expect it to be necessary in the near future.
I've been using Linux (and to some extent BSD) for over 20 years and have learned a few tricks along the way. However, network design is new to me. Any feedback would be appreciated!
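As an added example (not from the original post), a small Python check over the segmentation plan above: it flags subnets that overlap, duplicate VLAN IDs, and segments that break the 10.<VLAN>.0.0/24 convention the plan otherwise follows. The plan data is copied from the post as written; the `Segment` type and `check_plan` helper are mine.

```python
import ipaddress
from typing import List, NamedTuple


class Segment(NamedTuple):
    name: str
    vlan: int
    cidr: str


# Segmentation plan exactly as listed in the post (copied, not corrected).
PLAN = [
    Segment("LAN Devices", 10, "10.10.0.0/24"),
    Segment("Trusted Mobile Devices", 20, "10.20.0.0/24"),
    Segment("Guest Network", 30, "10.30.0.0/24"),
    Segment("Local Services", 40, "10.40.0.0/24"),
    Segment("Public Services", 50, "10.50.0.0/24"),
    Segment("Reverse Proxy (Caddy)", 60, "10.60.0.0/24"),
    Segment("VPN Services", 70, "10.30.0.0/24"),
    Segment("IoT Devices", 80, "10.80.0.0/24"),
    Segment("Management Network", 99, "10.99.0.0/24"),
]


def check_plan(plan: List[Segment]) -> List[str]:
    """Return human-readable findings for a VLAN/subnet plan.

    Overlapping subnets matter for security: the firewall separates segments
    by routing between them, and two VLANs sharing address space cannot be
    told apart by rules, so isolation between them silently breaks.
    """
    findings = []
    nets = [(s, ipaddress.ip_network(s.cidr, strict=True)) for s in plan]
    # Pairwise checks for address-space overlap and duplicate VLAN tags.
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"overlap: {a.name} (VLAN {a.vlan}) and "
                                f"{b.name} (VLAN {b.vlan}) share {na}")
            if a.vlan == b.vlan:
                findings.append(f"duplicate VLAN ID {a.vlan}: {a.name} and {b.name}")
    # Convention check: second octet of 10.x.0.0 should equal the VLAN ID.
    for s, n in nets:
        if n.network_address.packed[1] != s.vlan:
            findings.append(f"convention: {s.name} is VLAN {s.vlan} but uses {n}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
```

Run against the plan as posted, it reports that VPN Services (VLAN 70) reuses the Guest Network's 10.30.0.0/24 and breaks the naming convention; changing that one range to 10.70.0.0/24 yields no findings.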
fastboot (Newbie, Posts: 44, Karma: 3)
Re: Feedback requested: Network design, moving away from pfSense
Reply #1 on: November 13, 2024, 01:29:57 pm
Hi.
Seems you took some time to think about it. I would say you take things seriously.
Either way, the topology looks quite fine to me.
I am a little unsure what Domotica is. A search revealed it's some kind of home automation. I have a similar setup, but smaller. Like for instance with the UPS. I just want to protect the server. Because if the lights go out on the streets, either way internet is not working anymore.
What I don't understand is, why you want a physical connection for this device to anywhere? Maybe I am just misinterpreting the layout?
Edit: I've also searched for the Qotom-Q750G5. From the specs, and putting this together with your topology, I would assume it's too small for your environment. I had a similar CPU before, in a much smaller setup. With some services enabled like IPS, it was already maxed out under heavy load.
Maybe the others have more experience with this specific device than I do. But I would check for something more reliable with more power and even better support. I have a Protectli 6630. What I can say so far is that the device is amazing and the support (EU) superb.
Additionally, I would try to get rid of the modem. I'm also waiting for the fibre link, so that I can get rid of the DSL modem and connect the internet directly to the FW.
Last Edit: November 13, 2024, 01:44:00 pm by fastboot