Feedback requested: Network design, moving away from pfSense

Started by steefy, November 12, 2024, 07:04:52 PM

Hi all. I've been running pfSense 2.5.2 on a PC Engines APU2 for a few years now. Instead of upgrading it to the latest, I decided to move to a new box and install OPNsense. Looking much better so far!

My new firewall:

Qotom-Q750G5
Intel Celeron J4125
8GB RAM
128GB SSD
5x 2.5 Gbit Intel I225-V

Port 1: WAN
Port 2: Management network
Port 3: Unused. Maybe add it to the LAGG?
Port 4: LAGG
Port 5: LAGG

Server
Asrock Rack X470D4U
AMD Ryzen 7 3700X
4x 32GB ECC memory
2x LSI SAS 9211-8i
6x Toshiba MG09 18TB in zfs-raid2 (data)
6x Crucial MX500 2.5" 500GB in zfs-raid2 (OS + containers)

This is an Ubuntu 24.04 host, running LXD 5.21 with about 15 containers. Most I/O stays on this host, and if it leaves my host it is going to either my desktop or some of the mediaplayers.

2x MikroTik Cloud Smart Switch 326-24G-2S+RM

I have around 70 WiFi devices, mainly IoT, connected to 3x UniFi AP-AC-PRO's.


My physical network setup:

My logical design:

Inbound connections
I have a Mail-in-a-Box server in the cloud, which does rsync backups to home.
IPsec clients (protocol can be changed, probably to WireGuard)
Nextcloud

I did some reading on https://homenetworkguy.com/ and came up with this design.

LAN Devices

    VLAN ID: 10
    IP Range: 10.10.0.0/24
   
Trusted Mobile Devices

    VLAN ID: 20
    IP Range: 10.20.0.0/24

Guest Network

    VLAN ID: 30
    IP Range: 10.30.0.0/24   

Local Services

    VLAN ID: 40
    IP Range: 10.40.0.0/24

Public Services

    VLAN ID: 50
    IP Range: 10.50.0.0/24
   
Reverse Proxy (Caddy)

    VLAN ID: 60
    IP Range: 10.60.0.0/24
   
VPN Services

    VLAN ID: 70
    IP Range: 10.30.0.0/24

IoT Devices

    VLAN ID: 80
    IP Range: 10.80.0.0/24

Management Network

    VLAN ID: 99
    IP Range: 10.99.0.0/24

/24 can be changed to /16, but I don't expect it to be necessary in the near future.

I've been using Linux (and to some extent BSD) for over 20 years and have learned a few tricks along the way. However, network design is new to me. Any feedback would be appreciated!
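The VLAN plan above is a good candidate for a mechanical sanity check before it is typed into a firewall. The following Python is an added example (not part of steefy's post or any OPNsense tooling): it takes the plan as transcribed from the post, treats it as sample input, and reports invalid or duplicate VLAN IDs, overlapping subnets, and any subnet that breaks the 10.<VLAN>.0.0/24 convention the rest of the plan follows. The plan dictionary and its layout are assumptions made for the example.

```python
import ipaddress

# The VLAN plan from the post, transcribed here as constructed sample input
# (it is not read from a live OPNsense configuration).
VLAN_PLAN = {
    "LAN Devices":            (10, "10.10.0.0/24"),
    "Trusted Mobile Devices": (20, "10.20.0.0/24"),
    "Guest Network":          (30, "10.30.0.0/24"),
    "Local Services":         (40, "10.40.0.0/24"),
    "Public Services":        (50, "10.50.0.0/24"),
    "Reverse Proxy (Caddy)":  (60, "10.60.0.0/24"),
    "VPN Services":           (70, "10.30.0.0/24"),
    "IoT Devices":            (80, "10.80.0.0/24"),
    "Management Network":     (99, "10.99.0.0/24"),
}


def check_plan(plan):
    """Return a list of (severity, message) findings for a VLAN/subnet plan.

    Checks performed:
      * VLAN IDs are valid 802.1Q IDs (1-4094) and not reused
      * every subnet parses as a network address and no two subnets overlap
      * for VLAN IDs up to 255, the subnet follows the 10.<VLAN>.0.0/24
        convention used in the plan (an assumed house rule, not a standard)
    """
    findings = []
    seen_ids = {}
    nets = []

    for name, (vid, cidr) in plan.items():
        if not 1 <= vid <= 4094:
            findings.append(("error", f"{name}: VLAN ID {vid} is outside 1-4094"))
        if vid in seen_ids:
            findings.append(("error", f"{name}: VLAN ID {vid} already used by {seen_ids[vid]}"))
        seen_ids.setdefault(vid, name)

        try:
            # strict=True rejects host bits set in the prefix, e.g. 10.10.0.1/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(("error", f"{name}: bad subnet {cidr!r} ({exc})"))
            continue

        if 1 <= vid <= 255:
            expected = ipaddress.ip_network(f"10.{vid}.0.0/24")
            if net != expected:
                findings.append(("warning",
                                 f"{name}: {net} does not follow the 10.<VLAN>.0.0/24 "
                                 f"convention (expected {expected})"))
        nets.append((name, net))

    # Pairwise overlap check; overlapping subnets silently break routing
    # and make per-VLAN firewall rules match the wrong hosts.
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(("error", f"{n1} ({a}) overlaps {n2} ({b})"))
    return findings


if __name__ == "__main__":
    for severity, message in check_plan(VLAN_PLAN):
        print(f"[{severity}] {message}")
```

Run against the plan as posted, the check reports two findings: a warning that "VPN Services" (VLAN 70) does not use 10.70.0.0/24, and an error that its 10.30.0.0/24 overlaps the Guest Network. Whatever the intended range is, the overlap has to be resolved before the interfaces are created, because two interfaces with the same subnet cannot both be routed and the inter-VLAN rules would no longer map to the segments they are meant to separate.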

Hi.


It seems you took some time to think about it. I would say you take things seriously ;)

Either way, the topology looks quite fine to me.

I am a little unsure what Domotica is. A search revealed it's some kind of home automation. I have a similar setup, but smaller, for instance with the UPS: I just want to protect the server, because if the lights go out in the street, the internet is not working anymore either way.
What I don't understand is, why you want a physical connection for this device to anywhere? Maybe I am just misinterpreting the layout?

Edit: I've also searched for the Qotom-Q750G5. From the specs, and putting this together with your topology, I would assume it's too low-sized for your environment. I had a similar CPU before, in a way smaller setup. With some services enabled, like IPS, it was already maxed out under heavy load.

Maybe the others have more experience with this specific device, as I don't. But I would check for something more reliable with more power and even better support. I have a Protectli 6630. What I can say so far: the device is amazing and the support (EU) superb.
Additionally, I would try to get rid of the modem. I'm also waiting for the fibre link, so that I can get rid of the DSL modem and connect the internet directly to the FW.