Model decisions, is the Netgate 2100 the right choice?

CreationGuy

I'm coming from a network as follows:

• 100Mb from ISP to a router that handles wireless (I don't see that changing)
• From the router I have a 24 port unmanaged switch with about 15~ clients on it. They are not all active at once.
• There's probably 5 wireless clients
• Off of the 24 port switch is a 8 port PoE switch for security cameras and security computer

I want to set up VLANing:

• VLAN1 - Internal Users, access to everything
• VLAN2 - Internet Only / Guest Wifi
• VLAN3 - Security devices, these devices would have no internet access, cannot access other VLANS but can communicate with each other. VLAN1 should have access to these units (but those units can't see/communicate with VLAN1)

I plan on running or playing with the following packages:

• DHCP
• pfblocker
• MAYBE Application blocking, but that's just experimental
• Wireguard or OpenVPN for just one client
• Possibly SquidGuard but we have PiHole system running
• I'd like to play with Suricata but may not keep it

SteveITS

@prtonguy77 You're probably fine there. The 2100 ARM CPU isn't exactly fast but we run Snort/Suricata on those.

Per the Netgate store:

IPsec VPN
(AES-GCM-128 / AES-NI)
IPERF3 Traffic: 118 Mbps
IMIX Traffic: 68 Mbps

There's a doc page on VLANs.

stephenw10

Yeah at 100Mbps that's no problem. Internal VLAN routing would be dependent on the 2100 throughput. So, for example, if clients on VLAN1 are pulling data from devices in VLAN3 that is routed and filtered through the 2100. You would not see full Gigabit for that. Which may not matter for your use.

Steve

CreationGuy

@stephenw10
When you say pulling data, do you mean any kind such as video files or streaming of a video feed? And if so, is that because of certain packages I listed or just due to the switch?

edit:
Also, what about traffic on the same VLAN? 1Gb?

stephenw10

Any traffic between VLANs has to be routed through pfSense and that means you can filter it. But it also means you have to route and filter it. The 2100 will not pass that at Gigabit line rate. I would expect to see at least 500Mbps though depending on the traffic type. If you are regularly moving huge files between those VLANs that might present an issue for you.
Traffic between devices in the same VLAN does not go through the firewall so never sees that restriction.

Steve

CreationGuy

@stephenw10 said in Model decisions, is the Netgate 2100 the right choice?:

Any traffic between VLANs has to be routed through pfSense and that means you can filter it. But it also means you have to route and filter it. The 2100 will not pass that at Gigabit line rate. I would expect to see at least 500Mbps though depending on the traffic type. If you are regularly moving huge files between those VLANs that might present an issue for you.
Traffic between devices in the same VLAN does not go through the firewall so never sees that restriction.

Steve

OK, that's because of the routing rules? The VLANs would be on the same switch as would the devices.

Couple of questions as I'm learning:

1. If devices on VLAN3 are on same switch sending data back and forth does the data stay on that switch or does it go through the netgate as well? If so, that port is going to be busy! I think that you answered that but wanted to confirm. :)
2. Does that 881Mbps limit occur if I only have 50~ ACLs? I saw that it said 10k ACLs. If so, assuming that the 3100 would be a better fit. Is that model soon to be replaced?

stephenw10

VLANs exist to separate devices. All the hosts and VLANs can exist on the same switch but, unless that's a layer 3 switch, traffic will not be able to go between different VLANs without going via a router. pfSense in that case. Traffic between different hosts on the same VLAN (same subnet) does not have to be routed so just goes directly between the hosts via the switch.

CreationGuy

@stephenw10
The Switch is EnGenius EWS7928P which has Layer 2 support. I'm also looking at the Unify USW-Pro-24 which supports Layer 3 for $20 more.

Would the EnGenius be enough as it is layer 2 and VLAN support? If not, the USW-Pro-24 would work. Would the 2100 be sufficient for 1Gb routing since the switch would handle that via Layer 3?

I'm sorry for all of the questions, just want to buy the right products.

stephenw10

The SG-2100 will not route and filter at 1Gbps. If you have a layer 3 switch you can route between the VLANs using that so the SG-2100 doesn't have to. But that also means any filtering of traffic between the VLANs has to be done in the switch and it's often a lot less flexible there.
That does leave the SG-2100 routing only the WAN traffic which at 100Mbps is no problem.

Do you actually need 1Gbps between different VLANs?

Steve

CreationGuy

@stephenw10 I'm not sure... I would be transferring exported video clips from VLAN3 to VLAN1 from time to time.

stephenw10

Ok, so unless those are 100s of Gigabytes you probably don't actually need it.

If you were moving files that large regularly you'd probably be looking at 10GbE.

But really only you can answer that.

CreationGuy

@stephenw10 For my set up, I would not be transferring large quantities of large exported videos. They range from 100MB to 1GB and I export 5-10 a month. Those would be in the future, crossing VLANs.

As long as the data on the standard VLAN stays on the switch and is transferring at 1Gb I am fine with that.

In your opinion, with all of that said, would the 2100 or 3100 be best considering the hardware, age, etc.

whosmatt

@prtonguy77 My vote would be size your pfSense for the WAN connection and then if you need faster internal routing spend the money on L3 switches. From everything you've posted the 2100 should be fine.

stephenw10

Yes, I would go with the 2100 given that WAN bandwidth.

Steve