Netgate Discussion Forum

Is Cisco SG300-20 (SRW2016-K9-NA) a good choice for this application?

    guardian Rebel Alliance
    last edited by Jan 12, 2017, 1:44 AM

    I've been playing with pfSense for a little while now, but I'm relatively new to complex networking (currently using dd-wrt & a dumb switch) and don't have the isolation and security that I want, so I'm fighting my way through the task of building a better network.

    I'm hoping to put together a home network that will allow me to:

    • Run several Virtual Machines (VirtualBox), and have each machine go out through a different VPS. I want to make sure that the VMs can't get at my private network.

    • Provide internet access (and enhanced firewalling) for a VOIP adapter, while keeping it isolated from most of the network except for limited access for administration.

    • Network my printers and scanner, so that the PCs can get to them, but that they are kept off the Internet and away from the media server, VOIP and IOT stuff.

    • Route a small wireless IOT network out to the Internet, but have separation from the main network.

    • Give Internet access to a media player, but isolate from most of the network.

    My plan is to use a separate VLAN for each VM, VOIP adapter, IOT network, and Media Network, and then connect each VLAN to its own Virtual Interface on pfSense. If I understand things correctly, virtual interfaces can have their own firewall rules and/or VPN tunnel, and can be isolated from each other easily. Correct?

    My question is would a Cisco SG300-20 (SRW2016-K9-NA) be a decent choice for this type of setup?

    I'm still a long way from having everything figured out, but I'm hoping one of the gurus here knows that box and can tell me if that would be a good base to work with.  I have a chance to get one on sale for the next week or so, so I was thinking about getting it and starting to learn what I need to learn.

    Currently have a 250/20 pipe to the net, but may upgrade if the price of the 1000 service drops (which it likely will in the next 2 or 3 years.)

    If I understand things correctly, the Cisco SG300-20 (SRW2016-K9-NA) should be more than up to the job (but I still have a lot to learn before I can implement this setup).
    Any advice would be much appreciated.

    If you find my post useful, please give it a thumbs up!
    pfSense 2.7.2-RELEASE

      Derelict LAYER 8 Netgate
      last edited by Jan 12, 2017, 2:15 AM

      If you properly tag pfSense VLAN interfaces to a switch, they are treated as separate interfaces by pfSense. They have separate firewall rules, etc. Extend those tags to vSwitches and you can isolate your VMs that way.

      The usual way to get traffic from one VLAN to another is through a router. That can be a Layer 3 interface on the switch or the firewall with interfaces on each VLAN, another router, or pretty much any combination thereof that you want.

      Make sure you can't get an SG350 instead of an SG300. The SG300 will do everything you need but I would go with the current series unless the older ones are to be had at a significant discount.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

        dennypage
        last edited by Jan 12, 2017, 4:01 AM

        I have an SG300-20 that I would sell at a good price if you are interested.

          guardian Rebel Alliance
          last edited by Jan 12, 2017, 4:25 AM Jan 12, 2017, 4:07 AM

          Thanks for the reply, Derelict.

          I figure that I need about 16 ports (using 11 on my current switch, and I will likely need to add some things). The SG300-20 is a good size (cost $370 CDN). Based on what I can see, the SG350 is either a 10 or a 28 (about $670-700 CDN), which is way over budget and bigger than I need.

          That makes it the SG-300 or a consumer item from Netgear, TP-Link, TrendNET or similar.

          If I understand things correctly, it sounds like it should do the job, and given the type of money that I can justify spending, it's about the best I can hope for.
          I'm guessing, based on your comments and the sale, that ongoing support may be an issue.

          Comments/suggestions/anything I am missing?

            guardian Rebel Alliance
            last edited by Jan 12, 2017, 4:22 AM

            Hi dennypage

            Possibly…. PM me with the details.... I assume you are in the US... getting it across the border/shipping may or may not make it feasible.

              dennypage
              last edited by Jan 12, 2017, 5:25 AM

              Sorry guardian, I didn't realize you were outside the US. Probably not cost effective to ship internationally.

                dreamslacker
                last edited by Jan 12, 2017, 7:37 AM

                @guardian:

                My plan is to use a separate VLAN for each VM, VOIP adapter, IOT network, and Media Network, and then connect each VLAN to its own Virtual Interface on pfSense. If I understand things correctly, virtual interfaces can have their own firewall rules and/or VPN tunnel, and can be isolated from each other easily. Correct?

                Effectively, yes. Don't forget to have another VLAN for your printer/scanner so you get to isolate that.

                Also, you do not need to use individual VLANs per VM; you can put them in a single production VLAN and use individual firewall rules to do policy-based routing to the correct gateway. Obviously, you will still need to create more VLANs for the production partition if you need isolation between the VLANs.

                Additionally, you can change your Outbound NAT to manual mode and disable NAT for the printer or scanner VLAN. This is optional as you can basically use the firewall rules on the VLAN tab to achieve this.

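The layout described in the post above, written out in pf.conf syntax as an added example that is not part of the original thread. pfSense builds its ruleset from the GUI rather than from a hand-edited file, so this only illustrates the rule logic; every interface name, address and gateway below is a constructed placeholder.

```conf
# Constructed placeholders: substitute your own interfaces and subnets.
lan_if   = "igb1"                 # trusted PCs
vm_if    = "igb1.30"              # VLAN 30: one shared segment for all VMs
prn_if   = "igb1.40"              # VLAN 40: printers and scanner
lan_net  = "192.168.10.0/24"
prn_net  = "192.168.40.0/24"
vm_a     = "192.168.30.11"        # VM routed through tunnel A
vm_b     = "192.168.30.12"        # VM routed through tunnel B
vpn_a_if = "ovpnc1"
vpn_a_gw = "10.8.1.1"
vpn_b_if = "ovpnc2"
vpn_b_gw = "10.8.2.1"

# Every internal subnet lives in private address space.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Default deny; everything allowed is listed explicitly below.
block log all

# VM segment: first refuse anything aimed at an internal network,
# then policy-route each VM to its own gateway. Because private
# ranges are blocked, the VMs must use a resolver reached through
# their tunnel rather than the firewall's own address.
block in quick on $vm_if inet from any to <private>
pass  in quick on $vm_if route-to ($vpn_a_if $vpn_a_gw) inet from $vm_a to any
pass  in quick on $vm_if route-to ($vpn_b_if $vpn_b_gw) inet from $vm_b to any

# Caveat: vm_a and vm_b share a broadcast domain, so traffic between
# them never reaches these rules. Isolating VMs from each other still
# needs separate VLANs.

# Printer VLAN: the devices may not start connections to anything,
# which keeps them off the Internet without touching outbound NAT.
block in quick on $prn_if all

# PCs may reach the printers on IPP and raw printing ports only;
# replies are allowed by state tracking.
pass in quick on $lan_if inet proto tcp from $lan_net to $prn_net port { 631, 9100 }
```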
                  Guest
                  last edited by Jan 13, 2017, 4:51 PM

                  That makes it the SG-300 or a consumer item from Netgear, TP-Link, TrendNET or similar.

                  Then perhaps you would do better with the SG300; it is way better than the others. Another switch that could be
                  a nice fit for this case is the D-Link DGS1510-20, also Layer 3 with 20 GB ports, but on top of this it comes
                  with 2 SFP+ ports! You can then choose to connect over a 10 GbE interface to your server, and then you
                  will have a gain in throughput.
