Switch and Firewall Recommendation
-
Hello Guys,
I’m not sure if this is the right place to ask this question. If not, please move the thread to the appropriate forum.
So, now I'm mostly finishing the setup and want to include a pfSense Firewall device to secure the network as some of them will be exposed to the internet.
I got to know that for the best security practices, it's suggested to use a managed switch which supports VLAN. So, now as I'm moving to 25G and 100G, I have my old switch (still in use) with the old NAS device and clients. So, my questions are:
-
Do I need a new managed switch? Already having Mikrotik CRS312-4C+8XG-RM. If yes, then what brand and model would you guys recommend? Looking under 16 ports for the moment. In addition, what other features should I look for in a switch that's aimed to be used with the pfSense?
-
Do I need to have the SFP+ ports on the Firewall Device?
-
Currently, planning to use an old Lenovo ThinkStation Tiny (Core i3-9100+32GB DDR4 RAM+i350-T4 NIC). Is the CPU sufficient or do I need to upgrade it so that it does not bottleneck when most of the devices are connected to the Firewall via a Switch?
-
As the ThinkStation Tiny does have i350-T4, can I use the rest of the ports for the desired devices (such as Plex/CCTV) or would I still need them to route through the managed switch?
-
Do I need a machine with ECC support for the Firewall device? I plan to use ZFS on the pfSense installation.
Any suggestions and recommendations are more than welcome!
Thanks
-
@AmitS Bump
-
@AmitS Your post is a little confusing. You mention that you are moving to 25G and 100G - are you talking about Gbit link speed or? Because no pfSense can move that kind of data, and you are referring to your intended pfSense box which is only fitted with 1 Gbit NICs.
With 1Gbit NICs that Lenovo is more than capable of moving all NICs at wirespeed.
The difference between routing in a switch and a firewall is security. A fully L3 capable switch will only do stateless ACLs - not NEARLY as secure or full featured as a fully stateful firewall like pfsense.
So which is it? If you are going 25G or 100G on a server of some kind, you need a VASTLY more capable switch - not to mention Internet uplink and firewall.
-
I think maybe he meant 2.5ge and 10ge? Makes more sense..
-
@keyser Sorry for the confusion. What I meant is, now I'm moving to a 25G and 100G local network (NAS and clients) so my old 10GbE switch will be lying aside once I upgrade. So, I wanted to ask if I can utilize that particular one (my old 10GbE switch) which is from Mikrotik and the model is CRS312-4C+8XG-RM.
Now, my question is whether it is a managed switch or not and whether it supports VLAN or not. If not, then what brand and model would you guys recommend? Looking under 16 ports for the moment. In addition, what other features should I look for in a switch that's aimed to be used with the pfSense?
-
@AmitS said in Switch and Firewall Recommendation:
CRS312-4C+8XG-RM
That switch has 4 sfp+ combo ports - so if they can handle 25ge or 100ge sfps you could possibly leverage it in some fashion as another switch where only 10ge or lower would be connected via copper. If you can only have 10ge uplink might be fine for lower clients like 2.5ge connection.. If they are all 10ge clients and your uplink is also limited to 10ge might be a bottleneck - would depend on your networks flow patterns. Maybe devices on this switch would only be talking to the internet which is say at only 1ge or something so wouldn't matter if uplink is only 10.
But if you want to route traffic above 10ge I don't think pfsense can do that.. This is what TNSR is for.. As to if some i3 thinkstation could do it, I have no idea..
I would be curious what NAS you're running that can do 25ge or 100??.. Doesn't matter if you can connect it at 25ge, but the disks you're running can come close to needing that much bandwidth?.. Some enterprise level SSDs? In a raid?
Those enterprise level NVME drives that can do crazy speeds are not freaking cheap that is for sure!!!
-
@johnpoz said in Switch and Firewall Recommendation:
That switch has 4 sfp+ combo ports - so if they can handle 25ge or 100ge sfps you could possible leverage it in some fashion as another switch where only 10ge or lower would be connected via copper. If you can only have 10ge uplink might be fine for lower clients like 2.5ge connection.. If they are all 10ge clients and your uplink is also limted to 10ge might be a bottleneck - would depend on your networks flow patterns.
I'm new to pfsense and planning to implement some firewall thingy to secure the networks as some of them will be exposed to the outer world. The switch I mentioned is only 10GbE, not 25GbE or 100GbE. What I wanted to ask is whether I can use this old switch (if it supports VLAN) instead of buying a new managed switch with VLAN support as that would add some extra cost to the network setup. I hope now it's clear :)
My internet speed from the ISP box is like a 400Mb/s plan (40MB/s) actual speeds. So, what I want to ask is whether my Lenovo i3 9100+32GB RAM+512GB SSD paired with i350 (4x1GbE) port can do the routing, where I can connect the switches I have and some other devices like CCTV.
@johnpoz said in Switch and Firewall Recommendation:
Maybe devices on this switch would only be talking to the internet which is say at only 1ge or something so wouldn't matter if uplink is only 10.
Yes, exactly friend. The connected devices on this switch as well as the other 25GbE and 100GbE will be only talking to the internet which will be 1GbE so I think Lenovo can route the internet traffic to this 10GbE switch along with the other 25GbE and 100GbE switch, including my CCTV. Am I understanding it all correct?
@johnpoz said in Switch and Firewall Recommendation:
But if you want to route traffic above 10ge I don't think pfsense can do that..
Sorry, but I don't get this point. Can you please explain? I'm willing to try pfSense to secure my networks and I just want to know whether my Lenovo and the old 10GbE switch can do that or not. But what do you mean by routing traffic above 10GbE? I think the traffic will be routed to the main 25GbE and 100GbE switches and this pfSense box will route the internet traffic. I'm not sure if I am understanding it the wrong way, but pardon me as I'm new to this pfSense thingy.
@johnpoz said in Switch and Firewall Recommendation:
I would be curious what NAS your running that can do 25ge or 100??..
Those are some custom built NAS having 16HDDs, 24 NVMes and few 2.5" drives. There are multiple NASes in the office and some are 10GbE too.
@johnpoz said in Switch and Firewall Recommendation:
Doesn't matter if you can connect it at 25ge, but the disks you running can come close to needing that much bandwidth?.. Some enterprise level SSDs? In a raid?
Yes, I'm aware of this fact. It really doesn't matter if you install a 200GbE NIC and either connect it directly NIC to NIC or with the help of a switch, unless your disks are fast enough to support that much speed, you ain't getting that and with SMB, it will always be slow being a single threaded connection. This is why we have all the RDMA thingy, client workstations running workstation/server OS. Yes, from the HDD to NVMe, they are all enterprise drives. Currently some pools are in mirror, some in Z3.
@johnpoz said in Switch and Firewall Recommendation:
Those enterprise level NVME drives that can do crazy speeds are not freaking cheap that is for sure!!!
Indeed, these are all Gen4 NVMes and support like 7000MB/s speeds, it's a crazy adventure.
-
@AmitS said in Switch and Firewall Recommendation:
What i wanted to ask is whether i can use this old switch (if it supports VLAN)
Yeah pretty sure all mikrotik switches support vlans - I have never heard of one that doesn't. They all run their switchOS
But if you want to route traffic above 10ge I don't think pfsense can do that..
Pfsense doesn't scale above 10gig ish.. This is why they came out with their TNSR product that is designed for DCs and bigger companies that would need to route/firewall above 10gig.. Doesn't matter what hardware you put pfsense on, I don't think it can do it.. Even their beefiest box.. The 1541, which is a $3000 box only lists 18gbps total firewall, and it only has 10ge ports.. I don't think it could actually push 18gbps through a single 25ge interface..
So if that box can't do it, I highly doubt some old I3 could.. You're going to need a bigger box ;) @stephenw10 would be the guy I would go to ask such a hardware question.. Or you could contact the sales dept on netgate for what sort of box you would need to route/firewall 100g ;) It's not going to be some old I3 you had laying about that is for sure..
-
@johnpoz Oh, damn. Although, I did not expect the i3 to do that. Thank you for clarifying that my old Mikrotik will work. But still, what I'm not sure of is what kind of box would I need. As you mentioned, I'll wait on @stephenw10 assistance, before I plan to contact Netgate.
Thank you
-
@AmitS He doesn't always notice even pages, he is a busy guy.. But he does chime in on many a thread.. And is the resident hardware guru for sure.. If he notices it, sure he will chime in with some info.
-
@johnpoz Sounds good!
BTW, I wanted to confirm something.
Am I understanding this correct that if I have a 25GbE device which I want to secure, I need a firewall device which has 25G SFP28 port right? If yes, then how are the 100GbE networks being protected? Without a firewall? Or just the internet is just what needs to be routed and in that case firewall device with 1GbE ports are sufficient?
Also, what if I bridge the ISP box for using the pfSense and install pfSense on my Lenovo which has 4x1GbE port and that goes into few of my switches and devices. Will this be secure enough? Or is this a dummy firewall, with just internet packet filtering and no traffic routing? Here’s a quick summary, what I want to explain.
ISP Box (1GbE port, 400Mbs plan)>Lenovo (via onboard 1GbE port)>Output (4x1GbE ports via i350-T4):
- TP-Link Access Point
- Mikrotik 10GbE Switch>1GbE machines, 10GbE clients
- Mikrotik 25GbE/100GbE Switch>25GbE clients, 100GbE NAS
- CCTV
Am I missing something basic here?
-
@AmitS said in Switch and Firewall Recommendation:
If I have a 25GbE device which I want to secure, I need a firewall device which has 25G SFP28 port right?
Not necessarily. Pfsense is a router/firewall between networks... If you have some devices on a switch that are 1,2.5,5,10 or even 25 pfsense has nothing to do with those devices talking amongst themselves.. But if those devices want to talk to another network, be it just another vlan of yours or internet then pfsense can firewall that traffic if its actually routing it. If your switch is routing traffic between vlans on it - then pfsense would never see that traffic. This is where you need the interface on pfsense to be able to handle the traffic. If you want device on network A to talk to device on network B at 25ge then yes pfsense would need 25ge interface both on network A and B interfaces that connect pfsense to those network.
You might have 2 25ge devices on network A and they can talk to each other at 25ge.. And this switch only has 1ge uplink to pfsense, then when they talk to devices off their network and talk to some other device on a different network they would be limited to pfsense 1 gig connection.
Your pfsense device doesn't have to route even 10g if your internet is only say 1ge, and intervlan inter network traffic is fine with being say only 1ge..
Pfsense is a full feature firewall/router - yes it's secure enough.. But a router/firewall has nothing to do with devices on the same network talking to each other.. If you want to control what 2 devices on the same network can do between them.. That is done at the switch, or put them on 2 different networks/vlans so pfsense controls the traffic between them.
Most vlan capable switches can do basic ACLs where you could say hey IP A cant talk to IP B or A can not talk to B on port X.. Or your switch might support private vlans where none of the devices can talk to each other unless you allow it..
But pfsense is a firewall at the router, it only can firewall traffic it actually routes.. You could setup a bridge so there is the same network but flow over pfsense.. But that is not a good idea at all, and sure to not be able to do full wire speed at levels of 10ge or 25ge, etc. And is more complex and shouldn't be done unless you have no other choice, or you're doing it for like media conversion fiber to copper or wifi interface on the router to wired interface on the router.. And its almost always better to just make sure your switch has fiber if you want to connect fiber into your network.. Or use an AP to bridge wifi to your wired network.. And if wanting to segment your network I would get an AP that can actually do vlans..
-
I understand. I'm still new to it and learning as much as I can. Thank you for explaining a few basic things to me.
So, today, I have some other questions. The firewall device I plan to use has 4 ports and I plan to do the following layout
ISP box>pfSense box
Now, my main question is the pfSense box has 4 ports (1GbE) so, can I connect some switches, CCTV, and Access Point, or do I have to connect everything via a switch, meaning
pfSense>Main Switch
>CCTV
>Access point
>Another basic switch
or
pfSense>Main Switch:
>CCTV
>Access point
>Rest of the devices
Which layout is more practical and better in terms of security and reliability?
-
@AmitS what device are you running pfsense on, is it a netgate appliance that has switch ports or discrete interfaces? There are some models of pfsense that have switch ports.. The sg2100 is such a model, it has 4 switch ports and 1 wan port.. You can vlan the interfaces on the switch to be in different networks, or you can use 2 in 1 network, and the other 2 in 2 different networks, etc.
You can daisy chain switches if you want, depending on your flow patterns that might be fine. Or you might need to do that for location reasons.
I take it you want to segment your different networks?
I have my main core switch if you will in my computer room.. This has 28 ports, then off that switch there is a 10 port switch other side of the house that has 10 ports. Then off that 10 port switch I have a another 8 port switch that is behind my TV..
I have a couple of APs that connect to my core switch, and another one that is connected to my 10 port switch in the AV cabinet. The switch behind the TV has a nvidia shield, the TV connection and a raspberry pi, etc.
How you connect your switches is up to you and what your data flow patterns would be, etc.. Are these switches vlan capable? If they are then you can pretty much connect any device anywhere you want and put it on any network.. If they are just dumb switches then you could connect 4 different dumb switches to your 4 ports on pfsense and have 4 different networks this way.
Without understanding your flow of data and patterns, what switches you're going to use - are they all smart and vlan capable or also some dumb ones?
If you have multiple 25ge devices that you want to talk to each other - I would put them on the same 25ge capable switch, I sure wouldn't want that 25ge running over multiple uplinks to talk to some other switch on the other side of the building - because you now need at least 25 gig capable switches in the path.. And then your 2 25ge devices could suck up all the other bandwidth and leave nothing for all your other devices that just want to talk to another device on another switch or just get to the internet, etc.
In a setup for an enterprise - all switches would normally home run back to the core or distribution layer.
But in a home or smb that is sometimes not possible or cost prohibitive or skill prohibitive in running the wires, etc. So sometimes you just have to daisy chain everything, or maybe the amount of data that is going to flow over that part of the network doesn't make it important.. For example in my setup it was much easier to just run a cable from the av cab to behind the tv.. And put a little switch there, vs running 3 cables all the way back to my core or to the switch in the av cab. (which would have meant getting a bigger switch for there) etc.. And the tv and pi only have 100mbps connection and while the shield does have a gig interface, it never moves any serious amount of data.. So the shared 1 gig uplink from that switch is more than adequate for the amount of data flow over that connection.
You need to understand what is going to talk to what, and what sort of data rate, how often, etc. For example - just recently setup a NVR and video cameras - while their 4k video streams are not huge amounts of data, there are 3 of them.. constantly sending traffic to the NVR.. It would be stupid to run that data over network path that other data is going to flow over. The nvr has its own poe switch, this nvr connects to my switch in the av cab, and the cameras connect to the nvr on an isolated network behind the nvr.
More than happy to discuss this sort of thing.. If you put together a drawing of where devices are going to be, and what is going to talk at what speeds we can discuss how best to connect it all to optimize the available bandwidth to everything.
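Two points in johnpoz's replies above are easy to get wrong when planning a layout like the one in this thread: a router/firewall only sees (and can only filter) traffic it actually routes, so same-VLAN traffic on a switch, or inter-VLAN traffic an L3 switch routes itself, never reaches pfSense; and every flow that does reach pfSense is capped by the slowest link on its path, including the 1GbE pfSense interfaces and any daisy-chained uplinks. The Python model below is an added example written for this page, not code from the thread, from Netgate or from pfSense. The topology it builds is constructed to resemble the plan discussed here (a 4x1GbE pfSense box, a 10GbE Mikrotik switch, a 25/100GbE switch, a small daisy-chained switch, a 400 Mb/s internet plan); all names, VLAN numbers and speeds are assumptions. It also assumes each pfSense port is its own network with no bridging, which matches the advice above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIREWALL = "pfsense"


@dataclass
class Device:
    name: str
    switch: str        # switch the device plugs into
    vlan: int          # network (VLAN) the device lives on
    port_gbps: float   # speed of its own switch port


@dataclass
class Switch:
    name: str
    uplink: str               # parent switch, or FIREWALL if cabled to a pfSense port
    uplink_gbps: float        # speed of the link toward the parent
    l3_routing: bool = False  # True if the switch routes between its own VLANs


@dataclass
class Topology:
    switches: Dict[str, Switch]
    devices: Dict[str, Device]
    fw_if_gbps: Dict[str, float]  # pfSense interface speed, keyed by attached switch
    wan_gbps: float               # upstream (ISP) link speed

    def uplink_chain(self, switch: str) -> List[Tuple[str, float]]:
        """(switch, speed of its uplink) for each hop from `switch` up to the firewall."""
        chain, node = [], switch
        while node != FIREWALL:
            sw = self.switches[node]
            chain.append((node, sw.uplink_gbps))
            node = sw.uplink
        return chain

    def flow(self, src: str, dst: Optional[str] = None):
        """Classify one flow: returns (path, bottleneck_gbps, firewalled).

        dst=None means 'to the internet'. Model assumption: each pfSense port is
        its own network (no bridging), so any flow that reaches pfSense is routed
        and therefore subject to its firewall rules.
        """
        a = self.devices[src]
        up_a = self.uplink_chain(a.switch)
        edge_a = up_a[-1][0]  # switch cabled directly to a pfSense port
        if dst is None:
            speeds = [a.port_gbps] + [s for _, s in up_a] + [self.fw_if_gbps[edge_a], self.wan_gbps]
            return [src] + [n for n, _ in up_a] + [FIREWALL, "internet"], min(speeds), True
        b = self.devices[dst]
        up_b = self.uplink_chain(b.switch)
        edge_b = up_b[-1][0]
        names_a, names_b = [n for n, _ in up_a], [n for n, _ in up_b]
        common = next((n for n in names_a if n in names_b), None)
        if common is not None:
            # links actually crossed below the common switch on each side
            hops_a = up_a[: names_a.index(common)]
            hops_b = up_b[: names_b.index(common)]
            # switched locally (same VLAN) or routed by the switch itself: pfSense never sees it
            if a.vlan == b.vlan or self.switches[common].l3_routing:
                speeds = [a.port_gbps, b.port_gbps] + [s for _, s in hops_a + hops_b]
                path = ([src] + [n for n, _ in hops_a] + [common]
                        + [n for n, _ in reversed(hops_b)] + [dst])
                return path, min(speeds), False
        # otherwise the flow hairpins through pfSense and both of its interfaces
        speeds = ([a.port_gbps, b.port_gbps] + [s for _, s in up_a + up_b]
                  + [self.fw_if_gbps[edge_a], self.fw_if_gbps[edge_b]])
        return [src] + names_a + [FIREWALL] + list(reversed(names_b)) + [dst], min(speeds), True


def office_example() -> Topology:
    """Constructed topology resembling the thread's plan (all values assumed)."""
    switches = {
        "mt10":    Switch("mt10", FIREWALL, 1.0),     # old 10GbE switch, 1GbE cable to pfSense
        "mt100":   Switch("mt100", FIREWALL, 1.0),    # 25/100GbE switch, 1GbE cable to pfSense
        "tvsw":    Switch("tvsw", "mt10", 1.0),       # small switch daisy-chained off mt10
        "fwport3": Switch("fwport3", FIREWALL, 1.0),  # a device cabled straight into a pfSense port
    }
    devices = {
        "nas":    Device("nas", "mt100", 10, 100.0),
        "ws1":    Device("ws1", "mt100", 10, 25.0),
        "ws2":    Device("ws2", "mt100", 20, 25.0),   # same switch as ws1, different VLAN
        "client": Device("client", "mt10", 40, 10.0),
        "pi":     Device("pi", "tvsw", 40, 0.1),
        "cctv":   Device("cctv", "fwport3", 30, 1.0),
    }
    fw_ifs = {"mt10": 1.0, "mt100": 1.0, "fwport3": 1.0}
    return Topology(switches, devices, fw_ifs, wan_gbps=0.4)


if __name__ == "__main__":
    t = office_example()
    for src, dst in [("ws1", "nas"), ("ws1", "ws2"), ("client", "nas"), ("pi", "client"), ("cctv", None), ("ws1", None)]:
        path, gbps, fw = t.flow(src, dst)
        print(f"{' -> '.join(path):45s} {gbps:6.1f} Gbps  {'firewalled' if fw else 'not seen by pfSense'}")
```

Running it shows ws1 to the NAS at 25 Gbps without pfSense involved, ws1 to ws2 (different VLAN, same switch) dropping to 1 Gbps because it hairpins through a 1GbE pfSense interface, and the same pair going back to 25 Gbps but unfiltered if `l3_routing` is set on that switch. That is the trade-off behind "if your switch is routing traffic between vlans on it, then pfsense would never see that traffic": segmenting at pfSense buys filtering at the cost of the pfSense interface speed.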