Beginners Questing coming from Mikrotik
I just bough my first PFsense Netgate XG7100-1U - after using Mikrotik for several years.
Now I'm in my planning on how I want to setup a new network from scratch with several thoughts:
- I want a administration Interface for all Special devices (Switchs,AP, Servers IPMI - not That many :-) )
- I want seperate zones = LAN / ADMIN / DMZ
- I want to have several VPN users having acces to only specific parts of the network. - But thats is based on groups i guess
LAN - 172.16.250.1/24 - Normal Users (port1-24)
ADMIN - 172.16.10.1/24 - Switch, IPMI Interface, AP and other Units (port25-36)
DMZ - 172.16.20.1/24 - ServerDMZ - Mailservers, Webserver, SpamGW etc. (port37-48)
Then I have som questions regarding this.
Since I have SPF+ Interfaces on both Netgate and HPE V1910-48G - I'll properly try using those - if there's any point of using these. But is it possible to use both SPF+ ports to 2 SPF+ ports on the V1910-48G - as a uplink and gain some speed of it ? SInce Then I can avoid 2 switches and created it all in the V1910-48G.
or if I can send all traffic through the SPF interface instead of - several physical cables between router and switch.
Since the difference between a superMicro and the Netgate is the builtin switch in Netgate. So i Properly have to use VLAN instead of specific Interfaces as on our development Router (Work=Supermicro). But that depends on the above question.
Since I have a /29 public Network - I want to use it all - but I want to base the different DMZ on different hosts instead of sourcenat a whole /24 network - But then I should just set it /32 - Correct?
Finally I love the setup we have created ( My Boss and I ) on work using PFsense ( he build it - after discussing the usecase etc with me) and well am pretty impressed over how efficient the firewall we ended up with, is in realtime.
You can lagg the two SFP ports and connect them to your switch. That will hive you some redundancy but won't improve the speed since they are each 10Gb anyway.
Using the SFP ports connected to an external switch does make it easier if you want to bring in a number of VLANs for example. You would have to tag those through the internal switch otherwise.
You can use outbound NAT rules and port forwards for individual IPs in the DMZ if you wish. Or 1:1 NAT rules to achieve the same.
If the /29 is routed to you via another IP you could just use it on the DMZ interface directly. You do lose an IP as the interface address though if you do that.