Enterprise Network at Home

Hello All,

I have been lurking here and watching Tom’s videos for quite a while now. Thanks, Tom, for the inspiration.
There are many examples of UniFi and pfSense networks with separate VLANs. I have a Juniper SRX Gateway and an HP Enterprise switch that I’m trying to set up with VLANs to segregate my network.
Should I have all of the VLAN networks running from the gateway or the HP switch? To be honest I have had one heck of a time configuring the SRX320 gateway. Making the gateway “flat” would be easier. The switch can be divided for each VLAN so I can add DHCP servers for each. I’m not sure where I’d place the Access Points (x2 Linksys AC5400), I thought they would be attached to the Management VLAN but…

Your advice is greatly appreciated.
-Chaz

*Currently the network is flat on the same subnet. My ISP provides me with a fiber to RJ45 converter and a static IP address (104.134.x.x). I have been using an old DSL modem for DHCP (192.168.x.x). Needless to say, it’s not the best way to network.

The following is what I was originally thinking.

Which device on your network controls routing? VLANs usually need a router for inter-VLAN communication unless you have a Level3 switch. I thought DHCP service was exclusive to routers, but what do I know.

In general terms of segmenting your network – you’re going to have to evaluate “why” your particular network needs this. Flat networks are very easy to manage. VLANs aren’t really that difficult either, although initially they usually put a strain on the budget, since some additional hardware needs to be purchased, and an initial strain on time.

@kevdog So the HP Aruba switch will do switching and routing along with VLANs and DHCP services for VLANs. The SRX320 Gateway Appliance (Firewall/Router/VPN, etc.) will do it.

The real problem is that I’m still very much a NOOB with both devices but the SRX has been kicking my butt. The Juniper learning curve is steep and my time has been limited. Not that I can’t learn it, it just takes time.

The reason to segment is easy: security. I have a network of cameras, IoT devices, hosted services for time, ad-blocking, NAS, TVs, Plex, etc. I want to keep my private LAN devices as separate and secure as possible.

I may just be overthinking this thing.

No, I think your intentions are good and goals achievable, but unfortunately I don’t know anything about the hardware you are working with. Sorry.

@chaz, I would route all your traffic through the Juniper since most switches don’t offer stateful firewall services. It’s much easier to manage, IMO. Also, I would probably upgrade to something newer than an SRX. Those things are probably as old as the PIX. Everything else looks good.
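To make the "route everything through the Juniper so the stateful firewall sits between VLANs" suggestion concrete, here is an added example of a minimal Junos `set`-style configuration for an SRX320 that trunks two VLANs down to the switch, terminates them on the SRX as routed `irb` interfaces, serves DHCP for the IoT segment from the SRX, and uses security zones so the private LAN can reach IoT devices while IoT devices cannot initiate connections back. This is not configuration from the original post or from Juniper; the interface name (`ge-0/0/1`), VLAN IDs (10 and 20), zone names and the 192.168.10.0/24 and 192.168.20.0/24 ranges are constructed placeholders to be replaced with your own values.

```junos
## Constructed example, not from the original thread. Interface names,
## VLAN IDs, zone names and addresses are placeholders.

## VLANs, each with a routed IRB interface on the SRX (inter-VLAN routing
## happens here, so the firewall sees every cross-VLAN flow)
set vlans lan vlan-id 10 l3-interface irb.10
set vlans iot vlan-id 20 l3-interface irb.20
set interfaces irb unit 10 family inet address 192.168.10.1/24
set interfaces irb unit 20 family inet address 192.168.20.1/24

## Trunk port towards the HP/Aruba switch carrying both VLANs
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [ lan iot ]

## DHCP for the IoT VLAN served by the SRX (placeholder pool range)
set access address-assignment pool iot-pool family inet network 192.168.20.0/24
set access address-assignment pool iot-pool family inet range r1 low 192.168.20.100
set access address-assignment pool iot-pool family inet range r1 high 192.168.20.200
set access address-assignment pool iot-pool family inet dhcp-attributes router 192.168.20.1
set system services dhcp-local-server group iot interface irb.20

## Security zones: one per VLAN. Only the services each segment needs are
## allowed to reach the SRX itself (DHCP and ping on IoT, management on LAN).
set security zones security-zone lan interfaces irb.10 host-inbound-traffic system-services all
set security zones security-zone iot interfaces irb.20 host-inbound-traffic system-services dhcp
set security zones security-zone iot interfaces irb.20 host-inbound-traffic system-services ping

## Policy: private LAN may initiate sessions to IoT (e.g. viewing cameras);
## replies are allowed by the stateful session table, not by a reverse rule.
set security policies from-zone lan to-zone iot policy lan-to-iot match source-address any
set security policies from-zone lan to-zone iot policy lan-to-iot match destination-address any
set security policies from-zone lan to-zone iot policy lan-to-iot match application any
set security policies from-zone lan to-zone iot policy lan-to-iot then permit

## Policy: IoT may not initiate anything towards the LAN. Junos denies
## inter-zone traffic with no matching policy anyway; an explicit deny with
## logging gives you a record of devices that try.
set security policies from-zone iot to-zone lan policy iot-to-lan-deny match source-address any
set security policies from-zone iot to-zone lan policy iot-to-lan-deny match destination-address any
set security policies from-zone iot to-zone lan policy iot-to-lan-deny match application any
set security policies from-zone iot to-zone lan policy iot-to-lan-deny then deny
set security policies from-zone iot to-zone lan policy iot-to-lan-deny then log session-init
```

The design point is that the switch only carries the VLAN tags; every packet that crosses from one VLAN to another has to pass through the SRX, where zone policies decide and the session table tracks state. Repeat the zone-and-policy pattern for each additional segment (cameras, guest, management), and check `show security flow session` and the policy logs after cutting over to confirm that IoT-initiated connections to the LAN are being dropped rather than silently passing through a flat path on the switch.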

@FredFerrell Thanks, good point on upgrading the SRX but it has gigabit ports… sure wish it was capable of PFsense. :wink:

I’ll keep plugging away at learning Junos and the SRX320. We have a bunch of Fortigate FWs at work and they have an easier learning curve.

@chaz, I agree that Fortinets are much easier! So why spend time learning something that is irrelevant? I would recommend investing time in a technology that will benefit you financially in the future. Fortigates are pretty cheap anyway, so why not spend $100-$200 for your own learning? Maybe even buy something that is different than what you use at work, but is in use today. pfSense is also a good free option similar to Fortinet.