Firewall for Small Office?

Context: I’m a Software Engineer and I have very limited IT / Networking experience.

My company is moving into an office (used to be remote until now) and I’m trying to figure out what the best setup for our network / firewall is.

Our building has a 1Gbps link but no VLAN setup for each individual tenant. We have the following hardware ready / planned:

We will also have a NAS server in the coming months and we’d like to set up a private WiFi access point as well. We might be adding another server to the mix in the next couple of months as well (depending on Cloud GPU availability and testing requirements).

We use Tailscale for our VPN (this is installed on each machine or instance so there’s no network-level VPN to worry about).

Originally our plan was to pick up a Ubiquiti Dream Machine Pro but it literally went out of stock right before we could make a purchase, and it looks like there won’t be more availability until October.

I’d like to isolate our network and was looking at other vendors.

(sorry, can’t include more than two links)

Netgate 3100 looks like a good purchase, and so does Untangle’s Z4W (the subscription is unsavory, but not a deal breaker).

Questions:

  • If I add a Firewall / Router I assume I’ll have a “Double NAT” problem, is this actually a problem in office environments?
  • If I add a Firewall / Router would intra-office traffic go through the router, or will I just be limited by the Firewall / Router for external traffic? I assume this might be a configurable behavior.

Network Topology would be the Firewall at the top. AP plugged into the Firewall (it’s 1Gbps anyway so saves on SFP RJ45 module cost). 10GbE switch plugged into the Firewall. All laptops plugged into 10GbE switch.

No “untrusted” devices on the network, but I assume I can spin off an AP w/ VLAN for any IoT devices we may eventually want to invest in.


Double NAT is not really a big issue, just more work if you have a port forward or VPN configuration; it’s best to put the ISP-provided device in bridge mode to avoid that. Each subnet created on the network will route through the firewall, which limits the speed between subnets to what the firewall can route at, unless you get a switch that can handle layer 3 routing, in which case you will be limited to what that switch can route at. And just because a switch has 10G ports and can do layer 3 routing does NOT mean it can route at that speed. Unless you need the filtering features of Untangle, you can go with a Netgate appliance.

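Added example (not from the thread, and not any vendor's tooling): a quick check for the double NAT discussed above, using only Python's standard library. It parses traceroute output (both samples below are constructed, not captured from a real network) and counts how many private (RFC 1918) or shared CGNAT (RFC 6598) hops sit in front of the first public address. Two or more leading private hops is the signature you get when a new firewall is placed behind the building's router without bridge mode; one is what you expect after the upstream device is bridged.

```python
import ipaddress
import re

# Address space that only appears *inside* a NAT boundary: RFC 1918 private
# ranges plus the RFC 6598 shared range (100.64.0.0/10) used by carrier-grade NAT.
NAT_SIDE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]

# Constructed sample (not a real capture): a laptop behind a new office firewall
# (192.168.50.1) whose WAN port sits behind the building's router (10.0.0.1).
# Two private hops answer before the first public address -> double NAT.
SAMPLE_DOUBLE_NAT = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.50.1 (192.168.50.1)  0.412 ms  0.380 ms  0.361 ms
 2  10.0.0.1 (10.0.0.1)  1.212 ms  1.180 ms  1.151 ms
 3  * * *
 4  203.0.113.1 (203.0.113.1)  8.210 ms  8.150 ms  8.090 ms
"""

# Constructed sample after the upstream device is put in bridge mode: the
# firewall is the only private hop and the next answering hop is public.
SAMPLE_SINGLE_NAT = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.50.1 (192.168.50.1)  0.402 ms  0.377 ms  0.355 ms
 2  203.0.113.1 (203.0.113.1)  7.910 ms  7.880 ms  7.840 ms
"""

_HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")
_PAREN_IP_RE = re.compile(r"\(([\d.]+)\)")


def parse_traceroute(output: str) -> list:
    """Return the first responding address of each hop, or '*' for a silent hop."""
    hops = []
    for line in output.splitlines():
        m = _HOP_RE.match(line)
        if not m:
            continue  # header line, not a hop
        if m.group(2) == "*":
            hops.append("*")
            continue
        # Linux traceroute prints "name (ip)"; prefer the address in parentheses.
        paren = _PAREN_IP_RE.search(line)
        hops.append(paren.group(1) if paren else m.group(2))
    return hops


def is_nat_side(addr: str) -> bool:
    """True if the address can only exist behind a NAT (private or CGNAT space)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NAT_SIDE_NETWORKS)


def count_nat_layers(hops: list) -> int:
    """Count the leading run of private/shared-address hops.

    Each router answering from private space is on the inside of some NAT
    boundary, so two in a row before the first public hop is the double-NAT
    signature. Silent hops ('*') are skipped rather than ending the run.
    Heuristic only: an internal layer 3 switch behind a single NAT also adds a
    private hop, so confirm by checking the upstream device's WAN address.
    """
    layers = 0
    for hop in hops:
        if hop == "*":
            continue
        if is_nat_side(hop):
            layers += 1
        else:
            break
    return layers


def describe(output: str) -> str:
    """Summarise a traceroute as no NAT, single NAT, or double NAT."""
    n = count_nat_layers(parse_traceroute(output))
    if n == 0:
        return "no NAT in path"
    if n == 1:
        return "single NAT"
    return f"double NAT ({n} private hops before the first public address)"


if __name__ == "__main__":
    print(describe(SAMPLE_DOUBLE_NAT))
    print(describe(SAMPLE_SINGLE_NAT))
```

Run it against your own `traceroute 1.1.1.1` (or `tracert` on Windows after adjusting the regex for its column layout); if the count drops from 2 to 1 after the building's device is bridged, the double NAT is gone and port forwards and inbound VPN endpoints only need to be configured on the firewall.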

I have set up 4 small offices with Untangle for their return-to-office days and scheduled office time. I went with Protectli hardware since their internet bandwidth is less than 1 Gigabit. Went with the 12 licenses per site and a 3-year term for just under 3k. Total cost of the project was about 5k for the networking, and I would say that is a good deal. The bonus is that each location is VPN’d together, has intrusion detection and a solid firewall.

What gets me is that the cost they are paying for sub-gigabit speed of about 600 Mbps from Comcast Business is where the real expenses come from. And Comcast was pressuring them to get phones at $50 a month per station.


pfSense hardware would have been less expensive? Now, if the filtering was required, I can see the justification for the 5K. Curious as to your choice.


$300 per appliance with 4 GB RAM and 32 GB of storage. Add the Untangle licenses and you get a single dashboard for all 4 devices, and it includes Threat Protection and WireGuard VPN. Very simple solution to manage, even with minimal technical skills.

A Netgate 3100 would have been about $440 and the support is “Lite” support.


Ok I do wish Netgate would add a SPG dash for management.


Ooh, thanks for all the answers, a few clarifying things:

  • No ISP directly, the building has internet come in and they provide a few Ethernet jacks in our office.
  • Only one office (we’re 99% certain at this point we won’t need site-to-site VPN setups)

By filtering do you mean Web Filtering? Does something like that significantly improve security?

I’m okay with paying a premium for better “out of the box” security.


Web Filtering is to restrict categories of sites that wouldn’t be appropriate to say the business location. Adult Content, Anonymizers, and many others. Here are the ones I use by default:


e2guardian on pfSense will do filtering, but with HTTPS and secure DNS you are going to need to trick the computers into using the pfSense certificate and play man-in-the-middle.

Forget the 3100; too many problems. 5100 minimum.


Well, we all have to remember we don’t even know if pfSense will continue to be free… It looks like, with them moving to the pfSense Plus stuff, who knows if a community edition will still be around.

Some questions to consider:
-Do you have your own public IP, or is it shared with other offices? If it is shared, then you will have limitations in the ports that you can use.
-Do you have a guaranteed internet speed?