We will also have a NAS server in the coming months and we’d like to set up a private WiFi access point as well. We might be adding another server to the mix in the next couple of months as well (depending on Cloud GPU availability and testing requirements).
We use Tailscale for our VPN (this is installed on each machine or instance so there’s no network-level VPN to worry about).
Originally our plan was to pick up a Ubiquiti Dream Machine Pro but it literally went out of stock right before we could make a purchase, and it looks like there won’t be more availability until October.
I’d like to isolate our network and was looking at other vendors.
(sorry, can’t include more than two links)
Netgate 3100 looks like a good purchase, and so does Untangle’s Z4W (the subscription is unsavory, but not a deal breaker).
Questions:
If I add a Firewall / Router, I assume I’ll have a “Double NAT” problem. Is this actually a problem in office environments?
If I add a Firewall / Router, would intra-office traffic go through the router, or will I just be limited by the Firewall / Router for external traffic? I assume this might be a configurable behavior.
Network Topology would be the Firewall at the top. AP plugged into the Firewall (it’s 1Gbps anyway so saves on SFP RJ45 module cost). 10GbE switch plugged into the Firewall. All laptops plugged into 10GbE switch.
No “untrusted” devices on the network, but I assume I can spin off an AP w/ VLAN for any IoT devices we may eventually want to invest in.
Double NAT is not really a big issue, just more work if you have a port forward or VPN configuration; it’s best to put the ISP-provided device in bridge mode to avoid that. Each subnet created on the network will route through the firewall, which will limit the speed between subnets to what the firewall can route at, unless you get a switch that can handle layer three routing, at which point you will be limited to what that switch can route at. And just because a switch has 10G ports and can do layer three routing does NOT mean it can route at that speed. Unless you need the filtering features of Untangle, you can go with a Netgate Appliance.
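A quick way to confirm whether the ISP device is still NATing in front of the new firewall is to look at the first hops of a traceroute: two or more non-public hops before the first public address means a double NAT. The checker below is an added example, not code from the thread or from any vendor mentioned; the traceroute outputs are constructed samples, and the 100.64.0.0/10 range is counted as non-public because ISPs use it for carrier-grade NAT (Tailscale uses it too, so run the trace from a host with Tailscale down).

```python
import ipaddress
import re

# RFC 1918 private ranges plus the RFC 6598 shared address space (CGNAT).
NON_PUBLIC_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]

# Hop number at line start, then the first dotted-quad on the line.
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_non_public(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_PUBLIC_NETS)


def parse_hops(traceroute_output):
    """Hop IPs in order; unanswered hops ('* * *') are skipped."""
    return [m.group(2) for line in traceroute_output.splitlines()
            if (m := HOP_RE.match(line))]


def nat_layers(traceroute_output):
    """Count leading non-public hops before the first public-address hop."""
    count = 0
    for ip in parse_hops(traceroute_output):
        if not is_non_public(ip):
            break
        count += 1
    return count


def double_nat(traceroute_output):
    # Heuristic: a layer three switch hop in front of the firewall also counts,
    # so check which device owns each private hop before acting on the result.
    return nat_layers(traceroute_output) >= 2


# Constructed sample: own firewall (192.168.10.1) behind an ISP gateway still
# in router mode (192.168.1.1), then the ISP's first public router.
SAMPLE_DOUBLE_NAT = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.10.1)  0.412 ms  0.398 ms  0.371 ms
 2  192.168.1.1 (192.168.1.1)  1.102 ms  1.080 ms  1.061 ms
 3  203.0.113.1 (203.0.113.1)  8.901 ms  8.845 ms  8.812 ms
 4  * * *
 5  1.1.1.1 (1.1.1.1)  9.713 ms  9.650 ms  9.601 ms
"""

# Constructed sample after putting the ISP device in bridge mode.
SAMPLE_BRIDGED = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.10.1)  0.412 ms  0.398 ms  0.371 ms
 2  203.0.113.1 (203.0.113.1)  8.901 ms  8.845 ms  8.812 ms
 3  1.1.1.1 (1.1.1.1)  9.713 ms  9.650 ms  9.601 ms
"""

if __name__ == "__main__":
    for name, out in (("double NAT", SAMPLE_DOUBLE_NAT), ("bridged", SAMPLE_BRIDGED)):
        print(f"{name}: {nat_layers(out)} non-public hop(s), double NAT = {double_nat(out)}")
```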
I have set up 4 small offices with Untangle for their return to office days and scheduled office time. I went with Protectli hardware since their internet bandwidth is less than 1 Gigabit. Went with the 12 licenses per site and a 3-year term for just under 3k. Total cost of the project was about 5k for the networking and I would say that is a good deal. The bonus is that each location is VPN’d together, has intrusion detection and a solid firewall.
What gets me is that the cost they are paying for sub-gigabit speed of about 600 Mbps from Comcast Business is where the real expenses come from. And Comcast was pressuring them to get phones at $50 a month per station.
$300 per appliance with 4 Gig RAM and 32 Gig of Storage. Add the Untangle licenses and you get a single dashboard for all 4 devices, and it includes Threat Protection and WireGuard VPN. Very simple solution to manage even with minimum technical skills.
A Netgate 3100 would have been about $440 and the support is “Lite” support.
Web Filtering is to restrict categories of sites that wouldn’t be appropriate to, say, the business location. Adult Content, Anonymizers, and many others. Here are the ones I use by default:
e2guardian on pfSense will do filtering, but with HTTPS and secure DNS you are going to need to trick the computers into using the pfSense certificate and play man in the middle.
Well, we all have to remember we don’t even know if pfSense will continue to be free… It looks like, with them moving to the pfSense Plus stuff, who knows if a community edition will still be around.
Some questions to consider:
- Do you have your own public IP or one shared among other offices? If it is shared, then you will have limitations on the ports that you can use.
- Do you have guaranteed internet speed?