Hi folks
I am planning to revamp my network completely, rebuilding from scratch, but I have some very basic questions on networking, especially on VLANs and firewall traffic flow, so I need your advice on the same.
The network that I plan to implement is as follows:
VLAN 100 - Management VLAN
- Cannot be accessed from Internet
- Can only access the management pages/sites of the different networking devices and the NAS (I am not sure if this is possible; if not possible, merge this VLAN with VLAN 200)
VLAN 200 - Core LAN
- Cannot be accessed from Internet
- Cannot access the management portals of the different networking devices and the NAS (I am not sure if this is possible; if not possible, merge this VLAN with VLAN 100)
- Can access everything else
VLAN 300 - IoT devices
- Cannot be accessed from Internet
- Can access the internet
- Selective read-only access (NFS) to the media library on the NAS (residing in VLAN 200)
- Allow access from VLAN 200 and VLAN 400 to control/use the IoT devices
- Block all other access to LAN
VLAN 400 - Guest Family
- Cannot be accessed from Internet
- Can access the internet; download/upload bandwidth to be restricted
- Selective read-only access (NFS) to the media library on the NAS (residing in VLAN 200)
- Allow access to VLAN 300 to control/use the IoT devices
- Block all other access to LAN
VLAN 500 - Guest
- Cannot be accessed from Internet
- Can access the internet; download/upload bandwidth to be restricted
- Block all other access to LAN
The physical elements of the network will be:
- 1 Firewall (UDM Pro/pfsense/opnsense)
- 1 x Unifi 24-port switch with PoE
- 1 x Unifi Flex 5-port switch for the media centre
- 3 x Unifi AC-Pro access points
My internet bandwidth, as provided by my ISP, is 500 Mbps.
My proposed NAS has four 1 Gig ports, which I will be aggregating on the 24-port switch to attain higher transfer speeds.
Now my questions:
- So let's say a PC in VLAN 300 is trying to connect to the NAS in VLAN 200. Both devices are physically on the same switch but in different VLANs, and I am assuming that there will be some communication with the firewall to check its rules for traffic to be allowed between these two VLANs. Assuming traffic is to be allowed, does all traffic now flow through the firewall, or will it just be contained in the switch between the two devices? What if the two devices are in the same VLAN; will the traffic still flow through the firewall?
- Given my use case, which firewall/router should I go for (UDM Pro/pfsense/opnsense)? The UDM Pro I like and had almost finalized it, but given the pain that I have seen the users on this forum go through on account of that device, I am not confident to go with this. For me stability is the most important feature; I cannot have the firewall/router misbehaving randomly. At the same time I find pfsense and opnsense very daunting, with so many options and configurations to set and learn about. Set something the wrong way and I will make my network more insecure than using a basic TP-Link router.
- IDS/IPS, I assume, will work only on incoming internet traffic, or does it act on internal LAN traffic also?
- In the Unifi architecture, can the Unifi controller access and configure Unifi devices sitting behind a non-Unifi switch? For e.g.: UDM Pro --> non-Unifi switch --> Unifi switch --> end points
Thanks a lot for your time and patience folks…
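The inter-VLAN question and the policy list above, modelled as an added example (not code from the post or from any of the products it names): a default-deny inter-VLAN ruleset that decides each flow, with a same-VLAN check first because a layer-2 switch forwards same-VLAN traffic itself and the firewall only ever sees what has to be routed. That check also exposes the one restriction the firewall cannot enforce as planned: a VLAN 200 client reaching the NAS web UI inside its own VLAN never crosses the firewall. The subnet plan, the NAS address and the management host addresses are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

INTERNET = "internet"
ANY = None
# Constructed subnet plan: the post names VLAN ids only, not addressing.
SUBNETS = {100: ip_network("10.0.10.0/24"), 200: ip_network("10.0.20.0/24"),
           300: ip_network("10.0.30.0/24"), 400: ip_network("10.0.40.0/24"),
           500: ip_network("10.0.50.0/24")}
NAS = "10.0.20.10"                            # constructed: the NAS lives in VLAN 200
MGMT_HOSTS = {"10.0.10.1", "10.0.10.2", NAS}  # constructed: firewall, switch and NAS UIs
MGMT_PORTS = {22, 443}
NFS_PORT = 2049                               # NFSv4 over TCP assumed; v3 also needs 111/mountd

# The post's inter-VLAN policy as an ordered ruleset: first match wins, default deny.
# Each rule: (src_vlan, dst_vlan, dst_hosts, dst_ports, action); ANY matches anything.
RULES = [
    (100, ANY, MGMT_HOSTS, MGMT_PORTS, "allow"),  # mgmt VLAN reaches device UIs, nothing else
    (200, ANY, MGMT_HOSTS, MGMT_PORTS, "deny"),   # core LAN blocked from UIs, before its allow-all
    (200, ANY, ANY, ANY, "allow"),                # core LAN reaches everything else, incl. VLAN 300
    (300, INTERNET, ANY, ANY, "allow"),
    (300, 200, {NAS}, {NFS_PORT}, "allow"),       # read-only is enforced by the NFS export, not here
    (400, INTERNET, ANY, ANY, "allow"),           # bandwidth caps are a shaper, not a filter rule
    (400, 200, {NAS}, {NFS_PORT}, "allow"),
    (400, 300, ANY, ANY, "allow"),                # family guests may control the IoT devices
    (500, INTERNET, ANY, ANY, "allow"),
]

def vlan_of(ip):
    """VLAN id of an address, or INTERNET if it is outside every local subnet."""
    addr = ip_address(ip)
    return next((v for v, net in SUBNETS.items() if addr in net), INTERNET)

def classify(src_ip, dst_ip, dport):
    """Return 'switched' when the flow never reaches the firewall, else its verdict."""
    src_vlan, dst_vlan = vlan_of(src_ip), vlan_of(dst_ip)
    if src_vlan == dst_vlan:
        return "switched"      # same VLAN: forwarded at layer 2, the firewall never sees it
    for src, dst, hosts, ports, action in RULES:
        if src == src_vlan and dst in (ANY, dst_vlan) \
                and (hosts is ANY or dst_ip in hosts) and (ports is ANY or dport in ports):
            return action
    return "deny"              # default deny also covers anything arriving from the internet

if __name__ == "__main__":
    for flow in [("10.0.30.5", NAS, 2049), ("10.0.50.5", NAS, 2049), ("10.0.20.50", NAS, 443)]:
        print(flow, "->", classify(*flow))
```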