Help on Networking basics and build from scratch (UDMP/pfsense/opnsense)

Hi folks,
I am planning to revamp my network completely, rebuilding from scratch, but I have some very basic questions on networking, especially on VLANs and firewall traffic flow. So I need your advice on the same.

The network that i plan to implement is as follows:

VLAN 100 - Management VLAN

  • Cannot be accessed from Internet
  • Can only access management pages/sites of different networking devices, NAS (I am not sure if this is possible, if not possible merge this VLAN with VLAN 200)

VLAN 200 - Core LAN

  • Cannot be accessed from Internet
  • Cannot access management portals of different networking devices, NAS (I am not sure if this is possible, if not possible merge this VLAN with VLAN 100)
  • Can access everything else

VLAN 300 - IoT devices

  • Cannot be accessed from Internet
  • Can access the internet
  • Selective Read only access (NFS) to media library on NAS (residing in VLAN 200)
  • Allow access from VLAN 200 and VLAN 400 to control/use the IoT devices
  • Block all other access to LAN

VLAN 400 - Guest Family

  • Cannot be accessed from Internet
  • Can access the internet - Download/upload bandwidth to be restricted
  • Selective Read only access (NFS) to media library on NAS (residing in VLAN 200)
  • Allow access to VLAN 300 to control/use the IoT devices
  • Block all other access to LAN

VLAN 500 - Guest

  • Cannot be accessed from Internet
  • Can access the internet - Download/upload bandwidth to be restricted
  • Block all other access to LAN

The physical elements of the network will be

  • 1 Firewall (UDM Pro/pfsense/opnsense)
  • 1 x UniFi 24 port switch with PoE
  • 1 x Unifi Flex 5 port switch for the media centre
  • 3 x Unifi AC-Pro access point

My internet bandwidth as provided by the ISP is 500Mbps.
My proposed NAS has four 1 Gig ports which I will be aggregating on the 24 port switch to attain higher transfer speeds.

Now my questions

  1. So let's say a PC in VLAN 300 is trying to connect to the NAS in VLAN 200. Both devices are physically on the same switch, but in different VLANs, and I am assuming that there will be some communication with the firewall to check its rules for traffic to be allowed between these 2 VLANs. Assuming traffic is to be allowed, does all traffic now flow through the firewall, or will it just be contained in the switch between the 2 devices? What if the 2 devices are in the same VLAN, will the traffic still flow through the firewall?

  2. Given my use case, which firewall/router should I go for (UDM Pro/pfsense/opnsense)? I like the UDM Pro and had almost finalized it, but given the pain that I have seen the users on this forum go through on account of that device, I am not confident going with it. For me stability is the most important feature; I cannot have the firewall/router misbehaving randomly. At the same time I find pfsense and opnsense very daunting, with so many options and configurations to set and learn about. Set something the wrong way and I will make my network more insecure than using a basic TP-Link router.

  3. IDS/IPS, I assume, will work only on incoming Internet traffic, or does it act on internal LAN traffic also?

  4. In the UniFi architecture, can the UniFi controller access and configure UniFi devices sitting behind a non-UniFi switch? For example: UDM Pro --> Non-UniFi switch --> UniFi switch --> end points

Thanks a lot for your time and patience folks…

While I do not have any UniFi kit, I do have pfsense running several VLANs with NAS, IP cameras, VPNs etc.

Having not used pfsense it took me about 3 months to get it configured so that it would be my main router, then a further 6 months of tweaking with odds and sods until it’s basically no longer touched.

So you’re right it’s an effort to work out what is going on if you are starting from scratch but it’s possible.

I’d say most routers are stable, so pick any, it depends on what you want it to do, if you know your requirements then pick what fits. However, I’d say you will know what you want when you see it.

You can easily setup pfsense and connect it to a switch and decide if you want to invest the time or not. For sure it will be easier to get going with Unifi but I don’t think it’s as or more feature rich than pfsense. Pays your money takes your pick.

To answer the questions:

  1. It will all route back through the firewall unless you have switches that support inter-VLAN routing. I have a video discussing that here: https://youtu.be/WqAqeS4tDL8
  2. You have a lot of work to do setting up all the rules for the separate networks; I would go with pfsense.
  3. IDS/IPS can be applied to internal and/or external traffic.
  4. As long as the UniFi switches and APs can reach the controller they don’t care what switches they traverse in between. On the topic of mixing switches, VLANs work on switches that are designed to handle them; unmanaged switches may drop the traffic, and some brands of managed switches require the VLANs to be defined in order to allow them to pass.

Thanks Tom, Neogrid.

So pfsense it is; I can run UniFi in Docker on the NAS.

But one question: if all the traffic is going to be routed through the firewall, is a gigabit connection sufficient, as I feel the traffic to and from the NAS and internet combined could choke it? Can I boost the firewall ports using link aggregation, or will I have to put a 10G card in it? … or am I overthinking the whole thing?

Another question: is it possible to set rules in pfsense to allow the management related sites of network devices, controllers and NAS in one LAN and disallow them in all other LANs? I am assuming this should be possible by writing very custom port level rules in pfsense?

Simple rule: don’t route storage. Routing NFS, SMB or iSCSI traffic is not a great idea and can cause issues. Many NAS devices come with multiple network interfaces, and it would be best practice to have one interface in each subnet that would otherwise require routing.

I think you are overthinking it at this stage.
Link aggregation doesn’t increase speed; it gives you more bandwidth, which is helpful with many users.

If your NAS has four ports, you can stick them on 3 VLANs with one in LACP, say; this will give you options.

If you can reduce your internet latency your browsing experience becomes noticeably “faster”.

I’d suggest constructing your VLANs around your needs, and applying rules to those VLANs as required. Otherwise you end up with too many rules, which makes troubleshooting almost impossible. Personally I use aliases to group ports and subnets, then apply rules to the alias. There are only a few exceptions, so my rules are easy to troubleshoot.

Good luck
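As an added illustration (not code from the thread, pfSense, or UniFi), this Python model puts Tom's answer to question 1 and Neogrid's alias advice together: hosts in one VLAN are switched without the firewall seeing them (assuming the switch does no inter-VLAN routing), and routed traffic is decided by a first-match, default-deny rule table written against aliases for the poster's five VLANs. The subnets, the NAS address and the management/NFS port sets are assumptions chosen for the example.

```python
from ipaddress import ip_address, ip_network
# Constructed addressing for the five VLANs the poster named (IDs are from the thread;
# subnets, the NAS address and the port sets are assumptions for illustration).
VLANS = {100: "10.100.0.0/24", 200: "10.200.0.0/24", 300: "10.30.0.0/24",
         400: "10.40.0.0/24", 500: "10.50.0.0/24"}
NAS = "10.200.0.10"  # assumed NAS address, living in VLAN 200 as the poster intends
# Aliases in the style Neogrid describes: define a group once, write rules on the name.
NET_ALIASES = {
    "MGMT": [VLANS[100]], "CORE": [VLANS[200]], "IOT": [VLANS[300]],
    "FAMILY": [VLANS[400]], "GUEST": [VLANS[500]], "NAS": [NAS + "/32"],
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # "the LAN"
    "ANY": ["0.0.0.0/0"],
}
PORT_ALIASES = {"MGMT_PORTS": {22, 443, 8443}, "NFS": {111, 2049}, "ANY": None}
# First-match rule table, read top to bottom; anything unmatched hits the implicit block.
RULES = [  # (action, source alias, destination alias, destination-port alias)
    ("pass",  "MGMT",   "RFC1918", "MGMT_PORTS"),  # VLAN 100 reaches admin pages
    ("block", "ANY",    "RFC1918", "MGMT_PORTS"),  # nobody else does, VLAN 200 included
    ("pass",  "CORE",   "ANY",     "ANY"),         # VLAN 200 gets everything else
    ("pass",  "FAMILY", "IOT",     "ANY"),         # VLAN 400 may control IoT devices
    ("pass",  "IOT",    "NAS",     "NFS"),         # media share; read-only is the NFS export's job
    ("pass",  "FAMILY", "NAS",     "NFS"),
    ("block", "IOT",    "RFC1918", "ANY"),         # no other access to the LAN ...
    ("block", "FAMILY", "RFC1918", "ANY"),
    ("block", "GUEST",  "RFC1918", "ANY"),
    ("pass",  "IOT",    "ANY",     "ANY"),         # ... but the internet is allowed
    ("pass",  "FAMILY", "ANY",     "ANY"),
    ("pass",  "GUEST",  "ANY",     "ANY"),
]

def vlan_of(ip):
    """VLAN id whose subnet contains ip, or None for anything off the LAN."""
    a = ip_address(ip)
    return next((v for v, net in VLANS.items() if a in ip_network(net)), None)

def in_alias(ip, alias):
    return any(ip_address(ip) in ip_network(net) for net in NET_ALIASES[alias])

def evaluate(src_ip, dst_ip, dst_port):
    """Hosts in one VLAN talk through the switch alone ('switched'); the firewall
    only sees routed traffic, where the first matching rule wins ('pass'/'block')."""
    if vlan_of(src_ip) is not None and vlan_of(src_ip) == vlan_of(dst_ip):
        return "switched"
    for action, src, dst, ports in RULES:
        allowed_ports = PORT_ALIASES[ports]
        if in_alias(src_ip, src) and in_alias(dst_ip, dst) and (
                allowed_ports is None or dst_port in allowed_ports):
            return action
    return "block"
```

The "switched" branch is the catch behind the poster's management question: a VLAN 200 host opening the admin page of a switch whose management IP also sits in VLAN 200 never reaches the firewall, which is why every management interface needs to live in VLAN 100 for the rules to apply.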

Thanks a lot guys. Routing individual ports from the NAS to different VLANs is a brilliant suggestion.