Is this method ok? Or do I need a better firewall?


First I have to apologise. English isn't my mother language, so sorry for some mistakes.

I am starting to plan a new network. Now I am running into a little problem.
For a better understanding of the structure, please see the picture.

If I understand it right, does the Netgear firewall do the routing for the whole structure?
Or does the switch take most of the job?

If a PC needs data from the server, which way does the routing go?
a) PC → Switch → Server and back, or
b) PC → Switch → Firewall → Switch → Server and back.

So is it better to use all ports of the firewall and connect most of the hardware directly (for more bandwidth), or is the example in the picture better (in terms of speed)?
Do I need a firewall with 10G for my case?

By the way: which switch fits the case (there are 3 I have mentioned)?

I hope you understand me.

With greetings


For what it is worth, I would connect all the ports from the firewall to the 1st switch in a LAGG; in the unlikely event a cable fails you won't lose connection.

I assume you are looking at Netgear switches; you need to double check they have LACP, as not all models have it. Then use that to link your various switches. Netgear do have some VLAN defaults for phones, so you might also want to take a look at that. I don't use it myself, just noticed it.

Your setup looks fine, though have a look on Netgate's site; they have performance data for their routers.

First, thank you for the diagram, it’s very helpful.

Just correcting your typo, you wrote Netgear, but I’m assuming you meant Netgate SG3100. The SG3100 only supports 1Gbps interfaces, though it looks like you can combine 4 of the switch-ports into a 2.5Gbps link (that’s assuming the connected switch supports the same).

I have a question about connectivity to the NAS, which appears to be on a unique network. It appears that network is sitting behind a server that is dual homed. Will any of your clients need to connect to that NAS?

Based on your VLAN assignment, I'm going to assume that your pfSense config knows about each of the VLANs, and in that case the SG3100 is performing all the routing between network segments and is responsible for any of the firewall rules between those segments. I couldn't find the actual performance of the SG3100 on Netgate's website. It's possible you could start bottlenecking if you saturate those links (might be an edge use case).

If a PC needs data from the server, which way does the routing go?
a) PC → Switch → Server and back, or
b) PC → Switch → Firewall → Switch → Server and back.

If you need data from the server that is hosted on the NAS, it really depends on where the data is being hosted. What I mean is: are clients pulling data directly from the NAS, or is there some application layer hosting data on the server?

If you're looking to support 10Gbit links between those switches, then you'd need to go with the XS512EM switches, as the others don't support enough 10Gbit interfaces to chain between.

IMO, I'd probably put the NAS on a dedicated 10Gbit port on the switch and (this would require testing) set up VLANs and some routing (specific to the NAS) on the switch itself. That would keep the traffic out of the SG3100. Check out this article: Netgear VLAN Routing

I'd keep the SG3100 routing your public-facing network traffic and any true zone-to-zone traffic. But for NAS traffic, it's easy enough to let the switches route that traffic on their own (if it's not a security concern). Remember, while the switch will let you route the traffic, it won't perform any filtering (firewall) for that traffic. You would need to rely on the security of the NAS.

From your picture it looks like your PCs and your server are on the same subnet and VLAN; this means that data from the server to a PC will not go to the router:
PC06 -> Switch3 -> Switch2 -> Switch1 -> Server

To get from the FreePBX to the server (on different subnets and VLANs) you would go:
freePBX -> Switch2 -> Switch1 -> router -> Switch1 -> server

I assume that the NAS is just providing storage to the server.

So, the traffic going through the router should only be small; if your internet connection is bigger than 1Gb then you may have a problem.

As @neogrid and @baldpope said, you could use more than one cable from Switch1 to the router and use LACP to provide redundancy and additional inter-VLAN routing capacity.

If you can get a switch with 4x 10Gig ports then you could do as @baldpope suggested and connect the NAS directly to the switch; this may not be useful though.

I would try and link Switch3 straight to Switch1 if that is possible, as it will provide more bandwidth, but if you have 10Gb you may not need it.
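The two paths listed in this post, and the same-VLAN / different-VLAN rule explained later in the thread, can be checked mechanically. The following is an added example, not code from the thread or from Netgate or Netgear: it models the topology using only the links the two quoted paths imply (PC06-Switch3, Switch3-Switch2, Switch2-Switch1, Switch1-Server, Switch1-Router, freePBX-Switch2; the full diagram is not in the text), assigns constructed VLAN IDs (10 for PCs and server, 20 for the PBX), and reports for each flow whether it stays at layer 2 or has to pass through the router, which is where pfSense rules and the router's throughput apply.

```python
from collections import deque

# Constructed topology: only the links implied by the two paths quoted in the thread.
LINKS = [
    ("PC06", "Switch3"), ("Switch3", "Switch2"), ("Switch2", "Switch1"),
    ("Switch1", "Server"), ("Switch1", "Router"), ("freePBX", "Switch2"),
]
# Constructed VLAN IDs (assumption): PCs and server share a VLAN, the PBX is on another.
VLAN_OF = {"PC06": 10, "Server": 10, "freePBX": 20}
ROUTER = "Router"


def build_graph(links):
    """Undirected adjacency map from the link list."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def shortest_path(graph, src, dst):
    """Breadth-first search; returns the hop list src..dst or None if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nb in graph[node]:
            if nb not in prev:
                prev[nb] = node
                queue.append(nb)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def traffic_path(src, dst, links=LINKS, vlan_of=VLAN_OF, router=ROUTER):
    """Resolve the hop path for a flow.

    Same VLAN: switched end to end, the router never sees the packets, so no
    firewall rule on the router can filter them.
    Different VLANs: the frames must reach the router, be routed (and filtered
    by its rules), and come back down through the switches.
    """
    graph = build_graph(links)
    if vlan_of[src] == vlan_of[dst]:
        return {"routed": False, "path": shortest_path(graph, src, dst)}
    to_router = shortest_path(graph, src, router)
    from_router = shortest_path(graph, router, dst)
    return {"routed": True, "path": to_router + from_router[1:]}


def flows_via_router(pairs, **kw):
    """Return the subset of (src, dst) flows that load the router and are subject
    to its firewall rules; the rest are switch-local."""
    return [p for p in pairs if traffic_path(*p, **kw)["routed"]]


if __name__ == "__main__":
    for src, dst in [("PC06", "Server"), ("freePBX", "Server")]:
        r = traffic_path(src, dst)
        print(f"{src} -> {dst}: {' -> '.join(r['path'])}  "
              f"({'routed, firewall rules apply' if r['routed'] else 'switched only'})")
```

Running it reproduces the two paths from this post: PC06 to Server stays on the switches, freePBX to Server goes up to the router and back through Switch1. The practical consequence for the later question in the thread is visible in `flows_via_router`: per-PC rules on the SG3100 only ever apply to flows in that list, so any two hosts placed in the same VLAN cannot be filtered from each other by the router.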

Thank you all for the answers. I'll try to answer as soon as possible. Unfortunately, I can't do that until the weekend.
Again, thanks.

Netgate SG3100 not Netgear :wink:
Netgear Switch not Netgate :wink:

@neogrid @garethw
Connecting the firewall via LACP is a nice feature. Thanks for the advice. Really good idea.

Now the (long) answer.
The data from the server are located on mapped drives (Windows Server 2012 R2 and Windows 10 clients, therefore it must be SMB 3.01). If I am right, this is technically a pull and there is no application layer on the server?
The data are on SSDs in the server, not on the NAS.
The NAS is only for backup (of the server).

I have now read the technical papers and I understand that your choice (Netgear XS512EM) is the right one. Thanks.

Two of the switches must be installed under the desks of employees.
Is the switch too loud? Netgear says NO (in the commercials), but some tests on the internet say YES. Do you have any experience?
If you know a different switch that fits better, why not? Maybe the Zyxel XS1930-10?

What I need is:
Switch ONE (in the server room)
Installation rack or desktop, doesn't matter.
Loudness no problem.
2 ports 10 Gbit (copper)
8 ports 2.5 / 5 / 10 Gbit (multi-gigabit)

Switch TWO and THREE:
Installation wall-mounted or directly under a desk. (Is it a problem to rotate the mounting brackets 90 degrees and screw it directly under the table? Sorry if this is a stupid question.)
Loudness IS a big problem.
Ports: see Switch ONE.

And now the routing problem:
If I understand it correctly, everything will run through the Netgate SG3100 router when I declare the VLANs there.
When I create the VLANs at the switch level, does it all run through the switch and no longer through the Netgate? Is this right?
But then I cannot set rules for individual PCs in the VLAN, only for the switch. Is this right?

Unfortunately, this is not possible, because I must create rules for individual PCs (e.g. server, WSUS etc.).

So again, the question of performance: is the router a bottleneck? Traffic and bandwidth from the internet are very low.

You can normally rotate the mounting brackets on switches and mount them to a desk / wall. I would not say always, but I don't think I have seen one that you can't (not a normal 1U switch at least).

I can't really comment about the specific versions of switches, as I've no experience with 10G, but to make things quiet you would normally look for a switch which does not need cooling fans. You may struggle to find one without fans that has the other features you need though.

I think you might be trying to use VLANs to do something that they are not designed for and might be misunderstanding how they work.
If you have three VLANs (Computers, Phones, NAS) you must configure VLANs on the switches, or the switch will only be "on" one VLAN.
If two devices are in the same VLAN then they will be able to talk to each other directly without going through the router.
If two devices are on different VLANs then they must go through the router.

Some switches will allow you to do access control lists (rules) but I don’t think that is normally required.

The only way your router is likely to become a bottleneck is if you put lots of traffic across different VLANs. If you put your PCs in one VLAN and your server in another then it MIGHT be a problem, but it also might be fine.

Up to now, nothing found so far. Obviously I have to live with the fans of the switch.

It seems so. But now I think I have understood.
Now I'll try the config for real.


With Netgear, they state the noise levels either on their site or in their manuals. It will give you an idea of how loud they are, but I think it's too loud for a small office.
I will say I have a Netgear GS116; it is passive, does not have LACP (only LAG) and is small.

Good luck, hope it works out as you want it to.