Network Setup Questions

First, thank you so much for the videos on youtube. They’ve been so helpful as I’ve headed down the rabbit hole of network admin.

TLDR: networking novice working in remote East Central Africa needs advice before buying lots of equipment.

A bit of background: I’m a surgeon working for a non-profit at a hospital in rural Burundi (East Central Africa). I’d consider myself a tech enthusiast and a quick study, but I have no formal training in networking. Due to limitations in staffing, I’m the de facto IT guy for the team right now. For context, I set up a Linux VM on my computer to host Ubiquiti’s UNMS for our airMAX equipment and Jitsi Meet to allow us to have locally hosted video conferencing during the early days of COVID because of our limited internet connection.

We have two (currently separate) networks, one up at the hospital and one on the housing side, each with its own separate internet connection. Though at an eye-popping price, we are fortunate enough to have a fiber optic connection (Hospital 5 MBps symmetric, Housing 20 MBps symmetric).

For the hospital network we are currently using Synology equipment, but have been having lots of issues with our guest network. For now it’s only used for internet for staff and guests (about 50 active devices at any time); none of our health records etc. are digital. In the next few years we plan to start that transition. In anticipation of adding tons of computers and at least a couple of servers to host our medical records, billing, digital X-ray etc., I’m hoping to build out our network to meet our future needs.

My plan is to buy into the Ubiquiti ecosystem (UDM Pro, 24-port PoE switch, RPS, UniFi Protect NVR, lots of UAP-Pros, a few Mesh APs for gap coverage, and some Flex switches for distribution at key points). The backbone will for the most part be hardwired. I plan to separate our network into three VLANs:
VLAN 1 - work computers + servers
VLAN 2 - guest network
VLAN 3 - medical devices
I need to be able to control bandwidth allocation and block certain sites. From your videos I understand the Ubiquiti gear isn’t great for that, so I was planning to also get a Netgate 2100 firewall to take care of the content and bandwidth control.

For the housing side I’m planning a similar setup, with the added factor that we’re already using airMAX equipment for wirelessly distributing our network to the various homes and duplexes. I was thinking Netgate for content/bandwidth control, UDM Pro, UAP-Pros, a few Mesh APs for gap coverage, and some Flex switches for distribution at key points.

So my questions are these:

  1. Does it seem like I’m on the right track for this setup?
  2. Can the Netgate running pfSense provide content filtering (using something like pfBlocker)?
  3. Can the Netgate or UDM Pro limit bandwidth to a VLAN segment?
  4. Once the network is well configured, have these devices proved stable?

My considerations are these:

  1. I need reliable equipment, replacements are really hard to get.
  2. I need something relatively easy to use on a surface level, but that also allows someone with the right knowledge to dig in and have solid control over network traffic.
  3. Secure remote access to troubleshoot the network is a must. I’m probably the most tech-literate person on our team, but when I’m not around I need a way for me or someone else to remotely log in and troubleshoot connection issues.
  4. Low maintenance. I have plenty of other jobs from doing surgery to maintaining our surgical equipment and teaching medical students, so I’d rather not have the network consuming all my time.

I can go into more detail of the planned setup if it’s helpful, but my post is already pretty long. Thank you all so much for your input.
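One way to write down the segmentation and bandwidth policy described in the post above, as an added illustration that is not from the thread and not Netgate's or pfSense's own configuration: pf.conf is the FreeBSD packet-filter syntax that pfSense generates behind its GUI, so firewall rules, outbound NAT, an address-list table of the kind pfBlocker maintains, and an ALTQ shaper all end up in this form. Interface names, subnets, server addresses, ports, the blocked-list file path and the 5 Mbit/s link figure are assumptions.

```pf
# Added illustration, not from the thread or from Netgate: the three-VLAN
# policy from the post, written as pf.conf (the syntax pfSense generates).
# Interface names, addresses, ports and the 5 Mbit/s figure are assumptions.

wan   = "igb0"
work  = "igb1.10"     # VLAN 10: staff computers + servers
guest = "igb1.20"     # VLAN 20: guest Wi-Fi
med   = "igb1.30"     # VLAN 30: medical devices

work_net  = "10.10.0.0/24"
guest_net = "10.20.0.0/24"
med_net   = "10.30.0.0/24"
servers   = "{ 10.10.0.10, 10.10.0.11 }"   # record/imaging hosts (assumed)

# Address list maintained outside pf (a pfBlocker-style feed); path assumed.
table <blocked_sites> persist file "/var/db/pf/blocked_sites.txt"

set skip on lo0
set block-policy drop

# Upload shaping on the hospital link: guests get a fixed, non-borrowing
# share; clinical queues keep a guaranteed share and may borrow idle capacity.
altq on $wan cbq bandwidth 5Mb queue { q_med, q_work, q_guest, q_dflt }
queue q_med   bandwidth 30% priority 6 cbq(borrow)
queue q_work  bandwidth 40% priority 5 cbq(borrow)
queue q_guest bandwidth 20% priority 1 cbq
queue q_dflt  bandwidth 10% cbq(default)

# Outbound NAT only for the two VLANs that are allowed to reach the internet.
nat on $wan from { $work_net, $guest_net } to any -> ($wan)

# Default deny, logged, so every permitted flow below is deliberate.
block log all
antispoof quick for { $work $guest $med }

# Blocked-site list applies to staff and guests alike. It is address-based,
# so it does not identify protocols that hop addresses, such as BitTorrent.
block return in quick on { $work $guest } from any to <blocked_sites>

# Guest VLAN: internet only, never into the staff or device networks.
block return in quick on $guest from $guest_net to { $work_net, $med_net }
pass in on $guest from $guest_net to any queue q_guest

# Staff VLAN: internet, the servers, and the device VLAN for support work.
pass in on $work from $work_net to any queue q_work

# Medical devices: only the record/imaging servers on known ports, no internet.
pass in on $med inet proto tcp from $med_net to $servers port { 443, 11112 } queue q_med

# Established flows leave via the WAN (pf states are floating by default).
pass out on $wan keep state
```

The ALTQ block on $wan only shapes what leaves toward the internet; to cap guest download as well, the same pattern goes on the guest VLAN interface, or pfSense's Limiters (dummynet) are used instead. The defensive shape is the default deny plus the quick block that keeps guests out of the staff and device VLANs, and the medical VLAN having no path to the internet at all, so a compromised device cannot call out.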

The UniFi routing equipment does not work very well and I would recommend not using the UDM Pro or any of their USG line. Netgate/pfSense can handle all the other requests, except they do not have very robust filtering outside of what pfBlocker offers.

Tom, is this a typo?? Your reviews always speak highly of UniFi switches…

Yes, I corrected it to say routing equipment.

Thanks for your reply! I’m not looking to create impenetrable web filtering, just something to keep our limited bandwidth from being overloaded with BitTorrent and YouTube while it’s supposed to be used for educational and clinical purposes.

pfSense does not do a great job at filtering out protocols such as torrent traffic.