Looking for someone to review my thought on this. The client has new building with 100/100 internet connection with a /29 subnet. They want to split this traffic to 50% for the main office and then 25% for Office B and 25% for Office C, each office would have its own public IP. None of the offices need to interact with each others network, they are only sharing the internet connection. Each office also needs AP’s.
My question is about the hardware necessary to accomplish this…
My thought is a security gateway for the /29, 24port POE unifi switch with Office A, B, C VLAN’s, AP’s setup on the same office A, B, C VLAN. Then setup traffic shaping on the VLAN’s for bandwidth control.
UniFi firewalls can’t do multiple WAN IP addresses, use pfsenese as the firewall instead.
ok so a firewall to handle the multiple WAN, what about the switch and AP’s with VLAN and traffic shaping within Uniti? Is that a suggested approach?
I suggest handling that at the firewall level.
Hi,
I agree with tom and would like to privde some details.
The QOS / traffic shaping should be done on the firewall. You can get a system with pfsense or you should be able to do it with and edgerouter. USG would not work.
I would suggest some more stuff here:
- make a management VLAN. In this vlan you put the pfSense GUI, the nativ interface of all accesspoints and the switch. Also the unifi controller.
- you can think about getting a little pc or intel nuc and place pfsense and the unifi controller als vm on it. (base could be proxmox).
- each office should have a vlan id for there wired network a = 10, b=20, c=30
- each wlan for company a b c should have it’s own vlan wlana=11, wlanb=21, wlanc=31, wlanguest=66
whis this setup the wireless devices do not have straight access to the network. You can control and monitor the access from wlan to ethernet. I suggest hier setting up 3 openvpn for each client and let them have internet via wlan and if they would access devices in the lan the open the vpn connection via the wlan to pfsense.
With this setup you overcome the problems with wpa2 not been secure any more.
Another bonus is that every tennant a b c can connect to which accesspoint they want and have ther network. You need lees accesspoint to cover the area and also less accesspoint give you more airtime and less makes the channel design easier.