:: Re: [DNG] networking thinking
Author: Rod Rodolico
Date:  
To: dng
Subject: Re: [DNG] networking thinking
We use OPNSense for almost everything that does not require untrained
users to manage things. For the latter, we use IPFire.

OPNSense works for small offices that just want VPN, up to our NOC where
we have two routers (active/failover), DMZ and multiple backend LANs.
But, it does require some networking knowledge (though not as much as
"roll your own"). Don't know what part of the world you're in, but we
use Protectli (https://protectli.com/) hardware from the US. Pricey, but
I've not had a hardware failure in the 5+ years I've been using their
stuff. They have an option for Coreboot, a video port and a serial port,
so I feel I'm covered.

OPNSense also sells hardware specific to the appliance.

We also purchase used enterprise grade network switches (mainly HP) and
have had good results with them since we can monitor and configure at
will. The smaller clients are running little 16 port, 15 year old
switches, and at the NOC we're using two 96 port switches in an HA
configuration. As mentioned, the webUI on the switches doesn't work most
of the time, but I'm mainly a CLI type of tech anyway, so it doesn't
bother me.

Reply to questions:

1. Less hardware is better from a maintenance point of view. OPNSense
has an excellent firewall, so I do not have a separate firewall device.
My reason is pure laziness; I go to one interface I'm comfortable with
and configure there. Most of my firewalling is just allowing traffic
from one VLAN to another anyway, which is more of a routing thing.

2. No good training on networking that I know of except going back to
school.

If you decide to go with OPNSense, they have some decent documentation,
and the pfSense site has more. Feel free to visit my notes site at
http://kb.unixservertech.com for some recipes on OPNSense, but be warned
these are my personal notes and I'm not a good writer. I mainly stick
things out there so I don't have to remember them next time, but
occasionally, the OPNSense people will do an upgrade that negates all or
part of my notes.

Rod

On 11/29/21 3:38 PM, Adrian Zaugg wrote:
> Hi TIA
>
> In the message of Sunday, 28 November 2021 14:20:14 CET it says:
>
>> 1. is my splitting the network system into the three parts a good idea or
>> should I truncate parts 1 and 2 into the router? If you would please give
>> reasons - - - please?
> Fewer devices, less to set up and maintain and less to break: I would go with 1
> Firewall and 1 Switch.
>
> Get a box with an SFP Port for your firewall and install OPNSense on it. Stick
> your fiber directly in your firewall, if your provider lets you choose and does
> not insist on some plastic box. If he does, then try to use it in bridge mode.
> Upon request, the providers over here tell what one has to do, when using a
> media converter (e.g. VLAN tag or PPPoE).
>
> OPNSense and pfSense are excellent firewall distributions and IPv6 is well
> integrated with both of them. They are almost identical, coming the same way.
> OPNSense is more community oriented whereas pfSense drifted away to be more
> commercial now, but documentation is better.
>
> PCEngines is stable, bullet-proof hardware; it's industrial grade, lasts
> forever and has a coreboot BIOS. There soon will be a version with an SFP port
> available. You won't get Gigabit-Speed through an APU with OPNSense (around
> 800Mbit/s), get something with a CPU on par with an Intel N4100, if you want to
> be ready for gigabit speed.
>
> There are many nice boxes around without SFP ports (like the ones from AsRock
> industrial e.g.) but don't use Zotac nano ci329 with pfSense, it doesn't run
> stable (Linux, by contrast, runs like a charm on these).
>
> Zyxel Switches are basically OK, but you don't get security updates after some
> years, the interface doesn't work on all browsers and they have weird bugs
> (e.g. prios in RSTP together with LAGGs). You're better off with a MikroTik
> using SwOS. The MikroTiks boot amazingly fast, SwOS is easy to configure and
> they are rather cheap. You get a Desktop Switch with 2x 10GbE and 8x 1 GbE for
> <$100. If you want to play around with your Zyxel to install whatever on it,
> that's fine, but I wouldn't invest my time on that; better get your lab
> running.
>
> Opinions on the topic will differ, you'll get tons of advice in any
> direction. To a certain extent it's about your personal liking. Mine you
> probably just read above...
>
> Regards, Adrian.
>
>
>
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>


--
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465 US
https://dailydata.net
214.827.2170 ext 100