Thank you for your recommendations.

Unfortunately, I don’t know anything about pfSense or OPNSense. How much effort does it take to become familiar with it and what costs do you have to expect for the basic hardware?

I would like to design the structure independently of the provider. In the meantime, I saw that firewalls with 10Gbit/s connections are rarely offered or are very expensive.

As a start, I imagine using a Layer 2+ switch in order to at least be able to separate the different networks, and because this switch supports the mentioned IGMP snooping and multicast. This switch can also be used for 2.5Gbit/s or 10Gbit/s in the future. Specifically, I looked at the following switch “Netgear MS510TXM”: [https://www.downloads.netgear.com/files/GDC/MS510TXUP/MS510TXUP_MS510TXM_DS.pdf](https://www.downloads.netgear.com/files/GDC/MS510TXUP/MS510TXUP_MS510TXM_DS.pdf)

Is this a correct approach or am I completely wrong here, apart from the solution with pfSense/OPNSense?


@rbisig I use this switch/router (CRS326-24S+2Q+) from Mikrotik.

The box has plenty of steam!!!

This device leaves nothing to be desired, but it is not intended for run-of-the-mill users who don’t know anything about networks, but everything can be learned.

With the SFP you are very flexible. Either you use fiber or copper as a connection medium between the individual network devices.


@user109

To be fair, it should also be said that the box not only has a lot of steam, but also requires a lot of steam (i.e. energy) and makes a lot of noise with the three fans. In addition, when fully expanded, depending on the SFP used, the price is well over CHF 1000.


@hed wrote:

@user109

To be fair, it should also be said that the box not only has a lot of steam, but also requires a lot of steam (i.e. energy) and makes a lot of noise with the three fans. In addition, when fully expanded, depending on the SFP used, the price is well over CHF 1000.


@hed I think you’re completely wrong about your assumptions and you don’t always have to talk badly about everything.

I use fiber SFPs as much as possible; they don’t need as much energy as the copper SFPs.

I can set the fans to a minimum and you can no longer hear them. (At most when restarting as is usual with all servers).

A switch/router like this doesn’t belong in the living room, but rather in a technical room with a 19″ server rack or 19″ patch distributor. The thing can roar as loudly as it wants, the Synology RS1619xs+ is even louder, but who cares?

Max 69 W isn’t much in my opinion, just take a look at Cisco switches in the same category with and without POE, they draw a lot more (100-600W) and cost 5 times as much.

The OP asked everyone what they could use for 10Gbit/s (including their requirements)…

It should be clear to even the last backwoodsman that something like this isn’t available at ridiculous prices.

The latest technology has its price, but whether you really need it is another matter.


Thank you for your discussions.

Based on your posts, I notice that, for cost reasons, a firewall with a port-to-port throughput of approximately 1Gbit/s should currently be sufficient. Ultimately, a switch should be connected to this firewall so that the different networks can be divided into VLANs and services such as IGMP snooping can also work via multicast. The cabling is almost exclusively done with Cat 7 network cables.

Can you recommend a firewall (new device or used)?


If you want to tackle it with pfSense, Netgate SG-4100 or the even more powerful SG-6100 would be fanless (i.e. quiet) and good quality devices with pfSense already preinstalled:

https://www.erdineering.ch/pi/Shop/Firewalls/netgate-sg-4100.html

Since they are Intel processors, they have significantly more performance than the ARM processors commonly used in consumer routers and the RAM, at 4 or 8 GB, is of course significantly larger than the usual 0.5 to 1 GB in provider routers.

There are also test reports and videos on the Internet, plus various other documentation.

For a serious evaluation, you would have to do a little additional research.

If I were already retired, I would probably start with an SG-4100 base model, because with the “upper middle class” model you already get all services including VPN server >= 1 Gbit/sec up to 2.5 Gbit/sec.


Hobby nerd with no economic dependence on Swisscom


@rbisig wrote:

Thank you for your discussions.

The cabling is almost exclusively done with Cat 7 network cables.


@rbisig

In this context, it is important that the cable remains 8-wire throughout. Unfortunately, there are still so-called split installations today, where the 8-wires are split into two junction boxes.


@Werner wrote:

If you want to tackle it with pfSense, Netgate SG-4100 or the even more powerful SG-6100 would be fanless (i.e. quiet) and good quality devices with pfSense already preinstalled:

[https://www.erdineering.ch/pi/Shop/Firewalls/netgate-sg-4100.html](https://www.erdineering.ch/pi/Shop/Firewalls/netgate-sg-4100.html)

Since they are Intel processors, they have significantly more performance than the ARM processors commonly used in consumer routers, and the RAM of 4 or 8 GB is of course also significantly larger than the usual 0.5 to 1 GB in provider routers.

There are also test reports and videos on the Internet, plus various other documentation.

For a serious evaluation, you would have to do a little additional research.

If I were already retired myself, I would probably start with an SG-4100 base model, because with the “upper middle class” model you already get all services including VPN server >= 1 Gbit/sec up to 2.5 Gbit/sec.


I have been using a Netgate 6100 for about 2 years and am extremely satisfied with it. pfSense or OPNsense are probably the best open source NGFWs without expensive maintenance and license costs for private households and many companies. Of course, there are no Layer 5-7 filters or SD-WAN functions as convenient as those of a FortiGate, but the range of functions is completely sufficient in most cases. Particularly noteworthy are the good documentation and the excellent (commercial) support from Netgate for pfSense. OPNsense can be expanded to include various NGFW functions using excellent plugins such as zenarmor (https://www.sunnyvalley.io/).


I have been using OPNsense-based routers for years (opnsense.org). OPNsense can be installed on your own hardware or ordered pre-installed as an appliance (https://shop.opnsense.com/). The newer generation of OPNsense appliances uses AMD Epyc instead of Intel Xeon and is significantly more energy efficient.


Hello @rbisig, unfortunately I haven’t read anywhere whether you have, for example, a NAS in your network that also supports virtualization; otherwise my suggestion would be to use a virtual pfSense. Some of the previous posters have already discussed the ecological/energy factor.

I also use a setup like this myself:

Segmentation with VLANs,

Multiple WANs,

And routing/NAT options on pf.

This also allows for the possibility of building fallbacks/redundancies, in the sense that you still want to be online if the excavator tears the fiber, or if the mobile path has no reception at the same time…

So it’s relatively easy to configure access ports and pass them on as a trunk to the virtual pfSense, because it does the “magic” and sends the traffic back to the switch in the trunk in another VLAN…

Power consumption is manageable, and performance with today’s hardware is no longer a problem in my opinion.

Greeting

Chris


Swisscom Network Engineer IP+ AS3303,
ASN3303
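Added example, not from any post in this thread: a small Python model of the access-port / trunk / virtual-firewall path Chris describes (router-on-a-stick). The port PVIDs, the VLANs on the trunk and the single inter-VLAN firewall rule are constructed assumptions, and the L3 MAC rewriting a real firewall does is left out so the 802.1Q handling stays visible.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q Tag Protocol Identifier
ETH_IPV4 = 0x0800
# Constructed topology (assumptions): access-port PVIDs, VLANs carried on the trunk,
# and the inter-VLAN directions the virtual firewall permits
ACCESS_PVID = {"port1": 10, "port2": 20}
TRUNK_VLANS = {10, 20}
FW_ALLOW = {(10, 20)}

def build_frame(dst, src, ethertype, payload, vid=None):
    """Ethernet II frame; an 802.1Q tag (PCP/DEI = 0) is inserted when vid is given."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]

def access_ingress(port, frame):
    """Switch: an untagged frame on an access port gets the port's PVID and goes up the trunk."""
    dst, src, vid, etype, payload = parse_frame(frame)
    if vid is not None:
        return None  # tagged frames arriving on an access port are dropped (no VLAN hopping)
    return build_frame(dst, src, etype, payload, vid=ACCESS_PVID[port])

def firewall_route(frame, dst_vid):
    """Virtual pfSense on the trunk: apply the inter-VLAN rule, then re-tag for the target VLAN."""
    dst, src, vid, etype, payload = parse_frame(frame)
    if vid not in TRUNK_VLANS or (vid, dst_vid) not in FW_ALLOW:
        return None  # not carried on the trunk, or blocked by policy
    return build_frame(dst, src, etype, payload, vid=dst_vid)

def access_egress(port, frame):
    """Switch: only frames in the port's own VLAN leave an access port, with the tag removed."""
    dst, src, vid, etype, payload = parse_frame(frame)
    if vid != ACCESS_PVID[port]:
        return None
    return build_frame(dst, src, etype, payload)

def deliver(src_port, dst_port, frame):
    """End-to-end: access port -> trunk -> firewall -> trunk -> access port."""
    tagged = access_ingress(src_port, frame)
    routed = firewall_route(tagged, ACCESS_PVID[dst_port]) if tagged else None
    return access_egress(dst_port, routed) if routed else None
```

Traffic from VLAN 10 to VLAN 20 reaches port2 untagged again; the reverse direction is dropped at the firewall because no rule permits it, and a pre-tagged frame on an access port never enters the trunk.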