I am planning to upgrade my home network in preparation for buying a NAS and some security cameras. I have tried to research my hardware options as much as possible but I am not sure I am going the right way, so I am asking for some feedback.
Sorry for the long post, lots of info to digest.
Layout:
Modem --> ISP Router(1,2) --> OPNsense Firewall --> L2 web managed switch --> WLAN router, NAS, PoE switch for cameras (1Gbps), Home Theater, 2 PCs.
(1): I plan to keep using my ISP-provided router between the modem and OPNsense. Mostly because I do not trust myself and I don't want to mistakenly allow unfiltered WAN traffic in.
(2): Currently my internet service is terrible. The maximum I can get is 30 down / 1 up.... (for the crazy price of 80 AUD per month). However, my ISP sold the network and the new owner is planning a network upgrade (Jan 2023 is a loooong wait) which should allow plans up to 1 Gbps down.
For an L2 web managed switch I am considering a QNAP QSW-M804-4C for a total of 8 10Gbps RJ45 ports (4 of which are SFP+ combo ports).
The current plan is to build an OPNsense firewall. The OPNsense build is based on a Ryzen 5000G CPU (cheapest available, but if possible a 5000GE 35 W TDP version) + B550 mobo + Intel X540-T2 NIC. I wanted to get the Ryzen 5000 in order to get PCIe 4.0. I know this is overkill, but I did want 10Gbps ports and a decent chance of routing that between VLANs. I think it should be able to handle the 1Gbps out to the WAN + some minor routing between VLANs (perhaps traffic from the security camera VM to the NAS) + maybe a VPN connection into a VLAN if I want to access some things remotely.
Not sure if there is any benefit to going for an Intel X710-4T NIC? The X540 already offers 2 10Gbps ports: 1 for WAN, 1 for LAN, and I can always buy a second NIC later. Would it be safer to have the WAN and LAN on separate NICs? I didn't think that would make much difference.
I did investigate an L3 switch/router. However, I can build my own firewall + buy an L2 switch for the same price as getting something like a Ubiquiti EdgeRouter ER-8-XG, while not being beholden to any company trying to change their licensing arrangement to a subscription in the future. And the custom build likely has more "toy" power than the L3 switch.
I was planning on building 1 OPNsense firewall server + 1 NAS server which will also host some VMs (including the security camera VM). The rationale was twofold: I could build a simpler, lower-TDP OPNsense firewall, and I was under the impression it would be more secure. The security issue might not be true? Either way, the NAS server would run a ZFS filesystem and run some other VMs, including maybe a virtualized desktop for light loads, a media server and a security camera server. Not sure I want all that on the same machine that will have the WAN port, and there may not be enough PCIe lanes (x16 for GPU, x8 for HBA, x8 for NIC) on X570, which only has 20 lanes connected to the CPU and 4 to the chipset.
I want to get a WLAN router capable of multiple SSIDs for VLAN separation of my WiFi. I want to wait for a WiFi 6E capable WLAN router, but if I were to get it now I would get a QNAP QHora-301W. Trusted devices on VLAN A, guests on VLAN B, work laptops on VLAN C, wireless controller for A/C on VLAN D (it runs Android 4 and no updates are available; all I want is to let it access NTP servers so the clock resets properly after a network outage).