Sanity Check of New Network Layout

[rolfi]

Hey there!

I am currently restructuring my network (see attached layout) and would greatly appreciate your thoughts
A few explanations to the network diagram before I ask all of my questions:
The ISP will replace the 1G fiber with 10G this year, so I marked it both. Then, the traffic goes into the firewall which does IDS/IPS (suricata, snort, etc) and acts as a Wireguard VPN gateway. The signal then goes through a managed switch for VLAN tagging, like, wifi clients into a VLAN, IoT devices into a VLAN, etc. So far, all of this is in the basement. Then, in the ground the floor, there is the ASUS router to which the wifi clients connect to (the BE98 does VLAN per SSID), in floor 1 and floor 2 an ASUS XT-8 repeater/AP for the same purposes.

Now my questions:

1) Does this layout make sense from a security and logical view?
2) When connecting to the guest ssid on the BE98 and, for example, VLAN tag 10 is added to it and AP isolation for the guest network is enabled, is the switch overwriting the isolation if I want devices in the guest network to communicate with each other? Or is my understanding (and layout?) completely flawed?
3) If I connect to one of the XT8's, that repeats the three (can repeat up to 3 SSIDs) different SSID's from the BE98, will the VLAN tagging happen here as well? My understanding would be yes, given the XT8 just repeat the signal and the "decision" for tagging is made at the BE98.

Thanks!

 

[Tech9]

This is quite messy project, honestly. You need serious investments for 10Gbps ISP going to your LAN. The firewall doing IDS/IPS at this speed has to be something serious, you better run the network on a 10GbE with PoE managed switch and deploy PoE APs. This is how my business networks run, but you are looking at thousands in new equipment. Home routers as APs, 2 out of 3 not VLAN capable - why? This need for speed will eat your wallet.

 

[Tech9]

I would send this GT-BE98 back immediately (in case it was purchased already), get one GT-AX11000 Pro instead and make AiMesh with existing (somewhat*) matching 3-band XT8s. Additional firewall, smart switch - not needed. Keep the NAS of course, connect it to your main router. Seriously, what else do you need at home? What you can't do with Gigabit fiber and why the mismatch of beta tester edition Wi-Fi 7 and Wi-Fi 6?

* - limited to what AiMesh is in Asuswrt 4.0

 

[coxhaus]

Well, you could run Pfsense without IDS/IPS. Your ASUS is not going to have it as it has a much smaller CPU. There are some low wattage i7 out there that can move some data. Most businesses don't care about wattage and they just use the highest-powered CPU. The other thing you did not mention is it 10gig link rate or data speed.

ASUS has no chance of processing a 10gig data stream. The hardware is built too light and too small of CPU.

 

[rolfi]

Thanks for the responses, folks! Much appreciated

This is quite messy project, honestly. You need serious investments for 10Gbps ISP going to your LAN. The firewall doing IDS/IPS at this speed has to be something serious, you better run the network on a 10GbE with PoE managed switch and deploy PoE APs. This is how my business networks run, but you are looking at thousands in new equipment. Home routers as APs, 2 out of 3 not VLAN capable - why? This need for speed will eat your wallet.

The firewall lowers it to 2.5gbs, but deals with that easily (including IDS/IPS). So there shouldn't be any worry on that end.

I would send this GT-BE98 back immediately (in case it was purchased already), get one GT-AX11000 Pro instead and make AiMesh with existing (somewhat*) matching 3-band XT8s. Additional firewall, smart switch - not needed. Keep the NAS of course, connect it to your main router. Seriously, what else do you need at home? What you can't do with Gigabit fiber and why the mismatch of beta tester edition Wi-Fi 7 and Wi-Fi 6?

* - limited to what AiMesh is in Asuswrt 4.0

Yeah, it was purchased already, and the time to send it back ended...

Two questions though:
How is the GT-AX11000 Pro superior to the BE98?
What did you mean with "why the mismatch of beta tester edition Wi-Fi 7 and Wi-Fi 6?"? I didn't get that

Well, you could run Pfsense without IDS/IPS. Your ASUS is not going to have it as it has a much smaller CPU. There are some low wattage i7 out there that can move some data. Most businesses don't care about wattage and they just use the highest-powered CPU. The other thing you did not mention is it 10gig link rate or data speed.

ASUS has no chance of processing a 10gig data stream. The hardware is built too light and too small of CPU.

To your question about link rate and data speed: Yeah, it's 10gig data speed coming in. But the firewall can only deal with 2.5, so there it's already lowered.

100% agree with your final statement.