BigBro
New Around Here
I'm planning my new home network and I have an idea to virtualize some things. Plan of this network is shown on the picture. Now some considerations behind it:
- I need a DMZ to provide some services to WAN. VLAN 20 is dedicated to DMZ.
- Hosts in DMZ will be routed by pfSense VM.
- I've read that it is a good practice to have DB server(s) in a separate sub-network.
- Hosts in DMZ and DB sub-networks will be backed up to FreeNAS VM. That is why I need a virtual pfSense router. In this way ERL (Edgerouter Lite) does not have to route traffic between LAN and DMZ which means gigabit connection between LAN and ERL will not be used during backup process. As a side effect, backup speed can be faster than 1 gbps, but the main motivation here is to avoid saturation of LAN <-> ERL link during backup process.
- All home PCs and electronics will be connected to untagged VLAN 10 ports or through Wi-Fi.
Now some schematic firewall rules.
Edgerouter Lite:
LAN -> WAN (all ports)
DMZ -> WAN (ports: 53, 80)
WAN -> DMZ (web services ports)
pfSense VM:
LAN -> DMZ (all ports)
LAN -> DB (all ports)
DMZ -> DB (port 3306)
DMZ -> DMZ WAN (ports: 53, 80)
DB -> DMZ WAN (ports: 53, 80)
DMZ WAN -> DMZ (web services ports)
The main complication here is that virtual pfSense router. If ERL would have one more interface, then I could trunk two gigabit connections to LAN, one to DMZ and one to WAN. In this case, even during backup process, at least 1 gbit of bandwidth would be available for LAN <-> WAN. But reality is that it has only 3 interfaces and I was not able to find fast enough router with more interfaces and comparable price. I do not need fast LAN <-> WAN routing atm, it is limited by my WAN speed anyway. But I'd need fast LAN <-> DMZ routing if I want to avoid pfSense VM.
Another option would be to exclude ERL and use only pfSense VM for routing. There are two reason to avoid it:
1. If ESXi host goes down for some reason (most probably my mistake), I do not want my family members to loose internet access. So LAN <-> WAN routing must be done outside of ESXi.
2. If something goes wrong with ESXi host, I'd like to be able to use VPN and IPMI to resolve the problem. This point is not very strong, because I'll have physical access to the box as soon as I'm back home.
So, what do you guys think? Does it make sense? Am I missing something that can make all this thing simpler?
P.S. Edgerouter POE seems to have 5 gbit ports, but in fact 3 of them are switched and CPU has only 3 ports like ERL.
P.P.S. Sorry for my English
- I need a DMZ to provide some services to WAN. VLAN 20 is dedicated to DMZ.
- Hosts in DMZ will be routed by pfSense VM.
- I've read that it is a good practice to have DB server(s) in a separate sub-network.
- Hosts in DMZ and DB sub-networks will be backed up to FreeNAS VM. That is why I need a virtual pfSense router. In this way ERL (Edgerouter Lite) does not have to route traffic between LAN and DMZ which means gigabit connection between LAN and ERL will not be used during backup process. As a side effect, backup speed can be faster than 1 gbps, but the main motivation here is to avoid saturation of LAN <-> ERL link during backup process.
- All home PCs and electronics will be connected to untagged VLAN 10 ports or through Wi-Fi.
Now some schematic firewall rules.
Edgerouter Lite:
LAN -> WAN (all ports)
DMZ -> WAN (ports: 53, 80)
WAN -> DMZ (web services ports)
pfSense VM:
LAN -> DMZ (all ports)
LAN -> DB (all ports)
DMZ -> DB (port 3306)
DMZ -> DMZ WAN (ports: 53, 80)
DB -> DMZ WAN (ports: 53, 80)
DMZ WAN -> DMZ (web services ports)
The main complication here is that virtual pfSense router. If ERL would have one more interface, then I could trunk two gigabit connections to LAN, one to DMZ and one to WAN. In this case, even during backup process, at least 1 gbit of bandwidth would be available for LAN <-> WAN. But reality is that it has only 3 interfaces and I was not able to find fast enough router with more interfaces and comparable price. I do not need fast LAN <-> WAN routing atm, it is limited by my WAN speed anyway. But I'd need fast LAN <-> DMZ routing if I want to avoid pfSense VM.
Another option would be to exclude ERL and use only pfSense VM for routing. There are two reason to avoid it:
1. If ESXi host goes down for some reason (most probably my mistake), I do not want my family members to loose internet access. So LAN <-> WAN routing must be done outside of ESXi.
2. If something goes wrong with ESXi host, I'd like to be able to use VPN and IPMI to resolve the problem. This point is not very strong, because I'll have physical access to the box as soon as I'm back home.
So, what do you guys think? Does it make sense? Am I missing something that can make all this thing simpler?
P.S. Edgerouter POE seems to have 5 gbit ports, but in fact 3 of them are switched and CPU has only 3 ports like ERL.
P.P.S. Sorry for my English
Attachments
Last edited:
