Hi, folks. I’m trying my best to do my homework before I come here with questions, but even when trying to be selective about what I’m searching for, it’s often a fire hose of information that’s hard to take in.

I’m trying to prepare for exposing self-hosted services to the internet with a reasonable amount of security. Tailscale isn’t going to be a great option for my use cases due to added friction for additional users as well as the total number of users I expect to have, so my goal is to segregate my 1-2 servers from the rest of my home network, so that if they’re compromised, the rest of my network is fine. Based on what I’ve read, I think I want my regular VLAN 1 to be my network as is, and then I can make a separate VLAN for my NAS and, eventually, a mini PC that are hosting services. I want to be able to talk to those devices from VLAN 1 but not the other way around, and I think I can do that with VLAN rules.

I’m trying to follow this Home Network Guy guide, but as it relates to what I’m trying to do, I have a few questions. My network setup is partially constrained by the layout of my apartment and where I can find electrical outlets, so I can only change it so much. Basically, it’s internet in->Verizon’s provided router->living room switch->office switch. The living room switch is sort of a repeater just to make everything reach, but it also connects game consoles, which also double as media streaming machines, like streaming Jellyfin from our own NAS. The NAS, my desktop, and my work PC are all connected to the office switch, and eventually a mini PC will live here full-time as well; as stated above, I want just the NAS and mini PC on their own VLAN. I think what I need to do is put a firewall between my router and the living room switch to define the VLAN rules and tag packets, and then replace the office switch with one that understands VLAN tags. So my questions are:

  1. In that guide, he has a firewall mini PC that costs about $540. A quick search on Amazon results in similar machines ranging from $100 to almost $600. It’s not going to break the bank in either case, but I don’t want to buy something I don’t need, and I can’t tell what “too much” or “not enough” is.
  2. I’d prefer not to replace the Verizon router if I don’t have to, because I’m not sure how much of my service depends on it, so assuming that’s possible to leave untouched, would it then connect to the firewall’s WAN port or LAN port? If it’s not serving as the router itself, I’d imagine LAN, and then I’d need at least two LAN ports on the firewall device, but I just wanted to be sure.
  3. There are two hops before any packet makes it to its destination in the office; do both switches need to be managed switches for the VLAN tags to stay intact? Or just the office switch?
  4. Is there anything in the above that I’ve gotten so wrong that it somehow invalidates my questions, and I’m further away from understanding this than I think I am?

Thanks for any help you folks can offer!
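The one-way policy described above ("VLAN 1 can talk to the server VLAN, but not the other way around") is normally expressed as a stateful firewall rule on whichever box routes between the VLANs. The following is an added example, not from the thread or from the Home Network Guy guide: a small POSIX shell function that emits an nftables ruleset for a Linux-based firewall. The interface names (vlan1, vlan20, wan0) and the idea of a dedicated WAN interface are assumptions; adjust them to your own setup. The ordering of the rules is the point: replies to connections the trusted LAN opened are accepted first, so the NAS can answer a Jellyfin stream, while any *new* connection from the server VLAN toward the LAN is logged and dropped.

```shell
#!/bin/sh
# Added example (not the guide's or the poster's config): one-way inter-VLAN
# policy as an nftables ruleset. Interface names below are assumptions.
LAN_IF="${LAN_IF:-vlan1}"    # trusted home network (VLAN 1)
SRV_IF="${SRV_IF:-vlan20}"   # NAS + mini PC (server VLAN)
WAN_IF="${WAN_IF:-wan0}"     # upstream toward the Verizon router / internet

# Print the ruleset to stdout; on the firewall, load it with: one_way_vlan_ruleset | nft -f -
one_way_vlan_ruleset() {
cat <<EOF
table inet vlan_policy {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # 1. Replies to connections that were already allowed may flow back.
        #    This is what lets the NAS answer a client in VLAN 1.
        ct state established,related accept

        # 2. Trusted LAN may open any connection toward the server VLAN.
        iifname "$LAN_IF" oifname "$SRV_IF" accept

        # 3. Both VLANs may reach the internet.
        iifname { "$LAN_IF", "$SRV_IF" } oifname "$WAN_IF" accept

        # 4. Server VLAN must never initiate into the trusted LAN.
        #    Logged explicitly so a compromised server trying to pivot shows up in the logs.
        iifname "$SRV_IF" oifname "$LAN_IF" ct state new log prefix "srv-to-lan blocked: " drop

        # Anything not matched above falls through to the chain's drop policy.
    }
}
EOF
}

# Optional syntax check when nft is installed (no rules are loaded; -c only parses).
check_ruleset_syntax() {
    if command -v nft >/dev/null 2>&1; then
        one_way_vlan_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}
```

The `policy drop` default is what makes the segregation hold: you only add explicit accept rules for the directions you want, and the server VLAN gets nothing toward the LAN unless the LAN asked first. Note that a default-drop forward chain also blocks server-VLAN-to-LAN traffic that you might later discover you want (for example the NAS reaching a printer), so watch the log prefix above when you first bring it up.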

  • IsoKiero@sopuli.xyz · 2 hours ago

    I haven’t really paid attention to prosumer hardware lately as my RB4011iGS+RM just keeps on working. 6 watts is really low though; according to the spec sheet my router pulls 18W at 24VDC. A few links I checked from your original post however give 15W TDP, so maybe some seller is pulling numbers out of their sleeve or there are differences between models. Either way, those are pretty damn efficient boxes.

    With that Celeron CPU I think they have less throughput than what I’m running, but if your internet connection isn’t several hundred megabits I don’t think that’ll be an issue. I had issues with some EdgeRouter; while it claimed to do full gigabit, in practice it managed only up to ~700Mbps and even less than that with even slightly complicated routing.

    I don’t have any direct recommendations, but I’d stay away from TP-Link and other budget brands which often promise a lot more than they can actually deliver. My switches are from HPE and they are pretty cheap second hand (or even free if you happen to stumble into an office renewal somewhere).