I plan on setting up a network soon and I'm currently planning it out and selecting software.
So I decided to get community feedback to set it up properly and see if better options were available.
The software below I had planned on running on its own server, as network traffic will fluctuate during holiday gatherings and large 300+ family reunions.
Yes, my wife and I both have large families.
I plan on using Mini-ITX boards, possibly in a blade server setup, on a 10Gb home network.
10 Gigabit for a home network? Are you going to edit raw 4K video straight from an SSD-cached storage array?
What kind of traffic will this network realistically see?
How is the network laid out (including wireless access)?
What are the requirements in terms of features, security, and internet throughput?
For security and practicality reasons, you want to keep the email/print/storage services separated from the router/firewall/IDS. This can be done physically, or through virtualization.
Giving 300 people internet access on their phone isn't all that taxing on the router; it's the wireless side you should worry about.
I agree with @Just.Oblivious. Before you go into the software side of things you need to think about how all those clients will connect to the router; if the connection method is wireless then you'd need a fairly significant wireless setup with multiple access points to eliminate dead zones and to account for all the wireless traffic.
Also, as @Just.Oblivious suggests, you'd need to restrict access to some of the more sensitive parts of your network, because 300 users running rampant through an unsecured network is a recipe for a bad day.
I've done something similar where I've created separate VLANs for the other people in my house and firewalled them off from the rest of the network to restrict access to my servers and main workstation, because I inherently distrust devices on the network that I don't have control over.
I made a post about it here if you are interested:
Just planning. I do plan on having it segmented. Yes, I do plan on video editing. I do plan on running UniFi PoE wireless behind a WIPS/IDS and firewall.
I also plan on running IP PoE surveillance, Apache, a database server, and a cloud server for learning purposes and such. And Plex media over the FreeNAS if I don't choose to separate it as well.
As I said, I'm planning as I learn better hands-on. And it being 10Gb I thought I might as well future-proof the network.
Edit: I'm looking into a login gateway and running encryption over the wireless, which would increase the network traffic load.
But still reading up on it, to me it's the deep end of the pool.
Router
Any box with multiple network interfaces will do.
OS: pfSense
Services:
Routing
NAT
Firewall
DHCP
DNS
IDS/IPS: Snort
Caching (if absolutely necessary): Squid
So far so good.
Virtualization host
Building a separate box for each server is silly, so let's virtualize the less demanding services and run them from one host system. Use a hypervisor (like VMware ESXi or Proxmox) to achieve this.
Virtual machines:
RADIUS server for authenticating wireless clients
Mail server
Web server
Database server
"Cloud" server
Additional experimental machines for learning
Storage box
Storage is not my thing, but FreeNAS is a well known option. Plex can be run as a Docker container on top of FreeNAS.
To split up the network, all you need is a managed switch, and some access points that support VLAN tagging with multiple SSIDs.
pfSense will handle the routing and firewalling between the networks, no need to have separate hardware here.
Here is a theoretical network layout (this numbering scheme is just an example):
VLAN 1: Private LAN (10.1.0.0/24)
Workstations (10GbE)
Storage server with Plex service (10GbE)
Experimental virtual machines
All devices connected to the "private" wireless SSID
VLAN 2: Guest LAN (10.2.0.0/22, only internet access)
All devices connected to the "guest" wireless SSID
Other services for guests
Traffic shaping/QoS (if necessary)
VLAN 3: No internet (10.3.0.0/24, only accessible from the private LAN) We all know what happens when IoT devices have access to the internet, so let's not do that.
IP cameras + network video recorder
Home automation
Network printers
Management interface for the virtualization host
Switch management portal
UPS ethernet interface
Management interface for the access points
RADIUS Authentication server for wireless clients
VLAN 4: Public services (10.4.0.0/24)
Mail server
Web server (port 80 and 443 only)
Database server (limited to access from within this subnet)
"Cloud" server
Experimental virtual machines (the ones that have to be accessible from the internet)
Yes, this is absolutely overkill for a home network. But if you want to go all-in, this is one way to do it.
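Since both the "firewall off the other people's VLAN" post earlier and the four-VLAN layout above come down to a short list of who may initiate traffic to whom, here is the layout written down as a policy-as-code check. This is an added example, not code from anyone in this thread or from pfSense: it models the zones and subnets exactly as listed (10.1.0.0/24, 10.2.0.0/22, 10.3.0.0/24, 10.4.0.0/24), assumes addresses for the web server (10.4.0.10) and database server (10.4.0.20) since the post gives none, treats anything outside the four VLANs as "internet", and evaluates rules first-match in order, the way pfSense walks its per-interface rule list. Return traffic for established flows is left to pf's state table and is not modelled; the test flows at the bottom are constructed.

```python
"""Policy-as-code check for the four-VLAN layout (added example, not from the thread).

Models which zone may *initiate* a connection to which zone, first-match like
pfSense's per-interface rule order. Reply traffic for established flows is
handled by pf's state table and is not modelled here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zones and subnets taken from the proposed layout.
ZONES = {
    "private": ipaddress.ip_network("10.1.0.0/24"),
    "guest":   ipaddress.ip_network("10.2.0.0/22"),
    "noinet":  ipaddress.ip_network("10.3.0.0/24"),
    "public":  ipaddress.ip_network("10.4.0.0/24"),
}
INTERNET = "internet"  # any address outside the four VLANs (assumption)

# Assumed host addresses for the two public-VLAN servers the rules single out.
WEB_SERVER = ipaddress.ip_address("10.4.0.10")
DB_SERVER = ipaddress.ip_address("10.4.0.20")


@dataclass(frozen=True)
class Rule:
    src: str                                    # zone name or "any"
    dst: str                                    # zone name or "any"
    action: str                                 # "allow" or "deny"
    dst_host: Optional[ipaddress.IPv4Address] = None
    proto: Optional[str] = None                 # None = any protocol
    dport: Optional[int] = None                 # None = any port

    def matches(self, src_zone, dst_zone, dst_ip, proto, dport):
        return (self.src in (src_zone, "any")
                and self.dst in (dst_zone, "any")
                and (self.dst_host is None or self.dst_host == dst_ip)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


# Ordered rule set: first match wins, anything unmatched is dropped.
RULES = [
    # The database is reachable only from inside its own subnet, so every
    # cross-zone attempt is dropped before the broad allows below can match.
    Rule("any", "public", "deny", dst_host=DB_SERVER),
    # The private LAN may reach everything, including the no-internet VLAN.
    Rule("private", "any", "allow"),
    # Guests get internet access and nothing else.
    Rule("guest", INTERNET, "allow"),
    # Public servers may reach out (package updates, outbound mail).
    Rule("public", INTERNET, "allow"),
    # Only the web server's ports 80 and 443 are exposed inbound.
    Rule(INTERNET, "public", "allow", dst_host=WEB_SERVER, proto="tcp", dport=80),
    Rule(INTERNET, "public", "allow", dst_host=WEB_SERVER, proto="tcp", dport=443),
    # VLAN 3 (cameras, IoT, management interfaces) initiates nothing: default deny.
]


def zone_of(ip):
    """Map an address to its zone; anything outside the VLANs is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET


def evaluate(src_ip, dst_ip, proto, dport):
    """Return 'allow' or 'deny' for a new flow src_ip -> dst_ip:dport."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone and src_zone != INTERNET:
        return "allow"  # same VLAN: switched locally, never crosses the firewall
    dst = ipaddress.ip_address(dst_ip)
    for rule in RULES:
        if rule.matches(src_zone, dst_zone, dst, proto, dport):
            return rule.action
    return "deny"


# Constructed flows and the verdict the layout's text requires for each.
EXPECTED = [
    ("10.2.1.5",    "10.1.0.10",   "tcp", 445,  "deny"),   # guest -> workstation
    ("10.2.1.5",    "203.0.113.5", "tcp", 443,  "allow"),  # guest -> internet
    ("10.3.0.7",    "203.0.113.5", "udp", 53,   "deny"),   # camera -> internet
    ("10.3.0.7",    "10.1.0.10",   "tcp", 22,   "deny"),   # camera -> private LAN
    ("10.1.0.10",   "10.3.0.7",    "tcp", 554,  "allow"),  # workstation -> camera
    ("203.0.113.5", "10.4.0.10",   "tcp", 443,  "allow"),  # internet -> web server
    ("203.0.113.5", "10.4.0.10",   "tcp", 22,   "deny"),   # internet -> web ssh
    ("203.0.113.5", "10.4.0.20",   "tcp", 5432, "deny"),   # internet -> database
    ("10.1.0.10",   "10.4.0.20",   "tcp", 5432, "deny"),   # private LAN -> database
    ("10.4.0.10",   "10.4.0.20",   "tcp", 5432, "allow"),  # web -> db, same subnet
]


def audit(expected=EXPECTED):
    """Return the flows whose verdict differs from what the layout requires."""
    return [(s, d, p, port, want, evaluate(s, d, p, port))
            for s, d, p, port, want in expected
            if evaluate(s, d, p, port) != want]


if __name__ == "__main__":
    for bad in audit():
        print("MISMATCH", bad)
    print("policy audit:", "OK" if not audit() else "FAILED")
```

The one thing worth noticing in the rule order is the database deny sitting above the "private may reach anything" allow: pfSense stops at the first match, so putting the broad allow first would silently give every workstation a path to the database the layout says should only be reachable from its own subnet. Keeping a table like EXPECTED next to the real rule set and re-running it after every change is a cheap way to catch that kind of ordering mistake before it goes live.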
10Gb will be overkill even if you're lucky enough to have a 1Gb internet connection. Not to mention with only wireless clients.
If you have large file transfers between workstations, that's another story. But if you need bandwidth for a NAS then a good switch with plenty of backplane and support for things like bonding and VLANs will save you tons.
Just some thoughts.
But it would be fun to set up a 10Gb network if you had the funds.
Edit: Some ideas on the security network. HD IP cams suck up bandwidth like crazy. Plan on up to 10 Mbit each. VLANs won't save you from saturation. At home I set up a completely separate network to handle security. The IP cams and NVR run their own switches and router. The only bottleneck in this scenario is the NVR. But link aggregation would help with load balancing.
Yeah, @wendell had an old video from 2015 explaining how link aggregation/teaming only benefits from processing speed, not cores, on 10Gb; something about not being optimized for multiple cores.
If @wendell was looking for video ideas, this thread might be a good starter.
All this thought process of mine started when he mentioned doing DHCP on its own, ideally, in a network environment in the last pfSense video lol.
So my mindset turned to single points of failure, workload balancing/resource management, and security etc.
I'm tired, so I'm running on in conversation like a mouthy #zombie.
This layout would work pretty well. VLAN config in a switch to the VM host would handle IDS in various contexts; you could have a single IDS with multiple interfaces (e.g. pfSense) and that would work pretty well I think.
You could have a "real" pfSense box at the internet connection and one or two pfSense VMs if you want really fine-grained routing control. Otherwise you could do multiple interfaces on a single box, and the IDS/VLANs would work fine.