I plan on setting up a network soon and I’m currently planning it out selecting software.
So I decided to get community feedback to set it up properly and see if better options where available.
The software below I had planned on running on its own server as network traffic will fluctuate during holiday gatherings and large 300+ family reunions.
Yes, I me and my wife both have large families.
I plan on using Mitx boards possibly in a blade server setup on a 10gb home network.
10 Gigabit for a home network? Are you going to edit raw 4K video straight from an SSD-cached storage array?
For security and practicality reasons, you want to keep the email/print/storage services separated from the router/firewall/IDS. This can be done physically, or through virtualization.
Giving 300 people internet access on their phone isn't all that taxing on the router; it's the wireless side you should worry about.
I agree with @Just.Oblivious, before you go into the software side of things you need to think about how all those clients will connect to the router, if the connection method is wireless then you'd need a fairly significant wireless setup with multiple access point to eliminate dead zones and to account for all the wireless traffic.
Also as @Just.Oblivious suggests you'd need to restrict access to some of the more sensitive parts of your network, because 300 users running rampant through an unsecured network is a recipe for a bad day.
I done something similar where I've created a separate VLANs for the other people in my house and firewalled it off from the rest of the network to restrict access to my servers and main workstation because I inherently distrust devices on the network that I don't have control over.
I made a post about it here if you are interested:
@Just.Oblivious @MichaelLindman
Just planning, I do plan on having it segmented.
Yes, I do plan on video editing.
I do plan on running a unifi poe wireless behind a wips/ids & firewall.
I also plan on running ip poe surveillance, apache, database server, and a cloud server for learning purposes and such.
And plex media over the freenas if I don't choose to separate it as well.
As I said I'm planning as I learn better hands on.
And it being 10gb I thought I might as well future proof the network.
Edit - I'm looking into a log in gateway and running encryption over the wireless which would increase the network traffic load.
But still reading up on it, to me it's the deep end of the pool.
@Just.Oblivious @MichaelLindman
Do you guys have any better software picks?
Trying to get this all planned out so I can start a diagram and a hardware list.
Then create a map.
Don't want any surprise needs and have to rip up walls to run cable, under alocate switches/patch panels, and server cabinet space.
Also have to setup a UPS solution.
Let's see, you basically need three boxes:
Router
Any box with multiple network interfaces will do.
OS: pfSense
Services:
So far so good.
Virtualization host
Building a separate box for each server is silly, so let's virtualize the less demanding services and run them from one host system. Use a hypervisor (like VMWare ESXi or Proxmox) to achieve this.
Virtual machines:
Storage box
Storage is not my thing, but Freenas is a well known option. Plex can be ran as a docker container on top of Freenas.
To split up the network, all you need is a managed switch, and some access points that support VLAN tagging with multiple SSID's.
pfSense will handle the routing and firewalling between the networks, no need to have separate hardware here.
Here is a theoretical network layout (this numbering scheme is just an example):
VLAN 1: Private LAN (10.1.0.0/24)
VLAN 2: Guest LAN (10.2.0.0/22, only internet access)
VLAN 3: No internet (10.3.0.0/24, only accessible from the private LAN)
We all know what happens when iOT devices have access to the internet, so let's not do that.
VLAN 4: Public services (10.4.0.0/24)
Yes, this is absolutely overkill for a home network. But if you want to go all-in, this is one way to do it.
Personally I like to separate my DMZ/Public VLANs further.
I.e. my intranet is 10.1.0.0 etc my DMZ would be 172.1.0.0 etc.
Just for ease of discovery and such.
Good post though.
OP:
What do you want to accomplish. What is the strategy? Do these 300 people need long term access to the data they put on the file server?
@Just.Oblivious thanks.
I was kinda worried running a Xeon D integrated board might be overwhelmed by 10gb with all the extra background processes.
Though it can hold 128gb of ecc ram.
@Yockanookany
Na, family and holiday gatherings.
Will be 8hr registered logins through a captive portal that expires.
10gb will overkill even if your lucky enough to have a 1gb internet connection. Not to mention with only wireless clients.
If you have large file transfers between workstations thats another story. But if you need bandwidth for a nas then a good switch with plenty of backplane and support for things like bonding and vlans will save you tons.
Just some thoughts.
But it would be fun to setup a 10gb network if you had the funds.
Edit: Some ideas on the security network. HD IP cams suck up bandwidth like crazy. Plan up to 10mbit each. Vlans wont save you from saturation.
At home I setup a completely separate network to handle security. The ipcams and nvr run their own switches and router. The only bottleneck in this scenario is the nvr. But link aggregation would help with load balancing.
Yeah, @wendell had an old video from 2015 explaining how link aggregaton/teaming only benefit from processing speed not cores on 10gb, something about not being optimized for multiple cores.
If @wendell was looking for video ideas, this thread might be a good starter.
All this thought process of mine started when he mentioned doing Dhcp on its own ideally in a network environment in the last Pfsense video lol.
So my mindset turned to single points of failure, workload balancing/resource management and security etc.
I'm tired so I'm running on in conversation like a mouthy #zombie.
this layout would work pretty well. vlans config in a switch to the vm host would handle IDS in various contexts -- you could have a single IDS with multiple interfaces (e.g. pfsense) and that would work pretty well I think.
you could have a "real" pfsense box at the internet connection and one or two pfsense VMs if you want really fine grained routing control. Otherwise you could do multiple interfaces on a single box + the IDS/VLANs would work fine.
Here's an article you might find useful since we all can't have Google fiber #deaddreams
SpaceX plans worldwide satellite Internet with low latency, gigabit speed | Ars Technica
All good things to consider. Gigabit wont be sufficient forever.
Be sure to put though into write speeds as well, wouldnt want to waste all that available bandwidth on some old hdds.
Boards I want to run have 2 m.2 slots, I think a 960 Samsung would be sufficient for Cache.
For some reason this is all I can think of while looking through the article...
This may be what I mount the mitx boards in.
RM-2270 2U Dual Mini-ITX MB 14" Deep Rackmount Case
http://www.circotech.com/rm-2270-2u-rackmount-case-for-dual-mini-itx-motherboard-system-14-deep.html
