Suggestions for Office Networking Hardware

I have an office that requires some networking gear to get started.
We already have an ISP providing 1Gbps symmetric fiber connection and are looking to acquire hardware to provide us with wired and wireless connectivity.
At the moment we are 3 people working inside, but there is potential to have around 6-8 people there at the same time. We have a small 10U server rack that’s completely free. We will be working on sensitive stuff and, because of that, security is important to us. We want to be able to access our workstations remotely if needed and are also thinking about adding a custom (or not) NAS in the near future.

I have looked at some gear but, although I’m pretty proficient in it, I feel like you guys here will probably have better suggestions.

I don’t know if I should add more details but if so please let me know and I will gladly do so!

Thanks! :slight_smile:

1 Like

The bare minimum is segmenting servers and workstations (and wifi / guest wifi) into different networks with a firewall between them. For example, the wifi (and even less so the guest wifi) has no business accessing management interfaces; that is strictly an “admin on cable” privilege.


The Aruba CX6100 series is cheap enough; I do not like the Aruba InstantOn series. If you need a GUI for some reason, there is an argument to be made for UniFi or Mikrotik.

Firewall-wise, I like Sophos (the XGS138 would be my pick for your size); I can see why someone would go Fortinet or pfSense though.

The “deeper” in your network something is, the less exposed it is to the outside. If you were paranoid, you would put a different firewall vendor between each zone. In practice, having the “WAN-DMZ” firewall and the “segmentation” firewall (the one keeping everything in neat little groups) be different vendors is usually enough.

| Source network \ Destination | DMZ | Internet | Files | Management |
|---|---|---|---|---|
| WAN | ✅ | ❌ | ❌ | ❌ |
| VPN | ✅ | ✅ | ✅ | ❌ |
| Workstation-LAN | ✅ | ✅ | ✅ | ❌ |
| Server-LAN | ❌ | ⚠️ | ✅ | ❌ |
| Management | ❌ | ❌ | ✅ | ✅ |

Segmenting your network as shown is a pain. Changing anything that is relevant to security (like resetting a password) involves either a secondary computer (that does not have internet!) or unplugging your laptop from the “work” zone and plugging it into the “management” zone (which does not have internet access).
Servers are also an iffy thing: on the one hand you may want to push backups to an S3 store of sorts, or need some software to phone home for licensing reasons, but you do not actually want your servers to have internet access.

1 Like
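The zone table above, encoded as data so it can be checked and rendered rather than re-typed by hand: a function that answers “may this flow start?”, a check for the “admin on cable” rule (nothing but Management may open connections into Management), and a rendering as a default-deny nftables forward chain. This is an example added to the thread, not the poster’s configuration. The zone-to-interface names and the two destinations in the Server-LAN → Internet exception list (backup target, licence server) are assumptions, using RFC 5737 documentation addresses.

```python
"""Zone policy matrix -> allow/deny decisions and an nftables forward chain.
Added example; interface names and exception destinations are assumptions."""
import ipaddress

ALLOW, DENY, RESTRICTED = "allow", "deny", "restricted"

# Rows are source zones, columns are destination zones, exactly as in the table.
POLICY = {
    "WAN":             {"DMZ": ALLOW, "Internet": DENY,       "Files": DENY,  "Management": DENY},
    "VPN":             {"DMZ": ALLOW, "Internet": ALLOW,      "Files": ALLOW, "Management": DENY},
    "Workstation-LAN": {"DMZ": ALLOW, "Internet": ALLOW,      "Files": ALLOW, "Management": DENY},
    "Server-LAN":      {"DMZ": DENY,  "Internet": RESTRICTED, "Files": ALLOW, "Management": DENY},
    "Management":      {"DMZ": DENY,  "Internet": DENY,       "Files": ALLOW, "Management": ALLOW},
}

# The "restricted" cell: the post names backups to an S3-style store and licence
# phone-home. These destinations are assumed (RFC 5737 ranges), not real services.
EXCEPTIONS = {
    ("Server-LAN", "Internet"): [
        ("203.0.113.10/32", "tcp", 443),   # hypothetical backup target
        ("198.51.100.0/24", "tcp", 443),   # hypothetical licence server range
    ],
}

# Assumed interface per zone. WAN/Internet share the upstream link; Files lives
# on the server segment, so Server-LAN -> Files is switched, never forwarded.
IFACE = {
    "WAN": "wan0", "Internet": "wan0", "VPN": "wg0", "Workstation-LAN": "vlan10",
    "DMZ": "vlan20", "Server-LAN": "vlan30", "Files": "vlan30", "Management": "vlan99",
}


def allowed(src, dst, daddr=None, proto=None, dport=None):
    """True if a new flow from zone src to zone dst is permitted.
    A 'restricted' cell only passes flows that match a listed exception."""
    verdict = POLICY[src].get(dst, DENY)
    if verdict == ALLOW:
        return True
    if verdict == DENY or daddr is None:
        return False
    ip = ipaddress.ip_address(daddr)
    return any(ip in ipaddress.ip_network(net) and proto == p and dport == port
               for net, p, port in EXCEPTIONS.get((src, dst), []))


def management_reachable_from():
    """Zones that may open connections into Management. The post's rule is that
    this list is exactly ['Management'] ('admin on cable')."""
    return [src for src, row in POLICY.items() if row.get("Management") != DENY]


def to_nftables():
    """Render the matrix as a default-deny nftables forward chain (nft script text)."""
    lines = ["table inet office {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept   # replies to allowed flows",
             "    ct state invalid drop"]
    for src, row in POLICY.items():
        for dst, verdict in row.items():
            if IFACE[src] == IFACE[dst]:
                continue                      # same segment: switched, not forwarded
            rule = f'    iifname "{IFACE[src]}" oifname "{IFACE[dst]}"'
            if verdict == ALLOW:
                lines.append(f"{rule} accept   # {src} -> {dst}")
            elif verdict == RESTRICTED:
                for net, proto, port in EXCEPTIONS.get((src, dst), []):
                    lines.append(f"{rule} ip daddr {net} {proto} dport {port} accept"
                                 f"   # {src} -> {dst} (exception)")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("Management reachable from:", management_reachable_from())
    print(to_nftables())
```

Anything not listed in the matrix falls through to `policy drop`, which is the point of doing it this way: the ⚠️ cell becomes two explicit host/port rules instead of a vague “servers sort of have internet”, and adding a new zone forces you to decide every row and column rather than inheriting an implicit allow.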

Thank you very much for your reply and advice!

The segmentation is the simplest thing I can do and is already planned.

In terms of Aruba vs UniFi, do you have strong gripes about going the UniFi route? It does look simpler and easier to manage because of the GUI. I do know that it has a few bugs here and there, especially for more advanced users, but I’m not sure if these will affect me.

Your table is very clear and I appreciate that. I know that doing that is a pain and it will probably take some time for me to set it up with my colleagues but since at the start we won’t be dealing with too much sensitive data it’s a good stage to test stuff and learn more about it.

Do you recommend any chassis for a simple NAS? We don’t need solid state storage but if the price difference is small we may go for it.

1 Like

I’m one of those who would rather strongly advise against going for network gear that’s more or less cloud-only and/or requires external software for management (I’m not referring to an SSH client or a browser).

You really don’t need anything super fancy; what you might want at least is a switch that supports SFP+, as you might want to hook up a faster switch later on.

Something like a Zyxel GS2200-10 will do fine and doesn’t break the bank.

As for the firewall, it depends on what you’re looking for. pfSense will do just fine; however, DPI (if required) eats a lot of processing power and isn’t a “set and forget” thing, and it’ll also be very expensive hardware-wise at 1 Gbit rates. I think this comment sums it up pretty well: https://www.reddit.com/r/PFSENSE/comments/1gsotle/comment/lxhunrd/ . If you’re fine with IDS/IPS, pfSense will do fine; get Intel NICs and something that actually comes with some kind of BIOS/firmware aftermarket (i.e. not something off AliExpress).

With that in mind, grabbing an HP/Dell/Lenovo mini PC that isn’t ancient and adding an M.2 NIC (such as https://www.aliexpress.com/item/1005008904049465.html ) to it will tick all the boxes.

https://www.newegg.com/p/1VK-0003-1NS78?Item=9SIAKDCKFE2751 (EoL but still getting firmware updates)
Amazon.com: Lenovo ThinkCentre Tiny M70q G5 Intel Deca Core i5-14400T (Beats i7-13700T), 16GB DDR5, 512GB NVMe, DisplayPort, HDMI, WiFi 6E, RJ-45, Wired KB & Mouse, Win 11 Pro, 3YR Wty, Business Desktop - Black : Electronics
Dell Pro Micro QCM1250 - micro Core i5 i5-14500T 1.7 GHz - 16 GB - SSD 256 GB - 1D5HX - Mini PCs - CDW.com

  • Note: I have no idea what the best place is to pick these up in the US.

As for AP(s), I would go for something dead simple: grab something that is based on MediaTek Filogic and supported by OpenWrt. Configure it as a dumb AP and you’re done. This will be very secure and you’ll be able to keep the software up to date for a long period of time, not to mention that if you want to extend the network (wirelessly), WDS makes it very easy and seamless.
https://www.newegg.com/acer-connect-vero-w6m-mesh-router/p/N82E16833820063
It does require some tinkering, but it’s not too bad.
That will also give you a few more additional ethernet ports if needed.

If you want something to use out of the box: Amazon.com: Zyxel WiFi 6 AX3000 Wireless Gigabit Access Point | Mesh, Seamless Roaming, & MU-MIMO | WPA3-PSK Security | Cloud, App or Direct Management | POE+ or AC Powered | AC Adapter Included | NWA50AX PRO : Electronics , which is a cut-down (hardware-wise) version of the Acer one (no 6 GHz, dual-core vs quad-core CPU, etc.). Look at OpenWrt’s ToH for all the details; it will however do just fine acting as an AP.

As for VPN, WireGuard works very well and is available on most platforms. Given the low number of people, running the vanilla version will be more than enough; you may want to look into something like netbird ( GitHub - netbirdio/netbird: Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls. ), but it also adds more complexity.

As for the NAS, it all depends on how much data storage you need and how much you “care” about it. Getting “true” ECC-capable hardware is going to be much more expensive than your average NAS (both will likely do just fine in your case, however).
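A small lint for a “vanilla WireGuard” server config, added here as an example for this thread (not the poster’s code and not part of WireGuard itself). The point it demonstrates is that on the server side `AllowedIPs` is cryptokey routing, not an access list: every peer must own exactly its own tunnel address, because a broader range (the `0.0.0.0/0` people copy from client configs) makes the server route everything to that peer and accept any source address from it. The two configs embedded below are constructed samples, and every key is a zero-byte placeholder, not a real key.

```python
"""Lint a WireGuard server config before rolling it out.
Added example; the configs below are constructed and the keys are placeholders."""
import base64
import ipaddress

# Placeholder with the right shape (base64 of 32 bytes, 44 chars). NOT a real key.
PLACEHOLDER_KEY = base64.b64encode(bytes(32)).decode()


def parse_wg(text):
    """Minimal parser for wg-quick style files: returns (interface dict, [peer dicts])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            key, sep, value = line.partition("=")
            if current is None or not sep:
                raise ValueError(f"unexpected line: {raw!r}")
            current[key.strip()] = value.strip()
    return interface, peers


def lint_server(text):
    """Return a list of findings; an empty list means the config passes.

    Server-side AllowedIPs is cryptokey routing: the source addresses accepted
    from a peer and the destinations routed to it. Each peer must therefore own
    exactly one host route inside the tunnel subnet, and no two peers may share one."""
    findings = []
    interface, peers = parse_wg(text)
    tunnel = ipaddress.ip_interface(interface["Address"]).network
    owner = {}                                    # host route -> peer number
    for n, peer in enumerate(peers, 1):
        pubkey = peer.get("PublicKey", "")
        if len(pubkey) != 44 or not pubkey.endswith("="):
            findings.append(f"peer {n}: PublicKey is not a base64-encoded 32-byte key")
        for cidr in peer.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if not cidr:
                findings.append(f"peer {n}: AllowedIPs is empty")
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"peer {n}: AllowedIPs {cidr} is not a host route; the server "
                                "would route that whole range to this peer and accept any "
                                "source address from it")
            elif net.network_address not in tunnel:
                findings.append(f"peer {n}: AllowedIPs {cidr} lies outside tunnel {tunnel}")
            elif cidr in owner:
                findings.append(f"peer {n}: AllowedIPs {cidr} already belongs to peer {owner[cidr]}")
            else:
                owner[cidr] = n
    return findings


# Constructed sample: a sane server config for two laptops.
GOOD_CONFIG = f"""
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = {PLACEHOLDER_KEY}

[Peer]   # laptop-1
PublicKey = {PLACEHOLDER_KEY}
AllowedIPs = 10.8.0.2/32

[Peer]   # laptop-2
PublicKey = {PLACEHOLDER_KEY}
AllowedIPs = 10.8.0.3/32
"""

# Constructed sample with three classic mistakes: a client-style 0.0.0.0/0 pasted
# into the server, a route outside the tunnel range, and a duplicated address.
BAD_CONFIG = f"""
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = {PLACEHOLDER_KEY}

[Peer]
PublicKey = {PLACEHOLDER_KEY}
AllowedIPs = 0.0.0.0/0

[Peer]
PublicKey = {PLACEHOLDER_KEY}
AllowedIPs = 10.8.0.2/32, 10.9.0.2/32

[Peer]
PublicKey = {PLACEHOLDER_KEY}
AllowedIPs = 10.8.0.2/32
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_server(cfg) or "OK")
```

Which internal networks a VPN user can then reach (Files yes, Management no, per the table earlier in the thread) is not a WireGuard setting at all; it belongs on the segmentation firewall, with `wg0` treated as just another untrusted zone.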

As dumb as it sounds: It is your network, you have to deal with it.

I like Cisco, but they come at a price not everyone wants to pay. I hate Dell switches, I can see why people like Aruba. I get why people dislike Lancom. Mikrotik and Teltonika hold special places in my heart.

Storage is not exactly my area of expertise.