Hello everybody,
I have a 15-year-old system with a role of firewall (pf)/DHCP server/squid/squidguard. This system, which is currently running FreeBSD 11, has 3 network cards, each one serving a network segment (wan, dmz, lan). Built at a time I had no knowledge of VLANs, and trying to connect each interface to the corresponding network segment, I ended up with a spaghetti of network cables: each card went to a small unmanaged switch on the same rack (so, 3 small switches in the same rack in total). Ok, I had to install switches because next to the firewall there was a LAN-, a DMZ- and a WAN-operating device. From these 3 switches I had to install uplink cables to connect them to the rest of my infrastructure. All in all, a pitiful situation.
The system has 3 Intel NICs installed, all of them using the em driver. Additionally, traffic on LAN/WAN is at the 4Mbps mark, with peaks (during downloads) at 60-70Mbps. These are exceptions though. DMZ traffic is very small.
Some 5 years ago, the backbone of the switching of my building was replaced with structured cabling: a Cisco optical switch at the basement and some D-Link managed switches per floor. I did not do something special at the time, apart from disabling STP on the switches and configuring them to be SSH'able etc...
Just when I started becoming an old dog (no new tricks to be learnt), a couple of months ago I stumbled upon VLANs, and utilized them for the purpose of having to "connect" together a foreign network between some building floors. Easily done on the switches with some VLAN configuration. I have left my original network traffic on the default VLAN (1) which is untagged for all purposes.
Question 1 (a bit OT though): I am one of two persons in our IT, however I am the only one knowledgeable on VLANs. If a switch goes bad during my absence, we're scre**d; we have one or two spare switches, but the configuration is different. No one will be able to program them properly. Should I get rid of the VLANs and install cabling to do the floor interconnecting work?
Getting forward, I was thinking: could I perhaps simplify cabling and/or the configuration of my firewall, by following one of the following scenarios? Please do take into account that I have never configured/used VLANs on my FreeBSD system:
Scenario 1: this is doable I believe. Replace the 3 switches (LAN, DMZ, WAN) connected to my pc with a single managed switch. Distribute the switch ports to 2-3 VLAN groups (LAN=1, DMZ, WAN). Use a single network cable to carry 802.1q tagged traffic to my basement Cisco gigabit switch and then split traffic as needed. The only disadvantage I see in this scenario is that if something goes terribly wrong on the managed switch, it will be impossible for my colleague to replace it. As it is right now, if a switch fails, it would be easy to replace it with a small (5- or 8-port) non-managed switch.
Scenario 2: I am not sure whether one could do this or not: the idea is to have a single NIC instead of 3 and then establish (somehow?) 2-3 VLANs on this NIC. I'm discussing the possibility of 2 instead of 3, since LAN traffic belongs on the native VLAN. A managed switch will still be needed, but at least I'll be needing a single NIC.
Which scenario would you recommend? One of the two mentioned above, or something completely different?
Thanks for taking the time needed to read this lengthy message, much appreciated.
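Scenario 2 is possible on FreeBSD with the em driver: the parent interface keeps the untagged LAN, and rc(8) creates one vlan(4) child per tagged segment. The following /etc/rc.conf fragment is a constructed example added here, not from the original post; the VLAN IDs 10 and 20, the addresses, and the pf macro names are assumptions.

```shell
# /etc/rc.conf fragment (constructed example): one Intel em NIC carrying
# untagged LAN plus two 802.1q tagged VLANs for DMZ and WAN.
# VLAN IDs 10 and 20 and all addresses are assumptions; pick your own.

# Parent interface: carries the untagged (native, VLAN 1) LAN traffic,
# so it keeps the address the current LAN NIC has today.
ifconfig_em0="inet 192.168.1.1 netmask 255.255.255.0"

# Ask rc(8) to create em0.10 and em0.20 at boot (VLAN IDs, space separated).
vlans_em0="10 20"

# DMZ on VLAN 10: the dot in the interface name becomes an
# underscore in the rc.conf variable name.
ifconfig_em0_10="inet 172.16.0.1 netmask 255.255.255.0"

# WAN on VLAN 20: the upstream device hands out an address via DHCP.
ifconfig_em0_20="DHCP"

# pf keeps working against the new names; in /etc/pf.conf the macros
#   lan_if = "em0"
#   dmz_if = "em0.10"
#   wan_if = "em0.20"
# replace the three physical interface names used today, and the existing
# per-interface rules stay unchanged.
pf_enable="YES"
pf_rules="/etc/pf.conf"
```

On the switch, the port facing em0 carries VLAN 1 untagged and VLANs 10 and 20 tagged, and the WAN VLAN should be allowed only on that port and on the port the WAN device is plugged into, so no other access port can reach the untrusted side.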