L3 managed switch vs virtual firewall

Robert T. · 1 Feb 2024 at 16:25

Hi all,

Soon will be upgrading my personal computer and current one will become VMware lab only, and my personal will be general use.
I am thinking about turning one of my currently unused HP gen8 microservers into WSUS/'file server' facing internet wirn Server 2019 on it, current PC would become lab environment turned on only when I want to work on it and my main PC will be main PC..
I was thinking about putting VM Workstation on microserver to run virtual opnsense or pfsense fire4wall to protect all of it, but with 16GB of RAM on microserver - would it run..?? not sure..

So thinking - I can buy fanless managed L3 capable 8-port switch and use ACL's on it to protect microserver abit, plus make VLAN's on switch and segregate rest of network with it...

Questions:
Would it run?
If yes - Which switch to buy? are ubiquiti capable of running without any cloud 'manager' ??

ChrisD. · 1 Feb 2024 at 16:58

What's the requirements for firewalling your lab?

paradigm · 1 Feb 2024 at 16:58

I really hope you aren’t proposing to expose SMB to the internet when you say “ WSUS/'file server' facing internet”. That sounds like a recipe for trouble.

16GB of RAM should be enough for a pfsense install along with one or two other VMs (depending on size, obviously), though upgrading to more RAM will help tremendously.

Robert T. · 1 Feb 2024 at 17:42

Well, there's reason for ' before and after file server... :cry:

Not SMB, no... and I think about VLAN's and ACL's as means of near-FW capability.. hence "managed L3 switch"... now than I think about it, are there any small routers with that amount of ports? Have to admit it just came to me so not in subject.. will investigate myself as well..

Don't think Gen8 microservers can support more than 16GB, not touched on them for while, but official support was 8GB's I believe... ? Correct me if I'm wrong..?

TechMinerUK · 1 Feb 2024 at 21:10

Robert T. said:
Well, there's reason for ' before and after file server...
Not SMB, no... and I think about VLAN's and ACL's as means of near-FW capability.. hence "managed L3 switch"... now than I think about it, are there any small routers with that amount of ports? Have to admit it just came to me so not in subject.. will investigate myself as well..

Don't think Gen8 microservers can support more than 16GB, not touched on them for while, but official support was 8GB's I believe... ? Correct me if I'm wrong..?

Yeah, max supported is 16GB due to the chipset and the unit only having two slots.

As for routers with 8 ports, there are quite a few combined firewall/router units out there which will meet the criteria however if I were doing this I would have a decent firewall at the front of the network and then just VLAN the entire lab off so its completely segregated from the main network and anything that goes out to the internet is going out directly.

Robert T. · 2 Feb 2024 at 17:03

ChrisD. said:
What's the requirements for firewalling your lab?

Literally to learn their intefrace and internal workings, so basically it was "since I already have it, best way to learn it is to route real traffic through it".

Since yesterday I have put my hands on SG300-10 Cisco managed switch thou, not played with it much for obvious reasons, but it seems like it is L3 capable - rudamentary test got me pinging host across from different VLAN, so looking as it may work..

Will be putting it to work soon, as I don't have all pieces yet, but think this will do for moment... and I can always do virtual FW at later time anyways..

Thanks for help, if you have any other thoughts - put it in, there is never enough of good advice..

ChrisD. · 2 Feb 2024 at 18:41

Usually what folks do with VMware labs is to run pfSense/OPNsense or similar between the lab and their own network. In OPNsense you set up various VLANs for management, vMotion, vSAN etc. Then you can also configure BGP for the NSX Edges to peer with.

This should be a good starting point:

Building a VCF lab with pfSense (Part 1) | Datareload

datareload.com

Although I imagine you are not running VCF at home unless you have a decent amount of hardware, but if anything it should provide some decent background reading.

WJA96 · 2 Feb 2024 at 20:48

Robert T. · 3 Feb 2024 at 09:48

ChrisD. said:
This should be a good starting point:

Building a VCF lab with pfSense (Part 1) | Datareload

datareload.com

Yeah, single 8700K with 128GB of RAM will not give me that, but as a starting point - thanks a lot, will be good read. May introduce my second microserver into lab at later time, but it has only 8GB of RAM, so...

And correct WJA96 - it is not a question... fortunately, I do not need new certifications anymore to prove my knowledge, so it's a balancing act between lab complexity, usefulness, but also power consumption for 24/7 computers at home.. hard to keep it upright with all strings attached..

Rabtech · 3 Feb 2024 at 11:28

After any years of tweaking with my home lab, various non L3 managed switches etc - My advice would be NOT to virtualize your firewall and use a cheap physical old 6th Gen (or higher) i3/i5 dedicated box (Dell/HP) with a dual 1Gb/2.5Gb/10Gb NIC. Being about to reboot the VM host when you need to without disrupting the internet connection for the rest of the family is worth it. Box itself should consume less power than a reasonable router.

A L3 switch is nice for testing (if you are going down the CCNA/equivalent route) but for a set and forget lab a reasonable L2 managed switch should be fine.

WJA96 · 3 Feb 2024 at 13:38

Robert T. said:
And correct WJA96 - it is not a question... fortunately, I do not need new certifications anymore to prove my knowledge, so it's a balancing act between lab complexity, usefulness, but also power consumption for 24/7 computers at home.. hard to keep it upright with all strings attached..

The challenge back is that folks see people saying stuff like L3 switches can be configured in a near-firewall way (your phrase, not mine) and before they know it they’re sending out naked Taylor Swift images to 100,000 email addresses per minute….

Robert T. · 5 Feb 2024 at 16:49

OK, sold..

Will run one microserver as 24/7 physical FW and use additional NIC's in it to provide filtered VLAN traffic to other Windows computers inside my home..
May use L3 switch as a internal segregation for vSAN, vMotion etc once I get new PC and set up two vCentre lab..

Already installed OS's on both of them over weekend.

Avalon · 6 Feb 2024 at 17:15

My initial thought was depending on how fast the connection is and what additional packages/rules etc. you end up running, a microserver may not be the ideal choice for a firewall, so it’ll be interesting to see how you get on.

Robert T. · 7 Feb 2024 at 16:43

Have FTTP 1gbps, both servers have Intel i3-3240 2core/4threads processors and opnSense unit will have 12GB's of RAM..
I am interested myself, there's option to upgrade to 45W TDP Xeon 4c/8t CPU as well, but will see what those i3's can do.
It will not go live for few weeks thou.. need to wait until I have migrated workloads between HDD's..

Avalon · 7 Feb 2024 at 23:42

Robert T. said:
Have FTTP 1gbps, both servers have Intel i3-3240 2core/4threads processors and opnSense unit will have 12GB's of RAM..
I am interested myself, there's option to upgrade to 45W TDP Xeon 4c/8t CPU as well, but will see what those i3's can do.
It will not go live for few weeks thou.. need to wait until I have migrated workloads between HDD's..

You’ll be fine with i3’s for that, the earlier Turion II based stuff wouldn't be so much fun though.