Suggestions for firewall please

Hello :)

I need some advice please, starting to get a wee bit frustrated with my network setup

I run a Fritzbox in the kitchen that is my modem, internet comes in there. I then run a network cable to my loft where I have a little Unifi USG 3port as the router/firewall that then goes into an unmanaged POE switch to the rest of my network (NAS, Unifi AP, HA etc). I want to replace the USG and let the Fritz do the routing bit, seeing as I am stuck with it, but I want to run a firewall for VLANs and managing the Unifi AP etc.

I am not going to buy a big massive Dell server that eats 100w a day of power, that is completely out of the question. I found that with the USG in place, I battle on Discord servers and internet browsing, without it, internet is perfectly adequate but, without, VLANs and all that fall apart.

Looking for what you guys run as firewalls or how you have your networks set up etc please.
 
What features do you want your 'firewall' to have? Both hardware and software. Also, what aspect of the USG device is causing a problem or limiting what you want to do?

Is there a bottleneck? Does it use 100MbE interfaces? Is it end-of-support and riddled with vulnerabilities?

I found that with the USG in place, I battle on Discord servers and internet browsing, without it, internet is perfectly adequate but, without, VLANs and all that fall apart.
I'm not really following this sentence. Are you saying you do have VLANs and they are only supported in your setup when using the USG?

You need to have a firewall/router that can treat each interface (or in the case of consumer devices, LAN interfaces) separate to each other. That will require the ability to customise the routing table for different LAN-side subnets and also needs to support VLAN tagging. You could also think about using a managed switch to support VLANs, thereby separating traffic LAN-side.

I'm waiting to see what SRM 1.3 offers in the updated VLAN support (it already has customised routing). But I can't offer advice on other consumer level kit; business grade kit will do all you need but many features above stateful firewall, network/routing, and [probably] VPNs will often require a subscription.


As for my setup: it sounds quite similar to what you have. A Virgin Media Hub 5 (woot! it has WiFi 6 and 2.5GbE) used in bridge mode (pfft! no use for new features) cabled to RT2600ac. That then connects wired to TP-Link managed switch. On SRM 1.2 there is only VLAN support for default '0' and Guest '1733', which I have set up tagging on the switch. Then everything else hangs off the switch: meshed MR2200ac; NASes; Macs; etc.

As I said, I'm waiting to see what the trailed new VLAN features will be like in SRM 1.3.
 
Very confused here also. The USG can do VLANs for routing purposes and with the ports on the USG setting VLAN config is easily achieved:


You can even create routing rules between the VLANs in the USG. The sticking point will be how you configure the AP's SSID to VLAN / Network mappings. I would suggest you remove the unmanaged switch and put a layer 2 switch in its place; the Unifi 8 port poe lite is a nice box if you need more ports than the 16 port poe lite. Then you can power the APs and have port by port VLAN configs.
 
