Usually I just lurk and am able to find what I need, or enough information to make a decision, but I'm stumped on this one.
First
I need help deciding on a firewall. Plan is to use OPNsense, and all the recently reviewed products and threads here have been helpful but have also caused me a lot of confusion. The plan for the overall network starts in the garage (where my server is): Modem --> Router --> 10G SFP+ L2+/L3 switch --> Server/Blue Iris/out to rest of house. For reference my current connection speed is 2000 down / 200 up, and I'm trying to build for the eventual 10G deployment.
Firewall/Router requirements:
2.5G ports (for the uplink from the current modem)
10G SFP+ ports
Ability to handle VPN traffic (for when my family is away and I'm the offsite backup for a friend)
The C3758R platforms seem nice (in 1U, so probably the Qotom), and QAT is a plus, but from reading I don't think it will be all that helpful in the end (seems like the implementation is too old to actually accelerate VPN traffic under WireGuard). The n305 boxes (GoWin 1U) also seem nice, but the constant hardware revisions concern me. Then there is the Minisforum MS-01, which seems absolutely overkill, but is also useful for other things and easily repurposed later. The plan was to run bare metal, but it seems like at least running Proxmox as the base for backups would be best, and in the end it would allow me to run a few more things once I'm comfortable with a virtualized router/firewall setup.
My confusion comes into play with how much processing power I actually need. Everyone seems concerned with routing VLANs (which I will be setting up for all the standard stuff: IoT/guest/IP cams/etc.), but isn't that better handed off to the switch anyway, leaving the router to just handle internet traffic? I can't see any reason for my internal traffic to need to go through the router with a proper switch capable of routing VLANs. I'd like to turn on all the extra security features, but I probably don't need that much. I also don't want to be feeling the pinch and need to purchase a new router in a couple of years.
So unless I'm confusing something here, the C3758R or the n305 should handle everything just fine on the router/firewall side, though with slower VPN performance than an i9 MS-01 (assuming no Suricata/Zenarmor).
The closest thing I've seen with posted numbers is the Protectli boxes, but at the time of writing this, they don't have updated numbers for the new Vault VP6670 which seems to be the closest comparison to the MS-01.
Power usage isn't a big concern, though I can see the appeal of a low-power setup (the server, a dual E5-2650 v2 with 24 HDDs, idles at 270 watts and is slated for eventual replacement). Cost isn't too big of a concern either; the total budget for redoing the network is $2500-$3000 (IP cams, PoE switches, and everything associated with the security side are a separate budget).
Second
I need switch recommendations. Right behind the router the plan is an SFP+ aggregation switch, L2+/L3 (like the TL2-F7120), so that it can handle all the talk between VLANs without having to send it to the router. Everything in the rack will be hooked up with fiber (or DAC), plus a single transceiver to connect the media cabinet that is on a Cat6A run. A web GUI is a must: I haven't programmed a switch in over a decade at this point, and with a new baby, time to (re)learn a skill is limited. I'd like to keep all the switches (and therefore the interfaces) the same for ease of management (since they should all be managed).
The only other switch I'll need is something 10GBase-T to place in my media cabinet for the home theatre stuff, an AP (yet to be determined, but Wi-Fi 6 with a 2.5G PoE+ uplink), and then maybe from there it might hop into the attic on that side of the house for those cameras. Something with 2.5G ports and 10G uplinks would work; a PoE injector can be used for the AP, and a second 10G link can run to the switch for the cameras. Something like the TPE-3102WS, so it just has the power already?
I don't want to be paying licensing to use the hardware either. So while I typically buy a ton of stuff from eBay, if it's enterprise grade and I'll need to pay to keep using it, count it out.
If I've missed something please let me know; I think I've thought this all through, probably too much. I did price out a Unifi setup, and while it is slick looking, with single-pane management, and within range, I just don't like the walled-garden nature of it. Getting something like the UDM-SE for the 10G and 2.5G WAN ports just seemed like a waste of money, I won't be using Ubiquiti cameras (which would be required to use it as an NVR as well), and I'm not sold on their APs.
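An added illustration, not part of the original post or of any product's documentation: a hand-written pf.conf fragment in the style of the rules OPNsense generates for a "router on a stick" layout, where the VLANs are tagged up the SFP+ trunk and the firewall holds a sub-interface per VLAN. The interface names, VLAN IDs, subnets and the NVR address are assumptions. The point it makes about the switch-versus-router question above: these rules only ever see traffic that actually transits the firewall. If the L3 switch does the inter-VLAN routing, IoT-to-LAN or camera-to-anything frames never reach the router, and the isolation then rests entirely on whatever ACLs the switch offers, which are stateless and usually far coarser than this.

```pf
# Added example (not from the post): VLAN isolation on the OPNsense box itself.
# Interface names, subnets and the NVR address below are assumptions.
wan   = "igc0"            # 2.5G port facing the modem
lan   = "vlan10"          # trusted LAN, tagged on the 10G SFP+ trunk
iot   = "vlan20"
guest = "vlan30"
cams  = "vlan40"          # IP cameras; only need to reach the NVR
nvr   = "10.0.10.20"      # assumed address of the Blue Iris host on the LAN

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Translation rules must precede filter rules in this pf dialect.
nat on $wan inet from <rfc1918> to any -> ($wan)

# Default deny: every pass below is an explicit exception.
block log all

# All segments may use the router itself for DHCP and DNS ("self" = the
# firewall's own addresses). "quick" stops evaluation at the first match.
pass in quick on { $iot $guest $cams } inet proto udp from any to self port { 67 53 } keep state
pass in quick on { $iot $guest $cams } inet proto tcp from any to self port 53 keep state

# Cameras: NVR only. No internet, no other VLANs.
pass  in quick on $cams inet from $cams:network to $nvr keep state
block in quick on $cams inet from $cams:network to any

# IoT and guest: internet only. Anything aimed at private space is dropped,
# which is what keeps an IoT device from reaching the LAN or the cameras.
block in quick on { $iot $guest } inet from any to <rfc1918>
pass  in on { $iot $guest } inet from { $iot:network $guest:network } to any keep state

# Trusted LAN may initiate to anything, including IoT and cameras;
# the state table lets the replies back without a matching rule on the far side.
pass in on $lan inet from $lan:network to any keep state

# Egress for whatever was admitted above.
pass out on $wan inet from <rfc1918> to any keep state
```

The trade-off the post is weighing is real: routing east-west traffic on the switch keeps the LAN-to-server 10G path off the firewall's CPU, but every flow that bypasses the router also bypasses the rules above. A common compromise is to let the switch route only between the segments that should be mutually trusted (say, LAN and the server VLAN) and to put the switch's default route, plus the IoT/guest/camera gateways, on the firewall so those segments still hit stateful policy.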