Looking for switch recommendations.

zara654

New Member
May 15, 2021
I’m looking to lock down my network by segregating all of my computers in case someone gets in. I had picked up one of these, and found it a bit lacking for the price. Wasn't aware it was ten years old, and the web GUI was so lacking. (Firefox 5.0.1 was not fully supported.) I'm fine in the command line, but would prefer a web GUI for getting the switch up and running, and then go to CLI for more advanced features, and locking security down. I also don't completely trust Cisco, as they've had issues with back doors.

All of the computers behind it need at least gigabit. I would like jumbo frames support, and the ability to bond two ethernet connections on a few. I’ll have gigabit internet, and probably upgrade that. These machines don’t need to communicate between each other mostly, though. I might want to use a few for distcc, but I don’t believe going above gigabit would improve performance for that.

VLAN-wise I need at least six. I’m splitting up to ten computers into different VLANs (maybe more), and will have a GT-AX11000 behind one of the VLANs with my personal computer and entertainment stuff connected through it. I have a cheap switch connected to the router for expanding to more devices that don't need all that much bandwidth. The second VLAN is for a honeypot running on a Raspberry Pi. The third VLAN is for a Qubes system.

The fourth VLAN will have at least two computers, but probably up to ten eventually. I might split the ten computers into multiple VLANs depending on what each gets used for. Network performance needs low latency for these machines. On the fifth VLAN I’ll have at least one Raspberry Pi running a node for a search engine, and might expand that up to multiple Raspberry Pis or even a server eventually. Having support for a sixth VLAN just seems like a good idea for growth of the network.

I should not need PoE.

Currently, looking at Netgear. How does this compare to their more expensive models? What features am I lacking for that severe price drop?

This switch is going to be what's directly connecting to my modem, and acting as a firewall too. Any models with quality firewalls built in? Should I have another machine and vlan for running a third party firewall? How many ports would you recommend I get?

im.thatoneguy

New Member
Oct 28, 2020
> This switch is going to be what's directly connecting to my modem, and acting as a firewall too.
You probably don't want your Modem performing NAT\Firewall. I would look at something like an Ubiquiti ER-X ($59) handling DHCP, routing, VLAN Tagging and NAT. EdgeRouter X

Then cheap managed switches where needed depending on topology and bandwidth needs. e.g. this tplink ($29.99).

zara654

> You probably don't want your Modem performing NAT\Firewall. I would look at something like an Ubiquiti ER-X ($59) handling DHCP, routing, VLAN Tagging and NAT. EdgeRouter X
>
> Then cheap managed switches where needed depending on topology and bandwidth needs. e.g. this tplink ($29.99).
I definitely don't want my modem doing NAT/Firewall. That's what I want the switch to act as. My understanding is I might need to add another computer to the switch to handle the firewall. I'd prefer to have a switch that runs the firewall, though. Currently, using this as my firewall.

I need at least 8 ports, as I'm going to be link bonding, and want the switch to scale up to at least six vlans. This is for a cryptocurrency operation, and I will definitely be attracting hackers. I'm fine with using an enterprise level switch. The prices just get crazy expensive quick, and I want to make sure I'm buying something worth the cost for my needs, and something that can scale up as I put more computers on the network.

im.thatoneguy

If you're an attractive security target and not needing high bandwidth... all the more reason to deploy a separate firewall\security appliance\router with Deep Packet Inspection/Intrusion Protection. Even an enterprise L3 switch's firewall is going to be both underwhelming in performance and features. I would invest in a good security appliance\router\gateway and save the switch for the switching. Maybe a pfSense or OPNsense box at the least.

You don't need a port for every VLAN on the router unless you're directly attaching each machine to the router. But that's what the switch is for. Your router would have a trunk link to the router\security appliance in which all of the tagged traffic flows to the router and it can route based on VLAN, then tag the sorted traffic appropriately and kick it back to the managed switch over the trunk link, and the managed switch divvies up the packets based on their VLAN tag. So in a lot of situations your router might be connected to the network through a single trunk. But that port could have thousands of VLANs flow in and out through the single connection. VLAN routing\static routing\DHCP relaying performance is often a lot of what you're paying for on an L3 enterprise router to take the load off of a central router. You're mostly thinking of Option 1 but check out Option 2 and 3: InterVLAN Routing: 3 options - YouTube. In "Option 3" though you still need a security gateway connected to your WAN.

BTW personal opinion is that it's better to just go with faster ports than deal with port bonding. 10G gear on eBay is like $20 per NIC and DACs are practically the price of two RJ45 cables if your runs are short.

zara654

> If you're an attractive security target and not needing high bandwidth... all the more reason to deploy a separate firewall\security appliance\router with Deep Packet Inspection/Intrusion Protection. Even an enterprise L3 switch's firewall is going to be both underwhelming in performance and features. I would invest in a good security appliance\router\gateway and save the switch for the switching. Maybe a pfSense or OPNsense box at the least.
>
> You don't need a port for every VLAN on the router unless you're directly attaching each machine to the router. But that's what the switch is for. Your router would have a trunk link to the router\security appliance in which all of the tagged traffic flows to the router and it can route based on VLAN, then tag the sorted traffic appropriately and kick it back to the managed switch over the trunk link, and the managed switch divvies up the packets based on their VLAN tag. So in a lot of situations your router might be connected to the network through a single trunk. But that port could have thousands of VLANs flow in and out through the single connection. VLAN routing\static routing\DHCP relaying performance is often a lot of what you're paying for on an L3 enterprise router to take the load off of a central router. You're mostly thinking of Option 1 but check out Option 2 and 3: InterVLAN Routing: 3 options - YouTube. In "Option 3" though you still need a security gateway connected to your WAN.
>
> BTW personal opinion is that it's better to just go with faster ports than deal with port bonding. 10G gear on eBay is like $20 per NIC and DACs are practically the price of two RJ45 cables if your runs are short.
Yeah, I just need fast ports. I'd like port bonding as an option for speeding up writes across the network. Just don't want the network to be the bottleneck. Would it be safe security wise to back up all of these machines to a backup server on another VLAN? Would I need a backup server per VLAN?

Going to look into a PFSense box. My AX-11000 is a pretty good router, but I think I'll turn that into a wireless access point. DD-WRT doesn't support it either.

zara654

OK, so I probably want a Netgate box acting as a router and firewall (should I get two, and have them each handling separate duties for performance reasons?) that splits off into a switch. The router assigns the VLANs to the switch's ports, which then splits off into separate networks. Should the switch be managed?

I'll need port bonding supported as my wireless access point supports that, and I don't want it bottlenecked when I have consoles and my computer downloading stuff. I have a cheap switch connected to the wireless access point as that's good enough, and already works for my current needs.

Just need to figure out which switch I need for supporting expansion and not bottlenecking the network. In particular that backup server, which I plan on building if all of this works out.

im.thatoneguy

One router should be fine. Yes you'll need a managed switch since you'll have to identify which ports are on which vlan.

You can tag VLANs at your NIC, but if a user can change VLAN tags then you won't get any security benefit, since a hacker with admin/root could just remotely change the NIC VLAN. Useful though for hypervisors and vswitches.

You'll also need a managed switch to bond ports for most forms of bonding.

If though your machines are in separate rooms, once you've split out the VLAN ports you can use unmanaged switches.
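A small Python model of the trunk/access-port behaviour described two posts up and of the NIC-side tagging point in this post: frames entering an access port get the VLAN the switch assigns to that port regardless of any tag the host wrote, while the single trunk to the router carries tagged frames for every VLAN. This is an added example, not code from anyone in the thread; the port names and MAC addresses are constructed, and the switch floods within a VLAN instead of learning MACs to keep it short.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vid, ethertype, payload); vid is None if untagged."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]  # low 12 bits of TCI are the VID
    return dst, src, None, etype, frame[14:]


def build_frame(dst, src, ethertype, payload, vid=None):
    """Build a frame, inserting an 802.1Q tag (PCP and DEI zero) when vid is given."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return struct.pack("!6s6s", dst, src) + tag + struct.pack("!H", ethertype) + payload


class ManagedSwitch:
    """Access ports carry one untagged VLAN each; trunk ports carry tagged frames for many VLANs."""

    def __init__(self, access, trunk):
        self.access = access  # port name -> VID assigned by the switch admin
        self.trunk = trunk    # port name -> set of VIDs allowed on the trunk

    def forward(self, in_port, frame):
        """Return {out_port: frame} for a frame entering on in_port, flooded within its VLAN."""
        dst, src, vid, etype, payload = parse_frame(frame)
        if in_port in self.access:
            if vid is not None:
                return {}  # host-supplied tag on an access port: drop, the port decides the VLAN
            vid = self.access[in_port]
        elif in_port not in self.trunk or vid not in self.trunk[in_port]:
            return {}  # untagged frame or disallowed VLAN on a trunk: drop
        out = {}
        for port, pvid in self.access.items():
            if port != in_port and pvid == vid:
                out[port] = build_frame(dst, src, etype, payload)       # untagged to access ports
        for port, allowed in self.trunk.items():
            if port != in_port and vid in allowed:
                out[port] = build_frame(dst, src, etype, payload, vid)  # tagged toward the router
        return out
```

Hosts in different VLANs only ever reach each other through the tagged trunk, which is what puts the router\firewall in the path for every inter-VLAN conversation.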

zara654

> One router should be fine. Yes you'll need a managed switch since you'll have to identify which ports are on which vlan.
>
> You can tag VLANs at your NIC, but if a user can change VLAN tags then you won't get any security benefit, since a hacker with admin/root could just remotely change the NIC VLAN. Useful though for hypervisors and vswitches.
>
> You'll also need a managed switch to bond ports for most forms of bonding.
>
> If though your machines are in separate rooms, once you've split out the VLAN ports you can use unmanaged switches.
Yeah, definitely unmanaged. I'm basically adding two expensive devices to my network, and everything else can be fairly cheap. Can figure out unmanaged switches later when I expand. Thanks for the help.

I get a tax write-off for buying all of this computer stuff to play with. Might as well have fun.