On Sun, 28 Nov 2021 07:20:14 -0600 o1bigtenor via Dng <dng@lists.dyne.org> wrote:
> Greetings
>
> In anticipation of a fiber optical connection (moving from a wireless) I
> have been planning out and purchasing some bits of hardware. Am finding
> that networking is, at least sure seems to be, another black hole for time
> and effort.
>
> TL;DR (skip to last paragraphs for the question(s))
>
> At present this is a soho office kind of installation but that will slowly
> be morphing into something that is at least somewhat larger. There are a
> number of input sensor locations being worked on some of which would be
> generating, initially at least, up to 15 data streams sampled possibly
> every second (some maybe more often - - - decisions aren't all done as yet)
> so there will be a fair amount of data running around on my network which
> I'm trying to keep largely a wired affair.
>
> At this point I'm working on the three entry bits of hardware (and their
> software) - - - the router, hardware firewall, and the managed switch. The
> initial hookup on the fiber system is going to be at 250 Mbps symmetric.
>
> For the router I'm planning on using OpenWRT running on a NanoPi R4S which
> according to the folks over on openwrt is capable of even very close to full
> Gbps speeds (IIRC tested to some 918 Mbps) which would give some headroom
> for future increases although I don't see a need for the foreseeable
> future.
>
> For the switch I have found myself a Zyxel 1900-48 that I'm working on
> getting OpenWRT on. This ability to run a managed switch on OpenWRT is
> somewhat new but it's open source and I'm not tied (I don't think) to
> OpenWRT - - - - except I don't know any other real alternative - - - so
> that's not a difficult solution either. I don't 'need' 48 ports but I have
> 16 at present on a hub and it's almost full and that's for stuff only here
> in the orifice (sic!). I also want the capabilities of forcing streaming
> services and wireless communications to not collect any more data from any
> other part of the network (using VLANs) as is possible.
>
> Then lastly to the hardware firewall.
> I've been looking at pfSense and OPNsense. Both are IPv6 possible although
> both are mostly focused on IPv4 at the present. IPFire seems to have gotten
> itself into a holding pattern and is not continuing work toward IPv6
> functionality. Any one of these options are producing headaches when I'm
> trying to figure out how to configure them - - - nothing installed at
> present, just researching so far.
>
> So - - - - questions - - - -
> 1. is my splitting the network system into the three parts a good idea or
> should I truncate parts 1 and 2 into the router? If you would please give
> reasons - - - please?

Hi,

If you want to have reliability, splitting is good: if the router breaks you
still have a working firewall and switch and so on. If you also want some
redundancy you should think of buying two of everything: 2 routers,
2 firewalls, 2 switches (2 x 24 rather than 1 x 48 ports).

I personally prefer x86 hardware for this kind of thing; when I see little
boxes like the NanoPi R4S they make me think about toys. In my case sadly
I'm tied to ADSL over POTS, so for the modem I still need to use these little
plastic black boxes. In your case I would swap the NanoPi for a nice
mini-ITX board with Intel NICs, an SFX/Flex PSU (or pico PSU), 4-8 GB of RAM
and a well ventilated case (with low-noise Noctua fans).

> 2. are there any good sources for information on and about networking?
> debian has moved to nftables from iptables - - - is devuan doing
> similar?

I think so.

> Where does one find information to enable a firewall that works yet
> isn't stupid?

I use arno-iptables-firewall. It is easy to create a basic setup for your
network, it is reliable, comes with good defaults and can easily be tweaked
(for port-forwarding, VPNs, GeoIP filtering and so on; I don't know about
VLANs as I don't use them yet).

> (I've wondered about having some kind of easy 'switch' that when users left
> their systems that the system wouldn't be calling home in the overnight at
> least a la ms googly. Dunno if that's 'simple' or not - - - so much to
> learn and so little time to do it all in!)
>
> TIA

Ciao,
Tito

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
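Added example, not part of Tito's reply and not an arno-iptables-firewall configuration: a minimal nftables ruleset (the syntax Debian and Devuan now ship in the nftables package) that does the three things asked about in the thread, namely a default-deny firewall on the router, VLAN isolation so the streaming/wireless VLAN can reach the Internet but never the office VLAN, and an easy "switch" that stops chosen hosts from calling home overnight. Everything concrete in it is assumed: the WAN interface eth0, the tagged VLAN sub-interfaces eth1.10 (office) and eth1.20 (streaming/IoT), the 192.168.10.0/24 office subnet, the 07:00-23:00 window and the placeholder MAC address in the quiet_hosts set.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the original post). Interface names, VLAN
# IDs, subnet, hours and the MAC below are assumptions; adjust to your site.
flush ruleset

define WAN = "eth0"          # fibre uplink
define LAN = "eth1.10"       # trusted office VLAN 10 (802.1Q sub-interface)
define IOT = "eth1.20"       # streaming / wireless VLAN 20
define LAN_NET = 192.168.10.0/24

table inet filter {
    # The "switch": hosts in this set get no Internet outside 07:00-23:00.
    # Toggle at runtime without reloading the ruleset:
    #   nft add    element inet filter quiet_hosts { aa:bb:cc:dd:ee:ff }
    #   nft delete element inet filter quiet_hosts { aa:bb:cc:dd:ee:ff }
    set quiet_hosts {
        type ether_addr
        elements = { 02:00:00:00:00:01 }   # constructed placeholder MAC
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        meta l4proto { icmp, icmpv6 } accept      # PMTU, ND, RA need these
        # The router serves DHCP and DNS to both VLANs ...
        iifname { $LAN, $IOT } udp dport { 53, 67 } accept
        iifname { $LAN, $IOT } tcp dport 53 accept
        # ... but is managed only from the office VLAN, from its own subnet
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept
        limit rate 5/minute log prefix "input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Overnight egress block for quiet hosts. Logging and dropping are
        # separate rules on purpose: a rate-limited "log drop" rule stops
        # matching once the limit is exceeded and the packet would fall
        # through to the accept rule below.
        iifname $LAN oifname $WAN ether saddr @quiet_hosts meta hour "07:00"-"23:00" accept
        iifname $LAN oifname $WAN ether saddr @quiet_hosts limit rate 5/minute log prefix "quiet-host-drop: "
        iifname $LAN oifname $WAN ether saddr @quiet_hosts drop

        # Office VLAN may reach the Internet and the IoT VLAN
        iifname $LAN oifname { $WAN, $IOT } accept

        # Streaming/IoT VLAN reaches the Internet only, never the office VLAN;
        # anything else falls to the chain's drop policy
        iifname $IOT oifname $WAN accept
        iifname $IOT oifname $LAN limit rate 5/minute log prefix "iot-to-lan-drop: "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`. Two caveats worth knowing before relying on the time window: nft converts `meta hour` to UTC using the timezone in effect when the ruleset is loaded, so reload the file after a DST change; and because `ct state established,related accept` comes first, a connection a quiet host opened before 23:00 keeps flowing until it ends (flush it with `conntrack -F` at the cutoff, or move the three quiet_hosts rules above the ct state rule so outbound packets of existing flows are dropped too). The `inet` table filters IPv4 and IPv6 alike, which matters once the fibre provider hands out IPv6: the IoT VLAN then has globally routable addresses and no NAT in the way, so the forward chain's drop policy is the only thing keeping it off the office VLAN.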