Thank you.
I’ve just sketched the fibers. (I’m still yED’ing the whole plot.)
See every dot as an unmanaged L2 switch with 2 SFP / 4 or 8 Ethernet ports. They’re all DIN rail and PoE.
Connected (typically) to such a switch are a) wired IP phones and b) some cAP (lite, hAP ac3, Omni5).
The big circle just connects many fibers but is also unmanaged. It should not be considered a root or star point.
The DSL modem is a business-grade modem with an internal PBX. Other people let it manage their whole business network. (DTAG/Elmeg/Zyxel)
The routing throughput can be said to be sufficient.

For me it’s a dumb backbone where I can reach out from the network side to all my devices (web interfaces). Everything has fixed IPs.
Prohibiting access to these web interfaces from VLANs is a matter of firewall or switch settings.
I tend to make this also a VLAN, so that if someone plugs in (DJ aka script kiddies) nothing happens in the first place.
But note, since they’re all on the same L2 network, I can (and want to) give out the DSL as gateway in DHCP, since all cAPs can reach it. This is where some basic load balancing should happen, by sending the Omni5 traffic (public only) to a different GW than the rest of the shop.
For now I’ll have my DHCP servers somewhere on a cAP, and DNS depends on the VLAN.
In future I’ll put at least one Ubuntu server also onto this network to serve internal web and DAV to the corporate VLAN, plus all the DHCP servers and a RADIUS. But for now a cAP will do fine.
However, what I do not understand:
Why should I put all the traffic onto one hAP ac3 cAP, process it there and then pump it back through the same fiber to a DSL gateway/router?
Especially if the throughput of the box is made for business.
With local forwarding and access control/filtering between the VLANs, the user data can go out directly to the DSL.
It travels over the fiber only once, and from all routers/cAPs there is only one hop to the GW or to the WAN side of another cAP.
All networks exist happily on the LAN side of a cAP router/switch, and there is nothing on the WAN side of any device that a normal user must access.
Only in the corporate VLAN will it be necessary to reach clients in other segments (aka behind some router on that backbone).
I do not see the necessity for a centralized router on one ac3 when the same result can be achieved without it.
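As an added example (not from the post or anyone in the thread), this is what the local-forwarding setup described above could look like on one hAP ac3 running RouterOS v7: VLANs on the LAN side only, DHCP per VLAN handing out a VLAN-dependent gateway and DNS, the DSL modem as the default route with the public VLAN policy-routed to a second uplink, and forward/input filters that keep the public VLAN away from the backbone web interfaces and from the other VLANs. Interface names, VLAN IDs, addresses and the second uplink are assumptions.

```routeros
# Added example, not from the post: one cAP (hAP ac3, RouterOS v7) doing local
# forwarding for its own VLANs straight to the DSL gateway on the fiber backbone.
# Assumed names/addresses: ether1 = backbone (WAN side) 10.0.0.0/24 with the DSL
# modem at 10.0.0.1 and a second uplink at 10.0.0.2; ether2 = corporate wired port,
# wlan1 = public SSID; VLAN 10 = corporate 192.168.10.0/24, VLAN 20 = public 192.168.20.0/24.
# Each cAP would get its own pair of /24s so the corporate VLANs stay routable across the backbone.

/interface bridge
add name=bridge-lan vlan-filtering=no comment="enable vlan-filtering last, see bottom"
/interface bridge port
add bridge=bridge-lan interface=ether2 pvid=10
add bridge=bridge-lan interface=wlan1 pvid=20
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=bridge-lan untagged=wlan1 vlan-ids=20
/interface vlan
add name=vlan10-corp interface=bridge-lan vlan-id=10
add name=vlan20-public interface=bridge-lan vlan-id=20

# Fixed IP on the backbone; the VLANs live on the LAN side only.
/ip address
add address=10.0.0.11/24 interface=ether1
add address=192.168.10.1/24 interface=vlan10-corp
add address=192.168.20.1/24 interface=vlan20-public

# Default route is the DSL modem: one hop over the fiber, no detour via a central router.
# Public traffic gets its own routing table pointing at the second uplink (the "basic load balancing").
/routing table
add name=via-gw2 fib
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1 comment="DSL modem"
add dst-address=0.0.0.0/0 gateway=10.0.0.2 routing-table=via-gw2 comment="second uplink, public only"
/ip firewall mangle
add chain=prerouting in-interface=vlan20-public dst-address=!192.168.0.0/16 \
    action=mark-routing new-routing-mark=via-gw2 passthrough=yes

# DHCP per VLAN: gateway and DNS depend on the VLAN.
/ip pool
add name=pool-corp ranges=192.168.10.100-192.168.10.199
add name=pool-public ranges=192.168.20.100-192.168.20.199
/ip dhcp-server
add name=dhcp-corp interface=vlan10-corp address-pool=pool-corp disabled=no
add name=dhcp-public interface=vlan20-public address-pool=pool-public disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.1

# Only the public VLAN is NATed; corporate is routed unchanged so corporate clients
# behind the other cAPs stay reachable (the DSL modem and the other cAPs then need a
# static route back to 192.168.10.0/24, not shown here).
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=192.168.20.0/24 action=masquerade

# Access control between the VLANs and towards the backbone.
# Public may only leave via ether1; it never reaches the management subnet
# (switch/cAP web interfaces) or another VLAN. Corporate may go anywhere.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=vlan20-public dst-address=10.0.0.0/24 \
    comment="public -> backbone web interfaces"
add chain=forward action=drop in-interface=vlan20-public dst-address=192.168.0.0/16 \
    comment="public -> any other VLAN"
add chain=forward action=accept in-interface=vlan20-public out-interface=ether1
add chain=forward action=accept in-interface=vlan10-corp
add chain=forward action=drop comment="default deny"
# The cAP's own web interface: public clients only get DHCP and DNS from this box.
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=vlan20-public protocol=udp dst-port=53,67
add chain=input action=accept in-interface=vlan20-public protocol=tcp dst-port=53
add chain=input action=drop in-interface=vlan20-public

# Last step, once the bridge VLAN table above exists (doing it earlier can lock you out):
/interface bridge
set bridge-lan vlan-filtering=yes
```

Two things to check before copying this onto a real box: enable `vlan-filtering` only after the bridge VLAN table and the management path are in place, and remember that the un-NATed corporate subnet of every cAP needs a return route on the DSL modem (and on any other cAP that must reach it), otherwise replies from the backbone side never come back.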