HW-accelerated routing & firewall

Currently I have CRS326-24S+2Q+ which I would like to use for HW Accelerated Bridging at Wire Speed and use filtering and stateless inspection with connection tracking. I have upgraded it to RouterOS 7.1.3 and I want to optimize both wire speed and security.

I do have concerns on whether this is secure enough but willing to give it a try.

However, due to my security concern and as noted in the documentation, we can’t have firewall stateful inspection rules also HW accelerated in the same device, and I am currently limited to one Bridge for HW off-loading.

Q1: Is it possible to add a CRS309-1G-8S+IN and use that for using HW accelerated stateful FW rules between the VLANs/Network Segments at Wire Speed?

The proposed approach would be to use the QSFP+ ports with a break-out cable to BOND multiple CRS309 SFP+ ports to accomplish near wire speeds.
Q2: Or would a dedicated Mikrotik Router be able to accomplish the wire speed routing and use the CRS326-24S+2Q+ for dedicated FW Rules offload processing?

I have looked at the routers from Mikrotik and it would seem for the cost my 3rd option might be better if the first one does not work?
Q3: Or would two CRS326-24S+2Q+ be a better approach using one for FW Rules offload processing?

My Internet Firewall is a Firewalla Gold Plus which has helped me thus far in securing my network with very few performance issues and a nice mobile interface to look at traffic/rules/filter/security/vlans, etc…

The reason I ask this is because just using VLAN filtering/etc does not seem to be as secure as an actual FW using stateful inspection. Perhaps I am old school but it would seem to me I can simply hijack a workstation on the internal network, change the IP address and add whatever VLAN Tag I want on the packet to breach simple VLAN filtering and stateless inspection with connection tracking? Also using stateless I have to have rules for the return traffic also, don’t I?

I am actually not being paranoid, as a work computer which was on the same network when I had a simple flat one was hacked via the company network and then in turn hacked my entire network. Due to my work and complex home/work configuration they eventually even hacked my Apple devices. And yes, Apple was surprised this occurred and so was Verizon, because I was targeted. This in turn is the reason why I am over-segmenting and paying very specific attention to keeping this from ever happening again and, if it does, to isolating it. Some may call it using an overkill of networking/security but I am trying not to take speed hits in the process.

Before you ask, yes I have a need for the extra speed as I have a very diverse and complex setup in my home/home office.

It is also somewhat of an exercise in learning some of the newer networking technologies as I also work in IT.

Thanks in advance.

I think you’re mixing up form and function.
The MT Device is a switch and you clearly stated you have an upstream firewall that takes care of firewall rules etc., so not sure what the issue is?

It’s a switch so Wire Speed should be a given.
Security wise, are you asking what additional security functionality the MT device can provide ON TOP of what your firewall already does?
Well, not much at L3, because the device is a switch not a router; although it could be used as a router, you would then lose wire speed.

The focus on security should be your firewall, which is handing out DHCP, correct? There are ways so that new DHCP IPs are not handed out and only existing static IPs on an ARP list can connect to the network, etc. Isolating users into vlans so that untrusted users cannot connect to anything but the internet is typical as well; vlans from the get-go segment subnets from each other at L2, and the firewall should do the same at L3.

My two cents, others are far more conversant with what the switch may be capable of…

Thanks for your feedback!

There are multiple firewalls in a typical corporate/branch office environment. When you are referring to “My Firewalla” it is performing the DMZ/Internet firewall function only. It handles ingress/egress FW (stateful) inspection to/from the public internet as well as the 4 direct attached network ports. However, inside a corporate/office network there are usually internal firewalls/secure network segmentation devices as well to protect yourself from perhaps a compromised server/desktop/laptop/system. This very thing happened to me and is still happening to devices which are currently offline on my network.

My goal is twofold - first to build out a similar DMZ/Internet firewall and Internal Switch/Bridge which is just as secure without having to buy additional firewalls (which do not do wire speed). Second to do this @ wire speed if possible. In other words a poor man’s version of a traditional corporate secure infrastructure.

So yes “My Firewalla” is a DMZ firewall for ingress/egress traffic but it will not do the following:

  1. Network Segmentation/Security @ wire speeds
  2. Scale to support the bandwidth required to do stuff like video streaming segmentation/security
  3. Only has three physical 2.5gb internal network ports

As far as DHCP, DNS, Firewall (Stateful), I would think I might not use it for all VLANs/LANs & use the CRS326-24S+2Q+ for at least some of this for the following reasons:

  1. It won’t scale/perform at wire speeds.
  2. There will be some VLANs which I might not want to expose on that Internet/DMZ router for internal use only
  3. Traditionally it is usually best practice to put these additional services closest to the end points as possible

Since network bandwidth/CPU is usually the limiting factor I would not use the Firewalla to do VLAN/VLAN or LAN/LAN stateful inspection and secure segmentation as it would not scale for both.

This is where the CRS326-24S+2Q+ switch comes in and where my questions come from. I do not want to have to buy another similar firewall; I want to use the capabilities of this switch and/or multiple switches/routers to do network/security segmentation from LAN/LAN & VLAN/VLAN @ wire speed. The Mikrotik platform has been the first platform that actually provides this at a consumer price point.

My requirements are nearly met by the current Mikrotik platform except for what I see as two major gaps:

  1. Multiple bridge HW offloading on the same switch
  2. Both FW (stateful) & VLAN Bridging/Routing w/HW Offloading @ wire speed at the same time

Right now my current CRS326-24S+2Q+ can do the following:

  1. Single Bridge HW offloading per switch
    Note: My assumption is that this Single Bridge limitation would require additional CPU chips as well as channels to accomplish, most likely one per bridge, and that probably does not fit in with the company’s roadmap until prices come down some more.
  2. FW (stateless) inspection or VLAN Bridging HW offloaded @ wire speed, but not at the same time

So my question was referring to how do I potentially combine other Mikrotik products to accomplish my goal.
So the following potential scenarios:

  1. CRS326-24S+2Q+
    a) Single Bridge HW offloading
    b) VLAN Bridging/Routing w/HW Offloading @ wire speed
    2) Add another Mikrotik device
      a) Smaller Mikrotik switch CRS309-1G-8S+IN - FW (stateful) inspection w/HW Offloading @ wire speed
        i) Using 4 x SFP+ (10gb) ports to the QSFP+ (40gb) on the CRS326-24S+2Q+
      b) Mikrotik Router CCR2116-12G-4S+ - Bridging/Routing w/HW Offloading @ wire speed
        i) Using 4 x SFP+ (10gb) ports to the QSFP+ (40gb) on the CRS326-24S+2Q+
      c) Add another CRS326-24S+2Q+ switch - FW (stateful) inspection w/HW Offloading @ wire speed
        i) Using QSFP+ (40gb) port to the QSFP+ (40gb) on the first CRS326-24S+2Q+
  2. Try to accomplish everything on the CRS326-24S+2Q+ switch
    a) Get some guidance on locking down as much as possible using the existing limitations
  3. Other options - I am open to other suggestions as well

Hopefully that clarifies the questions; I look forward to further feedback.

Please remember that this is not a home network, as I actually work/support from my home office. It is both a home and branch office network with similar requirements.

Thanks