You should be aware of the fact that inter-VLAN communication needs a router and CRS3xx is essentially not a router, meaning that the RB4011 wouldn’t only be your internet gateway/router/firewall, it would be the inter-VLAN router as well. With its routing capacity of around 2.5 Gbps it would become a single bottleneck in your LAN. Unless you plan to invest in a much beefier router (none of MikroTik’s SOHO devices qualify), you might reconsider VLAN planning (e.g. if family LAN clients will stream lots of data to/from NAS, put them into the same VLAN).
The said router should be sufficient for a 1G WAN link.
Or is the WAN link faster than 1G?
To me it looks perfectly designed, IMO.
Another plus is that this 48+ port switch has active cooling fans, whereas the 24+ port switches don’t have any active cooling capability built-in.
Yes, you will. But (and that may be a big but): the CCR2004 is not a switch. It has a maximum of about 35Gbps of throughput, either routed or bridged, and that speed drops rather quickly when you ask more of it than just routing or bridging max size packets.
If you want line speed throughput between your 10G-capable stuff, get a switch. Looking at your drawing, I’d look into a CRS328-24P-4S+RM. Cheaper than the CRS354 and it gives you PoE to power the APs, if 24 ports will do you. And I wouldn’t put your NAS & Proxmox boxes in a different VLAN from your home clients, unless you run terminal servers on that Proxmox box and have TS clients in your LAN. Routing is not the forte of the CRS line; for MT stuff, the old saw ‘switch when you can, route when you must’ still very much holds true. Where the Ciscos and Junipers of this world have built L3 switches that can route as fast as they can switch, MT hasn’t (yet).
The RB4011 is a very nice router and will do 1G+ without breaking a sweat. You might even get the WiFi one (the RB4011iGS+5HacQ2HnD-IN) and replace one of the cAPs with it, if that would work for you as far as WiFi coverage is concerned.
Thanks for your help.
I think I will go with the CRS354 and RB4011.
I am also planning a multiroom audio system using some Raspberry Pis which will use up about 15 ethernet ports. And I think the CRS354 will give me some spare ports.
Currently only the APs are using PoE and they come with a PoE injector. For PoE cams I am currently not 100% sure if I will get one. If I get them, I will get a CRS328-24P-4S+RM later.
Would it make sense, from a performance and security point of view, to add a pfSense or OPNsense firewall in front of the router? (WAN > pfSense > RB4011 > CRS354)
Ah. Yes, in that case the CRS354 makes more sense.
Would it make sense, from a performance and security point of view, to add a pfSense or OPNsense firewall in front of the router? (WAN > pfSense > RB4011 > CRS354)
Not really. The RouterOS firewall is capable enough on its own (it’s basically Linux iptables), and the RB4011 has enough horsepower to handle normal firewall duties without having any issues with your internet connection.