I'm trying to upgrade my small office network to support IPv6. WAN has dual stack and I want to run a dual stack LAN as well. All I want the hEX for is (a) firewall security for IPv6 (preventing inbound connections, except for specific host/port combos) and (b) inbound VPN access to LAN over IPv4. I plan to set up the network topology like this:
WAN router <-> hEX <-> WiFi router/NAT/DHCP <-> Layer 2+ switch <-> everything that is wired
As for IPv6, the WiFi router provides no protection at all, so I need to set up stateful packet inspection to block any incoming traffic on IPv6 that is not part of an established outbound connection. Of course, being IPv6, NAT is not needed. These packets have to traverse the same WAN and LAN ports as the IPv4 packets, which is where I get really unsure if this is even practical at high throughput (300 Mbps).
Finally, I want to set up VPN access. I'd love it if I could set it up to allow Bonjour to traverse it so I could access the office printer easily, so I guess that means L2TP/IPsec since I'll have an Apple device at the other end, but even then I'm not sure what to do to enable the "local" multicast traffic to cross the VPN. I can set up another post just to cover that, I only bring it up here to point out that this means probably using another port on the hEX to direct VPN traffic around the WiFi router and directly to the switch, right?
Does this sound like a winning plan? Do you have a better idea? Or should I just send back the hEX and live with IPv4-only for a while longer?
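For point (a), here is an added example of the kind of stateful IPv6 filter the post is asking about, written in RouterOS CLI syntax. It is not from the original poster and not a vendor default; it assumes ether1 is the dual-stack WAN uplink, ether2 faces the WiFi router, and that the one host/port to expose is a web server at 2001:db8::10 on TCP 443 (a documentation prefix used as a placeholder). One caveat the post's "block everything not established" wording glosses over: IPv6 depends on ICMPv6 for neighbor discovery and path MTU discovery, so ICMPv6 has to be allowed rather than dropped with the rest.

```routeros
# Added example, not the original poster's config.
# Assumptions: ether1 = WAN (dual stack), ether2 = LAN toward the WiFi router,
# 2001:db8::10 tcp/443 = the single inbound host/port exception.

/ipv6 firewall filter

# --- forward chain: traffic passing through the hEX (LAN <-> WAN) ---
add chain=forward connection-state=established,related action=accept \
    comment="replies to connections the LAN opened"
add chain=forward connection-state=invalid action=drop \
    comment="packets that belong to no tracked connection"
add chain=forward protocol=icmpv6 action=accept \
    comment="ICMPv6 carries NDP and PMTUD; never blanket-drop it"
add chain=forward in-interface=ether1 protocol=tcp \
    dst-address=2001:db8::10/128 dst-port=443 action=accept \
    comment="explicit inbound exception: one host, one port"
add chain=forward in-interface=ether1 action=drop \
    comment="anything else arriving from the WAN is dropped"
# LAN-originated traffic matches none of the drops and is accepted by default.

# --- input chain: traffic addressed to the hEX itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmpv6 action=accept \
    comment="router advertisements, neighbor solicitations, echo"
add chain=input in-interface=ether1 protocol=udp dst-port=546 action=accept \
    comment="DHCPv6 client replies, only needed if the prefix comes via DHCPv6-PD"
add chain=input in-interface=ether1 action=drop \
    comment="no management plane exposure on the WAN side"
```

Rule order matters on a CPU-bound box like the hEX: the established,related accept goes first so the bulk of packets hit one rule. To confirm the policy behaves as intended, use `/ipv6 firewall filter print stats` while opening connections from the LAN and then attempting an inbound connection from outside to a port other than 443; the final `in-interface=ether1 action=drop` counter should climb for the latter while the exception rule's counter climbs only for 443.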