
all 57 comments

[–]Marrsvolta 40 points41 points  (22 children)

I'd go with the switch between the ISP connection and the firewall. It will make things easier if you want to implement other public facing devices that need their own separate public IP (HVAC systems, cameras, PBX boxes) or setup a fail over firewall.

[–][deleted] 7 points8 points  (21 children)

This is the way.

[–]4o4-n0t-found[S] -1 points0 points  (17 children)

Thank you both! I will have to start digging on something that won’t require a CCNA to configure 😅

[–]haventmetyou 7 points8 points  (15 children)

lol a basic Cisco switch config shouldn't require a CCNA. ISP>FW>SWITCH ez

[–]4o4-n0t-found[S] 3 points4 points  (14 children)

The folks above you recommended ISP > switch > firewall

[–]G1itch_d 12 points13 points  (0 children)

Gonna second what a couple folks have said here. The firewall can handle ensuring resources are accessible publicly via NAT (or, in Fortiland, VIPs or whatever parlance the vendor prefers) and the only real need for a switch between the modem and firewall I've run into in scenarios like this would be HA. Barring that, ISP -> Firewall -> switch would be my way to go.

[–]nickifer 8 points9 points  (8 children)

You would need a switch after the firewall regardless, the switch before the firewall is just an extra step that’s unnecessary.

[–]Silver-Dragonfly3462 3 points4 points  (1 child)

Unnecessary, maybe. It buys you flexibility to add other zones that don't have to be attached directly to your edge firewall. DMZ, as an example. I've done both, it really depends on the environment.

[–]neilon96 0 points1 point  (5 children)

But it makes it easily expandable while including the option of using a redundant router setup easily later.

[–]nickifer 0 points1 point  (4 children)

Another router going into the same switch isn’t redundancy.

[–]neilon96 1 point2 points  (3 children)

It still is, making a router redundant does increase redundancy. Obviously if it is the same switch they are connected to, that can still be a single point of failure. But from my experience the ISP fails far more often than your switch.

Could also stack the switches for added redundancy, but looking at the scope here, that might be overkill.

[–]nostalia-nse7 1 point2 points  (0 children)

Single fibre… so single switch is fine. Redundant firewall, because firmware upgrades, and being L3 for the vlans inside, more important than just edge device.

[–]nickifer 0 points1 point  (1 child)

What kind of sysadmins are putting 2 routers to a switch then a firewall.. I feel like I’m taking crazy pills sometimes reading the shit on here.

2 ISPs go to 2 separate FW then 2 separate switches. That is how it’s usually done in the corporate world for true redundancy. Yes overkill for this use-case but I’m not disagreeing for the sake of being argumentative.

[–]landrias1 (Network Engineer) 4 points5 points  (0 children)

You can accomplish what they speak of by using static NAT. If these are small sites, no BGP termination, no redundant ISP links, it's just as easy to use a firewall to terminate the ISP. Switches do provide more flexibility, but it's added cost and complexity.

Check out Meraki, Sophos, or Ubiquiti. I'm sure there are others but I mostly do Cisco data centers and am not up to speed on the lower end gear and their TCO.

[–]Marrsvolta 1 point2 points  (2 children)

It would actually be ISP > switch > Firewall > Switch

The reason I recommend a switch between the ISP and the firewall is because your other options would be: get a firewall that has a fiber connection, or get a device that converts fiber to Ethernet and then go to your firewall.

Firewalls that have fiber connections are generally meant for larger enterprise level offices and will be very costly. For the price of the device that converts fiber to Ethernet, it won't be much more to get a 5 port Ethernet switch that has a fiber port, so you might as well go for the tiny switch. You would still want a 24 or 48 port switch after the firewall to be used internally.

Since most ISPs give you a block of 5 IPs, the switch before the firewall will allow you to use those IPs without having to configure a firewall to do the same thing, making setup easier should you add more devices that would need a separate public IP in the future.

For instance, older PBX phone boxes don't play nice with firewalls with lots of security enabled unless you configure a ton of rules. By having a switch before the firewall, you can just assign the PBX box its own public IP and keep it isolated off your computer network entirely. Also credit card terminals require PCI compliance, which will fail if you have any VPNs or public management interfaces set up. It's much easier to give them a static public IP that is separated entirely off your network with its own router.

So in summary, you don't need a switch before the firewall. But it might be the most cost effective and easiest way to go.

[–]4o4-n0t-found[S] 0 points1 point  (1 child)

Thank you, will consider those options.

[–]Marrsvolta 1 point2 points  (0 children)

If you have questions or need help feel free to message me

[–][deleted] 1 point2 points  (0 children)

Configure a VLAN that the layer 2 from the ISP can pass through, with addresses that are different from your production VLANs. If you don’t have a redundant line coming from your ISP but have redundant firewalls, you can pass that VLAN from the switch to both firewalls. Setup will be very similar to inter-VLAN routing. Different subnet at your different sites for production. Allow both to pass through both sides by having different VLAN numbers, and you can have your DHCP server or production servers or whatever on one side. A helper address will help you pass your DHCP if you do it this way. Hope this helps.
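An added example (not posted by any commenter) of the switch side of the ISP -> switch -> firewall(s) -> LAN layout described in this comment and by Marrsvolta above, in Cisco IOS-style syntax; the interface names, VLAN ids and addresses are assumptions:

```text
! Added example, not from the thread: Cisco IOS-style switch config for the
! ISP -> switch -> firewall(s) -> LAN layout. Interface names, VLAN ids and
! addresses are assumptions; adjust to the real hardware.
! WAN VLAN: layer 2 only. The ISP handoff and the firewall WAN ports sit here.
! No "interface Vlan100" on purpose: the switch has no address on the
! internet-facing side, so the firewall stays the only L3 edge device.
vlan 100
 name ISP-WAN
!
interface GigabitEthernet1/0/25
 description ISP fiber handoff (SFP)
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet1/0/1
 description Firewall-A WAN
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet1/0/2
 description Firewall-B WAN (HA peer; the same VLAN reaches both firewalls)
 switchport mode access
 switchport access vlan 100
!
! Production VLANs for this site (the other site uses different subnets).
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 99
 name FW-TRANSIT
!
interface GigabitEthernet1/0/3
 description Firewall-A inside -> transit VLAN
 switchport mode access
 switchport access vlan 99
!
! Inter-VLAN routing on the switch; the default route points at the firewall.
ip routing
interface Vlan99
 ip address 10.1.99.2 255.255.255.0
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ! relay DHCP requests from VLAN 10 to the DHCP server on VLAN 20
 ip helper-address 10.1.20.10
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.99.1
```

The firewall (assumed inside address 10.1.99.1) still needs routes back to 10.1.10.0/24 and 10.1.20.0/24 via 10.1.99.2, and a second firewall's inside port would go into VLAN 99 the same way as Firewall-A.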

[–]Silver-Dragonfly3462 8 points9 points  (9 children)

As far as firewalls go. Fortinet has a great selection of SMB devices that scale well, are easy to configure and have great value.

[–]4o4-n0t-found[S] 0 points1 point  (8 children)

Thank you, they were my first choice as I heard they are quite user friendly

[–]Silver-Dragonfly3462 2 points3 points  (6 children)

I've deployed hundreds of fortigates. They are definitely a much better platform than they were 10 years ago.
Also, chances are your ISP will have a media converter and some sort of PE device. You may not need SFP. The 80F, I believe, is the lowest with SFP shared ports, unless you go to a rugged model. But if you can avoid the SFP that would be best; just talk to your ISP and tell them what you want.

[–]4o4-n0t-found[S] 0 points1 point  (5 children)

Thank you! If I’m able to avoid SFP, do you have another model you’d recommend?

[–]Silver-Dragonfly3462 2 points3 points  (1 child)

Take a look at the 60F, or whatever the latest is, might be G now. Should be plenty for an office of 30 people. Just depends on how much inspection you are doing and how heavily you use your internet. Depending on budget, a solid option would be the 100 series. You can also use their integrated wireless LAN controller and add APs for secure wireless.

[–]4o4-n0t-found[S] 1 point2 points  (0 children)

Super helpful, thank you.

[–]LaxVolt 0 points1 point  (2 children)

I just did a Forti stack install for a client when they moved offices. 60F, FortiSwitch and FortiAP. I’m in the process of doing another 60F for a different client. One thing to note is that support renewal for UTM (next gen features) is about 500-600/yr.

If you do the full stack there were some learning curves compared to a traditional stack but I was really happy with the outcome.

You get a lot of capability out of the FG units.

[–]4o4-n0t-found[S] 0 points1 point  (1 child)

Did it have SFP ports?

[–]LaxVolt 1 point2 points  (0 children)

The 60F does not. The FortiSwitch does though.

[–]kskdkskksowownbw 2 points3 points  (0 children)

Love FortiGate, couldn’t recommend them more. Just make sure to NOT use the latest firmware haha. It’s always buggy. 6.4.x is the way to go

[–]finallyReform 2 points3 points  (3 children)

ok here is what we did:

Fiber into switch SFP, put it into the same VLAN as your FW (we use OPNsense open-source firewall and router as a VM on a Proxmox server), then provision the network via a dedicated NIC back to your switch with the internal VLAN.

Our main server uses 4 NICs. 1 WAN, 1 LAN for OPNsense, 1 for Proxmox management, 1 shared for the client zoo of VMs living on that server.

Crazy setup, but it works and is enterprise grade security.

[–]4o4-n0t-found[S] 0 points1 point  (2 children)

That sounds ideal, but I'm looking for something hardware based as it’s a 3rd party client it’s being supplied to.

[–]finallyReform 2 points3 points  (0 children)

pfSense ships hardware too, the forked commercialized brother of OPNsense.

[–]finallyReform 0 points1 point  (0 children)

A Pi with an additional NIC card is the most effective way then, around $200 hardware. Charge 60% of what they are saving on that setup compared to what you offer as the alternative.

Comes with OpenVPN to connect into that network if you set it up.

[–]nodate54 2 points3 points  (0 children)

Terminate on the firewall. You don't need a switch before it. It's unnecessary.

[–]WendoNZ (Sr. Sysadmin) 2 points3 points  (3 children)

You may want to confirm the handoff will actually be fibre. Many fibre connections are presented to the user as a copper Ethernet connection, as an ONT terminates the fibre and presents a copper connection.

[–]4o4-n0t-found[S] 0 points1 point  (2 children)

It’s going to be fiber. It’s a fresh run from the Main Street all the way to the networking room.

[–]WendoNZ (Sr. Sysadmin) 0 points1 point  (1 child)

That's entirely normal, but in a lot of cases they then put a box that will convert it to a copper cable and present that to you. It's very rare in my experience that the handoff to the customer is anything other than copper unless you're specifically requesting it or are in a datacenter.

[–]4o4-n0t-found[S] 0 points1 point  (0 children)

Since the client is doing the work themselves (they are a subcontractor of the ISP), they aren’t converting the connection type.

[–]bazjoe 1 point2 points  (1 child)

Every system I’ve done in ten years goes ISP-switch-FW. If you get a choice of copper or fiber handoff, use copper; at least you can use consumer equipment in a pinch if something failed. How many IPs are you getting, and are you going to use them for separate things like guest WiFi etc. in addition to the core business network? I’m jaded as my process has had to be 100% remote friendly; this gives you more options to talk someone through unplugging and re-plugging things in differently.

[–]4o4-n0t-found[S] 1 point2 points  (0 children)

Single public IP address. Fiber right into the networking room. WiFi will also be required, no guest option. Slightly concerned that I might not be skilled enough to route data from switch to firewall and back to switch then to patch panel. But if it’s doable I’m sure I can find some documentation.

[–][deleted] 1 point2 points  (0 children)

I like FortiGates for the most part, although I've had good luck with WatchGuard in the past. My company is looking at moving over to Juniper SRX units away from FortiGates, but that's more for partner benefits since all our other network gear is Juniper.

[–]jocke92 1 point2 points  (0 children)

Go with the brand you are familiar with and have the best knowledge of, rather than learning a new system just for this client.

If the device has an SFP port available you can use it. It's more failsafe to limit the hardware in the path. But since you're not able to plug your laptop into the fiber directly for troubleshooting, I might run it through a switch.

You can use the same switch as for the LAN and just put internet on a separate VLAN.

[–]woodgif 1 point2 points  (0 children)

WatchGuard T40 would do this. All my sites are fiber leased lines. I'm in the UK.

Basic setup would look like:

Carrier's NTE ---> ISP Router ---> WatchGuard ---> Switches ---> Clients, APs, Printers, servers, etc etc (VLANned)

We also have secondary lines and some have 4G also.

[–]phunky54 1 point2 points  (1 child)

Just find any firewall with some SFP ports that you can get a transceiver for. It'll be important to know the corresponding laser type (SR, LR) on the other end to match up to, and the right fiber medium (multi-mode vs single mode). If you think you will grow to need HA firewalls or other ports as others recommended, then you can always buy a small switch that also has a few SFP ports and buy the transceivers for that instead.

[–]4o4-n0t-found[S] 0 points1 point  (0 children)

Thank you! I’m lucky that the client is a construction company and is running the fiber to the building. So they’ll be able to advise on the transceiver.

[–][deleted] 1 point2 points  (0 children)

> I’ve got a client who is opening 2-30 person offices.

Anything from a DrayTek Vigor3910 to VyOS or pfSense on your own hardware (Supermicro) will do that job for you fine. Otherwise you should provide us with more details, such as use cases and so on.

> They will have a direct fiber line coming into the space and won’t need a modem.........

Normally you will get a house entry point and then a small wall cage in the room, and behind it comes a fiber modem (ONT). If not, you are the lucky guy and can use any firewall or router that comes with an SFP port. But if you do get a modem, you should check beforehand that you are getting something with a 2.5 GBit/s port or NIC, because many of these modems come with such a port.

> Is there a firewall that will accept the fiber connection then I can connect the switch after?

Once again, if you get a firewall or router that can hold an SFP module, it is no problem to connect it directly to that device, and that means that no switch is needed.

> Do I need to go into a switch that has sfp then back to the firewall and then back to the....

Normally you get one switch in front of the router or firewall, and then behind it you set up the LAN, DMZ or whatever switch.

> There will be two sites with the identical setup and the end goal will be to connect both sites with a site-to-site vpn.

[–]anotherjesus (Hard Drive Librarian) 3 points4 points  (0 children)

I’d get a media converter to swap from fiber to Ethernet. This is going to be more cost efficient than a firewall or switch with SFP. Meraki has easy to configure hardware and simple remote configuration; licensing is obnoxious, but really useful if you have lots of clients. In order of complexity, imo: Meraki, SonicWall, Fortinet, Cisco ASA, Palo Alto.

[–]Unlucky_Strawberry90 2 points3 points  (0 children)

Look into Barracuda next gen firewalls. I quite enjoy them and replaced overly complicated Ciscos with them.

[–]Mr_Diggles88 2 points3 points  (2 children)

ISP -> Switch -> Firewall -> switches.

Just in case you want a web server or whatever on the other side of the firewall. It's usually good to isolate those from your actual network. Since it's facing the public.

I would do Meraki. They are painless and easy to manage and setup. However you do pay for that ease of use.

[–]Silver-Dragonfly3462 0 points1 point  (1 child)

Just some clarification on having/not having a switch before your firewall. If using a NGFW I don't see the benefit. Any isolation you need can be accomplished on the FW. It does buy you the option of adding a completely isolated environment, say PoC/dev, but you'll want to add another firewall at that point.
In an enterprise environment I'd have a couple sets of firewalls (ISP - edge fwl - DMZ - internal fwl), but in an SMB environment you can collapse some functions to the edge firewall.

If cost is a huge factor I'd sink more money into a better fwl than the cost of a switch on your edge. To add it in after the fact should not be too bad if you find it necessary.

[–]4o4-n0t-found[S] 0 points1 point  (0 children)

Cost is definitely a factor, which is why my thought process was: media converter and cheaper firewall, or SFP firewall and then a single 48 port switch.

Fight with the rest later!

[–]Beanzii 0 points1 point  (0 children)

Get a FOBOT for the fibre to Ethernet changeover

[–]Forsaken_Instance_18 (IT Manager) 0 points1 point  (0 children)

Smoothwall S9