by mortenlarsen 1485 days ago
I don't have any annoying router or CPE from my ISP. Just fibre to the basement and an ethernet plug in the wall in my apartment providing 1Gb Internet access.

So I have a few EdgeRouter Lite 3s doing NAT and port forwarding (IPv4) because they can do that in hardware. As they are not open and I don't really trust them, I just pretend that they are on the ISP side of my network (even though they are mine, and I "control" them). So their LAN ports count as the "outside" in my setup. They provide networks like 192.0.2.0/24 that I just pretend are my public IPs.

This is also where the AP with GF's phone and Chromecast resides on a separate VLAN. This has the benefit of me being able to play around with the "real network" behind the firewalls in the next layer without worrying about causing downtime and issues for her (big win).

After that I have my "real" firewalls (a bunch of APU4C4s) that segment my network into several parts and multiple layers. They have less work to do as they don't need to do any NAT/translation. It also makes the firewall rules much simpler as there are no NAT/RDR rules and I don't have to think about whether a firewall rule applies pre- or post-translation (NAT/RDR).

It would of course be a lot easier if I just had a /24 of public IPv4 addresses, but this setup lets me sort of pretend that I do, even though I only have two static IPv4 addresses and an extra one with DHCP.

I just recently got IPv6 with a /56 routed to me from my ISP and this is what I am messing around with currently. I have some Juniper switches (EX2200/EX3300/EX4200) that can do IPv6 routing in hardware (and ACLs), meaning that I can do things a lot more like I wanted with IPv4 because I don't need any NAT. One of the benefits for example is that I can just route a /64 to my local mirror servers over a VLAN for bulk traffic without putting any load on my firewalls. As the traffic is only to/from a few destinations and ports, ACLs in the switch are fine for me (+ local firewall on the mirror servers). This bulk traffic is probably close to 90% of my total bandwidth usage, which is just syncing the local mirrors. This means that this traffic is not clogging up the NIC queues on the firewall competing with "interactive traffic" like web-browsing, etc. Is this needed? No, not really. The firewalls can easily handle the traffic, but it is simple to remove 90% of the load on them for basically free.

All this may seem complicated and/or convoluted (and it probably is) but it makes (for me at least) my network much easier to reason about, and makes tinkering/experimenting easy and less likely to affect "production".
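The mirror-VLAN bypass described in the post, as an added example that is not the commenter's own configuration: a small model of carving /64s out of the routed /56, a stateless switch ACL that only permits the few upstream mirrors and ports, and the split between flows the switch settles in hardware and flows that go to the firewall layer. All prefixes, the VLAN index and the upstream peers are constructed assumptions; the post names none of them.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan: the post says the ISP routes a /56, the value is assumed.
DELEGATED = ip_network("2001:db8:1234:ab00::/56")

def vlan_prefix(vlan_index: int):
    """Carve the vlan_index-th /64 out of the delegated /56 (one /64 per VLAN)."""
    return list(DELEGATED.subnets(new_prefix=64))[vlan_index]

# Hypothetical: VLAN 10 is the mirror VLAN whose bulk traffic the switch routes directly.
MIRROR_NET = vlan_prefix(10)

# Switch ACL for that VLAN: only a few upstream mirrors and service ports are allowed,
# everything else is dropped. Peers are hypothetical.
ACL_PEERS = [
    (ip_network("2001:db8:ffff::/48"), {80, 443}),  # hypothetical HTTP(S) mirror
    (ip_network("2001:db8:fffe::/48"), {873}),      # hypothetical rsync mirror
]

def switch_acl_permits(src, sport, dst, dport) -> bool:
    """Stateless ACL: permit outbound to an allowed peer/port, or the matching return
    traffic (peer source port in the allowed set). Caveat: a stateless ACL cannot tie
    the return flow to an existing session, so it admits more than a stateful
    firewall would; the local firewall on the mirror hosts covers that gap."""
    src, dst = ip_address(src), ip_address(dst)
    for peer, ports in ACL_PEERS:
        if src in MIRROR_NET and dst in peer and dport in ports:
            return True
        if dst in MIRROR_NET and src in peer and sport in ports:
            return True
    return False

def forwarding_path(src, sport, dst, dport) -> str:
    """Mirror-VLAN flows are decided by the ACL in the switch; every other flow is
    routed to the firewall layer, so bulk sync traffic never loads the firewalls."""
    if ip_address(src) in MIRROR_NET or ip_address(dst) in MIRROR_NET:
        return "switch-acl-permit" if switch_acl_permits(src, sport, dst, dport) else "switch-acl-drop"
    return "to-firewall"
```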