Currently I have a CRS326-24S+2Q+ which I would like to use for HW-accelerated bridging at wire speed and use filtering and stateless inspection with connection tracking. I have upgraded it to RouterOS 7.1.3 and I want to optimize both wire speed and security.
I do have concerns on whether this is secure enough but willing to give it a try.
However, due to my security concern, and as noted in the documentation, we can't also have firewall stateful inspection rules HW accelerated in the same device, and I am currently limited to one bridge for HW off-loading.
Q1: Is it possible to add a CRS309-1G-8S+IN and use that for HW-accelerated stateful FW rules between the VLANs/network segments at wire speed?
Q2: Or would a dedicated MikroTik router be able to accomplish the wire-speed routing, using the CRS326-24S+2Q+ for dedicated FW rule offload processing?
Q3: Or would two CRS326-24S+2Q+ be a better approach, using one for FW rule offload processing?
My Internet firewall is a Firewalla Gold Plus, which has helped me thus far in securing my network with very few performance issues and a nice mobile interface to look at traffic/rules/filters/security/VLANs, etc.
The reason I ask this is because just using VLAN filtering etc. does not seem to be as secure as an actual FW using stateful inspection. Perhaps I am old school, but it would seem to me I can simply hijack a workstation on the internal network, change the IP address and add whatever VLAN tag I want to the packet to breach simple VLAN filtering and stateless inspection with connection tracking? Also, using stateless, I have to have rules for the return traffic too, don't I?
I am actually not being paranoid, as a work computer which was on the same network when I had a simple flat one was hacked via the company network and then in turn hacked my entire network. Due to my work and complex home/work configuration they eventually even hacked my Apple devices. And yes, Apple was surprised this occurred, and so was Verizon, because I was targeted. This is in turn the reason why I am over-segmenting and paying very specific attention to keeping this from ever happening again, and if it does, to isolating it. Some may call it an overkill of networking/security, but I am trying not to take speed hits in the process.
Before you ask, yes, I have a need for the extra speed, as I have a very diverse and complex setup in my home/home office.
It is also somewhat of an exercise in learning some of the newer networking technologies, as I also work in IT.
Thanks in advance.
Statistics: Posted by tdampier — Mon Jan 01, 2024 10:31 pm
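The two concerns in the post (a hijacked host injecting its own VLAN tag, and stateless filtering needing explicit return-traffic rules) can both be illustrated with a RouterOS 7 configuration for a CRS3xx-class switch. The following is an added example, not configuration from the original post or from MikroTik; port names (sfp-sfpplus1, sfp-sfpplus2, sfp-sfpplus24), VLAN IDs 10/20/99, and the 10.0.x.0/24 addresses are assumptions chosen for illustration. Bridge VLAN filtering stays hardware-offloaded on the switch chip; the /ip firewall filter rules run on the CPU, as the post already notes.

```routeros
# Added example (not from the original post). Assumed names: bridge1,
# access ports sfp-sfpplus1 (VLAN 10) and sfp-sfpplus2 (VLAN 20),
# trunk/uplink sfp-sfpplus24, management VLAN 99. Adjust to your ports.

/interface bridge
add name=bridge1 vlan-filtering=no comment="enable vlan-filtering LAST to avoid lockout"

# Access ports: drop any frame that already carries an 802.1Q tag
# (frame-types=admit-only-untagged-and-priority-tagged), so a host that
# tags its own frames cannot hop VLANs; ingress-filtering drops VIDs the
# port is not a member of.
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=sfp-sfpplus2 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk: only tagged frames, only the VLANs listed in the table below.
add bridge=bridge1 interface=sfp-sfpplus24 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp-sfpplus24 untagged=sfp-sfpplus1
add bridge=bridge1 vlan-ids=20 tagged=bridge1,sfp-sfpplus24 untagged=sfp-sfpplus2
add bridge=bridge1 vlan-ids=99 tagged=bridge1,sfp-sfpplus24

# L3 interfaces on the bridge so the switch routes between segments.
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
add name=vlan20 interface=bridge1 vlan-id=20
add name=vlan99 interface=bridge1 vlan-id=99
/ip address
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20
add address=10.0.99.1/24 interface=vlan99

/interface list
add name=LAN
/interface list member
add list=LAN interface=vlan10
add list=LAN interface=vlan20
add list=LAN interface=vlan99

# Stateful inter-VLAN policy. Return traffic is matched by
# connection-state=established,related, so no explicit reverse rules.
# The trust anchor is in-interface (which VLAN the packet arrived on),
# not src-address, because a hijacked host can change its IP but cannot
# change which access port / PVID its frames enter through.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fast path for tracked flows (CPU)"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=vlan10 out-interface=vlan20 \
    dst-address=10.0.20.10 protocol=tcp dst-port=443 \
    comment="VLAN10 -> one HTTPS service in VLAN20 only"
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="default deny between all other VLAN pairs"

# Only now turn on VLAN filtering on the bridge.
/interface bridge set bridge1 vlan-filtering=yes
```

Two checks after applying this: `/interface bridge port print` should show no "H" (hardware offload) flag missing on the access and trunk ports, confirming the bridge itself is still offloaded; and from a host on VLAN 10, sending a frame tagged with VID 20 is dropped at the access port before the firewall ever sees it, while an untagged connection to 10.0.20.10:443 is accepted and its replies pass under the established,related rule without any rule in the 20 -> 10 direction.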