Skip to main content

Network Design Comparison — Original vs. Proposed

Classification: Internal — Architecture Decision Record Prepared by: Anshin Health Engineering Version: 1.0, 2026-03-22

This document compares the original interim network design (Juniper SRX320 + EX2200 switches, documented in sre-iac/network/interim/) against the proposed target design (OPNsense CE on Beelink EQ12 Pro + TP-Link Omada 10G fabric). Both designs are derived from actual configuration files in the sre-iac repository.

1. High-Level Comparison

DimensionOriginal Design (sre-iac/network/interim/)Proposed Target Design
Edge firewallJuniper SRX320 (dedicated hardware appliance)OPNsense CE on 2× Beelink EQ12 Pro (software firewall on commodity hardware)
High availabilitySingle SRX320 — no HA, single point of failureCARP HA pair — automatic failover in ~3 seconds
IDS/IPSSRX Screen (basic: SYN flood, port scan, ICMP flood limits)Suricata full IDS/IPS (ET Open, Abuse.ch, SANS — 40,000+ signatures)
VPNNot configured in sre-iacWireGuard (primary) + OpenVPN + IPsec IKEv2 with 2FA TOTP
Load balancerNot presentHAProxy on OPNsense with health checks and automatic application failover
Network switching1G EX2200 (Juniper) — 1G max per link10G SFP+ TP-Link SX3008F — 10× faster server interconnect
Switch managementJuniper CLI (SSH) / J-WebOmada SDN GUI + REST API (Claude-accessible)
DNS serverFreeIPA only (static DHCP in SRX)Unbound DNS-over-TLS in OPNsense + FreeIPA
License costSRX320: ~$500 hardware + Juniper supportBeelink pair: ~$378, all software $0 forever
Multi-WANSingle WAN (ge-0/0/0, DHCP)Dual WAN ready (WAN1 fiber + WAN2 cable/fiber via USB NIC)
API / automationLimited (Juniper Netconf, complex)Full REST API on OPNsense + Omada API (Claude-manageable)

2. VLAN / IP Addressing Comparison

The original design uses a different subnet scheme than the proposed design. This is the most significant compatibility issue that must be resolved during migration.

VLANNameOriginal Subnet (sre-iac)Proposed SubnetNotes
VLAN 2Legacy Production10.10.96.0/20(migration target — retire after cutover)Transitional VLAN for current flat network
VLAN 100OOB Management192.168.169.0/2410.10.100.0/24Conflict — different subnet families
VLAN 200Compute / Control Plane10.20.0.0/2410.10.200.0/24Different 3rd octet convention
VLAN 300Ceph PublicIsolated on ex2200t-02Isolated on sx3008-02Same intent, different hardware
VLAN 400Ceph ClusterIsolated on ex2200t-02Isolated on sx3008-02Same intent
VLAN 500Provider Network10.50.0.0/2410.10.500.0/24*Different convention
VLAN 600DMZ (original) / K8s (proposed)10.60.0.0/2410.10.600.0/24*Purpose changes slightly
VLAN 610HA Sync / MetalLBL2 only (no gateway)10.10.98.0/24 (MetalLB VIPs)Purpose differs
VLAN 700VPN ClientsNot present10.10.700.0/24*New in proposed
VLAN 1000–1099Tenant VLANs (Neutron)L2 pass-throughL2 pass-throughSame
Homestead192.168.125.0/24 (ge-0/0/5)192.168.125.0/24 (dedicated port or VLAN)Same subnet, same purpose

Note: The proposed doc uses 10.10.X00.0/24 notation for readability. These should be validated against FreeIPA's existing reverse DNS zones before migration.

OOB Management subnet conflict

The original OOB VLAN 100 uses 192.168.169.0/24. The proposed design uses 10.10.100.0/24. The iLO addresses (10.10.96.235, .236, .237) are already in the 10.10.96.0/20 range, which is actually VLAN 2 (legacy). This must be reconciled before deployment — iLO addresses will need to move to whichever subnet becomes the canonical OOB range.

3. Security Policy Comparison

Original Design — SRX320 Security Zones

The SRX320 config defines 5 zones with explicit inter-zone policies:

UNTRUST (WAN)
  ├── → DMZ: Allow HTTP/HTTPS inbound (DNAT to 10.60.0.10)
  └── → all others: DENY

TRUST (VLANs 2, 200, 500)
  ├── → UNTRUST: PERMIT all (internet access)
  ├── → TRUST: PERMIT all (inter-VLAN, open)
  └── → DMZ: DENY

DMZ (VLAN 600)
  ├── → TRUST: PERMIT HTTP/HTTPS (reverse proxy → backends)
  ├── → UNTRUST: PERMIT all (updates, OCSP)
  └── → others: DENY

HOMESTEAD
  ├── → UNTRUST: PERMIT all (internet only)
  └── → all internal: DENY

MGMT (VLAN 100)
  ├── → MGMT: PERMIT (intra-OOB)
  └── → all others: DENY (and UNTRUST → MGMT: DENY)

Screen (IDS) on UNTRUST only:

  • ICMP: ping-death, large ICMP, flood (1000/s), fragment attacks
  • IP: source-route, tear-drop, spoofing, bad-option, block-frag
  • TCP: SYN flood (200 attack threshold), land, syn-frag, port scan (5000/s)
  • UDP: flood (1000/s), port scan

Proposed Design — OPNsense Security Zones

OPNsense replaces the SRX zone model with interface-based rules, retaining the same logical segmentation but adding:

  • Suricata on WAN — 40,000+ signatures (vs SRX Screen's ~15 rule types)
  • VPN zone (VLAN 700) — no equivalent in original
  • Explicit K8s zone — VLAN 600 (MetalLB) as a distinct zone
  • HAProxy — application-layer health checks and failover (no equivalent)

Gap Analysis: What Original Has That Proposed Must Match

SRX FeatureOPNsense EquivalentStatus
TRUST → TRUST permit all (inter-VLAN)Inter-VLAN rules on VLAN interfaces✅ Covered in proposed rules
HOMESTEAD → UNTRUST permit, HOMESTEAD → internal denyHomestead interface rules✅ Covered
MGMT complete isolationVLAN 100 rules✅ Covered
SRX Screen SYN flood protectionSuricata + OPNsense built-in SYN flood✅ Superior coverage
DNAT inbound 443 → DMZ VIPOPNsense NAT + HAProxy✅ Covered, with added health checks
Juniper LACP ae0 (2×1G to switch)OPNsense LAN (1× 1G to sg3428-01)✅ Functional (reduced to 1G, acceptable)
SRX DHCP serverOPNsense DHCP server (per-VLAN)✅ Built-in
SyslogOPNsense syslog → Prometheus✅ Superior (searchable in Grafana)
Static MAC→IP reservationsOPNsense DHCP static leases✅ Covered

What Proposed Adds That Original Does Not Have

New FeatureValue
CARP HA failoverEliminates single point of failure at edge
pfsync state replicationExisting TCP sessions survive failover
Suricata full IDS/IPSThreat signatures vs basic flood protection
WireGuard VPNSecure remote access for staff
HAProxy with health checksApplication-level failover to AWS or partner
Unbound DNS-over-TLSEncrypted DNS, ad/malware blocking upstream
Multi-WAN failoverFiber + cable redundancy
Full REST APIClaude Code can query and manage
Omada SDNGUI management of all switches from one interface
10G server interconnect10× faster inter-server networking vs 1G

4. Physical Switch Architecture Comparison

Original: Juniper EX2200 (1G)

SRX320
  │ 2× LACP (ae0, 2Gbps aggregate)

ex2200t-01 (24-port 1G) — Network plane
  │ 2× LACP bonds per server (2Gbps aggregate per server)
  ├── stk01 (pmx-01): ae1
  ├── stk02: ae2
  ├── stk03: ae3
  ├── pmx01 (HP#1): ae4
  └── blnk-fed4201: ae5

ex2200t-02 (24-port 1G) — Storage plane (isolated)
  │ 2× LACP bonds per server
  ├── stk01 bond-stor: ae1
  ├── stk02 bond-stor: ae2
  ├── stk03 bond-stor: ae3
  └── pmx01 bond-stor: ae4

ex2200p-01 (24-port 1G PoE) — OOB management (isolated)
  ├── iLO HP#1, #2, #3
  └── UPS #1–4

Maximum server bandwidth: 2× 1G LACP = 2Gbps per server (send + receive). Storage traffic shares the same 1G links in original; separated to dedicated EX2200 in original (good design).

Proposed: TP-Link 10G + 1G

OPNsense (CARP pair)
  │ 1× 1G RJ45 each (re1) to sg3428-01

sg3428-01 (24-port 1G) — Network 1G access
  │ 1G SFP uplink

sx3008-01 (8-port 10G SFP+) — Network 10G spine
  │ 10G DAC per server
  ├── HP#1 sfp0: 10G
  ├── HP#2 sfp0: 10G [future]
  ├── HP#3 sfp0: 10G [future]
  └── HP#4 sfp0: 10G

sx3008-02 (8-port 10G SFP+) — Storage 10G spine (isolated)
  │ 10G DAC per server
  ├── HP#1 sfp1: 10G
  ├── HP#2 sfp1: 10G [future]
  ├── HP#3 sfp1: 10G [future]
  └── HP#4 sfp1: 10G

ex2200p-01 (repurposed for OOB — unchanged from original)

Maximum server bandwidth: 1× 10G per plane = 10Gbps network + 10Gbps storage, independent planes. 5× improvement on network bandwidth per server.

5. Migration Path: Original → Proposed

The migration is additive — new hardware is installed alongside existing, traffic is cut over one VLAN at a time, the Cisco bridge/EX2200 remain as fallback.

StepActionRiskRollback
1Install OPNsense on Beelinkss, configure CARP, test without trafficLowPower off Beelinks
2Install 10G NICs in all serversMediumRemove NICs
3Install TP-Link switches, connect DAC cablesLowUnplug switches
4Mirror VLAN 2 (legacy flat) to OPNsense LAN — dual routingMediumPrefer SRX route
5Cut VLAN 200 (compute) to OPNsense — move 1 server at a timeMediumSRX static route
6Cut WAN NAT from SRX → OPNsense (single ISP IP, CARP VIP)HighSRX re-enable in <5 min
7Provision WireGuard VPN on OPNsense — test remote accessLowFirewall rule disable
8Enable Suricata (IDS mode, alert only)LowDisable plugin
9Decommission SRX320 and EX2200 switchesLow after 2-week validationKeep on shelf

6. Cost Comparison

ItemOriginalProposed
Edge firewall hardwareJuniper SRX320 (~$500 new, ~$150 used)2× Beelink EQ12 Pro (~$378)
Edge firewall softwareJunOS (included, no ongoing license)OPNsense CE (free forever)
IDS/IPSSRX Screen (basic, included)Suricata (free, plugin included)
VPNNot configured (Juniper VPN available but not deployed)WireGuard/OpenVPN (free, built-in)
Load balancerNot presentHAProxy (free, plugin included)
Network switching1G EX2200 (already owned)10G SX3008F × 2 + 1G SG3428 × 2 (~$880)
Switch managementJuniper CLI/J-Web (free)Omada SDN + OC200 (~$80, software free)
Server NICsBuilt-in 1G only10Gtek NICs (~$196 for 4)
Total additional cost$0 (hardware on-site)~$1,534 (NICs + switches + Beelinks + OC200)
Security improvementBaseline+IDS/IPS, +HA, +VPN, +10G, +API
Ongoing license cost$0$0 forever

Document Control

RevDateAuthorDescription
1.02026-03-22Anshin EngineeringInitial comparison — sre-iac interim vs proposed target