Hey folks,

Looking for some filtering/edge network advice and ideas. At our edge, we use two firewalls. One firewall, a Netgear SRX5308, handles infrastructure systems connectivity (servers, etc) and inbound services. The other firewall, a Smoothwall, handles all client connectivity and web content filtering for workstations and devices on the trusted network and the BYOD network. Each firewall has its own independent internet connectivity, essentially meaning that the SRX and Smoothwall sit side by side at the edge.

This setup has worked well for many years; however, with the introduction of BYOD, I've found that I've had to create a lot more rules to allow certain apps and services to work, which is fine, but I find the networking configuration interface on Smoothwall inelegant and frustrating.

The SRX is showing its performance limitations now, and is going to be replaced with a Ubiquiti Networks EdgeRouter. This has prompted me to consider modifying the edge network to a single firewall, hopefully resulting in a single point of ingress / egress, and a single place for my inbound / outbound ruleset. Taking this further, it would involve bringing the Smoothwall behind the new router, and it becoming a web filter only.

That's the notion that's confusing me at the minute, Smoothwall only being a web filter. I'm aware that moving the SW behind another router means I may lose my transparent filtering ability (as all of my trusted network workstations would no longer have their gateway set as the SW - not such a big deal for the trusted network, with GP), but I'm having trouble rationalising (in my head) how the Smoothwall would be configured purely as a web filter. To put this in context, the SW has three physical interfaces: Trusted Network, BYOD (also a separate VLAN, with DHCP server) and External (internet). The trusted network is fairly straightforward: GP will handle browser config for non-transparent connections, and WPAD could also take care of non-GP devices. On the BYOD network, nothing needs to change; clients can have the SW as their gateway (set by DHCP) and continue to have transparent filtering. It's the external connection that's confusing me, I suppose. The idea in my head is to connect the external interface on the SW to an interface on the new EdgeRouter, effectively making it (the EdgeRouter) an upstream gateway of the SW (?)... but there is something about that idea that doesn't sit well with me, and I can't quite put my finger on it.

Does anyone have any thoughts on this idea? Perhaps point out any blind spots, or will it even work (in theory) or is it a recipe for disaster?

Thanks for reading folks.
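One way to picture the "Smoothwall as explicit web filter only" piece for the trusted network is the PAC file that WPAD would hand to non-GP devices: internal names and addresses go out directly via the new router, everything else is sent to the Smoothwall proxy. This is an added example, not from the original post or from Smoothwall's own configuration; the proxy address 10.0.0.2:800, the internal ranges 10.0.0.0/8 and 192.168.0.0/16, and the .corp.example domain are all assumed values.

```javascript
// Proxy auto-config (PAC) file. Browsers that discover it via WPAD call
// FindProxyForURL() for each request. Assumed (not from the post): the
// Smoothwall listens as an explicit proxy on 10.0.0.2:800, the trusted LAN
// is 10.0.0.0/8 and 192.168.0.0/16, and internal names end in .corp.example.
function FindProxyForURL(url, host) {
  // Internal names go straight out via the EdgeRouter, no filter involved.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  var ip = dnsResolve(host); // null when the name does not resolve
  if (ip && (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
             isInNet(ip, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // Everything else must traverse the filter. No "; DIRECT" fallback: that
  // would let clients bypass filtering whenever the Smoothwall is unreachable.
  return "PROXY 10.0.0.2:800";
}

// ---- Test shims: PAC engines provide these built-ins; delete before deploy.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (n, o) { return n * 256 + Number(o); }, 0);
}
function isInNet(ip, net, mask) {
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
// Constructed name table standing in for real DNS (addresses are made up).
var constructedDns = { "intranet.corp.example": "10.1.2.3",
                       "files.partner.test": "192.168.50.7",
                       "www.example.com": "203.0.113.10" };
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) { return host; } // IP literal
  return constructedDns[host] || null;
}
```

Omitting the "; DIRECT" fallback is deliberate: with it, a Smoothwall outage silently turns into unfiltered browsing rather than a visible failure.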