DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Seeking Advice Using a Draytek Fibre Router with Static IP and pfSense Firewall
28 Nov 2025 13:05 - 28 Nov 2025 13:24 #105784
by ytene
Seeking Advice Using a Draytek Fibre Router with Static IP and pfSense Firewall was created by ytene
Hello Everyone,
I've just learned that Openreach have installed FTTP in the road where I live... and I'm now trying to negotiate with them to get it installed in my home - which is a 1st floor flat. There are complications there in that Openreach automatically designate a block of flats as an "MDU" - Multiple Dwelling Unit - and automatically de-scope it from installations. They then revert to the position where the landlord has to apply for the installation, but make no attempt to notify landlord or tenants. Which seems a bit off, but... on the basis that connectivity is now almost in the foreseeable future, I'm looking at connectivity options.
My local exchange is supported by CityFibre and they can offer me a 5Gbps service for around £80/month, along with a static IP address, which will allow home hosting, which is my goal.
From what I've read, the Openreach FTTP presentation is RJ45 Ethernet - but I do suspect CityFibre would have to use a different device if they want to present at 5Gbps... maybe SFP+ at 10Gbps or a 10Gbps regular RJ45? Either way, my current thinking would be to run from the ISP terminator to a 3912 fibre router and then on to a dedicated internal DMZ setup...
My questions relate to that DMZ piece. In order to "host@home" my plan would be to use the pfSense firewall package (the Community Edition is free), running on a Protectli VP 6670 for the hardware platform, costing around 940 Euros. This would give me 2 x 10Gbps SFP+ ports [for the main throughput] and then 4 x 2.5Gbps Intel Ethernet RJ45 ports, which I can use to create up to 4 discrete DMZs. This would allow me to split out my DMZ into tiers - allowing me to host an NGinx reverse proxy [to terminate all incoming traffic for inspection via WAF]; a web server; and finally an externally-facing DB Server, all in isolated DMZ tiers. Outbound traffic would make use of the SFP+ ports and simply go straight out over the 10Gbps ports to the 5Gbps uplink.
At least, that's my theory.
I'd be extremely grateful if anyone has anything like this in operation today, and, if so, if they would be kind enough to share their experience. I'm rather nervous about jumping straight into this - we're talking something in the region of £1800 to cover the cost of a 3912 and the Protectli host with some RAM and a couple of small NVMe drives in RAID1 - so I don't want to do a "Ready! Fire! Aim!" and end up buying an incompatible solution, or ordering a service I can't make work.
Of all the various dimensions to this, the area where I'm least experienced/most cautious covers the routing and addressing of incoming traffic from the service presentation, to a Draytek firewall router, to the pfSense hardware. Daisy-chaining the default gateways for outbound traffic should not be a major problem... but getting the various devices to play nice for incoming 80/443/25 traffic is likely to be quite a little bit more complex, and I'd be incredibly grateful for any advice members would care to offer.
Thanks in advance.
Last edit: 28 Nov 2025 13:24 by ytene.
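As an added illustration of the tiered DMZ the post describes (this is example policy written for this page, not the poster's configuration and not taken from DrayTek or pfSense documentation), here is a minimal pf ruleset of the kind pfSense builds underneath its GUI. It assumes the DrayTek 3912 forwards TCP 80, 443 and 25 from the static IP to the pfSense WAN address; the interface names (ix0/ix1 for the SFP+ ports, igc0..igc2 for the 2.5G ports), the 10.10.x.x tier addresses and the PostgreSQL port are all assumptions. Each tier can only be reached from the tier in front of it, nothing in any DMZ may initiate towards the LAN, and the database tier has no outbound path at all.

```pf
# Added example: pf policy for a three-tier DMZ behind pfSense.
# Interface and address names below are assumptions, not the poster's setup.
wan       = "ix0"        # 10G SFP+ towards the DrayTek
lan       = "ix1"        # 10G SFP+ to the trusted LAN
dmz_proxy = "igc0"       # 2.5G tier 1: nginx reverse proxy / WAF
dmz_web   = "igc1"       # 2.5G tier 2: web application
dmz_db    = "igc2"       # 2.5G tier 3: database

proxy_host = "10.10.1.10"   # nginx + WAF (assumed address)
smtp_host  = "10.10.1.20"   # mail relay for port 25, also in tier 1 (assumed)
web_host   = "10.10.2.10"
db_host    = "10.10.3.10"
db_port    = "5432"          # PostgreSQL assumed; adjust for your DB engine

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Outbound NAT for every internal segment behind the single static IP
nat on $wan from { $lan:network, $dmz_proxy:network, $dmz_web:network, $dmz_db:network } to any -> ($wan)

# Inbound port forwards: only the three published ports, only into tier 1.
# The weak setting to avoid is a "DMZ host" style forward such as
#   rdr on $wan proto tcp from any to ($wan) port 1:65535 -> $proxy_host
# which exposes every listening service on the proxy box, not just the web ones.
rdr on $wan proto tcp from any to ($wan) port { 80, 443 } -> $proxy_host
rdr on $wan proto tcp from any to ($wan) port 25 -> $smtp_host

# Default deny, logged, so any gap in the rules below shows up in the firewall log
block log all
antispoof quick for { $wan, $lan, $dmz_proxy, $dmz_web, $dmz_db }

# No DMZ tier may initiate anything towards the LAN, regardless of later rules
block in quick on { $dmz_proxy, $dmz_web, $dmz_db } from any to $lan:network

# Internet -> tier 1 only (rdr has already rewritten the destination by the time filtering runs)
pass in on $wan proto tcp from any to $proxy_host port { 80, 443 } flags S/SA keep state
pass in on $wan proto tcp from any to $smtp_host port 25 flags S/SA keep state

# Tier 1 -> tier 2: the proxy talks only to the web host, only on 443
pass in on $dmz_proxy proto tcp from $proxy_host to $web_host port 443 flags S/SA keep state

# Tier 2 -> tier 3: the web host talks only to the DB host, only on the DB port
pass in on $dmz_web proto tcp from $web_host to $db_host port $db_port flags S/SA keep state

# Tiers 1 and 2 may fetch DNS and updates from the internet; tier 3 gets no outbound rule at all
pass in on { $dmz_proxy, $dmz_web } proto { tcp, udp } from any to ! <rfc1918> port { 53, 80, 443 } keep state

# Trusted LAN may reach everything; administrative access into the tiers comes from here
pass in on $lan from $lan:network to any keep state

# Let stateful replies and forwarded flows leave on the egress interface
pass out all keep state
```

On pfSense these rules would be entered as Port Forwards and per-interface Firewall Rules in the GUI rather than typed into pf.conf, but `pfctl -nf /path/to/file` will syntax-check the text above on any FreeBSD host. Two things worth checking once the DrayTek is in front: a plain port forward on the 3912 is destination NAT only, so pfSense and nginx still see the real client address in their logs (useful for the WAF and for fail2ban-style blocking), and because the default rule is `block log all`, the pfSense firewall log will show exactly which hop is dropping a test connection to 80/443/25 while the chain is being brought up.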