Church Firewall

I’m working on trying to create a capstone for my bachelor’s degree, and I am creating a project plan to build a network infrastructure at the new site that my church purchased. The existing 6,300 square foot building will be gutted and designed for the church with classrooms, and I’m working on trying to build an MDF in my plan. I was wondering what churches use for a firewall. At the moment the church is at about 120 in attendance weekly, but it is growing. I’m building it on paper with CAT6a, redundant switches, 10 gigabit switches and routers, 802.11ac WAPs, and network runs from the patch panel in the MDF to jacks in the walls.

I was also wondering if if would be better to run the network cables through conduit or use STP when fluorescent lights are nearby.

Any suggestions would be great. Are there any case studies out there for successful implementation in churches?

Thank you kindly,

I would installed shielded Cat6 throughout the building and try in run thru 1.5-2" conduit with pulls to major areas of the building so you can install more if needed in the future. Can you share your LAN/Network diagram as I’m not a network expert and could benefit from your knowledge in that area. Thanks! Jim Casazza North River Church of Christ in Marietta GA

A lot depends on budget, as with most things, but for our new campus I’m running Cat6a (non-shielded), using Aruba/HPE PoE switches (2530’s with 2 x SFP+), single mode fiber between switches, and a SonicWall TZ 400 for routing and edge security.

If this was an origin campus (meaning content originates at that location) I’d probably go with a minimum of a pair of NSA 2600’s for failover and future growth, but that would likely be massive overkill.

I’ve also gotten into the habit of putting enclosed racks in first, even for communications, because no matter how many “electrical no storage” signs you put up, MDFs seem to collect other people’s stuff. I recently used one of those Tripp Lite hinged wall-hanging racks and absolutely love it because I can fit a 48 port PoE switch in and still close the door with patch cables plugged in! :slight_smile:

Also be sure to include cable management and quality labeling supplies. Patch cables will typically outlast network switches and routers, so I’m a fan of keeping those things as tidy as possible on new deployments.

My overall thoughts on what you’ve proposed:

  • redundant switches: I love the idea but haven’t done that myself… most critical for me is having the same switch brand everywhere with compatible firmware so I can import/export configs if needed.
  • CAT6a: I’ve never used CAT6a but it is probably a good idea to start with what’s next. I’ve never used shielded network cable and haven’t had an issue, but obviously shielded would be awesome if budget allows (our last quote put shielded significantly more expensive… like 3x the price, but I need to look at other vendors)
  • 10 gigabit switches and routers: obviously 10GbE uplinks are critical, but I wouldn’t have 10GbE to the desk (which I don’t think you were saying), but this sounds great, I would add “PoE+” as a baseline, everything is PoE these days and I wish I hadn’t spent so much money on power bricks in the past…
  • 802.11ac WAPs: if budget allows, I’m happy with my Ruckus setup, but would also use a cloud-based ZoneDirector in future deployments. Otherwise, I hear current UniFi has gotten much better.
  • Network runs from patch panel to jacks: yes yes yes!
  • Network cables through conduit: we’ve always just used standard conduit without issue. For large runs that may contain tons of cable, we stick with open cable tray as long as there is drop ceiling along the way.

Really it sounds like you’re already there, but I thought I’d share our setup in case it helps fill in any details. Or, maybe if you’ve met me you’ll know you want to avoid stuff I do. :wink:

1 Like

We use SonicWall here but pfsense is really good if you are on a small budget. As for cabling, We use high quality cat6 unshielded and we’ve never ran shielded even if its going near fluorescent. We never generally run copper through conduit, we do run fiber through conduit assuming it doesnt have a thick shield already around it. We have redundant core switching but for distribution/access layer we’ve never had a reason to make them redundant. I think you are on the right track! My only recommendation would be to keep it simple and try not to overcomplicate it. Although you always want to strive for the best uptime and speed possible, you are not building out a datacenter or something super mission critical.


I am a huge fan of pfSense, but it really depends on your needs. Are you doing public Wi-Fi? Just for staff? If just staff, how many are there?

10Gbps is overkill for now, but it doesn’t hurt. I’d definitely put in the cable to be 10Gbps, but would probably just do 1Gbps switching/routing for now. The 10Gbps equipment still carries a very hefty premium, but will be easy to remove from a rack later (as opposed to ripping cables out of the walls and replacing them).

1 Like

I have to agree with @computer_freak_8. 10Gbps switches are going to be out of the price range for a church with 120 weekly attendance, and very much overkill. I would say that a decent layer 3 core switch has helped our small church. Scrap the idea of redundant switches entirely.

The other thing that you don’t mention is ongoing mgmt of the network. Are the trustees going to take care of it or will you? Either way, you’re going to want something easily manageable. Like @OneSeventeen said, I’d keep it all the same brand where you can. Ubiquiti has switches and APs that all tie into UniFi and make management and deployment so much easier and allow you to tie into a cloud controller later. They are affordable considering what you get. Ubiquiti doesn’t have great UTMs yet with content filtering and malware blocking, so a lot of smaller churches will still go with SonicWALL or they will take advantage of Cisco’s ASA discounts provided for churches through TechSoup (if it’s available to them, see below).

How many switches do you need? We have two servers (we also have a RPi for monitoring and a PBX, but I don’t really count those), we’re running VoIP and IP Cameras, desktops, APs, and network drops to each classroom. Our space is larger than yours and we get by on two 48 ports switches in our main closet and an additional 24 port PoE+ (of which we have 5 or 6 ports used) at the front of our building for cameras and APs.

My 2¢: Honestly, for your capstone, it may be better for you to design a hypothetical campus network with several buildings on a main campus and one remote campus that’s a single building or something. It sounds like what you’re designing won’t help the church you’ve selected, but rather send them into massive, unnessaccary debt.

If you’re set on this church being the subject of your capstone, I recommend getting a better feel for both what they need and what they can afford. Network design is never about getting the best possible everything for anything of any size regardless of cost, but rather balancing a budget against needs and wants, and designing a network that affords elasticity, manageability, and upgradability. Hopefully your professor agrees that a large and complex network diagram with all the bells and whistles is less valuable than a real world implementation with a budget and needs that are being met creatively within that budget. Good luck!

1 Like

I thought the ASA discount through Tech Soup specifically excludes religious organizations?

I’ve had a few friends from other churches get several things from Cisco before. Never an ASA, but I imagine the policy is the same. Maybe they didn’t know better, and Cisco didn’t do their homework? I could check, I suppose.

Ineligible: The following organization types are not eligible to receive donations through this program.
Religious organizations without a secular community designation. To have a secular designation, an organization must provide services to people regardless of their religious beliefs and must not propagate a belief in a specific faith. It must also have a tax ID (EIN) separate from that of the church or religious organization.

That probably explains it, one has a pre-school (like ours) that is also 501(c)(3) and the other runs a food shelf/donation center thing that’s the same.

So, that route is open if the church offers any services like that to the community.

If you really need a UTM then Sophos or Untangle will probably be more than enough but you should set aside 50 bucks a month or so in licensing fees. That being said, I wouldn’t bother with a UTM right now unless they have some service running on-site that would really call for it (like if some elder insists on having on-premise Exchange or something weird like that). If just firewall capabilities are needed then I’d do (and have running in several churches ranging up into the 60 staff realm) Ubiquiti Unfi stacks.

My take is that the network is currently being over-engineered for a small church, it still won’t be right-sized for them even by the time they quadruple membership so you’d be doing them somewhat of a disservice if you implemented all of that today. If you can get SFP+ on the switches that’s great but I wouldn’t sweat 10 Gbps right now. You would be surprised how little a network gets used in a small or even moderate sized church 99% of the time.

Finally, I would add that whatever you put in place needs to be able to be supported at a cost-effective rate within a budget and be able to be replaced in a reasonable hardware refresh lifecycle. This can be hard to do well without some experience and I see young IT guys cause significant problems and frustrations for churches down the road when they aren’t cautious here. Think in terms of “hey, even if I would support this right now for free to bless my church, if I got hit by a bus tonight or got called away to missions in Indonesia, would this be affordably supported by an IT expert/managed service provider/volunteer/etc.?”


Our school moved this summer, and I had to build out network, wireless, phone, and security.
We did the following:

  • Standard Cat6 plenum rated. A good balance of speed and affordability. Plenum rated may be required by your fire code, since areas above ceiling tile are often used for cold air return.
  • Cisco SG-300 POE switches
  • Multimode fiber run between MDF and an IDF. Cat5/6 should not have runs longer than 100 meters. We often use 300’ as a safe cushion. Single mode fiber is not normally used for building infrastructure.
  • Color coded wiring, patchbay jacks, and patch cables: white-phones, blue-network, green-wifi, yellow-security cameras. Red is reserved for fire alarms, the architect also recommended avoiding orange.
  • Routine network lines normally do not need conduit. We did have 3" conduit installed through walls for routing of cables. You will be surprised how fast that fills up.
  • IMPORTANT: You will need J-hooks to lay network lines across as you run them down hallways. Plenum rated network cabling is easily kinked and damaged by pinching. Good J-hooks are curved to avoid bends that are too sharp.
  • We use a SonicWall TZ400 for the school. The key with the firewall is bandwidth capacity, but also processor, since the firewall handles significant functionality, which can include filtering, failover to mulitple ISP, DHCP, routing between VLANS, etc. Be sure to include the security subscription, since it offers filtering and other protections.
1 Like

Literally the only thing I would change is using the TZ400 for layer 3 switching (aka routing between vlans). We had IP Cameras on a different subnet and when all the traffic had to go through our TZ400 to get to the DVR, it killed our network. I got a decent layer 3 switch and set it up to take care of all that and the standing utilization on the TZ is down 90% at least, and the switch is hardly phased by it.

Especially since the SG300 is a layer 3 switch that’s quite powerful. I’d also have used Singlemode fiber. We’re nearing the useful lifespan of Multimode (it looks unlikely we will see beyond 10GBit over MM without new specs, where SM is passing 400G and has added flexibility via frequency multiplexing).

Yeah, I’m hearing network guys advocate single mode getting run within buildings more and more often because of the limits on the cables themselves; furthermore, relatively cheap single-mode modules are popping up as well so I agree that multimode may not be deployed too much longer. The more I look at it, the more I realize that I may very well be running single mode the next time I have to do a backbone.

We do use the TZ400 for routing between VLANS, but most of that is to connect to relevant management interfaces. All security devices and DVR are on same VLAN, phones on that VLAN, etc, so very little traffic actually needs routed.

  • Greg

I know this is a little late to the party, but a few things to consider.

  1. As to your question of STP vs. Conduit, you’ll need to consider if the air space above the lights where the cable will be running is a return air system (open with no duct work). If it is you will need to have plenum cable if it is not in a conduit.
  2. One option for your firewall is a free solution called Untangle NG firewall. It provides many solutions that will fill many of the rolls you need.