Best practices for firewall placement

Hi there,
After I replaced my pfSense machine with IPFire, I see it's time to redesign my firewall placement,
so I see this as a nice place to ask what the best firewall placement in a DC is. My network is as shown:
1- The WAN side has 3 internet connections, each one 100 Mbits, coming from my ISP.
2- Core router: MikroTik CCR2004 for load balancing and some NAT work.
3- The server side has a MikroTik CCR1009 router for routing and tunnel purposes.
4- The client side has a MikroTik CCR1009 router for CAPsMAN (MikroTik wireless management) and PCQ queues.

I need two firewalls: one for the server side, to block all traffic from the client side except port 443 for and port 1812 and 1813 for and port 53 and ICMP for

Client side: for location blocking, a transparent proxy and some rule filters.

My thought:
core router → server firewall (ipfire) → server-router → server-switch (L2)
core router → clients firewall (ipfire) → clients-router → clients-switch

It would be nice to see any suggestions.
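
The server-side allow-list from the post above, written out as a default-deny forwarding ruleset; this is an added example, not part of the original post. The two subnets are placeholders, and the TCP/UDP assignments are the standard ones for HTTPS, RADIUS and DNS, since the post lists only port numbers.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset for the server-side firewall.
# CLIENT_NET and SERVER_NET are placeholder documentation ranges (assumptions).
CLIENT_NET="${CLIENT_NET:-198.51.100.0/24}"
SERVER_NET="${SERVER_NET:-192.0.2.0/24}"

# Ports come from the post; protocols are the usual ones (assumption):
# 443 HTTPS over TCP, 1812/1813 RADIUS over UDP, 53 DNS over UDP and TCP.
ALLOW="tcp/443 udp/1812 udp/1813 udp/53 tcp/53"

gen_rules() {
    echo "*filter"
    # Default policy DROP: anything not matched below never reaches the servers.
    echo ":FORWARD DROP [0:0]"
    # Replies to flows that were already admitted, in either direction.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # One rule per allowed service, new connections from clients to servers only.
    for entry in $ALLOW; do
        proto=${entry%/*}
        port=${entry#*/}
        echo "-A FORWARD -s $CLIENT_NET -d $SERVER_NET -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # ICMP as listed in the post; --icmp-type can narrow this further.
    echo "-A FORWARD -s $CLIENT_NET -d $SERVER_NET -p icmp -j ACCEPT"
    # Log what the allow-list rejected before dropping it, so blocked
    # client traffic is visible when tuning the rules.
    echo "-A FORWARD -s $CLIENT_NET -d $SERVER_NET -j LOG --log-prefix \"clients->servers drop: \""
    echo "-A FORWARD -s $CLIENT_NET -d $SERVER_NET -j DROP"
    echo "COMMIT"
}

gen_rules
```

The output is in `iptables-restore` format, and `iptables-restore --test` parses it without committing anything. Loading it for real flushes the existing filter table, so on a managed firewall such as IPFire the same entries belong in its own rule configuration instead.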


By server do you mean your cloud VMs/machines?
The arrangement that you have in mind is already good if you ask me, but the mileage depends on how strong each particular machine is.

For example, if your core router's processing power is much less than your firewall's, then you really should prefer to put your firewall at the edge, so that the firewall already reduces the amount of packets that your core router needs to process and effectively saves precious CPU cycles, especially when we're talking about machines that are below the 3.0 GHz processing line.

That said, you did mention that the core router is there for load balancing so it may be that your core router is pretty beefed up and you won’t have to worry about having the core router perform the basic firewall functionalities to trim down the traffic by dropping unnecessary packets.