For the last few years we've been using a Sonicwall PRO 2040 firewall in a relatively small hosting environment. But we want to upgrade to a faster box which also supports IPv6, and preferably we'd like to stay with Sonicwall (as it has served us well over the years) and upgrade to a NSA 2400.
All this time we have run this firewall in so-called 'transparent mode'. This way the firewall is completely transparent to the network (i.e. servers) behind the firewall, but the firewall still protects the network. Servers that are behind the firewall are configured as if the firewall is not there, e.g. the gateway address is that of a router outside of the firewall. This, in combination with VLANs (*), allows us to host each server separately from the others in the most transparent way to the customers.
(*) Explanation: On the firewall, we have created virtual interfaces for each server and tagged each with a VLAN. All these virtual interfaces use a single physical interface which is connected to a switch. This switch is configured with these VLANs as well and separates all traffic into individual physical ports. E.g. traffic for VLAN 5 only goes to physical port 5, traffic for VLAN 8 only goes to physical port 8, etc. The only common port is the port to which the firewall is connected. This ensures that the servers cannot communicate with each other directly, only through the firewall, even though they are in the same IP network space.
Now that we are moving to a new IP address space and also want to support IPv6, we are rethinking our solution. One reason for that is that transparent mode support for IPv6 seems to be very rare or non-existent. So if we want to support IPv6 we have to use routed mode. With this, all kinds of questions pop up, and hopefully someone can help me with some opinions and/or answers.
Is routed or transparent mode used more commonly for IPv4?
Can we use transparent mode on IPv4 and use routed mode on IPv6 or do we have to use routed mode on IPv4 as well?
Using routed mode, if our IP range is X.X.X.0/26 (i.e. 64 consecutive IP addresses) and the data center gateway we have to use is X.X.X.1, do we then put the WAN of the firewall on X.X.X.2 and the internal port on X.X.X.3 and then configure the servers to use X.X.X.3 as the gateway address?
Is it correct that in routed mode the firewall always needs a minimum of two IP addresses (for the internal and external interfaces), while in transparent mode the firewall only needs a single IP address (WAN)?
Will we still be able to separate all servers by putting them all into their own VLAN, requiring all traffic between the servers to pass through the firewall? If so, what will the subnet mask have to be? I.e. what we don't want to do is put each server into its own IP network segment, as this would cost us 4 IP addresses per server (network, broadcast, gateway and the server itself).
Are there any advantages to using routed mode over transparent mode? Or the other way around?
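As an added illustration (not part of the original question) of the address arithmetic behind the routed-mode questions above, this script uses Python's ipaddress module to compare a flat /26 behind the firewall (isolation from per-server VLANs) with carving the same /26 into one subnet per server. The 192.0.2.0/26 block is a constructed stand-in for X.X.X.0/26; the data-center gateway at .1, firewall WAN at .2 and firewall LAN at .3 follow the layout proposed in the post.

```python
import ipaddress

# Constructed sample block standing in for the X.X.X.0/26 in the post
# (RFC 5737 documentation space, not a real assignment).
BLOCK = ipaddress.ip_network("192.0.2.0/26")


def flat_layout(block, dc_gateway_offset=1, wan_offset=2, lan_offset=3):
    """Routed mode, all servers in one subnet behind the firewall's LAN side.

    Fixed costs: network and broadcast address, the data-center router,
    the firewall's WAN address and the firewall's LAN address (which the
    servers use as their gateway). Server-to-server isolation then has to
    come from per-server VLANs on the firewall, not from IP subnetting.
    """
    base = block.network_address
    reserved = {base + dc_gateway_offset, base + wan_offset, base + lan_offset}
    servers = [h for h in block.hosts() if h not in reserved]  # hosts() drops net/bcast
    return {
        "server_gateway": str(base + lan_offset),
        "server_addresses": len(servers),
        "first_server": str(servers[0]),
        "last_server": str(servers[-1]),
    }


def per_server_subnets(block, new_prefix):
    """Routed mode, one subnet per server, each with its own gateway address.

    Every subnet spends network, broadcast and gateway; the remainder is
    left for servers. A /30 therefore costs 4 addresses per server.
    (Simplification: the firewall's own WAN uplink address is not charged here.)
    """
    subnets = list(block.subnets(new_prefix=new_prefix))
    per_subnet = subnets[0].num_addresses - 3
    return {
        "subnets": len(subnets),
        "addresses_per_subnet": subnets[0].num_addresses,
        "servers_per_subnet": per_subnet,
        "total_servers": per_subnet * len(subnets),
    }


if __name__ == "__main__":
    print("flat /26 + VLANs:", flat_layout(BLOCK))
    for prefix in (30, 29, 28):
        print(f"/{prefix} per server:", per_server_subnets(BLOCK, prefix))
```

Running it shows the trade-off the post worries about: the flat layout leaves 59 addresses for servers, while one /30 per server leaves only 16 servers in the whole /26.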