Netgate Discussion Forum

Multi-Gateway rather than multi-wan

Category: Routing and Multi WAN
9 Posts, 4 Posters, 571 Views
    atevet, May 20, 2024, 5:01 AM (last edited by atevet May 20, 2024, 5:46 AM)

    Hi all,
    I have a 4-port pfsense device and a pretty simple flat network.
    I want to set up multiple gateways on the network and have different devices connect to different gateways that will have different configurations on them.
    NOTE: only a single WAN link

    WHY? you might ask...

    I have kids who are coming of age for using devices... the simple answer...

    so essentially I have everyone on the same network. I want to configure two nics on the pfsense to have 2 different IP addresses - let's say 192.168.1.1 and 192.168.1.2 and then assign IP addresses to kids devices that will have .2 as a gateway and have more restrictions and filters in place for what they can access through .2 as opposed to having pretty open access on .1

    I have an unmanaged switch so without buying a new switch I don't have vlan options...

    there is no need for kids' devices to access any other devices on the network.

    It seems like a pretty simple ask...

    Just to add - the kids' devices are wireless and while my UniFi APs can handle VLANs - again I don't actually have a managed switch at this point so would prefer not to spend more.

    also open to creative solutions - like what if I run 2 x /25 instead of a /24 and then have the kids on one network and the adults on the other... would that need VLANs?

      The Party of Hell No, replying to @atevet, May 20, 2024, 5:05 PM

      @atevet
      I think to create new gateways you have to have a service like a VPN to go out to. However, instead of setting up a separate gateway you might first investigate whether your ISP offers a filter service for your children's traffic... the problem is they will filter your traffic also.

      You could install pfBlockerNG and use it to strictly filter/restrict your kids' LAN and still have everything going out the WAN.

      Or purchase a VPN service; however, I would reverse the usage. I would suggest your traffic go out the VPN service and theirs go out the WAN, since you will have the ISP to back up your restrictions and filters, i.e. a call from your ISP about such and such movie being downloaded illegally at your IP.

        atevet, replying to @atevet, May 22, 2024, 11:00 PM

        @atevet so far I've put in the new device and turned it on. At this point I think I'll be able to manage everything using a single network, statically assigned IPs for the kids' machines, and rules that manage content for those. I'm new to this but the journey has started :)
        I've also installed pfBlockerNG, Snort, and some monitoring plugins... how bad could it be lol

          SteveITS (Galactic Empire), replying to @atevet, May 23, 2024, 12:36 AM

          @atevet Seems like a recipe for asymmetric routing. Why not just separate the two using two subnets?

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

            atevet, replying to @SteveITS, May 25, 2024, 10:27 AM

            @SteveITS interesting - but if I have dedicated wifi access points (the Ubiquiti devices) won't I need VLANs to manage two networks? I already have two different SSIDs - one for the kids - if the networks are going to be split and the UAP is on network 1, for example, would it still be able to serve requests on network 2?

              coxhaus, replying to @atevet, May 25, 2024, 12:14 PM (last edited by coxhaus May 25, 2024, 12:51 PM)

              @atevet
              I am not sure you want to use 2 different NICs for LAN on the pfSense side. If you cross networks then you will have slow bridging. It is best to have WAN or WANs and 1 LAN for your firewall.

              In the Cisco world you just add a second IP address on the 1 interface and run 2 networks off the same interface (Ethernet port), so 1 NIC. You don't need multiple ports. If you want to route fast then that is what a layer 3 switch was built for. If you have a really fast CPU and a low traffic load then you can get away with using a router. At some point you cross a line where a layer 3 switch will be faster.

              I run multiple gateways using a layer 3 switch. All my local routing is performed by my Cisco layer 3 switch. It can route all my networks at wire speed. Then my layer 3 switch routes all traffic to pfsense as it is the default route. My gateways all point to my layer 3 switch.

                The Party of Hell No, replying to @atevet, May 25, 2024, 2:11 PM
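The exchange above (the OP's two-gateways-on-one-/24 plan and the 2 x /25 idea, SteveITS's asymmetric-routing warning, and coxhaus's second-IP-on-one-interface approach) comes down to one question: for a given flow on a single unmanaged switch, does a host hand the packet to a gateway at all, or does it ARP for the destination directly? The following is an added example, not code from the thread or from pfSense; it only models the host-side forwarding decision, using the thread's 192.168.1.0/24 layout with made-up hosts (the gateway address 192.168.1.129 for the upper /25 and the WAN address 203.0.113.10 are assumptions). It says nothing about how pfSense itself behaves with two interfaces in one subnet.

```python
"""Which traffic a gateway on a flat (single-switch) network actually sees.

Constructed example: the hosts and addresses below are made up to match the
thread's 192.168.1.0/24 layout. Nothing here is pfSense configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass(frozen=True)
class Host:
    name: str
    iface: IPv4Interface      # address + mask as configured on the host itself
    gateway: IPv4Address


def next_hop(src: Host, dst: IPv4Address) -> str:
    """Return 'direct' if src ARPs for dst on the shared wire, else the gateway.

    A host consults only its own mask. If dst falls inside src's configured
    prefix, the frame goes straight to dst's MAC and no router (and no
    firewall rule on that router) is in the path.
    """
    if dst in src.iface.network:
        return "direct"
    return str(src.gateway)


def flow_path(a: Host, b: Host) -> dict:
    """Forward and return next hops for a flow a -> b.

    'firewall_sees_both_directions' is True only when both hosts route the
    flow through their gateway; 'symmetric' is False when one side goes
    direct and the other side goes via the router (asymmetric routing).
    """
    fwd = next_hop(a, b.iface.ip)
    rev = next_hop(b, a.iface.ip)
    return {
        "forward": fwd,
        "return": rev,
        "firewall_sees_both_directions": fwd != "direct" and rev != "direct",
        "symmetric": (fwd == "direct") == (rev == "direct"),
    }


# Scenario 1: the original plan, one /24 with two gateway addresses (.1 and .2).
adult_24 = Host("adult-laptop", IPv4Interface("192.168.1.10/24"), IPv4Address("192.168.1.1"))
kid_24 = Host("kid-tablet", IPv4Interface("192.168.1.130/24"), IPv4Address("192.168.1.2"))

# Scenario 2: the same wire split into two /25s; the router holds .1 and .129 (assumed).
adult_25 = Host("adult-laptop", IPv4Interface("192.168.1.10/25"), IPv4Address("192.168.1.1"))
kid_25 = Host("kid-tablet", IPv4Interface("192.168.1.130/25"), IPv4Address("192.168.1.129"))

# Scenario 3: two /25s on paper, but the kid's device has been given a /24 mask.
kid_25_widened = Host("kid-tablet", IPv4Interface("192.168.1.130/24"), IPv4Address("192.168.1.129"))

INTERNET = IPv4Address("203.0.113.10")   # documentation address standing in for any WAN host


def scenarios() -> dict:
    return {
        "one_/24_two_gateways": flow_path(kid_24, adult_24),
        "two_/25s": flow_path(kid_25, adult_25),
        "two_/25s_kid_mask_widened": flow_path(kid_25_widened, adult_25),
        "kid_to_internet_/24": next_hop(kid_24, INTERNET),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Scenario 1 shows why the "kids need no access to other devices" goal cannot be met by rules on the .2 gateway: kid-to-adult traffic never leaves the switch, so only internet-bound traffic is filtered. Scenario 2 puts LAN-to-LAN traffic through the router, but scenario 3 is the caveat: on a shared wire the separation is enforced by the client's own netmask, and widening it makes the forward path direct while the return path still goes via the router, which is exactly the asymmetric routing SteveITS warns about. A managed switch with VLANs (which the UniFi APs already support) is what removes that dependency on client configuration.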

                @atevet
                What have you decided on your setup? Is it working the way you want?

                  atevet, May 31, 2024, 1:19 AM

                  So far I've got the single network set up with static addresses for most devices and some others using DHCP.
                  I've created a grouping - for example KIDSDevices - so I can use single rules to apply to them.
                  I did start going down the proxy path with the Squid packages - I thought at least if I can send the kids' traffic via the proxy I'd be able to get a better view of what's being accessed and then block as needed. However, I also found out that the Squid packages are being deprecated, so there's probably no point going down that path and having to come up with a new solution later on, right?
                  I think it would have been doable to force the kids down the proxy path while keeping access open for everything else.
                  So right now I still don't have a good way to view what's being accessed nor a way to block.
                  I've put in ntopng to try and get some visibility but I don't think it necessarily provides enough data or an easy way to view it (not an expert here).
                  I'm also considering putting in external log analysis, but that's also not my forte.

                    The Party of Hell No, replying to @atevet, Jun 1, 2024, 1:26 PM

                    @atevet
                    What you are doing sounds good. Yes, you should be cautious building your networking around packages which are planned to be deprecated.

                    The package pfBlockerNG > DNSBL > DNSBL Category has two lists - shallalist (wrong, shallalist is no longer online) and UT1 - which give quite extensive choices to block content without having to do a lot of investigation.
                    Also: pfBlockerNG in Python mode has an (imho oddly named) Python Group Policy section to exclude IPs from DNSBL, allowing the adult devices to go around the above lists.

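The DNSBL-with-bypass setup described in the last post rests on two lookups (does the queried name fall under a listed zone, and is the querying device exempt) plus one precondition a practitioner should verify: the device must actually send its DNS to the firewall. The block below is an added toy model of that policy, not pfBlockerNG's code; the domains, categories, the sinkhole address 10.10.10.1 and the bypass addresses are constructed, and treating 192.168.1.1 as the firewall's resolver is an assumption.

```python
"""Toy model of DNS category blocking with a per-client bypass list.

Constructed example, not pfBlockerNG's implementation. It illustrates the
suffix match a DNSBL performs on the queried name, the source-address
exemption a "group policy" bypass provides, and the gap when a client does
not use the firewall's resolver at all.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Set

FIREWALL_RESOLVER = ip_address("192.168.1.1")   # assumed: the pfSense resolver address
SINKHOLE = "10.10.10.1"                          # assumed: answer returned for blocked names

# Constructed category list; names are examples, not entries from any real list.
BLOCKLIST: Dict[str, Set[str]] = {
    "adult": {"example-adult.test"},
    "gambling": {"bets.example"},
}

# Assumed bypass policy: these source addresses skip DNSBL entirely.
BYPASS = [ip_network("192.168.1.10/32"), ip_network("192.168.1.0/28")]


def blocked_category(qname: str, blocklist: Dict[str, Set[str]]) -> Optional[str]:
    """Suffix match: a listed zone blocks itself and every label beneath it.

    'www.example-adult.test' is tested as itself, then 'example-adult.test',
    then 'test'. A lookalike such as 'notexample-adult.test' does not match,
    because matching is on whole labels, not substrings.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, zones in blocklist.items():
            if candidate in zones:
                return category
    return None


def resolve(client: str, qname: str, resolver: str,
            blocklist: Dict[str, Set[str]] = BLOCKLIST,
            bypass: Iterable = BYPASS) -> dict:
    """Decide what happens to one DNS query from `client` for `qname`."""
    client_ip, resolver_ip = ip_address(client), ip_address(resolver)
    if resolver_ip != FIREWALL_RESOLVER:
        # A hard-coded public resolver, or DoH inside the browser, never
        # reaches the DNSBL; only a firewall rule on port 53/853 can stop this.
        return {"action": "not_enforced", "reason": "query bypassed the firewall resolver"}
    if any(client_ip in net for net in bypass):
        return {"action": "forward", "reason": "client in bypass list"}
    category = blocked_category(qname, blocklist)
    if category is not None:
        return {"action": "sinkhole", "answer": SINKHOLE, "category": category}
    return {"action": "forward", "reason": "not listed"}


if __name__ == "__main__":
    print(resolve("192.168.1.130", "www.example-adult.test", "192.168.1.1"))
    print(resolve("192.168.1.10", "www.example-adult.test", "192.168.1.1"))
    print(resolve("192.168.1.130", "www.example-adult.test", "8.8.8.8"))
```

The third case is the one to check on the kids' devices: the KIDSDevices alias the OP already created is the natural place for a rule that allows DNS only to the firewall, because a DNSBL cannot act on queries it never receives.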
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.