Netgate Discussion Forum

Network advice

Problems Installing or Upgrading pfSense Software
13 Posts 2 Posters 4.9k Views
cadtiagof

      1. What do you mean by "access control"

      Restrict internet access.

2. Yes if you bridge the interfaces, but I'd then question why you're separating them physically.  Note that you'll need a much higher specification host than otherwise as all broadcasts as well as LAN b to c traffic will transit the pfSense host.  There's probably a smarter way to do that.

This was not a question. Since I don't have an access point, I'm thinking of using my ISP wireless router with the network cable on the LAN side.

3. That's just firewall rules, but makes me wonder even more why you're separating them physically

I don't know if this is the best way. I might have some shares on LAN a with no password. I thought that this was a way to give them some protection.

Cry Havok

        1. In general yes, but your question is still too general (are you talking about restricting all protocols, just HTTP, what)

        2. You can still link the wireless router to the same physical network as the other wired devices - I do just that.  Bridging has a performance impact.

3. Protection from what?  If you don't trust the users on network (c) that much I'd repeat my recommendation that you put all desktops on their own network and all servers on another.  Note that you really, really, really shouldn't have shares without any security if you don't 100% trust every user who may ever have access to your network and have robust anti-malware protection in place.

cadtiagof

          1. In general yes, but your question is still too general (are you talking about restricting all protocols, just HTTP, what)

For now I was thinking of HTTP and P2P.

2. You can still link the wireless router to the same physical network as the other wired devices - I do just that.  Bridging has a performance impact.

          That was my idea. Sorry if I was confusing you.

3. Protection from what?  If you don't trust the users on network (c) that much I'd repeat my recommendation that you put all desktops on their own network and all servers on another.  Note that you really, really, really shouldn't have shares without any security if you don't 100% trust every user who may ever have access to your network and have robust anti-malware protection in place.

This is a store where I have the office PCs and software, but I sell LCDs, and the new ones have WiFi. By providing internet for those devices I don't want to compromise my office network.

Cry Havok

            1. HTTP is easy - Squid and Squidguard or a similar solution.  P2P is very hard and there is no simple solution.  Blocking all outbound ports by default and only opening those required (and ideally forcing all clients to connect through a proxy) will go a long way to stopping it.

            2. In that case I'd strongly recommend you have one (physical) network for the office network and another for the "customer" zone (with WiFi).  The "customer" network should be filtered off from everything but DHCP, DNS and the proxy server.

cadtiagof

1. HTTP is easy - Squid and Squidguard or a similar solution.  P2P is very hard and there is no simple solution.  Blocking all outbound ports by default and only opening those required (and ideally forcing all clients to connect through a proxy) will go a long way to stopping it.

P2P is not a very important matter; if I make it a bit harder for the user, it's enough for now.
I'm thinking of using Squid and forcing the use of the proxy. Which authentication method would you use? Captive Portal, local to Squid, RADIUS?

              The "customer" network should be filtered off from everything but DHCP, DNS and the proxy server.

What do you mean by "filtered off"?

2. In that case I'd strongly recommend you have one (physical) network for the office network and another for the "customer" zone (with WiFi).

In which network would you put the Web Server, VoIP and Print Server?

Cry Havok

                1. From the office side I'd say simply forcing Squid should be enough, you can look at the Squid and DHCP logs to find anybody wasting time.  On the "customer" side that's up to you - Squid with authentication or Captive Portal.

                2. Only able to access the DHCP, DNS and proxy services on the pfSense interface.

3. As I said at the start, I'd put the Web Server in a DMZ and VOIP ideally in its own network.  If the print server needs to be accessed from both networks then put it in the DMZ too.  Very simply - the "customer" network should have no access to anything on the "office" network and the "office" network shouldn't access anything on the "customer" network.  Put all shared services on a shared network.

cadtiagof

So, you would create 4 LANs:

a) office;
b) customers;
c) DMZ - Web/Mail Servers, Print Servers;
d) VoIP.

Will Squid work on the customers and office LANs at the same time, or do I have to put it on another machine?

                  Thanks for your help and time. ;)

Cry Havok

                    Yes - that's the best from a security perspective IMO.

                    Squid will work on multiple interfaces.  You can configure authentication to be required and then have one (or more) networks whitelisted so they don't have to authenticate.

cadtiagof
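The filtering Cry Havok describes (each segment allowed only DHCP, DNS and the proxy on the pfSense interface itself; office and customer zones isolated from each other; shared services in a DMZ; VoIP on its own) spelled out as one ruleset. This is an added example, not from the thread or from Netgate; it is written in pf.conf syntax, which is what pfSense compiles its GUI rules into (/tmp/rules.debug), so each line maps to one rule in the GUI. The interface names, subnets, server addresses, the Squid port (3128), the OpenVPN port (1194) and the VoIP provider ports are all assumptions to be replaced with your own.

```pf
# Added example, not the thread's or pfSense's own configuration. Interface
# names, addresses and ports below are assumptions for illustration.

wan       = "em0"
office    = "em1"     # a) office PCs
customers = "em2"     # b) customer WiFi (ISP router's LAN port plugged in here)
dmz       = "em3"     # c) web/mail/print servers
voip      = "em4"     # d) phones
vpn       = "ovpns1"  # OpenVPN server tunnel (pfSense naming, assumed)

office_net    = "192.168.10.0/24"
customers_net = "192.168.20.0/24"
dmz_net       = "192.168.30.0/24"
voip_net      = "192.168.40.0/24"
vpn_net       = "10.8.0.0/24"
office_gw     = "192.168.10.1"   # pfSense address on each segment
customers_gw  = "192.168.20.1"
dmz_gw        = "192.168.30.1"
voip_gw       = "192.168.40.1"
web_srv       = "192.168.30.10"  # assumed DMZ web server
sip_provider  = "203.0.113.5"    # assumed VoIP provider
proxy_port    = "3128"           # Squid listening on the pfSense interfaces

set skip on lo0
block log all        # default deny on every interface; only "pass" below opens anything

# Filtering is done where traffic enters. Once a packet has been passed in,
# let it leave on whichever interface routes it (pfSense does the same).
pass out quick all

# DHCP and DNS: every segment talks only to the pfSense address on its own
# interface, so no client can reach another segment's DHCP or an outside DNS.
pass in quick on $office    proto udp from any port 68 to { 255.255.255.255 $office_gw }    port 67
pass in quick on $customers proto udp from any port 68 to { 255.255.255.255 $customers_gw } port 67
pass in quick on $dmz       proto udp from any port 68 to { 255.255.255.255 $dmz_gw }       port 67
pass in quick on $voip      proto udp from any port 68 to { 255.255.255.255 $voip_gw }      port 67
pass in quick on $office    proto { tcp udp } from $office_net    to $office_gw    port 53
pass in quick on $customers proto { tcp udp } from $customers_net to $customers_gw port 53
pass in quick on $dmz       proto { tcp udp } from $dmz_net       to $dmz_gw       port 53
pass in quick on $voip      proto { tcp udp } from $voip_net      to $voip_gw      port 53

# b) customer zone: DHCP, DNS (above) and the proxy, nothing else. There is no
# direct 80/443 to the internet, so browsing only works through Squid, and
# nothing below matches the office, DMZ or VoIP segments as a destination.
pass in quick on $customers proto tcp from $customers_net to $customers_gw port $proxy_port

# a) office zone: web GUI/SSH for administration, the proxy, and the shared
# services in the DMZ. The explicit block keeps any later, broader pass rule
# from opening customer or VoIP access by mistake.
pass  in quick on $office proto tcp from $office_net to $office_gw port { 22 443 }
pass  in quick on $office proto tcp from $office_net to $office_gw port $proxy_port
block in quick on $office from $office_net to { $customers_net $voip_net }
pass  in quick on $office proto tcp from $office_net to $dmz_net port { 80 443 25 143 445 631 9100 }

# c) DMZ: servers must never initiate into the internal segments; outbound
# only what they need (updates, mail delivery).
block in quick on $dmz from $dmz_net to { $office_net $customers_net $voip_net }
pass  in quick on $dmz proto tcp from $dmz_net to any port { 80 443 25 }

# d) VoIP: phones reach the provider directly (signalling and media ports are
# the provider's; assumed here) and nothing internal.
block in quick on $voip from $voip_net to { $office_net $customers_net $dmz_net }
pass  in quick on $voip proto udp from $voip_net to $sip_provider port { 5060 10000:20000 }

# WAN: the only published services are the VPN and the DMZ web server (its
# rdr NAT entry is assumed to exist). RDP is never exposed to the internet or
# to the customer zone; it is reached through the tunnel.
pass in quick on $wan proto udp from any to ($wan) port 1194
pass in quick on $wan proto tcp from any to $web_srv port { 80 443 }

# VPN users get the rights of an office desktop plus RDP into it, nothing more.
block in quick on $vpn from $vpn_net to { $customers_net $voip_net }
pass  in quick on $vpn proto tcp from $vpn_net to $office_net port 3389
pass  in quick on $vpn from $vpn_net to $dmz_net
```

Two practical notes. First, the ISP router must be attached to the customer segment by its LAN port, as discussed above; if its WAN port were used, every customer device would appear to pfSense as the router's single address and the per-client DHCP and Squid logs Cry Havok relies on would be useless. Second, the office whitelist Cry Havok mentions for Squid is an ordering of `http_access` lines: an `http_access allow` for the office source ACL placed before the line that requires a `proxy_auth REQUIRED` ACL, so office hosts pass without credentials while customer hosts must authenticate.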

                      One last question.

If I, for some reason (working from another place, …), need to access one of my office PCs or the Database Server from the Internet or from the WiFi network, how should I do it?

Cry Havok

                        Done "right" I'd recommend the use of a VPN (OpenVPN, IPsec or PPTP), then you can run anything (such as RDP, Remote Desktop Protocol) and have whatever access you want.

                        As a fallback you could simply run RDP without a VPN, but that would require exposing RDP on every host on all networks to the untrusted one, which I'd not recommend.

cadtiagof

                          I'll try the VPN.

If the wiki isn't enough, I'll come back to the forum.

                          ;D

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.