How to split LAN into two? - Jikjik101's network
-
If you think that you will have more separate LANs, then a manageable switch pays off via multiple VLANs.
But other than that it is a matter of flavour: whichever you prefer more.
-
Would it not be possible, theoretically, to use VLANs without a switch if all the LAN clients support VLAN tagging directly?
I realise it would not provide much by way of security and that it may be completely impractical if you have lots of clients. It would also rely on you trusting the client computers.
However if you need to separate the traffic for some reason other than security this might be possible. I've never tried this but I'd be interested in your thoughts. :)
Steve
-
Hmm, I've never seen this in action. So does this mean that I don't trust people/client machines?!?
-
@metu: is the manageable switch alone enough to create a VLAN? I'm talking about hardware requirements. So from my pfSense box -> manageable switch -> different VLANs?
@stephen: sorry but I don't understand what you are saying. If I have a VLAN-capable client, can I separate this client from the others in my LAN directly? And this client is the one who controls/manages the VLAN and not me? What if I have 3 VLAN-capable clients, how are they going to communicate? Thinking about VLANs alone makes my head ache. :-[
My current situation: I have one LAN composed of Group A (staff) and Group B (guests). My LAN has a file server which Group B should not have access to, for confidentiality reasons. I read that I cannot filter traffic coming in and out on the same interface. But I need to restrict Group B from accessing the file server. The question is how?
-
@metu: is the manageable switch alone enough to create a VLAN? I'm talking about hardware requirements. So from my pfSense box -> manageable switch -> different VLANs?
Yes, a small VLAN capable switch is sufficient for your needs. I'm not sure that all manageable switches are VLAN capable.
@stephen: sorry but I don't understand what you are saying. If I have a VLAN-capable client, can I separate this client from the others in my LAN directly? And this client is the one who controls/manages the VLAN and not me? What if I have 3 VLAN-capable clients, how are they going to communicate? Thinking about VLANs alone makes my head ache. :-[
Notice also that Stephen said it would not provide much by way of security so I think that rules his idea out for your circumstances.
My current situation: I have one LAN composed of Group A (staff) and Group B (guests). My LAN has a file server which Group B should not have access to, for confidentiality reasons. I read that I cannot filter traffic coming in and out on the same interface. But I need to restrict Group B from accessing the file server. The question is how?
You need to be able to configure separate interfaces for group A and group B so you can create distinct firewall rules for each group. You can use separate physical interfaces for each group (but your slots are all in use so you might need to replace a single port card by a dual port card to get the additional interface) or you can use VLANs to get distinct "virtual" interfaces over a single physical interface. If you use VLANs you will need at least a small VLAN capable switch. Where I live small VLAN capable switches are available for under the local equivalent of US$100.
Given that you aren't allowing significant traffic between group A and group B you should see any significant performance difference between the two options.
Actually money is not the factor, it is our office location. We are currently situated in a place of nowhere. Buying gadgets like this will require us at least a 3-hour travel or at worst, needs to wait 30-45 days for our supplier to get the hardware from their manufacturer/distributor.
If your superiors are not prepared to fund someone for the three hour trip and are not prepared to wait 30-45 days for your current supplier to provide and are not prepared to authorise an "exception" to get suitable equipment sooner and want the solution "now" then they are not serious about the security.
To get the security you appear to need you require either an additional port or the VLAN capable switch.
On thinking through this a bit more, I notice it's not clear how groups A and B currently connect to pfSense: possibly both groups connect to a single switch, maybe there is a wireless access point or two etc. What you will need will actually depend somewhat on the mix of devices in the different groups. For example, if every device in group B is WiFi capable then you could get away with configuring a USB Wireless NIC that can act as an access point in your pfSense box. Group B devices would then come in over WiFi and would have their own separate firewall rules. (I'm presuming your existing pfSense box has at least one spare USB slot.)
-
Yes, a small VLAN capable switch is sufficient for your needs. I'm not sure that all manageable switches are VLAN capable.
Nice. I will start looking for a VLAN capable switch.
Notice also that Stephen said it would not provide much by way of security so I think that rules his idea out for your circumstances.
Just for the sake of discussion, how will the three VLAN-capable computers communicate? Do not consider the security here.
You need to be able to configure separate interfaces for group A and group B so you can create distinct firewall rules for each group. You can use separate physical interfaces for each group (but your slots are all in use so you might need to replace a single port card by a dual port card to get the additional interface) or you can use VLANs to get distinct "virtual" interfaces over a single physical interface. If you use VLANs you will need at least a small VLAN capable switch. Where I live small VLAN capable switches are available for under the local equivalent of US$100.
Given that you aren't allowing significant traffic between group A and group B you should see any significant performance difference between the two options.
What do you mean by this?
If your superiors are not prepared to fund someone for the three hour trip and are not prepared to wait 30-45 days for your current supplier to provide and are not prepared to authorise an "exception" to get suitable equipment sooner and want the solution "now" then they are not serious about the security.
To get the security you appear to need you require either an additional port or the VLAN capable switch.
Which do you suggest, VLAN switch or additional port?
On thinking through this a bit more, I notice its not clear how groups A and B currently connect to pfSense: possibly both groups connect to a single switch, maybe there is a wireless access point or two etc. What you will need will actually depend somewhat on the mix of devices in the different groups. For example, if every device in group B is WiFi capable then you could get away with configuring a USB Wireless NIC that can act as an access point in your pfSense box. Group B devices would then come in over WiFi and would have their own separate firewall rules. (I'm presuming your existing pfSense box has at least one spare USB slot.)
Sorry, I was not clear on this.
pfsense box -> switch -|- switches - wired clients
                       |- wireless router - WiFi clients
Group A - wired clients and WiFi clients
Group B - WiFi clients only
I will give you a more detailed network diagram in my next reply (hopefully I can make one).
There is another post that looks like my problem. http://forum.pfsense.org/index.php/topic,39654.0.html
@Nachtfalke:
Hi,
not sure how this works in pfSense but I think there is an option "Virtual IP". I think this could help you (if you do not have/like to use VLANs).
-
Notice also that Stephen said it would not provide much by way of security so I think that rules his idea out for your circumstances.
Just for the sake of discussion, how will the three VLAN-capable computers communicate? Do not consider the security here.
There aren't three VLAN capable computers, only a VLAN capable switch and VLANs configured on pfSense. One switch port connects to your LAN switch (group A), one switch port connects to your wireless router. These switch ports are configured in distinct VLANs, add VLAN tags on input to the switch, strip VLAN tags on output. A third switch port connects to pfSense and is configured to belong to both VLANs and passes through VLAN tags on both input and output. On pfSense you configure two VLANs on its port connected to the switch and use VLAN IDs the same as you configured in the switch.
You need to be able to configure separate interfaces for group A and group B so you can create distinct firewall rules for each group. You can use separate physical interfaces for each group (but your slots are all in use so you might need to replace a single port card by a dual port card to get the additional interface) or you can use VLANs to get distinct "virtual" interfaces over a single physical interface. If you use VLANs you will need at least a small VLAN capable switch. Where I live small VLAN capable switches are available for under the local equivalent of US$100.
Given that you aren't allowing significant traffic between group A and group B you should see any significant performance difference between the two options.
What do you mean by this?
Sorry, it should have read … you should NOT see any significant …
If your superiors are not prepared to fund someone for the three hour trip and are not prepared to wait 30-45 days for your current supplier to provide and are not prepared to authorise an "exception" to get suitable equipment sooner and want the solution "now" then they are not serious about the security.
To get the security you appear to need you require either an additional port or the VLAN capable switch.
Which do you suggest, VLAN switch or additional port?
Whatever best suits you. An extra port means you don't have an extra switch to manage. A VLAN switch gives you a bit more expansion capability than an extra port.
There is another post that looks like my problem. http://forum.pfsense.org/index.php/topic,39654.0.html
@Nachtfalke:
Hi,
not sure how this works in pfSense but I think there is an option "Virtual IP". I think this could help you (if you do not have/like to use VLANs).
A variant of Stephen's suggestion that was rejected earlier because it provided inadequate security.
-
A variant of Stephen's suggestion that was rejected earlier because it provided inadequate security.
Please expound on this one.
What difference will it make?
-
The very low security option would be something like this:
Assign a second virtual interface to the LAN interface. This interface will have different subnet.
Then you assign your 'lan B' group to use this subnet.
However any separation between the two subnets relies on your clients not manually changing their IP. I guess you could lock down the client computers using Windows security policy or equivalent.
The VLANs with no switch would be similar. You would have to set the VLAN number on each client such that they would only see packets tagged with that number.
Steve
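The switch layout wallabybob described above (two access ports in distinct VLANs, a third port trunking both VLANs tagged to pfSense, matching VLAN IDs configured on pfSense's port) and Steve's point that the second-subnet alternative only holds as long as clients do not change their IP, as an added example that is not code from this thread or from pfSense: a Python model of 802.1Q tagging through that switch, followed by pfSense-style first-match rules on the per-VLAN interfaces. VLAN IDs 10/20, the 192.168.10.0/24 and 192.168.20.0/24 subnets, the file server address, the MAC addresses and the rule set are all assumptions chosen for illustration.

```python
"""Added example, not code from the forum thread: a model of the two-VLAN layout
described above. Switch port p1 is an access port in VLAN 10 (group A's LAN
switch), p2 an access port in VLAN 20 (group B's wireless router), p3 the trunk
to pfSense carrying both VLANs tagged; pfSense has vlan10/vlan20 on one NIC with
its own rules per VLAN. VLAN IDs, subnets, MACs and rules are assumptions."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst_mac: str, src_mac: str, payload: bytes, vid: Optional[int] = None) -> bytes:
    """Ethernet II frame carrying IPv4 (0x0800); with vid, a 4-byte 802.1Q tag is inserted."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + tag + struct.pack("!H", 0x0800) + payload


def split_tag(frame: bytes) -> tuple[Optional[int], bytes]:
    """Return (vid, frame with the tag removed); vid is None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def add_tag(bare: bytes, vid: int) -> bytes:
    return bare[:12] + struct.pack("!HH", TPID_8021Q, vid) + bare[12:]


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                 # VLAN given to frames that arrive untagged
    untagged: frozenset[int]  # VLANs sent out with the tag stripped (access side)
    tagged: frozenset[int]    # VLANs sent and accepted with the tag kept (trunk side)


class Switch:
    """802.1Q forwarding by port membership; floods to every member port (no MAC learning)."""
    def __init__(self, ports: list[Port]):
        self.ports = {p.name: p for p in ports}

    def forward(self, ingress: str, frame: bytes) -> dict[str, bytes]:
        vid, bare = split_tag(frame)
        if vid is None:
            vid = self.ports[ingress].pvid
        elif vid not in self.ports[ingress].tagged:
            return {}  # a client forging a tag on an access port gets nothing through
        out = {}
        for port in self.ports.values():
            if port.name == ingress:
                continue
            if vid in port.untagged:
                out[port.name] = bare
            elif vid in port.tagged:
                out[port.name] = add_tag(bare, vid)
        return out


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str  # "pass" or "block"
    src: str     # CIDR or "any"
    dst: str


def _matches(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def pf_decide(rules: list[Rule], iface: str, src_ip: str, dst_ip: str) -> str:
    """pfSense interface rules are first-match; traffic matching no rule is blocked."""
    for r in rules:
        if r.iface == iface and _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r.action
    return "block"


STAFF, GUEST = 10, 20
FILE_SERVER = "192.168.10.50"  # assumed address of group A's file server
VLAN_SWITCH = Switch([
    Port("p1_lan_switch", STAFF, frozenset({STAFF}), frozenset()),
    Port("p2_wifi_router", GUEST, frozenset({GUEST}), frozenset()),
    Port("p3_pfsense", 1, frozenset(), frozenset({STAFF, GUEST})),
])
FLAT_SWITCH = Switch([Port(n, 1, frozenset({1}), frozenset()) for n in VLAN_SWITCH.ports])
RULES = [
    Rule("vlan10", "pass", "any", "any"),               # group A: unrestricted
    Rule("vlan20", "block", "any", "192.168.10.0/24"),  # group B: nothing towards the staff subnet
    Rule("vlan20", "pass", "any", "any"),               # group B: everything else, e.g. the internet
]


def guest_to_server(src_ip: str, forged_vid: Optional[int] = None) -> str:
    """A guest frame from p2, through the switch, into pfSense's matching VLAN interface."""
    frame = build_frame("ffffffffffff", "0200000000b2", src_ip.encode(), forged_vid)
    arrived = VLAN_SWITCH.forward("p2_wifi_router", frame)
    if "p3_pfsense" not in arrived:
        return "dropped-by-switch"
    vid, _ = split_tag(arrived["p3_pfsense"])
    return pf_decide(RULES, f"vlan{vid}", src_ip, FILE_SERVER)


def flat_guest_reaches_staff_port(src_ip: str) -> bool:
    """Same frame on one flat segment (the 'second subnet' idea): it hits p1 with no firewall in the path."""
    frame = build_frame("ffffffffffff", "0200000000b2", src_ip.encode())
    return "p1_lan_switch" in FLAT_SWITCH.forward("p2_wifi_router", frame)
```

Running `guest_to_server("192.168.20.7")` gives "block", and so does `guest_to_server("192.168.10.99")`: a guest who hand-configures a staff address still enters the switch on the VLAN 20 access port, so the frame reaches pfSense tagged 20 and is judged by the vlan20 rules, which is why the VLAN design does not depend on trusting the client. By contrast `flat_guest_reaches_staff_port("192.168.10.99")` is True: on a single segment the frame reaches the staff side directly and pfSense never sees it. The model drops a tagged frame that a guest pushes into the access port; real switches differ here (some treat a tagged frame matching the PVID as untagged, a few forward other tags), so after buying the switch, confirm that behaviour with a test frame rather than assuming it.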
-
I see. The effect is now clearer to me using stephenw10's method.
Sorry for being so ignorant, but what I don't get is the how-to or the step-by-step process to make this one. ??? ???
@stephenw10:
Assign a second virtual interface to the LAN interface. This interface will have a different subnet.
Then you assign your 'lan B' group to use this subnet.
Correct me if I am wrong (I know I'm wrong ;D), are these the steps to do stephenw10's suggestion?
1. In my pfSense box, go to Interfaces > (assign) > VLANs > add.
2. Create a VLAN with LAN as the parent interface. VLAN tag as 2.
3. I don't know what's the next step.
-
You shouldn't be doing this! :P
I've never done it or even read about doing it with VLANs. I was just speculating if it might be theoretically possible.
However after you have set up the additional VLAN interface and configured its IP address and subnet then you should go to a client computer and try to set the VLAN tagging to match. I don't know how you would do that though.
You are then in the situation where you have both tagged and untagged traffic on the same interface which can result in problems.
It's an interesting exercise but you probably won't end up with a working configuration.
Steve
-
hahaha… that is what I'm thinking. hahaha
I thought you're going to give me a HOW-TO. ::) hahaha
Anyway, I'll try to experiment with this and maybe (maybe), I can solve my problem. (Crossing fingers on both hands and feet.) hahaha
THANKS A LOT FOR SHARING YOUR THOUGHTS/IDEAS. I've learned a lot from this.
-
Well.. I would continue with the VLAN capable switch and put this to the side for the waiting period. What kind of client devices are you having over there?
Should you also need VLAN capable wireless?!?
As good practice you could draw a couple of images: "What do I have now" and "What I want to achieve with changes".
Send those drawings to us to view and then we might be able to give you precise enough answers for your investments.
-
In case you're crazy enough to try this! Here's some instructions for WinXP:
http://www.formortals.com/implementing-vlan-trunking/
I think you need the right network card and probably Win XP Pro. It doesn't work on my one remaining Win XP Home machine. Here's something for Ubuntu if you're using that:
http://ubuntuforums.org/showthread.php?t=703387
If you added a VLAN interface on your LAN and then set up all your Group A clients to use it, it would be very unlikely that any machine in group B would ever connect to it. There would be nothing to stop a group B user from connecting (unless you have the machines locked down), it's just not something any normal person would look for. It's such an unusual network setup. However security through obscurity is not any real sort of security! ;)
It would still require all of your group A machines to be VLAN compatible.
Steve
-
Another idea that could be done without additional hardware:
Why not connect ALL users to the guest network and install an OpenVPN or IPSec client on the production machines.
…ok, if you have infrastructure they need to access (like servers...) then it's not the best idea. That has to be connected to a physical segment. Unless you're using VMs everywhere.
-
I like that idea. Why could the server not be connected to pfSense via internal VPN also?
Perhaps you could run a VPN server on your LAN server machine instead and simply restrict access to it that way. Come to think of it there must be any number of ways you could restrict access to the server via authorisation.
Steve
-
Now you're making my brain bleed. ???
I will post tomorrow my setup for everyone's better understanding. Sorry if my posts were a little bit ambiguous.
The only reason that I want to separate Group B from A is to restrict B from accessing the file server in A.
All devices in B are wireless while in A they are both wired and wireless.
-
to restrict B from accessing the file server in A.
Access policy on the server? Pretty much standard in every server software I can think of.
VPN Clients:
- Make everyone a guest.
- Allowed users/PCs tunnel into your restricted network via an IPSec or OpenVPN tunnel.
That's how road warriors typically access resources back in the company. In your case just without the road. :D
-
Okay now we're going to make a different kind of decision.
Do we manage ACLs in
- firewall/router
- switches (VLAN dividing)
- servers (NTFS kind of restrictions or file share restrictions)
- antivirus software
-
Sorry for the late reply. Here's my network diagram.
I want to separate Groups E and G from the rest of the network. I thought it was a simple job. ;D
