How to split LAN into two? - Jikjik101's network
-
Well... I would continue with a VLAN-capable switch and put this aside for the waiting period. What kind of client devices do you have over there?
Should you also need VLAN-capable wireless?!? For good practice you could draw a couple of images: "What do I have now" and "What I want to achieve with the changes".
Send those drawings to us to view and then we might be able to give you precise enough answers for your investments.
-
In case you're crazy enough to try this! Here are some instructions for WinXP:
http://www.formortals.com/implementing-vlan-trunking/
I think you need the right network card and probably Win XP Pro. It doesn't work on my one remaining Win XP Home machine. Here's something for Ubuntu if you're using that:
http://ubuntuforums.org/showthread.php?t=703387
If you added a VLAN interface on your LAN and then set up all your Group A clients to use it, it would be very unlikely that any machine in group B would ever connect to it. There would be nothing to stop a group B user from connecting (unless you have the machines locked down); it's just not something any normal person would look for. It's such an unusual network setup. However, security through obscurity is not any real sort of security! ;)
It would still require all of your group A machines to be VLAN compatible.
Steve
-
Another idea that could be done without additional hardware:
Why not connect ALL users to the guest network and install an OpenVPN or IPSec client on the production machines.
…ok, if you have infrastructure they need to access (like servers...) then it's not the best idea. That has to be connected to a physical segment. Unless you're using VMs everywhere.
-
I like that idea. Why could the server not be connected to pfSense via internal VPN also?
Perhaps you could run a VPN server on your LAN server machine instead and simply restrict access to it that way. Come to think of it, there must be any number of ways you could restrict access to the server via authorisation.
Steve
-
Now you're making my brain bleed. ???
I will post my setup tomorrow for everyone's better understanding. Sorry if my posts were a little bit ambiguous.
The only reason that I want to separate Group B from A is to restrict B in accessing the file server in A.
All devices in B are wireless while in A they are both wired and wireless.
-
to restrict B in accessing the file server in A.
Access policy on the server? Pretty much standard in every server software I can think of.
VPN Clients:
- Make everyone a guest.
- Allowed users/PCs tunnel into your restricted network via an IPSec or OpenVPN tunnel.
That's how road warriors typically access resources back in the company. In your case just without the road. :D
-
Okay, now we're going to make a different kind of decision.
Do we manage ACLs in:
- firewall/router
- switches (VLAN dividing)
- servers (NTFS kind of restrictions or file share restrictions)
- antivirus software
-
Sorry for the late reply. Here's my network diagram.
I want to separate Groups E and G from the rest of the network. I thought it was a simple job. ;D
 -
I thought it was a simple job. ;D
It can be. If you have lots of time you can spend instead of cash a number of other possible solutions could be explored.
It's a nice diagram but I find the text difficult to read even when magnified.
Based on the diagram I would recommend you consider only the following two options:
1) Replace one of the existing pfSense NICs with a multiport card, connect one card port to the existing switch (this becomes the pfSense LAN port) and connect another to a suitable sized (number of ports) switch (new switch to the configuration) and move groups E and G to that new switch.
2) Purchase a suitable sized VLAN-capable switch, configure two VLANs on the existing pfSense LAN interface, one VLAN for your existing LAN, one for the combined groups E and G. On your VLAN-capable switch configure the two VLANs, configure one switch port for connection to your existing LAN interface, one port for connection to the existing switch and other ports for connection to groups E and G.
If you want future flexibility go with 2) (for example, it's easy to add another VLAN so group E could have different firewall rules from group G). You might be able to save a little bit (unlikely to be much) by going with option 1).
This might be a good time to recall the proverb "the devil is in the detail". The costs will be significantly affected by the number of computers in group E. If it's two then a cheap 5 port VLAN capable switch will be sufficient. If it's 24 then you will need a rather more expensive VLAN capable switch. The way you have drawn the diagram suggests there might be more switches than you have shown, in which case implementing either solution might require new cabling, which might be a non-trivial installation task.
It's simple in concept.
-
Sorry for the diagram. You can check it here: http://i49.photobucket.com/albums/f297/jikjik101/NewNetworkDiagram-pfsense3.jpg
I want to use this one: Intel Pro/1000 MT Quad Port Server Adapter PWLA8494MT1000 (Intel 82546EB processor) http://www.ebay.co.uk/itm/NEW-Intel-PRO-1000-Quad-Port-Server-Adp-PWLA8494MT-/170262023800 and my pfSense box is a Dell Vostro 220 Mini Tower http://www.dell.com/us/dfb/p/vostro-220/pd#TechSpec
@wallabybob:
- Replace one of the existing pfSense NICs with a multiport card, connect one card port to the existing switch (this becomes the pfSense LAN port) and connect another to a suitable sized (number of ports) switch (new switch to the configuration) and move groups E and G to that new switch.
I'm confused with Number 2. Please see the attached picture to check whether I understand your suggestion correctly, sir.
-
You got it right.
-
I'm confused with Number 2. Please see attached picture if I understand correctly your suggestion sir.
You understand.
Your diagram suggests group G has an access restriction schedule while group E doesn't. It could be convenient to put group E and group G on separate interfaces so you can use firewall rule schedules on group G.
-
This might be a good time to recall the proverb "the devil is in the detail". The costs will be significantly affected by the number of computers in group E. If it's two then a cheap 5 port VLAN capable switch will be sufficient. If it's 24 then you will need a rather more expensive VLAN capable switch. The way you have drawn the diagram suggests there might be more switches than you have shown, in which case implementing either solution might require new cabling, which might be a non-trivial installation task.
Just some clarifications, sirs. If for example I have 20 computers in group E and another 20 computers in group G, does it mean I need at least a 40-port VLAN switch? Can't I use a normal switch to connect all my clients behind Group G and E?
Thanks for all your input. Maybe I am going to change the title of this thread to jikjik101's network, because I think I need more of your expertise to help me build my network in a sound technique and more appropriate methods.
Every now and then, some problems arise in my network and I am going to post them here so that I can access them easily. I hope the moderators don't mind if I am going to "own" this thread. ;D
-
This is ONE of the concerns of my network. ;D
As you can see, I have three ISPs and they are in load balance mode. But I cannot "stabilize" my ISP1 and ISP3. The connections are so erratic that it becomes so hard to connect to the internet. Unlike my ISP2, the connection is so stable and so I just use the failover mode with ISP2 in tier 1 and both ISP1 and ISP3 in tier2.
If I assign my whole network in using just one ISP, it is stable.
I already tried the following:
1. Assign an ISP as default gw
2. Not assigning a default gw
3. Check the "allow default gw switching"
4. Uncheck the "allow default gw switching"
5. Set each GW with maximum and minimum latency % based on its RRD.
I have squid, squidguard, lightsquid, lusca-cache, havp, vnstat2 and bandwidthd.
I cannot fully utilize all my ISPs; it seems ISP2 is doing the hard work >:( and the rest are just easy-go-lucky ISPs. :-X
-
With those rules and gateways I would expect almost all traffic to be using ISP2, and it is.
This is because most of your traffic is caught by the first rule, as it's web traffic. Only non-web traffic is reaching the second rule, where it is shared between ISP1 and 3 as they are both in the same tier.
You need to change the gateway to LoadBalance on the first rule if you want to see the traffic more evenly distributed.
There is no need (or harm) to use tier 5 in your load balancing rule. The importance of each connection is relative within the gateway and not related to the other gateways. If you had all three at tier 1 it would be the same. The same applies to your failover3 gateway.
You can use a normal switch behind your VLAN switch to connect your clients.
Steve
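Steve's point about first-match rules and relative tiers, as an added example that is not from the thread or from pfSense's own code: a small Python model of rule evaluation and gateway-group tier selection. The group names, tier numbers, the sample flows and the round-robin spreading are assumptions for illustration; "Failover13" stands in for whichever group put ISP1 and ISP3 in the same tier, and pfSense actually balances by state count rather than round robin.

```python
from collections import Counter

# Gateway groups (assumed from the thread): the lowest tier is preferred,
# members of one tier share new connections, and a higher tier is used only
# when every member of all lower tiers is marked down.
GATEWAY_GROUPS = {
    "Failover": {"ISP2": 1, "ISP1": 2, "ISP3": 2},          # poster's failover group
    "Failover13": {"ISP1": 1, "ISP3": 1},                   # assumed: ISP1, ISP3 same tier
    "LoadBalance": {"ISP1": 1, "ISP2": 1, "ISP3": 1},
    "LoadBalanceTier5": {"ISP1": 5, "ISP2": 5, "ISP3": 5},  # tier numbers are relative
}

# Rules are evaluated top to bottom, first match wins. "As posted" pins web
# ports to ISP2; "fixed" sends them to the balancing group as Steve suggests.
RULES_AS_POSTED = [({80, 443}, "ISP2"), (None, "Failover13")]
RULES_FIXED = [({80, 443}, "LoadBalance"), (None, "Failover13")]

def active_members(group, online):
    """Members of the lowest tier that still has an online gateway."""
    tiers = {m: t for m, t in GATEWAY_GROUPS[group].items() if m in online}
    if not tiers:
        return []
    best = min(tiers.values())
    return sorted(m for m, t in tiers.items() if t == best)

def first_match(rules, dport):
    """Gateway or group named by the first rule whose port set matches."""
    for ports, gw in rules:
        if ports is None or dport in ports:
            return gw
    return None

def simulate(rules, flows, online):
    """Count where each new connection lands (same-tier members rotated)."""
    counts, rr = Counter(), 0
    for dport in flows:
        gw = first_match(rules, dport)
        if gw in GATEWAY_GROUPS:
            members = active_members(gw, online)
            if not members:
                counts["no_route"] += 1
                continue
            gw, rr = members[rr % len(members)], rr + 1
        counts[gw] += 1
    return dict(counts)

# Constructed sample: eight web flows plus two non-web flows (ssh, torrent)
SAMPLE_FLOWS = [80] * 6 + [443] * 2 + [22, 6881]
ALL_UP = {"ISP1", "ISP2", "ISP3"}
```

Calling simulate(RULES_AS_POSTED, SAMPLE_FLOWS, ALL_UP) puts all eight web flows on ISP2, while RULES_FIXED spreads them across the three ISPs; active_members("Failover", ALL_UP - {"ISP2"}) shows the tier-2 members taking over once ISP2 is marked down.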
-
Maybe I am going to change the title of this thread to jikjik101's network, because I think I need more of your expertise to help me build my network in a sound technique and more appropriate methods.
Every now and then, some problems arise in my network and I am going to post it here so that I can access it easily. I hope the moderators don't mind if I am going to "own" this thread. ;D
You might find it more workable to have as few topics as possible per thread: that is make a new thread for a new issue.
If for example I have 20 computers in group E and another 20 computers in group G, does it mean I need at least a 40-port VLAN switch? Can't I use a normal switch to connect all my clients behind Group G and E?
Maybe I've missed something. The 40 is from 20 in group E + 20 in group G? But your diagram shows group G as WiFi clients connecting to an Access Point. The AP would use one port on a switch (VLAN or non-VLAN). The 20 computers in group E would use 20 ports in a switch (because they are shown as using wired connections) unless they are connected to another switch.
-
@stephenw10: sorry for not being clear. The fw and gw pictures that I posted are my current setup as a solution to my erratic load balance on ISP1 and ISP3. That is only to utilize my ISP1 and ISP3 because they are not stable if I use the LoadBalance gw.
You are correct that my web browsing enters ISP2 and the rest goes to my Failover GWs. That is my current setup. I forgot to disable the first two rules when I took the screenshots.
But the erratic connection that I am talking about is when I use the LoadBalance gw and disable the first two fw rules, leaving this one alone active:
* * * * * LoadBalance none
I only use the default LAN rule with LoadBalance as gw, disable/remove other rules except the Anti-lockout but same results.
@wallabybob:
The way you have drawn the diagram suggests there might be more switches than you have shown, in which case implementing either solution might require new cabling, which might be a non-trivial installation task.
I removed some switches in the diagram because I don't find them essential for the network diagram. Sorry, my bad.
The 40 is from 20 in group E + 20 in group G? But your diagram shows group G as WiFi clients connecting to an Access Point. The AP would use one port on a switch (VLAN or non-VLAN). The 20 computers in group E would use 20 ports in a switch (because they are shown as using wired connections) unless they are connected to another switch.
Actually I have more than 200 computers behind Group E and Group G. Group G has at least 100 WiFi clients and Group E another 100 both wired and WiFi clients.
You can use a normal switch behind your VLAN switch to connect your clients.
I think stephenw10 already answered my clarification regarding a LAN switch behind a VLAN switch.
I'll go back to my concern. I use the default LAN fw rule with LoadBalance as my gw, leaving my LAN rules as follows:
Proto  Source  Port  Destination  Port    Gateway      Queue  Description
*      *       *     LAN Address  22, 80  *            *      Anti-Lockout Rule
*      *       *     *            *       LoadBalance  none   Default allow LAN to any rule
But I cannot utilize my ISP1 and ISP3 because they just suddenly drop my connection, or worse, they cannot get the maximum bandwidth even if I bombard my system with lots of video streaming.
-
Your ISPs 1 and 3 both use a wireless connection. They are likely to have high latency. When you are trying to load balance all three, what do you see in the logs?
It's very possible that they are being removed from the load balancing gateway due to the latency becoming too high or packet loss.
Steve
-
All my ISPs are wireless.
ISP1 is using a grid antenna
ISP2 is using a radio tower
ISP3 is using a satellite dish
My syslog is clear of any disconnections from any ISP except if there is high network utilization.
What I don't understand is, for example, when I'm downloading a torrent I can see all my ISPs being used due to the high traffic. The only difference is that my ISP2 has steady traffic, but my ISP1 and ISP3 show a very minimal or "erratic" connection. See the attached picture please.
-
In your diagram you show some infrastructure in the network of ISP2 between you and the radio link section. I would guess that ISP2 is limiting your connection speed in that infrastructure such that you are never seeing the limit of what the radio link can achieve and hence any variation in speed. The other connections, ISP1 and 3, are subject to error checking and additional network overhead caused by a wireless connection.
Steve