Blocking LAN access one server
-
You have several options, but I think the most straightforward approach would be to add another interface, put his VPS on a different subnet on that interface, then use the firewall to block access to your LAN.
-
Thanks for the reply! Do you mean add a different physical interface to the router?
-
Yes… assuming you're using pfSense as your router.
-
Gotcha. Thanks!
-
Maybe I've misunderstood what you're asking but you could create a DMZ with another vSwitch then connect an OPT interface on pfSense and the VPS's interface to that vSwitch. The only access from the DMZ to the LAN (or the Internet) would be what you allow through rules on the DMZ.
See if this helps: http://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5#Adding_a_DMZ
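
The rule ordering a DMZ interface like the one described above needs, written as a raw pf ruleset fragment. This is an added example, not part of the original post and not pfSense-generated output (pfSense builds its rules from the GUI); the interface name `em2` and both subnets are assumed values.

```pf
# Assumed values: adjust to the real interface and subnets.
dmz_if  = "em2"                 # OPT interface carrying the VPS
dmz_net = "192.168.50.0/24"     # subnet the VPS lives on
lan_net = "192.168.1.0/24"      # LAN that must stay unreachable

# Weak: copying the LAN's "allow any" rule to the DMZ interface.
# "any" includes the LAN, so the VPS can still reach it.
#   pass in quick on $dmz_if from $dmz_net to any

# Corrected: "quick" makes the first matching rule win, so the
# blocks must come before the general pass.

# 1. Let the VPS use the firewall's DMZ address for DNS only.
pass  in quick on $dmz_if proto { tcp, udp } from $dmz_net to ($dmz_if) port 53

# 2. Drop everything from the DMZ to the LAN.
block in quick on $dmz_if from $dmz_net to $lan_net

# 3. Drop everything else aimed at the firewall's own addresses
#    (its LAN-side and WAN-side IPs, management services).
block in quick on $dmz_if from $dmz_net to self

# 4. Whatever is left is Internet-bound traffic.
pass  in quick on $dmz_if from $dmz_net to any keep state
```

The same order applies when the rules are entered on the interface's tab in the pfSense GUI: the block rules sit above the pass rule.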
-
Sorry for the delay, I've been without access to the internet for a bit, just now getting things back in order.
That looks like a great article, and I'm sure I can use some of the information. The main thing I'm going for here is to try to avoid running any more cables to my server room, which is on the other side of the house, which is why I was hoping that VLANs would offer the solution I was looking for.
Thanks :)
Brigzzy
-
I had to re-read your original post and realized that you didn't say your pfSense is virtualized. My earlier response might have been a bit off the mark. Think I did that early on a Sunday morning ;D
If sharing a LAN cable is important maybe a VLAN would be the right way to go. Could you post a rough network diagram?
-
Please see attached.
Thanks!
![Network Map.png](/public/imported_attachments/1/Network Map.png)
-
So the pfSense machine is located away from the ESXi server?
If that's the case I think you will need to use a VLAN and probably another NIC in the pfSense machine and in the ESXi server. Both of these would be part of the VLAN and use separate VLAN'd ports on your switches. That would allow the VLAN traffic to run over the same cable as your LAN traffic.
There may be much cleverer ways of doing this but they would probably make running another long cable quite attractive, in terms of complexity. But then, if you're not familiar with setting up VLANs, cabling might still be an easier way to isolate the traffic to and from your friend's VM.
Maybe someone else can come up with a simple solution.
-
Thanks for the reply again :)
Learning to set up VLANs is not a problem for me, it's a skill I was hoping to learn anyways, however I thought my switches supported VLAN tagging, and it seems they do not, so I think a new hardware order is in my future, haha.
Thanks everyone for all your help :D