Separate specific machine and control access.
-
Here is my situation.
I have 3 buildings that are all connected to the same network and all machines are on one subnet. A the moment all machines can talk to all other machines on the network as expected. I have one particular machine that I want to restrict access to. My thinking is to put this machine on another subnet (vlan?) and then be able to specifically specify which I.P addresses on the main subnet can cross over to the new subnet to be able to talk to this machine. I understand that you need a managed switch for this to work. My problem is that the pfsense box is in one building and the file server that I need to restrict access to is in another building. These are connected via a wireless bridge. So with this scenario I can't put a switch in the same building as the pfsense box because of the wireless bridge. Can I put the switch in the building with file server?
Otherwise is it possible to tell pfsense to assign the file server to the other subnet based on its MAC address without the need for a switch? Then tell pfsense to only route traffic from the main subnet to the file servers subnet only if the IP address is allowed? If I do it this way would all the machines local to the same building as the file server then be routed thought the wireless network? This would not be ideal.
Or, does anyone have any other solution that I have not thought of to restrict access to this file server. I know this is a bit long winded and I would really appreciate some help here.
The file server is an Unraid box.
Thanks for taking the time to read my post.
-
I don't believe unraid has built in software/host firewall? But it does have user level access controls of the shares. Is this not enough security?
For example file servers in a company don't normally firewall off users, they just don't give them permissions to shares they are not suppose to have access to.
-
Thanks for the reply. You can protect the shares but I would like to close it off entirely. I may have other machines other than unraid that I would like to separate this way too.
-
Well if your going to want to isolate more of your network in the future - then I would suggest moving towards smart/managed switches.
But switches that support vlan on both sides of your wireless bridge and you shouldn't have any issues - your wireless bridge just passes all info it sees right. So this would contain your vlan tagging. Can you just bridge your trunked connection as another way to put it.
Wireless bridge does not seem like a great way to connect buildings to me - what is the speed of this connection? Users in the other building all sharing wireless link sounds slow to me for internet access. And then now your going to have users coming the other way for file access?
