Simulating multiple routers within Pfsense
-
Summary
I'm a newb to both networking and Pfsense. I have a basic understanding of how to get Pfsense to work as a router but would like to learn how to simulate multiple pseudo-routers within Pfsense. (i.e. each potentially with their own virtual WAN, LAN, DHCP server, VPN, NAT, DNS, Snort, pfblocklist, proxy server, etc… the LANs potentially either chained together or isolated from one another).
Setup
My Pfsense server has 2 physical ports that I use for 2 distinct WANs (each connect to internet but via a different connection). If also has 4 additional physical ports I use for LANs (each with their own IP range). The LAN ports in turn connect to a 24 port switch divided into different port based VLANs. Depending which switch port I plug in my PCs, decides which network I connect to.
Questions:
1. What I'd like to do is configure my Pfsense server so the different LANs are also completely segregated from one another internally within pfsense (i.e. so I can access a WAN but can't ping or access PCs on different LANs). Is this best done through firewall rules, and/or by setting up VLANs within Pfsense, and/or some other method?2. How does one chain different networks together within Pfsense similar to router x connecting to WAN port of router y (i.e. so that PCs on pseudo-router x can't ping LAN of pseudo-router y but PCs on pseudo-router y can ping PCs on pseudo-router x LAN)
3. How does one force a LAN segment to use a specific WAN port? (i.e. so instead of using a default WAN port it uses only WAN port I specify and can't access other one)
(I've included an attachment of theoretical network)
-
Simulating multiple routers is not something that pfSense is designed to do. If you really need to do that I would suggest multiple pfSense VMs.
1. Yes you can do that and yes do it with firewall rules. You can use VLANs also but you'd still need to seperate them with firewall rules.
2. See above.
3. You can do this with policy based routing. Set a firewall rule on the LAN interface you are routing and set the gateway in the advanced options. All traffic caught by that rule will exit using the WAN gateway you specified.
Steve
-
Simulating multiple routers is not something that pfSense is designed to do. If you really need to do that I would suggest multiple pfSense VMs.
I previously tried Proxmox and it seemed to work fine. Then I read that using any sort of virtualization means a performance hit. greater power consumption, and additional potential security vulnerabilities. It seemed an unnecessary extra layer for a server that was going to run a single guest vm so I ended up installing pfsense directly on hardware instead. However, if there is no workaround method to simulate multiple routers within pfsense… is there open source barebones VM software you'd recommend that's known to work well with Pfsense? (I have an atom based server so there is no hardware support for virtualization)
Before trying VM option again, you mentioned I can use firewall rules as alternative to segment and route networks, a few of questions come to mind,
a. What's the difference between a hypothetical virtualized router and using Pfsense ? (e.g.home routers have NAT, gateway, VLAN, VPN, etc.. just like Pfsense – which allows for multiple instances of these features)
b. Are there any drawbacks to using PFsense's firewall rules to do the routing? (e.g .Performance, reliability, security, etc…)
c. Can I use firewall rules to chain gateways, proxies, and vpns? (e.g. Create multiple virtual LANs each with their own proxy, subnet, VPN client, and physical WAN port while being isolated from one another)
-
Damn it! I just wrote a long post and then my logion expired and I lost it all. ::) There's got to be a Firefox pluggin that can save me from this for the thousandth time. >:(
So, much shorter:a: There are many differences but please clarify what we are comparing here.
b: Routing uses the pf process anyway. Specifying a gateway to use instead of the system routing table does not slow things.
c: No. You would need multiple routing engines running or some way of changing the connections it's working on. pfSense is not setup to do that. The fact that you are asking this question makes my wonder if you have fully understood what pfSense is about.
Steve
-
Damn it! I just wrote a long post and then my logion expired and I lost it all. ::) There's got to be a Firefox plugin that can save me from this for the thousandth time.
This is off topic but since you've been gracious enough to provide feedback – here's a FF plugin I use to recover forms
https://addons.mozilla.org/en-US/firefox/addon/lazarus-form-recovery/If you use windows you might also want to consider using Ditto. It's an opensource searchable multi-paste clipboard that runs in background. When I've typed up something long I simply highlight and Ctrl-C it into Ditto's clipboard memory. If I need to later recover, I just click on the Ditto icon in notification tray and it lists my last few copies. (just click on it to place an old one back into current windows clipboard memory)
http://ditto-cp.sourceforge.net/If on Linux, there are a bunch of alternatives that offer similar functionality
http://alternativeto.net/software/ditto/?platform=linuxThe fact that you are asking this question makes my wonder if you have fully understood what pfSense is about.
I'm a newb. I'm trying my best not to set fire to my home Probably still not phrasing things correctly. I'm using a router analogy simply because that's what I'm familiar with. There is no actual requirement to have simulated multiple routers only to accomplish some tasks that using multiple routers can achieve. (in particular isolating and chaining networks)
I'm going to do a bit more reading and break this down to smaller more manageable chunks. To get started… how would I create two networks within Pfsense that are completely isolated from one another? (i.e. different dns, different wan, different network, can't ping one another)
e.g.
LAN0
connected on WAN side to switch 1
physical nic re0 is set as WAN interface
physical nic igb0 is set as LAN interface
has DCHP server on LAN interface which connects to switch 2
pcs connected to switch 2 are routed through re0 WAN interfaceLAN1
connected on WAN side to switch 3
physic nic re1 is set as WAN interface
physical nic igb1 is set as LAN interface
has DCHP server on LAN interface which connects to switch 4
pcs connected to switch 4 are routed through re1 WAN interface
(note: All switches are actually one switch that has been partitioned with port based VLAN on switch) -
So, yes, you can do that using firewall rules with policy routing. The only thing I see there that would be a problem would be separate DNS. Why would you want separate DNS though?
Incidentally you could also do that by passing all 4 VLANs to pfSense via a single connection and route between them directly. You could use several physical connections in a LAGG between the switch and pfSense to offer some redundancy.
Steve