    Looking for some advice on vlan setup

    General pfSense Questions
    6 Posts 4 Posters 1.8k Views
    Pfsense-user-36504151

      Here is a synopsis of my setup:

      cable modem
                                  |
                          Netgear Router (10.x.x.x)
                          |              |    (10.5.x.x)
              48P Cisco 2950      PFSense w/ OpenVPN
                    |                      |    (192.168.0.x)
            Internal Network      24P Cisco 2950
                                              |
                                            ESXi5 Server (192.168.0.x)
                                            |              |
                                          VMs          VMs
                                  192.168.1.x      192.168.2.x

      I want to give access to my lab to certain people but keep them off of my internal network. Would this design do that? I also want to block all traffic leaving the lab; would this affect the VPN traffic? I don't want one of these users to hack another machine from my network.
      I wanted some opinions on the best way to set up my VLANs. How can I achieve this network layout? Should I trunk the Cisco port and set up the VLANs on the ESXi server? How would I go about configuring pfSense?

      NOTE: OpenVPN and the 192.168.0.x network is working.

      Thanks for your help.

      dhatz

        Apparently you'll be doing double NAT.

        Do you really need the Netgear router at the edge? I'd consider replacing it with a pfSense box (physical or virtualized).

          Pfsense-user-36504151

          I could replace it with a pfSense box; however, if I ever switch to Verizon FiOS I would need to use their router to keep my TV service. Is a double NAT a bad thing? I just need the clients to be able to connect via VPN, which they already can.

            johnpoz (LAYER 8 Global Moderator)

            I'm with dhatz, I would nix the Netgear and even run the pfSense VM.

            As to switching to FiOS, just run the gateway they give you in bridge mode. A quick Google finds lots of info on doing that – pfSense can still be the edge router, there is no reason to double NAT, and you can create as many VLANs as you want with pfSense to firewall between your segments.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              Pfsense-user-36504151

              Thank you guys for your help. It's a pain to reconfigure everything, but if it is best for my network then I will have to do it. I will use the Netgear as a wireless AP connected to the pfSense.

                matumbo

                So your VMs are the lab you want to access? Does your VPN allow access to your internal network as it is now?
                I am not sure that you would have to alter your setup, nor that you need any VLANs for what you want.
                If you connect to pfSense through OpenVPN you could deny the traffic from reaching your internal traffic by blocking any VPN traffic that wants to go out the "WAN interface" of pfSense and only allow it to go to the Cisco switch. And if you don't want to allow traffic from your lab to reach your internal network, you could block access for traffic originating from the pfSense router to reach your internal network.

                You could do this in a couple of ways; it all depends on what access requirements you have and whether you need any traffic from the pfSense router to access your internal network.

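The policy johnpoz and matumbo describe (VPN clients reach only the lab VLANs, nothing that originates in the lab reaches the home or management networks, and the VPN keeps working) written out as a raw pf ruleset so the intent is explicit. This is an added example, not configuration from the thread or from pfSense's own documentation; pfSense generates rules of this shape from Firewall > Rules, and in practice you would enter them on the OpenVPN and VLAN interface tabs rather than edit pf.conf. The interface names (igb0/igb1/ovpns1), the VLAN IDs 10 and 20, and the tunnel network 10.8.0.0/24 are assumptions for illustration. The VLAN interfaces are what pfSense creates under Interfaces > Assignments > VLANs when the 24-port 2950 port toward pfSense and the port toward the ESXi host are 802.1Q trunks carrying VLANs 10 and 20 alongside the untagged 192.168.0.x network, and each lab VM sits on a vSwitch port group tagged 10 or 20.

```pf
# Added example, not from the original thread. Interface names, VLAN IDs and
# the OpenVPN tunnel network are assumed for illustration.
wan  = "igb0"        # toward the Netgear (10.5.x.x side, double NAT)
lan  = "igb1"        # trunk to the 24-port Cisco 2950; 192.168.0.x untagged
vpn  = "ovpns1"      # OpenVPN server interface (pfSense names them ovpnsN)
lab1 = "igb1.10"     # VLAN 10, 192.168.1.0/24 VMs (assumed VLAN ID)
lab2 = "igb1.20"     # VLAN 20, 192.168.2.0/24 VMs (assumed VLAN ID)

mgmt_net = "192.168.0.0/24"                # ESXi host and pfSense LAN
lab_nets = "{ 192.168.1.0/24, 192.168.2.0/24 }"
vpn_pool = "10.8.0.0/24"                   # OpenVPN tunnel network (assumed)
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Translation rules precede filter rules in FreeBSD pf syntax.
nat on $wan from { $mgmt_net, $lab_nets, $vpn_pool } to any -> ($wan)

block log all        # default deny on every interface, in and out

# OpenVPN itself must stay reachable; with double NAT the Netgear has to
# forward UDP/1194 to this box.
pass in quick on $wan proto udp from any to ($wan) port 1194 keep state

# VPN clients reach the lab VLANs only. keep state (floating states, the pf
# default) covers the replies leaving the lab, so blocking traffic that
# originates in the lab does not break VPN sessions.
pass in quick on $vpn proto { tcp, udp, icmp } from $vpn_pool to $lab_nets keep state

# Lab VMs may still get DHCP and DNS from pfSense on their own VLAN.
pass in quick on { $lab1, $lab2 } proto udp from any port 68 to any port 67
pass in quick on $lab1 proto { tcp, udp } from 192.168.1.0/24 to ($lab1) port 53 keep state
pass in quick on $lab2 proto { tcp, udp } from 192.168.2.0/24 to ($lab2) port 53 keep state

# Nothing originating in the lab reaches the home network (10.x), the
# management LAN, the other lab VLAN, or the VPN clients (10.8.0.0/24 falls
# inside the 10.0.0.0/8 table entry).
block in log quick on { $lab1, $lab2 } from $lab_nets to <rfc1918>

# Optional: let lab VMs out to the internet only. Remove this line to block
# everything leaving the lab, as asked in the first post.
pass in quick on { $lab1, $lab2 } from $lab_nets to ! <rfc1918> keep state

# The management LAN keeps normal outbound access.
pass in quick on $lan from $mgmt_net to any keep state
```

Two caveats a practitioner would check: the rules only hold if the isolation underneath is real, that is, the ESXi port groups actually tag 10 and 20 and the 2950 trunk does not carry the lab VLANs to the 48-port switch where the internal network lives; and nothing here stops two lab VMs on the same VLAN from attacking each other, since that traffic never reaches pfSense. If one user must not touch another user's machine, give each user their own VLAN and let the `block` rule above keep them apart.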
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.