N00b question about subnets

BlazeStar · Nov 22, 2014, 6:56 AM

New to pfSense, using 2.1.5-RELEASE (amd64)

I have several type of devices on my network

For example, I have Servers, IP phones, printers and computers

I would like to create the following subnets:

10.0.1.XXX : Computers
10.0.2.XXX : IP phones
10.0.3.XXX : printers
10.0.4.XXX : computers

How do I do that ?

kejianshi · Nov 22, 2014, 7:14 AM

With either vlans or multiple interfaces.
1 vlan per subnet or 1 interface per subnet.

Derelict · Nov 22, 2014, 7:36 AM

Why do you want to separate those functions? What is your desired result?

BlazeStar · Nov 24, 2014, 9:10 PM

Yes I should stated my desired result. Sorry.

I would like to have all my computers in the 10.0.1.XXX range and be configure by DHCP.

Second phase would be to install a proxy + content filter (SQUID + SQUID GUARD)

Those two ranges :
10.0.2.XXX : IP phones
10.0.3.XXX : printers

I would like to disable Internet access and DHCP

Finally, this range :
10.0.4.XXX : computers

I would like to disable DHCP, allow Internet access and bypasse proxy and content filter.

I'm not sure if I should go for VLANS or Interfaces.

phil.davis · Nov 25, 2014, 2:37 AM

If you are happy for (want) all devices to be able to talk to each other on a single LAN, then you do not need to have different actual interfaces. You can just assign static-mapped DHCP for each "known" device to put them in a particular piece of the 1 big subnet. Then leave the "unknown" guest devices in the ordinary DHCP pool.
Then your rules can allow/block differently for the different parts of your 1 subnet.
But that provides no real security - any guest can set an IP address themselves, rather than taking DHCP, and effective put themselves in a "more trusted" part of your subnet/rules.
So you need to decide what is your internal known/trusted network, and what are guests and other public stuff.
I suspect that you will want printers and other local network resources (NAS, your own file server…) on the trusted LAN along with your home computers, so they all just see each other.
Many people would end up with:
LAN - your own home computers, printers, NAS, file server, an AP for your home WiFi.
Guest - and AP for your friends to use, with no (or very controlled) access to LAN and more generous internet access
DMZ - anything you have that provides public services (public web site...)
WAN - 1 or more actual uplinks to your ISP/s

So you might end up with 3,4... interfaces on pfSense. If you have that many physical NICs, then easy. Otherwise you need a VLAN switch also.

Then pick some private address space for each of LAN, Guest, DMZ...