Achieve segmentation: multiple subnets or VLAN(s)?
-
Hi,
I'm a newbie, both to the forum and pfSense. But, being used to the standard retail routers, I'm really impressed by this masterpiece of open source software.
Due to confusion I'm using this post as a last resort and I seek your help. I've been reading for three days straight and my mind is a little DDoS'ed by this new (and sometimes contradictory) information given by various help sites, forums and so forth.
My setup:
- Debian server with a dozen virtualboxes (running slim WinXP clients).
- several workplace PCs running linux distros
- pfSense box with three NICs (2x 3Com 3C905C-TX and 1x Intel Pro/1000)
- Netgear layer 2 unmanaged switch GS602 v2
- Dual WAN with the ADSL modems attached to the 3Com 3C905C-TX
Example:
ADSL A ----> 3Com 3C905C-TX (xl0) ----> pfSense
ADSL B ----> 3Com 3C905C-TX (xl1) ----> pfSense
physical linux clients, Debian server (with vboxes on it) ----> Netgear ----> Intel Pro 1000 (LAN) ----> pfSense
My goal:
- separating/segmenting the virtualboxes from the workplace hosts
I call it "segment" since I don't know how else to name it. The goal is just to lock the vboxes into their own network/subnet or VLAN being able to communicate through ADSL B to the outside world but not being able to communicate to the workplace PCs. Currently all the clients are on the same subnet 192.168.1.0/24.
I tried creating a VLAN, assigning the VLAN to a new interface and configuring it static to 192.168.2.1 with DHCP enabled on both the "normal" LAN and the new interface called VBOXNET. Although the first DHCP was told not to allow unknown clients, the second DHCP didn't hand out leases. Even with manual IP config to that network 192.168.2.0 no connection has been established (ping, tracert).
I also read that it's possible to use a subnet mask of /26 or /27. When I did that, no communication between my workplace PC and the LAN interface of pfSense was possible WHILE using the Netgear switch. A direct connection between workplace PC and pfSense box worked flawlessly. I suspect that the switch can't handle the packets correctly, though I read that such a "stupid" MAC-based switch doesn't even know the difference between different subnets.
While writing this an idea comes to mind: leaving the vboxes within 192.168.1.0/24 but denying them access to and from the workplace PCs by assigning firewall rules. But I think this variant is the most work-intensive and the least flexible for future expansion / modification.
Thank you all in advance!
-
To use VLANs, your switch needs to support them. In other words, it needs to be a managed switch.