Sharing Printer across multiple subnets
-
Thank you for reply Johnpoz,
I am trying to work with the wiring in place.
The main pfsense box is physically quite far from the segregated network (Switch2). So in between I have a switch (Zyxel GS-1124A) I don't think it is VLAN capable unfortunately. I have updated the diagram to show the true network. Please see attached.
As for connecting the second switch to the second interface on the main Pfsense, they are physically too far, the run would not be feasible.
-
Those switches are like what, circa 2006 ;) Yeah, they are unmanaged.. Don't you think it's time to maybe update them.. Get something with VLAN support..
How far is this run?? You can get some new smart switches with fiber support for pretty cheap.. My sg300 have 2 combo ports where you could do fiber.. I notice you have a tplink switch.. So if you're ok with that brand they sell their fiber converter for $50
http://www.amazon.com/MC200CM-Converter-1000Mbps-multi-mode-mountable/dp/B003AVRLZI So a couple of them, and a length of fiber, and you're good..
If you're going to actually go with a downstream router.. since you don't seem to have the ability to do VLANs, and have distance issues, then since you wouldn't be able to come up with a transit network, NATting would be your best option. So while yes, you can share stuff off your first router with stuff behind pfSense #2, you would have to NAT and port forward.
It would really behoove you to get some VLAN capable switches, to be honest.. I show the Zyxel GS1910-24 for under $200, which is a smart switch and does VLANs. And has support for SFP, maybe you could just move the ones you're using to this switch, etc.
-
What if I replace the second ZyXel switch with a smart VLAN capable switch, would that be ok or do I need all switches to be VLAN capable? (my knowledge of VLANs is very limited, I've never implemented them :-[ )
-
You might get away with changing switch1 to a VLAN capable device and then drive a fiber converter off one of its ports.
Realistically if you're going fiber anyway why don't you just install a Fiber NIC in your pfsense box (or drive a converter). That would give you full control of both networks in the cleanest fashion.
What is the actual distance we're talking, how far is "too far"?
-
As divsys mentions, replacing the first switch connected to pfSense with one that allows VLANs would allow you to run VLANs off that switch to downstream dumb switches, with these downstream dumb switches all being in the same VLAN.
I am also curious as to what is too far.. Ethernet can run 300 feet, that's a pretty long way.. If you need more than that, fiber is always an option.. As I showed you with the $50 converters and the cost of the fiber, it can be done on the cheap if need be.
-
Thank you for the reply guys.
Too far = 1300+ feet of cable run and maybe 3 days to run it given the design of the building. As per my diagram attached, if I change both switches connected to pfSense to VLAN capable switches, would I then be able to implement VLANs on VLAN Switch#2 and plug the Dumb Switch #1 into it? Would I then have to configure VLANs on VLAN Switch#2 only, or on VLAN Switch#1 and then VLAN Switch#2?
Thank you

-
If you replace your 2 GS1124 with VLAN switches, then you would want to config both of them with VLANs. The connection to pfSense would be a trunk (i.e. carries tagged VLAN info). The connection to your 2nd GS1124 from your first would also be trunked. Then you can put whatever VLANs you want on any of those ports on either of those switches. Then yes, you could run just 1 VLAN on the port connected to your tplink dumb switch, and all ports on that switch would be in that VLAN.
You then have to create the VLAN interfaces on pfSense.
-
Too far = 1300+ feet of cable run and maybe 3 days to run it given the design of the building.
Ok so adding a new cable is out, but what about the existing (I presume) Fiber?
Is there other traffic on this line that won't coexist, or can you not just route it directly into the pfSense box? Adding another NIC to pfSense is typically pretty simple.
The VLAN options johnpoz has mentioned will definitely work as well.
-
"Ok so adding a new cable is out, but what about the existing (I presume) Fiber?
Is there other traffic on this line that won't coexist or can you not just route it directly into the pfSense box?"
There is traffic on the second switch as it is part of LAN, I forgot to draw some clients around it.
So let's assume that I am able to connect the fiber to OPT1 of the pfSense, how do I configure pfSense to only allow printer sharing across the interfaces and nothing else really?
-
"how do I configure pfsense to only allow printer sharing across the interfaces and nothing else really?"
With a firewall rule that only allows access to the printers on the port they use, quite often 9100. Depends on the printing protocol you use. Or only access to the print server if using one, etc.
Once you have your network split with either physical network segments or with the use of VLANs, then you can firewall between these segments and only allow the traffic you want between the 2 networks.
While having a downstream router can work, it is a more complex and less robust setup, since everything behind the 2nd pfSense would either be behind a NAT, or if not using a transit network to get to it you would have an asynchronous routing issue. If you leverage your 1 pfSense as both your router between your segments and firewall, you can allow or block whatever traffic you want between these segments and also to and from the internet for both segments.
There are clearly times where you would want a downstream router, most often when the traffic between these segments makes no sense to send back to your core/edge router. Lots of traffic between them, for example. But if NATting to these downstream networks you now have to deal with port forwarding vs just simple firewall rules.
Your best, simple solution is to just let your 1 firewall do the routing and firewalling between your networks. The upgrade to VLAN capable switches will give you the power to segment your network as you see fit to allow more security and control. Putting all your printers on 1 VLAN, for example. Maybe your servers on their own segment to control access to them. Maybe even splitting your clients depending on location or function. This way, for example, if one gets infected with a worm, it would be limited in where it could go, easier to isolate, etc.
The other feature sets of a smart switch will allow for easy tracking down of devices based upon MAC, for example. The ability to do IGMP snooping, rate limiting, QoS, etc. All comes down to how rich a feature set you get with your new smart/managed switches.
If you have a wifi network, VLAN capable switches and access points will allow you to isolate guest traffic. Isolate even your normal devices on wifi from what they might not need to be able to get to. This can limit exposure in case unwanted devices learn your wifi password, etc.
Another nice feature of breaking up your network into multiple segments is lowering the number of devices in the same broadcast domain. This cuts down on noise on your network. Depending on the feature set of your switches you could do private VLANs, where clients all in the same network can not even talk to each other unless you allow it. This can be a great help if a client gets a worm, for example; clients rarely really have the need to talk to each other.
Possibility of dynamic VLANs, where a device automatically joins a specific VLAN based upon authentication/identification. This can be very useful when using, say, IP based phones. Plug a phone into a port and it's on your voice VLAN, plug a computer into the port and it's on your normal data VLAN.
The possibilities are almost endless depending on the feature set you get with your switches. It really would be your best bet to take the opportunity to upgrade your network to smart/managed switches. How much money it costs depends really on the port density and the feature set you're looking for. Some have very basic features like VLANs and the ability to set specific port speed.. Or you could go full bore with an enterprise feature set.. But you can for sure take baby steps on a lower budget and just get basic VLAN support.
The ability to do monitoring or even control of the switch via SNMP.. I really could go on and on about the benefits of having a real switch vs just these dumb devices that have a bunch of ports.
-
Yeah ^ what johnpoz said, in the end a single pfSense box invites the KISS principle (a good thing)…..
The way I tend to simplify my rules in a LAN/OPT1 setup is to make sure I set a static IP address for the printer(s) and then simply base my firewall rules on the IP addresses involved.
You just allow or disallow traffic to the printers/devices from the other network involved based on the destination address or network.
On the LAN side you create a rule to allow access to an address (or Alias) for the printer(s).
On the OPT1 side you create a rule that allows traffic from the printer to the LAN network (if necessary). That's a very general idea of how you could set up the rules; it can be fine tuned to specifically allow/disallow everyone, no one, or just a single or groups of IP addresses as your needs require.
Post some specific examples of exactly what you want to achieve and we can give you better pointers.
In the end you'll find it's really not that tough after all
-
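Added example, not posted by anyone in this thread: the rule set johnpoz (allow only the print port, often 9100) and divsys (static printer IPs grouped in an alias, rules keyed on destination address) describe, written in the pf.conf syntax that pfSense compiles its GUI rules into. pfSense is configured through the GUI, so this is the underlying representation, not something to paste into the box. Interface names, subnets and printer addresses are constructed assumptions for illustration.

```pf
# Constructed assumptions: LAN on igb0, OPT1 (the printer segment) on igb1.
lan_if   = "igb0"
opt1_if  = "igb1"
lan_net  = "192.168.1.0/24"
opt1_net = "192.168.2.0/24"

# A GUI alias becomes a pf table; give each printer a static address first.
table <printers> { 192.168.2.20, 192.168.2.21 }

# Raw socket printing (9100) and IPP (631). Add 515 only if a device needs LPD.
printer_ports = "{ 9100, 631 }"

# pfSense evaluates rules on the interface the traffic ENTERS, first match wins
# (hence "quick" on every rule). Pass rules come before the catch-all block.

# LAN clients may reach the printers, and only on the print ports.
pass in quick on $lan_if proto tcp from $lan_net to <printers> port $printer_ports keep state

# "keep state" lets the printers' replies back without a rule on OPT1.
# If a printer must initiate connections to the LAN (scan-to-folder, for
# instance), allow that one destination here instead of opening OPT1 wide:
# pass in quick on $opt1_if proto tcp from <printers> to 192.168.1.10 port 445 keep state

# Everything else between the two segments is dropped and logged. Traffic from
# either segment to the internet is untouched because these match only the
# inter-segment destination networks.
block in log quick on $lan_if  from $lan_net  to $opt1_net
block in log quick on $opt1_if from $opt1_net to $lan_net
```

The order matters: in pf a rule marked `quick` ends evaluation, which is how the GUI's top-down behaviour is expressed. Leaving `log` on the block rules gives you the firewall log entries to confirm nothing but the print ports is being attempted across the link.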
thanks for the great reply John, it was a good read and made a lot of sense.
-
Thank you all for great deal of very good info. I am in the process of ordering couple of Smart switches (vlan capable and more). Once I have it all setup, I will post back to update how it is working and all.
Thank you Johnpoz and Divsys for all your help.
-
So what switches did you go with? Enquiring minds want to know ;)
-
I agree VLAN capable switches is the way to go, but looking at the diagram you had, if you did introduce the second pfSense box you could technically then create a GRE tunnel between the two pfSense boxes. It does not have to be encrypted since it's likely an internal network in your case, and then use firewall rules to limit access. Also Avahi can be used at both ends to advertise services across the GRE tunnel, so if these printers use AirPlay then iOS devices will be able to find them. This is the setup we use to access printers on different sites of a site to site VPN, except we use GRE over IPSec.
Sam
-
Don't see why you need a second pfSense box at all if you have a physical link to the second subnet (Vlan or not).
In the end you can either explicitly allow GRE traffic to/from the second subnet on the main pfSense box, or if required build a tunnel for the devices that need it across the link.