Sharing Printer across multiple subnets
-
If you replace your 2 gs1124 with vlan switches, then you would want to config both of them with vlans. The connection to pfsense would be a trunk (ie carries tagged vlan info). The connection to your 2nd gs1124 from your first would also be trunked. Then you can put whatever vlans you want on any of those ports on either of those switches. Then yes, you could run just 1 vlan on the port connected to your tplink dumb switch and all ports on that switch would be in that vlan.
You then have to create the vlan interfaces on pfsense.
-
Too far = 1300+ feet of cable run and maybe 3 days to run it given the design of the building.
Ok so adding a new cable is out, but what about the existing (I presume) Fiber?
Is there other traffic on this line that won't coexist or can you not just route it directly into the pfSense box? Adding another NIC to pfSense is typically pretty simple.
The VLAN options johnpoz has mentioned will definitely work as well.
-
"Ok so adding a new cable is out, but what about the existing (I presume) Fiber? Is there other traffic on this line that won't coexist or can you not just route it directly into the pfSense box?"
There is traffic on the second switch as it is part of LAN, I forgot to draw some clients around it.
So let's assume that I am able to connect the fiber to OPT1 of the pfsense, how do I configure pfsense to only allow printer sharing across the interfaces and nothing else really?
-
"how do I configure pfsense to only allow printer sharing across the interfaces and nothing else really?"
With a firewall rule that only allows access to the printers on the port they use, quite often 9100. Depends on the printing protocol you use. Or only access to the print server if using one, etc.
Once you have your network split with either physical network segments, or with the use of vlans, then you can firewall between these segments and only allow the traffic you want between the 2 networks.
While having a downstream router can work, it is a more complex and less robust setup, since everything behind the 2nd pfsense would either be behind a nat, or, if not using a transit network to get to it, you would have an asynchronous routing issue. If you leverage your 1 pfsense as both your router between your segments and firewall, you can allow or block whatever traffic you want between these segments and also to and from the internet for both segments.
There are clearly times where you would want a downstream router, most often when the traffic between these segments makes no sense to send back to your core/edge router. Lots of traffic between them, for example. But if natting to these downstream networks you now have to deal with port forwarding vs just simple firewall rules.
Your best, simple solution is to just let your 1 firewall do the routing and firewalling between your networks. The upgrade to vlan capable switches will give you the power to segment your network as you see fit to allow more security and control. Putting all your printers on 1 vlan, for example. Maybe your servers on their own segment to control access to them. Maybe even splitting your clients depending on location or function. This way, for example, if one gets infected with a worm, it would be limited in where it could go, easier to isolate, etc.
The other feature sets of a smart switch will allow for easy tracking down of devices based upon mac, for example. The ability to do igmp snooping, rate limiting, qos, etc. It all comes down to how rich of a feature set you get with your new smart/managed switches.
If you have a wifi network, vlan capable switches and AccessPoints will allow you to isolate guest traffic. Isolate even your normal devices on wifi from what they might not need to be able to get to. This can limit exposure in case unwanted devices learn your wifi password, etc.
Another nice feature of breaking up your network into multiple segments is that it lowers the number of devices on the same broadcast domain. This cuts down on noise on your network. Depending on the feature set of your switches you could do private vlans where clients all in the same network can not even talk to each other unless you allow it. This can be a great help if a client gets a worm, for example; clients rarely really have the need to talk to each other.
Possibility of dynamic vlans where a device automatically joins a specific vlan based upon authentication/identification. This can be very useful when using, say, IP based phones. Plug a phone into a port and it's on your voice vlan, plug a computer into the port and it's on your normal data vlan.
The possibilities are almost endless depending on the feature set you get with your switches. It really would be your best bet to take the opportunity to upgrade your network to smart/managed switches. How much money it costs depends really on the port density and the feature set you're looking for. Some have very basic features like vlans and the ability to set specific port speed. Or you could go full bore with an enterprise feature set. But you can for sure take baby steps on a lower budget and just get basic vlan support.
The ability to do monitoring or even control of the switch via snmp... I really could go on and on about the benefits of having a real switch vs just these dumb devices that have a bunch of ports.
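The rule approach described in this post (default deny between the segments, allow only the printer port to the printers' static addresses), written out here as an added pf.conf-style example; it is not part of johnpoz's post, and pfSense generates equivalent pf rules from GUI rules on the LAN and OPT1 tabs. The interface names, subnets and printer addresses are assumptions for illustration.

```pf
# pf.conf-style rules equivalent to pfSense GUI rules on the LAN and OPT1 tabs.
# Interface names, subnets and printer addresses are assumptions for this example.
lan_if   = "igb1"
opt1_if  = "igb2"
lan_net  = "192.168.1.0/24"    # LAN clients
opt1_net = "192.168.2.0/24"    # OPT1: second building, reached over the fiber
table <printers> { 192.168.2.10, 192.168.2.11 }   # static printer IPs, same role as a pfSense alias

# Default deny for anything entering from either segment; logged so blocked attempts are visible
block in log on { $lan_if, $opt1_if } all

# Each segment keeps normal internet access: anything NOT aimed at the other segment
pass in quick on $lan_if  inet from $lan_net  to ! $opt1_net keep state
pass in quick on $opt1_if inet from $opt1_net to ! $lan_net  keep state

# The only LAN -> OPT1 traffic allowed: raw-socket printing (9100/tcp) to the printer alias.
# Replies from the printers ride the state created here, so OPT1 needs no matching rule.
pass in quick on $lan_if inet proto tcp from $lan_net to <printers> port 9100 keep state
# Printers that use IPP (631) or LPD (515) instead get their port added here rather than opening OPT1 wider.
```

With `quick` rules the first match wins, so LAN traffic to anything on OPT1 other than the printers on 9100/tcp falls through to the logged default block.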
-
Yeah ^ what johnpoz said, in the end a single pfSense box invites the KISS principle (a good thing)…
The way I tend to simplify my rules in a LAN/OPT1 setup is to make sure I set a static IP address for the printer(s) and then simply base my firewall rules on the IP addresses involved.
You just allow or disallow traffic to the printers/devices from the other network involved based on the destination address or network.
On the LAN side you create a rule to allow access to an address (or Alias) for the printer(s).
On the OPT1 side you create a rule that allows traffic from the printer to the LAN network (if necessary).
That's a very general idea of how you could set up the rules; it can be fine tuned to specifically allow/disallow Everyone, No one, or just a single or groups of IP addresses as your needs require.
Post some specific examples of exactly what you want to achieve and we can give you better pointers.
In the end you'll find it's really not that tough after all.
-
thanks for the great reply John, it was a good read and made a lot of sense.
-
Thank you all for a great deal of very good info. I am in the process of ordering a couple of Smart switches (vlan capable and more). Once I have it all set up, I will post back to update how it is working and all.
Thank you Johnpoz and Divsys for all your help.
-
So what switches did you go with? Enquiring minds want to know ;)
-
I agree Vlan capable switches is the way to go, but looking at the diagram you had, if you did introduce the second pfsense box you could technically then create a GRE tunnel between the two pfsense boxes (it does not have to be encrypted since it's likely an internal network in your case) and then use firewall rules to limit access. Also, Avahi can be used at both ends to advertise services across the GRE tunnel, so if these printers use AirPlay then iOS devices will be able to find them. This is the setup we use to access printers on different sites of a site-to-site VPN, except we use GRE over IPSec.
Sam
-
Don't see why you need a second pfSense box at all if you have a physical link to the second subnet (Vlan or not).
In the end you can either explicitly allow GRE traffic to/from the second subnet on the main pfSense box, or if required build a tunnel for the devices that need it across the link.