What do you think about this setup? mainly security
-
Hey,
I'm planning to setup a mobile office solution.
I've somewhat written out the following scenario and wondered if this solution is secure enough? Laptops are connected by 4G or wifi, use an openvpn connection with 2 factor authentication to gain access to our office network, then use remote desktop.
At our work we now have 2 strictly separate networks, as you can guess: an office network and an internet network. They are in no way connected to each other.
After our internet router I would add a pfSense firewall, connecting the 1st network port there, then use the 2nd network port to connect it to the office network. Attachment added just for illustration purposes.
-
What is the point of router 192.168.0.1? That is where pfsense should go. Then sure you can have as many network segments on the private side as you want/need. You can firewall between these networks.
What are these devices on the 192.168.0? Are those office computers? Do they want/need to talk to the 10.10.10 network?
-
Router 192.168.0.1 provides internet access for a limited number of computers throughout the building, but also provides us with wifi (access points).
Office computers are in the 10.10.10 network and have no connection towards the internet or any computer/device on 192.168.0 (-> image but without the connection between router and pfSense and pfSense itself). So we have office computers which are on the internet network and office computers on the internal network; the networks are separated and can't communicate with each other.
-
So your wifi can not talk to your office stuff, like use a printer.. It's just a guest network.
So why would you want office computers not to talk to each other - where are the servers?
In your setup why would 10.10 computers not have access to 192.168? Out of the box pfsense would nat 10.10 to 192.168 and sure they would be able to access that just fine. Now 192.168 would not be able to access 10.10 stuff.
If you can not give pfsense public IP then sure you can put it behind a nat router dmz, etc. But all your other networks be them wireless/wired should just be segments off pfsense.
If for any reason you have any desire for your 2 networks to talk to each other you're going to have issues with asymmetrical routing or you're going to have to be natting and or port forwarding, etc..
this would be a simple common network, be it work or your home, whatever. If you can not put public on pfsense you would use whatever network that isp router is natting too as just a transit network. No devices/wifi would be on this devices network. It would be just a transit to pfsense. This gives you simple setup with most control. If you need something to talk to something else you can allow it. If you want them all to not talk and just have internet then you could set that up too.
Putting pfsense as a downstream router behind a non transit network, nat or no nat, is not optimal for control or maint, troubleshooting. For sure pfsense can be a downstream router/firewall in any network, but if you're here asking for help, use of a downstream router is prob not the ideal setup.
-
Sorry, think I'm explaining it wrong:
10.10.10 is our internal office network, has dozens of computers, printers, servers,… this is where all the work gets done.
It was the only network for years at our office (that's right, zero internet connectivity). After a while it was decided that some ppl would need internet access, so the office got an internet connection and added some computers -> 192.168.0 network, hence 2 separate networks.
This was later extended by placing access points (all internet is on the 192.168.0 network).
Some computers have usb printers on the 192.168.0 internet network; let's just say there's not a lot going on there but it's still needed for some things. But "everything" happens on the 10.10.10 network, which has enough computers, printers, servers,..
-
And maybe I am not being clear? It's a bad setup, sorry it is..
You have access to pfsense, why would you not leverage it as it was meant to be used? You can then keep exactly as you want for access, be it between segments or to the internet, etc. or allow for access that would make sense, etc.
Putting pfsense as a downstream router with devices on what should be a transit is just bad networking.. Doesn't have to be pfsense.. Having a downstream router on a non transit network is bad design.. From the internet to your 10 network should be a transit be it a double nat or not. You have devices on that transit 192.168 - this is bad design..
-
You don't need to say sorry, I'm here to listen. If it's bad then it's bad, it would be dumb of me not to listen after asking for advice :)
If you have to ask things like:
where are the servers?
then I did a bad job at explaining in the start ;)
With the previous post I just wanted to elaborate on how things came to be and are right now. I will follow your advice, think I'll start with a small virtual lab to see what I can do with pfSense.
Really thx for your feedback! -
So your only wifi is this isp device/wifi router at 192.168.0.1?
Is that your device or isp device? What is the make or model? What are you running pfsense on? How many interfaces do you have, can you add more - do you have a smart/managed switch, can you get one?
More than happy to help you take your network to the next level from setup to security, etc. etc. While in larger networks sure you can have "downstream" routers - they will always be connected via a transit network. Such a small setup makes no sense to get that complicated. But you really should take your wifi and put it behind your control, i.e. pfsense. Use of an actual AP with vlan support would allow you to move to say wpa enterprise vs I am guessing you're just using psk currently.
This would allow you to have a work wifi network that could allow full or more secure access to say a printer, or a certain file share where you could access presentations while in the conf room or something, etc. etc.. Sky's the limit to what you can do with a basic good setup.
pfsense, smart switch and ap with vlan support can go really really far.. From home/smb to enterprise..
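To make the advice in this thread concrete (ISP router segment used only as a transit, every segment hanging off pfSense, firewalling between segments, guest wifi on its own VLAN, VPN laptops limited to RDP), here is an added example in hand-written pf rule syntax. It is not from the thread or from pfSense's generated configuration, and the interface names, subnets and RDP hosts are constructed assumptions.

```pf
# Interfaces (assumed names for this illustration)
ext_if   = "em0"     # WAN: transit toward the ISP router 192.168.0.1, no office devices here
lan_if   = "em1"     # office LAN 10.10.10.0/24: computers, printers, servers
guest_if = "em1.20"  # VLAN 20 from a VLAN-capable AP: wifi guests, internet only
vpn_if   = "ovpns1"  # OpenVPN server tunnel for the mobile laptops

lan_net   = "10.10.10.0/24"
guest_net = "10.10.20.0/24"
vpn_net   = "10.10.30.0/24"
rdp_hosts = "{ 10.10.10.50, 10.10.10.51 }"   # constructed: the remote desktop targets
rfc1918   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set skip on lo0
set block-policy drop

# Outbound NAT toward the transit network (double NAT behind the ISP router is fine)
nat on $ext_if from { $lan_net, $guest_net, $vpn_net } to any -> ($ext_if)

# Default deny and log, so unexpected flows show up in the firewall log
block log all

# Services on the firewall itself: OpenVPN from the internet, webGUI from the office LAN only
pass in on $ext_if proto udp to ($ext_if) port 1194 keep state
pass in on $lan_if proto tcp from $lan_net to ($lan_if) port 443 keep state

# Office LAN may reach the internet and the transit segment; nothing on the
# transit side can initiate toward 10.10.10.0/24 because no rule passes it in on $ext_if
pass in on $lan_if from $lan_net to any keep state

# Guest wifi: DNS to the firewall, then internet only; every private range is blocked,
# which covers both the office LAN and the transit segment
pass in quick on $guest_if proto udp from $guest_net to ($guest_if) port 53 keep state
block in quick on $guest_if from $guest_net to $rfc1918
pass in on $guest_if from $guest_net to any keep state

# VPN laptops (already past OpenVPN's 2FA): only RDP to the listed hosts, nothing else
pass in on $vpn_if proto tcp from $vpn_net to $rdp_hosts port 3389 keep state

# Replies and firewall-originated traffic leave on every interface
pass out all keep state
```

On pfSense the same policy is entered per interface in the GUI (Firewall > Rules) rather than as a pf.conf, but the resulting rule order and the "default deny, pass only what each segment needs" shape is the point.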