Securing home network with SG-2220
-
Hello,
I'm thinking of getting an SG-2220 for my home network and have a few questions please. I think some of them are extremely basic, but I'm a networking novice and so would appreciate confirmation or clarification/correction.
Anticipated network hardware:
ADSL modem -> SG-2220 -> 8-port Gigabit switch -> wifi access point 1 -> wifi access point 2 (for guests?)
1. Is it possible to restrict LAN and internet connectivity to only certain devices connected to the switch and wifi access points? (Via MAC address?)
2. I'm thinking wifi access point 2 would be for guest internet access, where they can only get internet access and not access any of the other devices on wifi access point 1 or the switch; is this possible? Alternatively, would it be possible to achieve the same effective result with only one access point, where only certain devices would be allowed to send/receive from other devices on the home network but all devices would have internet access?
Edit: I just remembered the SG-2220 has wireless options; could I achieve the same result using its own wifi?
3. I'd like to run a couple of internet-accessible services on a home computer (webserver and mumble server). I only want the associated ports to be reachable on that particular computer - not other devices. Can I configure pfSense so that all incoming traffic on certain ports (80, 443, etc.) only gets routed to a certain computer attached to the switch (which is attached to the SG-2220), whether using IPv4/NAT or IPv6/no NAT?
4. Also, can I effectively isolate this internet-accessible computer from my other computers (in case of compromise via website software, for example), perhaps with the exception of port 22 for SSH access from one or two of my other computers? (And is this a fairly safe/sensible approach? The SG-2220 has just the one LAN interface.)
5. I'm considering connecting to my VPN service (OpenVPN) from the SG-2220 rather than from particular computers, so that all devices' communications via the internet go through the VPN. (Mainly for general privacy.) Am I right in thinking that this is practical, and that, for example, when one of my computers requests a web page the response will get back to the right computer, through the VPN service and SG-2220?
(By the way, the reason hosting a website, etc., could be possible even if the whole network is connected to the internet via the VPN service is that our VPN provider offers port forwarding through the VPN. So I can have traffic to, for example, example.com:9742 (the VPN provider's server) forwarded to our home on port 443.)
5a (added in edit). Is it possible to restrict all traffic to/from the internet to the VPN, preventing DNS leaks and non-VPN protected traffic?
6. Alternatively, when the SG-2220 is connected to the VPN service, is it possible to have only certain computers on my home network talk to the internet through the VPN, or must they all be connected via the VPN? (An alternative would be to connect only certain computers to the VPN service via OpenVPN on each computer, but I am limited to a certain number of VPN connections.)
Thanks!
-
Hi,
I can answer for what I know.
You should do everything through the firewall rules.
1. Yes. Only by IP address (also grouped in an alias).
2. Yes, if the switch supports VLANs.
5. Yes.
5a. Yes.
6. Yes. Routing only the affected computers to the VPN gateway.
I think there will be no problems about numbers 3 and 4, although it's better to wait for someone more experienced.
-
Thanks for your reply!
2. I'm thinking wifi access point 2 would be for guest internet access, where they can only get internet access and not access any of the other devices on wifi access point 1 or the switch; is this possible? Alternatively, would it be possible to achieve the same effective result with only one access point, where only certain devices would be allowed to send/receive from other devices on the home network but all devices would have internet access?
Edit: I just remembered the SG-2220 has wireless options; could I achieve the same result using its own wifi?
2. Yes, if the switch supports VLANs.
Regarding using VLANs for isolation, I think I heard that VLAN-based separation/isolation is not as secure as using separate interfaces because the VLAN tag on the end of each packet can potentially be faked. Is that right, or is a VLAN means of separating groups of devices reliable in this situation?
Does the SG-2440 have four separate interfaces (one for WAN, other three for LANs in my case), or are all/some of the ports on the same interface?
3. I'd like to run a couple of internet-accessible services on a home computer (webserver and mumble server). I only want the associated ports to be reachable on that particular computer - not other devices. Can I configure pfSense so that all incoming traffic on certain ports (80, 443, etc.) only gets routed to a certain computer attached to the switch (which is attached to the SG-2220), whether using IPv4/NAT or IPv6/no NAT?
4. Also, can I effectively isolate this internet-accessible computer from my other computers (in case of compromise via website software, for example), perhaps with the exception of port 22 for SSH access from one or two of my other computers? (And is this a fairly safe/sensible approach? The SG-2220 has just the one LAN interface.)
I think there will be no problems about numbers 3 and 4, although it's better to wait for someone more experienced.
Okay, thanks. I would have thought that 3 in particular is something basic for pfSense as it seems similar to what a typical NAT router does when it forwards ports.
By the way, I've started watching this Comprehensive Guide To pfSense 2.3 video series which seems helpful, and I think I'm going to learn a lot and hopefully find out more about things related to my questions.
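The following ruleset is an added illustration of how the separate questions in this thread (guest isolation over VLANs, a port forward to a single host, a DMZ-style host reachable only on SSH from named PCs, and a VPN kill switch with policy routing) fit together. It is not from the thread, not the rules pfSense generates and not GUI steps; it is written in raw pf(4) syntax, the filter pfSense compiles its GUI rules to, with "quick" on every filter rule so that, as in the GUI, the first match wins. The interface names, VLAN ids, addresses (203.0.113.5 is a documentation address standing in for the VPN endpoint), the tunnel gateway and the OpenVPN port are all constructed assumptions for a single-LAN-port box like the SG-2220.

```pf
# Added illustration in pf(4) syntax; not from the thread or pfSense itself.
# Every name, VLAN id and address below is an assumption.
ext_if   = "igb0"            # WAN, plugged into the ADSL modem
lan_if   = "igb1"            # the single LAN port, untagged = trusted LAN
guest_if = "igb1.20"         # VLAN 20 carried on the same port: guest wifi AP
dmz_if   = "igb1.30"         # VLAN 30: the internet-facing home server
vpn_if   = "ovpnc1"          # OpenVPN client tunnel to the VPN provider

lan_net   = "192.168.1.0/24"
guest_net = "192.168.20.0/24"
dmz_net   = "192.168.30.0/24"
web_srv   = "192.168.30.10"                   # web + mumble host (questions 3/4)
admins    = "{ 192.168.1.10, 192.168.1.11 }"   # the one or two PCs allowed to SSH in
vpn_only  = "{ 192.168.1.20, 192.168.1.21 }"   # hosts to policy-route (question 6)
vpn_peer  = "203.0.113.5"    # provider endpoint as an IP, so no DNS is needed before the tunnel is up
vpn_gw    = "10.8.0.1"       # tunnel-side gateway the provider hands out
rfc1918   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set block-policy drop
set skip on lo0

# --- Translation -----------------------------------------------------------
# Outbound NAT exists only on the tunnel, never on the raw WAN (question 5a):
# with the tunnel down, client packets keep their private source and are dropped.
nat on $vpn_if from { $lan_net, $guest_net, $dmz_net } to any -> ($vpn_if)

# The provider forwards its public port to us through the tunnel; the packet
# arrives on $vpn_if addressed to our tunnel IP. Send it to the server only.
rdr on $vpn_if proto tcp from any to ($vpn_if) port 443   -> $web_srv
rdr on $vpn_if proto tcp from any to ($vpn_if) port 80    -> $web_srv
rdr on $vpn_if proto { tcp, udp } from any to ($vpn_if) port 64738 -> $web_srv

# Clients that point at an outside resolver are pulled back to the firewall's
# own resolver, which itself queries upstream through the tunnel (DNS leaks).
rdr on $lan_if   proto { tcp, udp } from $lan_net   to ! ($lan_if)   port 53 -> ($lan_if)
rdr on $guest_if proto { tcp, udp } from $guest_net to ! ($guest_if) port 53 -> ($guest_if)
rdr on $dmz_if   proto { tcp, udp } from $dmz_net   to ! ($dmz_if)   port 53 -> ($dmz_if)

# --- Filtering: first match wins ("quick"), default deny ---------------------
block log all

# Kill switch: the firewall's own OpenVPN session is the only traffic allowed
# to leave the raw WAN; anything else reaching it is a leak and is dropped.
pass  out quick on $ext_if proto udp from ($ext_if) to $vpn_peer port 1194
block out quick on $ext_if

# Trusted LAN (question 4): SSH from the named admins into the server,
# nothing else into the DMZ VLAN, full internet (via the tunnel) otherwise.
pass  in quick on $lan_if proto tcp from $admins to $web_srv port 22
block in quick on $lan_if from $lan_net to $dmz_net
pass  in quick on $lan_if from $lan_net to any

# Guest VLAN (question 2): DHCP and DNS from the firewall, then internet only.
pass  in quick on $guest_if proto udp from any to any port 67
pass  in quick on $guest_if proto { tcp, udp } from $guest_net to ($guest_if) port 53
block in quick on $guest_if from $guest_net to $rfc1918
pass  in quick on $guest_if from $guest_net to any

# DMZ VLAN (questions 3/4): accept the forwarded services, let the server reach
# the internet, and stop it from initiating anything toward internal networks.
pass  in quick on $vpn_if proto tcp from any to $web_srv port { 80, 443 }
pass  in quick on $vpn_if proto { tcp, udp } from any to $web_srv port 64738
block in quick on $dmz_if from $dmz_net to $rfc1918
pass  in quick on $dmz_if from $dmz_net to any

# Replies ride on the states created above (default floating state policy);
# this keeps the outbound direction on the internal interfaces explicit.
pass out quick on { $lan_if, $guest_if, $dmz_if, $vpn_if }

# Alternative for question 6: keep the WAN as the default route, NAT the other
# hosts on it, and push only $vpn_only through the tunnel with a route-to rule.
# (Doing this gives up the kill switch above for the non-VPN hosts.)
#   nat on $ext_if from $lan_net to any -> ($ext_if)
#   pass in quick on $lan_if route-to ($vpn_if $vpn_gw) from $vpn_only to ! $rfc1918
```

Two points a practitioner would check before relying on this layout. First, the VLAN separation only holds if the switch's access ports insert and strip the 802.1Q tag themselves, so a guest device connected to an access port on VLAN 20 cannot present a frame tagged for VLAN 30; that is a switch configuration concern, and the single LAN port on the firewall must be the switch's only trunk. Second, the "block out quick on $ext_if" line is what turns a tunnel outage into a loss of connectivity instead of a silent fallback to the ADSL line, which is exactly the behaviour question 5a asks for; the firewall's own resolver still works through the tunnel because its upstream queries follow the default route, which the OpenVPN client sets to the tunnel.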