Architecture questions (VLAN, Wifi, …)
-
I bought the SG2440 (vs the 2200) and a Unifi Pro….I appreciated getting the extra ports later including a separate interface for management. I think the 2440 has a faster processor for Snort, pfBlocker, etc...
If money is the issue you can save a few $$ by getting the smart switch later and go with a 2200...
Regarding the trunks unless I missed a step...I didn't have to "tag" any clients, just the switch, Unifi both are VLAN capable and create the tagged VLAN interfaces in pfSense. You can create a non-VLAN interface with the Unifi Pro which also acts as the trunk for your VLANs
I assumed the tagged traffic was separate and VLANs were 90% as safe as a separate network...I am open to being "schooled"!
-
"No, I only have dumb switches and don't really want to buy smart ones."
That is a pretty "dumb" idea ;) A smart switch that can do vlans can be had for like $30 for an 8 port gig.. Out of the box you can just use it as a dumb switch and never even look at its gui if you don't want to.. But when needed it can do vlans. The cost of entry level "smart" switches is sometimes even cheaper than "dumb" switches… If you're buying dumb switches - I would call that a DUMB decision ;)
Who said anything about making your wired devices tagged?? If you have a 2nd nic you can plug the AP directly into it.. And create whatever networks you want for wifi via the untagged network which is needed for management of the AP.. Then you can have wifi networks that are on the untagged network or on vlan networks.
"You can create a non-VLAN interface with the Unifi Pro which also acts as the trunk for your VLANs"
Huh?? What are you saying? How would a non-vlan interface be your trunk? You do not set anything on any of the APs themselves for the port.. If the port is connected to a switch port, then that switch port has to be configured to allow the specific vlan tags - in cisco world this is a trunk port. And there can be 1 untagged network/vlan
On the AP the management IP of the AP itself is untagged... You can create ssid then and put them on tagged (vlans) or if you do not set a vlan ID then they would be untagged and on the untagged network the AP is connected to.
-
Just to clarify my setup…
I have the SG2440,
I use LAN for pfSense management only
I connect the Opt1 interface directly to my Unifi AP with its own IP address 192.168.5.10 (Not a VLAN) but it has its own SSID
I have 2 VLANs set up using the Opt1 as a "Parent interface" (Isn't a parent interface the same as a trunk interface?)
These VLANs are tagged in my Unifi AP with their own IP address 192.168.6.12 and 192.168.7.11
Each of these VLANs broadcasts a separate SSID with its own password
I have a smart switch but don't use it as I have available SSIDs left on my Unifi AP and available nics on my SG2440 for expansion. While I could have just bought the SG2200, in hindsight I am happy with the extra processing power I get with my SG2440 and I have extra Nics for expansion....
I am still refining my rules and other configurations but like the segregation I am getting on my network...
-
""Parent interface" (Isn't a parent interface the same as a trunk interface?)"
Never heard the term used like that - but get your meaning now.
"I have a smart switch but don't use it as I have available SSIDs left on my Unifi AP and available nics on my SG2440 for expansion"
Ok - but not sure how those tie together.. If you used the smart switch between your pfsense opt1 interface and your AP you could then put wired devices on any of the networks be it untagged native vlan or tagged vlans.
pfsense opt1 – trunk --- smart switch -- trunk --- AP
Off this smart switch you could then have devices on your untagged opt1 network (192.168.5/24 I assume) and wired devices could also be placed on either your 6/24 or 7/24 networks
That was my only point. But if you have no need for wired devices on any of these networks you're using on your opt1 interface then no you do not need to use it if you want.
-
Thanks Johnpoz…you rule!
-
Ok, I received my 4 port netgate box yesterday so started configuring it with a Unifi AP (single nic).
The architecture I'd like is to have a guest LAN (via SSID) and a private LAN (via wire and SSID).
I started off putting a private VLAN and guest VLAN on the AP with associated SSIDs. On pfSense I made a single physical interface have both VLANs. Then I realized that there was no way for the AP to boot and get DHCP off of the private LAN because the AP doesn't tag its management LAN.
So… then I untagged the private LAN and just went with just a guest VLAN. Configured the AP to only have a tag on the guest VLAN. Configured pfSense to have both an untagged LAN and the guest VLAN on a single physical interface.
Works... but ... the firewall doesn't. It seems like packets get from guest to private and vice versa without hitting the firewall. If I log the accepted packets, the pings don't show up. I've tried blocking incoming and outgoing.
Now I'm wondering if I should go back to two VLANs and then making a small management lan .. but then I realized I'll have the same problem. The guest VLAN will somehow be able to talk to the management untagged LAN.
Suggestions?
I saw a reference in another post (https://forum.pfsense.org/index.php?topic=127861.0) which talks about having another vlan internally? But I don't understand what is going on there.
Additional test:
Put my phone on the guest network with a ping program on it. I can ping a host on the private network even when there are no firewall rules (and I can't surf the web). The default rules should be deny all, right? Somehow I'm bypassing the firewall.
-
So….
I think I got it working. First problem is that on my iPhone ping app, the text is so small I didn't realize it was scrolling showing pings with no responses! Second, it looks like I have to stop pinging for a while and retest or the firewall thinks it must be some kind of continuous connection.
So, for now on the Guest VLAN I block the Private Network as an outgoing destination. Blocking incoming on the Private from Guest Network still doesn't seem to work.
Is there a way to block everything on Guest that isn't the internet? I'm assuming blocking "!WAN" would only unblock the WAN's specific subnet for my connection.
....and why can I only block outgoing packets from guest -> private, but can't block them on the incoming side on the private network?
-
rrauenza,
Congrats on the new Netgate product…To answer your questions:
-
Here is a good thread that discusses some stricter rules you might consider implementing on your interfaces(https://forum.pfsense.org/index.php?topic=134802.0). It goes into the rules to use on your interfaces to get internet access and "isolation"...to answer your question you likely don't want a "!WAN" rule on any of your interfaces if you want to access the internet with that interface.
-
I suspect you likely have the default "Any, Any" rule on your original LAN which allows this interface access to "all" including your guest interface, web, etc... You can separate/isolate this interface by replacing the rules with similar rules discussed in the above thread (don't mess with the anti-lockout default rule yet...this prevents you from screwing up and locking yourself out of the pfSense GUI).
-
Consider using a dedicated interface on your Netgate for your AP for AP Administration (No VLAN, separate SSID, fixed leases for trusted clients only, lock everything else out). Use this interface as the parent for your guest VLAN (You might want to add an IoT device VLAN while you're at it for untrusted IoT devices). i.e. LAN=Wired (Maybe admin interface), WAN=Router, Opt1(LAN2)=Unifi AP (parent to all your VLANs)
Some elements that I discovered and helped me when I set up my network are:
- After your Unifi AP is set up you rarely need to touch it (except for changing SSID passwords), I found no value in any of the charts, graphs, etc in the controller...I am able to see leases, restrict access to certain devices in pfsense alone. Maybe consider getting the Unifi App on your phone for basic password changes for your AP. You need the controller for initial VLAN setup but after that it's kind of a dumb device.
- I set up a dedicated wired only Interface for pfSense GUI access only for security reasons
- Try to understand the rules on the link above so you understand how info flows through your firewall and within the interface, specifically Port 53 (DNS), 80 (HTTP) and 443 (HTTPS) traffic.
- Understand what the DNS Resolver (also called "Unbound") does...while the concept is basic it's tricky to set up especially when you add VPN, pfBlocker, OpenDNS (if you choose).
What's your end goal?
Here is another thread that helped me:
https://forum.pfsense.org/index.php?topic=129517.msg714050#msg714050
-
-
- Consider using a dedicated interface on your Netgate for your AP for AP Administration (No VLAN, separate SSID, fixed leases for trusted clients only, lock everything else out). Use this interface as the parent for your guest VLAN (You might want to add an IoT device VLAN while you're at it for untrusted IoT devices). i.e. LAN=Wired (Maybe admin interface), WAN=Router, Opt1(LAN2)=Unifi AP (parent to all your VLANs)
I think I understand what you're saying here – instead of putting the AP (and probably the cloud key since I think they find each other over UDP broadcasts) on the private lan, make its own subnet and dedicated nic? I considered this, but this is a home network so I'm trying to keep it somewhat simple.
I may be making an IoT network eventually, though... without a vlan switch (I might eventually get the 8 port Ubiquiti), I'll need to figure out how to have a wired IoT and a wireless IoT. I think that requires bridging a dedicated IoT nic with the IoT vlan.
I'll be looking over your other numbered answers today, too! Thanks for the help!
-
Here is a thread with advice on the AP/Controller setup:
https://forum.pfsense.org/index.php?topic=132080.0
Johnpoz, kapara and NogBadTheBad had some awesome advice on how to set up the AP properly so you maintain access…
I am still feeling guilty I can't use/access my controller but after VLAN setup I haven't needed to.
Good luck! When you get ready to expand your functionality reach out again...
-
So I found https://github.com/TKCERT/pfFocus and whipped up a bbcode formatter …
Here's what I actually have configured. (I need to submit the bbcode formatter to the author.)
☱ Outputting to stdout ...
pfSense
Version 15.8

System
| Option | Value |
| ------ | ----- |
| hostname | pfSense |
| domain | private.xxx.xxx |
| timeservers | 0.pfsense.pool.ntp.org 1.pfsense.pool.ntp.org 2.pfsense.pool.ntp.org 3.pfsense.pool.ntp.org |
| timezone | America/Los_Angeles |
| language | en_US |
| dnsserver | |

Interfaces
| Name | Enabled | Description | Interface | Address | Subnet |
| ---- | ------- | ----------- | --------- | ------- | ------ |
| lan | x | PRIVATE | igb1 | 10.20.20.1 | 24 |
| opt1 | x | GUEST | igb1_vlan1000 | 10.10.10.1 | 24 |
| wan | x | WAN_COMCAST | igb0 | dhcp | |

VLANs
| Name | Tag | Interface | Description |
| ---- | --- | --------- | ----------- |
| igb1_vlan1000 | 1000 | igb1 | |

DHCP ranges
DHCPd configuration for {lan}(#interfaces "PRIVATE")
| Option | Value |
| ------ | ----- |
| enable | x |
| defaultleasetime | |
| maxleasetime | |

Ranges
| From | To |
| ---- | -- |
| 10.20.20.101 | 10.20.20.254 |

Static mappings
| MAC | Address | Hostname |
| --- | ------- | -------- |
| 00:1c:2a:00:4c:64 | 10.20.20.2 | envisalink |
| 80:2a:a8:4f:98:0a | 10.20.20.97 | unifi |
| 90:02:a9:92:7b:42 | 10.20.20.98 | dvr |
| 00:1d:c0:62:01:c0 | 10.20.20.99 | envoy |
| 0c:c4:7a:30:17:f2 | 10.20.20.100 | tendo |

DHCPd configuration for {opt1}(#interfaces "GUEST")
| Option | Value |
| ------ | ----- |
| enable | x |
| defaultleasetime | |
| maxleasetime | |

Ranges
| From | To |
| ---- | -- |
| 10.10.10.2 | 10.10.10.254 |

NAT rules
| Disabled | Interface | Source | Destination | Protocol | Target | Local port | Description |
| -------- | --------- | ------ | ----------- | -------- | ------ | ---------- | ----------- |
| x | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):25565-25566 | tcp | 10.20.20.100 | 25565 | Port Foward Minecraft |
| | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):9418 | tcp | 10.20.20.100 | 9418 | Port Foward 9418 (git) to ssh |
| | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):867 | tcp | 10.20.20.100 | 22 | Port Forward 867 to ssh |
| | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):443 | tcp | 10.20.20.100 | 443 | Port Forward HTTPS |
| | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):80 | tcp | 10.20.20.100 | 80 | Port Forward HTTP |
| | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):993 | tcp | 10.20.20.100 | 993 | Port Foward IMAPS |
| | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):1587 | tcp | 10.20.20.100 | 1587 | Port Forward SMTP Auth |
| | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):2525 | tcp | 10.20.20.100 | 2525 | Port Forward SMTP for EasyDNS |

Filter rules
| Disabled | Interface | Type | IP | Protocol | Source | Destination | Description |
| -------- | --------- | ---- | -- | -------- | ------ | ----------- | ----------- |
| | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:9418 | NAT Port Foward 9418 (git) to ssh |
| | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:22 | NAT Port Forward 867 to ssh |
| | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:993 | NAT Port Foward IMAPS |
| | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:1587 | NAT Port Forward SMTP Auth |
| | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:2525 | NAT Port Forward SMTP for EasyDNS |
| | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:80 | NAT Port Forward HTTP |
| | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:443 | NAT Port Forward HTTPS |
| x | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:25565-25566 | NAT Port Foward Minecraft |
| | {lan}(#interfaces "PRIVATE") | reject | inet46 | | any | {opt1}(#interfaces "GUEST") | |
| | {lan}(#interfaces "PRIVATE") | pass | inet | | {lan}(#interfaces "PRIVATE") | any | Default allow LAN to any rule |
| | {lan}(#interfaces "PRIVATE") | pass | inet6 | | {lan}(#interfaces "PRIVATE") | any | Default allow LAN IPv6 to any rule |
| | {opt1}(#interfaces "GUEST") | reject | inet46 | | any | {lan}(#interfaces "PRIVATE") | |
| | {opt1}(#interfaces "GUEST") | pass | inet | | any | any | |
| | {opt1}(#interfaces "GUEST") | pass | inet6 | | any | any | |

Syslog configuration
| Option | Value |
| ------ | ----- |
| enable | x |
| logall | x |
| logfilesize | 1048576 |
| nentries | 100 |
| remoteserver | 10.20.20.100 |
| remoteserver2 | |
| remoteserver3 | |
| sourceip | |
| ipproto | ipv4 |
☰ Successfully outputted pfSense config as bbcode.
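An added illustration (my own toy code, not pfFocus output and not pfSense's filter code) of the two questions raised earlier in the thread: why the guest-to-private reject only takes effect on the GUEST tab, and how to "block everything on Guest that isn't the internet". It replays the PRIVATE/GUEST filter rules from the config above through a first-match evaluator, and then goes beyond the posted config with a stricter guest rule set that rejects an assumed RFC 1918 alias (the alias name `rfc1918` is hypothetical) before the pass-any rule.

```python
# Toy first-match evaluator for the GUEST/PRIVATE filter rules posted above.
# Assumptions (mine, modelled on pfSense behaviour, not its code): a rule set
# belongs to the interface a packet ENTERS on, rules are checked top to bottom,
# first match wins, and a packet matching no rule hits the implicit default deny.
from ipaddress import ip_address, ip_network

# Interface subnets taken from the Interfaces table in the posted config.
IFACES = {
    "lan":  ip_network("10.20.20.0/24"),   # PRIVATE (igb1, untagged)
    "opt1": ip_network("10.10.10.0/24"),   # GUEST   (igb1_vlan1000)
}
# Hypothetical alias covering all RFC 1918 space, used by the stricter variant.
ALIASES = {"rfc1918": [ip_network(n) for n in
                       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]}

# (interface, action, source, destination) transcribed from the Filter rules table.
POSTED_RULES = [
    ("lan",  "reject", "any", "opt1"),
    ("lan",  "pass",   "lan", "any"),
    ("opt1", "reject", "any", "lan"),
    ("opt1", "pass",   "any", "any"),
]
# Stricter guest set (my extension): reject every private range, then pass the rest.
STRICT_RULES = POSTED_RULES[:2] + [
    ("opt1", "reject", "any", "rfc1918"),
    ("opt1", "pass",   "any", "any"),
]

def matches(spec, addr):
    """'any', an alias name, or an interface name (meaning that interface's subnet)."""
    if spec == "any":
        return True
    nets = ALIASES.get(spec) or [IFACES[spec]]
    return any(ip_address(addr) in n for n in nets)

def ingress_iface(src):
    """The interface a packet arrives on: the one whose subnet holds the source."""
    for name, net in IFACES.items():
        if ip_address(src) in net:
            return name
    raise ValueError(f"{src} is not on a known interface")

def verdict(src, dst, rules=POSTED_RULES):
    """Return (ingress interface, action). Only that interface's rules are consulted,
    so a 'block guest' rule placed on the PRIVATE tab never sees guest-originated traffic."""
    iface = ingress_iface(src)
    for rif, action, s, d in rules:
        if rif == iface and matches(s, src) and matches(d, dst):
            return iface, action
    return iface, "block"   # implicit default deny when nothing matched

if __name__ == "__main__":
    for src, dst in [("10.10.10.5", "10.20.20.100"), ("10.10.10.5", "8.8.8.8"),
                     ("10.10.10.5", "192.168.1.1"), ("10.20.20.50", "10.10.10.5")]:
        print(src, "->", dst, verdict(src, dst), verdict(src, dst, STRICT_RULES))
```

The third sample packet shows the gap the stricter set closes: with the posted rules a guest client can still reach other private ranges that are not the PRIVATE subnet itself.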