    Separate public domains from internal traffic?

General pfSense Questions
mricecool

      Hi!

I'm currently in the process of setting up a server with my pfSense router, and I have a question regarding security on the network.

I have a few domains, for example: a.com, b.com and c.com. And I'm concerned that those domains could be hacked and then expose the rest of my private LAN. It's probably not a good idea from the beginning to run private stuff and public stuff on the same network.

I have a Cisco SG200 smart switch that can handle VLANs, FYI.

I have attached an image that represents the infrastructure.

[attached image: export-2.png]

Guest

> I'm currently in the process of setting up a server with my pfSense router, and I have a question regarding security on the network.

If security is the real concern, I would realize it with a real DMZ zone where ports are opened and protocols are forwarded, and this can be secured really nicely as well with Snort or Suricata as an IDS on top of it.

> I have a few domains, for example: a.com, b.com and c.com. And I'm concerned that those domains could be hacked and then expose the rest of my private LAN.

Well, this is the real use case for setting up a DMZ: to separate the two network structures inside one network. One is connected to the Internet directly, or perhaps cut off by using a proxy such as Squid too, and the other network part is absolutely on the safe side and really cut off by the firewall rules and NAT.

> It's probably not a good idea from the beginning to run private stuff and public stuff on the same network.

I would be aware of doing so. But for a home setup "anything goes", because there will not often be such a hard security need as in production networks.

> I have a Cisco SG200 smart switch that can handle VLANs, FYI.

Set up a VLAN for the PCs and one for the server and all is fine.

> I have attached an image that represents the infrastructure.

Me too.

[attached image: mricecool.jpg]

johnpoz (LAYER 8 Global Moderator)

I would agree it is a good idea to isolate such devices from the rest of your network.

Either via a physically different network, or sure, a VLAN switch can isolate them. You're probably going to want to adjust the firewall rules on your DMZ interface so that the DMZ cannot talk to your other networks (LAN) unless the LAN has started the conversation.

Or you could pinhole some things into your other networks. For example, if you want to be able to print stuff from these servers, you might allow that.

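The DMZ policy the two replies above describe (public servers on their own VLAN, LAN may initiate to the DMZ, the DMZ may not initiate to the LAN, plus a pinhole for printing), written out as a pf ruleset. This is an added example for this thread, not anything posted by the participants and not a file pfSense itself produces: pfSense builds its rules from the GUI and regenerates /tmp/rules.debug on every filter reload, so a hand-edited pf.conf would be overwritten. The interface names, VLAN tag, subnets, server and printer addresses are placeholders chosen for the example.

```pf
# Added example (not from the thread): a pf ruleset modelling the
# "DMZ may not talk to LAN unless LAN started it" policy.
# Interface names, VLAN tag, subnets and hosts below are assumptions.

# --- macros and tables ---------------------------------------------------
wan     = "igb0"
lan     = "igb1"          # untagged LAN port towards the SG200
dmz     = "igb1.20"       # VLAN 20 trunked from the SG200, carries the public servers
lan_net = "192.168.1.0/24"
dmz_net = "192.168.20.0/24"
web_srv = "192.168.20.10" # the host serving a.com / b.com / c.com
printer = "192.168.1.50"  # LAN printer the servers are allowed to reach
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# --- options -------------------------------------------------------------
set skip on lo0
set block-policy drop

# --- translation (must precede filter rules in FreeBSD's pf syntax) ------
# Outbound NAT for both internal networks.
nat on $wan from { $lan_net, $dmz_net } to any -> ($wan)
# Published services: forward 80/443 from the Internet to the DMZ host only.
rdr on $wan proto tcp from any to ($wan) port { 80, 443 } -> $web_srv

# --- filtering -----------------------------------------------------------
# Default deny on every interface; everything below is an explicit exception.
block log all

# Internet -> DMZ: only the forwarded services, only to the web host.
pass in quick on $wan proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state

# LAN -> anywhere, including the DMZ. 'keep state' is what lets the replies
# from a DMZ server back to the LAN client through without any DMZ->LAN rule.
pass in quick on $lan from $lan_net to any keep state

# DMZ rules, first match wins ('quick'), so order matters:
# 1. pinhole: servers may print (raw JetDirect 9100, IPP 631) to the LAN printer
pass in quick on $dmz proto tcp from $dmz_net to $printer port { 9100, 631 } keep state
# 2. DNS to the firewall's own DMZ address, if pfSense resolves for the DMZ
pass in quick on $dmz proto { tcp, udp } from $dmz_net to ($dmz) port 53 keep state
# 3. refuse every other DMZ-initiated connection to private address space,
#    which covers the LAN and the firewall's LAN-side address
block in quick log on $dmz from $dmz_net to <rfc1918>
# 4. whatever is left is Internet-bound (updates, upstream DNS); let it out
pass in quick on $dmz from $dmz_net to any keep state
```

`pfctl -nf dmz.conf` parses the file without loading it, which is enough to catch syntax errors in the model. In the pfSense GUI the same policy is four rules on the DMZ interface in this order (pass to printer, pass DNS to "DMZ address", block to an RFC 1918 alias, pass to any); GUI rules are also first-match, top to bottom. Two limits worth keeping in mind: a compromised server can still reach every other host on the DMZ VLAN, and the stateful LAN-to-DMZ allow means a LAN client that connects to a compromised server is exposed at the application layer even though the server cannot open connections towards the LAN.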

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.