Netgate Discussion Forum

    Lan and Vlan for IOT separation

    Firewalling
    andy22

      Hi,
      I am a complete novice with pfSense. I just installed it a few days back and I am already loving it. I am still trying to digest as much as I can from the threads. I would like to start using it as soon as I can figure out how I can create complete separation of my private LAN and the VLAN that I created. Here is my scenario:

      Hardware:
      Dell PowerEdge R-710 (I am planning to use this server for other things as well in addition to running pfSense, e.g. FreeNAS). It has 4 NICs.
      Smart web managed Switch: Netgear Prosafe GSS108E
      Routers: Netgear Nighthawk 1750 (for IOT) and Netgear Nighthawk 1900 (For LAN)

      I have a LAN in pfSense with 192.168.30.1/23
      VLAN with 192.168.70.1/23

      Here is my setup:
      WAN (which is also behind Verizon Fios gateway)--> PE-R710 Port#1 (This is my PfSense WAN interface)

      Here is my switch configuration:
      [three screenshots of the switch configuration]

      I have dedicated ports 1-5 to the LAN and ports 6-8 to the VLAN, as seen above.

      NIC#2 on the R-710 goes to port#6 on the switch (for VLANs)
      NIC#3 on the R-710 goes to port#1 on the switch (for LAN)

      Until now, reading forums and articles, I have got to the point where I can get IP addresses for both LAN and VLANs, and they can all connect to the internet just fine.

      What I would like to accomplish:

      • I would not like the web interface to be accessible from the VLAN interface

      • I would like to make sure that DNS queries always go to pfSense and clients can't override it, even when they set up their computer to use different DNS servers (I think I made an attempt to achieve that by setting up the NAT redirect to 127.0.0.1, but I don't understand it since I simply followed the tutorial. Can someone please confirm it? I would appreciate it)

      • Biggest thing: I would like to isolate my IoT VLAN so that devices in the LAN can talk to the printer, Chromecast, Alexa, TV, etc., but IoT devices have absolutely no way to approach my LAN network

      • What other things can I do to tighten up my security?

      • How can I persist the logs and analyze them? Is there any reporting plugin available that can help me achieve that?

      • Is there any way I can automatically get an email of my configuration backup, OR store it somewhere in the cloud on a scheduled basis?

      Can someone please help me achieve these based on my situation?
      I have provided a series of screenshots below of my setup.

      Thanks a lot.

      Currently I just have pfBlockerNG installed. (I tried the pfBlockerNG-devel version but just couldn't make it work. That is a whole new post for the future.)
      Here is my interface configuration:

      Interfaces:
      [screenshot]

      LAN Interface:
      [screenshot]

      VLAN Interface:
      [screenshot]

      Firewall/NAT
      [screenshot]

      Firewall/NAT/Outbound
      [screenshot]

      This is my pfBlockerNG configuration:
      [screenshot]

      And here are the rules for each interface.
      [four screenshots, one per interface rule set]

      Here are my DNSBL feeds:
      [screenshot]

      I have enabled EasyList and EasyPrivacy and selected all categories as well.

      Here are a few of my IPv4 feeds:
      [screenshot]

      DNS Resolver
      [screenshot]

      The DNS forwarder is disabled.
      No DNS servers are defined in General settings, nor on the DHCP server side.

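The three firewall goals in the post above (no web GUI from the VLAN, DNS pinned to pfSense, IoT unable to reach the LAN while the LAN can reach IoT) come down to rule order on the VLAN interface. The following is an added example, not the poster's configuration or Netgate code: a small first-match evaluator that models pfSense's top-down rule processing with the NAT port forward applied first, using the two subnets from the post. The rule bodies, the "firewall" shorthand for pfSense's "This Firewall" alias and the sample flows are assumptions.

```python
from ipaddress import IPv4Network, ip_address, ip_network

LAN_NET = ip_network("192.168.30.0/23")   # poster's LAN (192.168.30.1/23)
IOT_NET = ip_network("192.168.70.0/23")   # poster's IoT VLAN (192.168.70.1/23)
# "This Firewall" in pfSense means every address pfSense holds; modelled here
# (assumption) as the two interface addresses given in the post.
FIREWALL_IPS = {ip_address("192.168.30.1"), ip_address("192.168.70.1")}
RESOLVER_IP = ip_address("192.168.70.1")  # where the IoT DNS redirect lands

# Rules on the VLAN (IoT) interface, top down, first match wins, as in pfSense.
# Columns: action, protocol, destination, destination port, label.
# "firewall" = This Firewall, None = any.  Order matters: the blocks must sit
# above the catch-all pass, or the pass would match first and hide them.
IOT_RULES = [
    ("pass",  "any", "firewall", 53,   "dns-to-resolver"),   # after the redirect
    ("block", "tcp", "firewall", 443,  "no-webgui"),
    ("block", "tcp", "firewall", 80,   "no-webgui"),
    ("block", "tcp", "firewall", 22,   "no-ssh"),
    ("block", "any", LAN_NET,    None, "isolate-lan"),       # IoT never starts flows to LAN
    ("pass",  "any", None,       None, "iot-to-internet"),   # everything else may go out
]
# The LAN side keeps a plain "pass any". LAN -> IoT (printer, Chromecast) works
# because pfSense is stateful: replies to a LAN-initiated flow ride the state
# entry, so no IoT-side rule is needed for them.


def redirect_dns(proto, dst, dport):
    """Model of the NAT port forward the poster set up: a DNS query from the IoT
    VLAN is rewritten to pfSense's resolver, whatever the client configured."""
    if proto in ("udp", "tcp") and dport == 53 and dst not in FIREWALL_IPS:
        return RESOLVER_IP
    return dst


def evaluate(proto, src, dst, dport):
    """Return (action, rule label, final destination) for a flow entering the
    IoT interface. Port forwards are applied before filter rules, as in pf."""
    src, dst = ip_address(src), ip_address(dst)
    assert src in IOT_NET, "only flows from the IoT VLAN are modelled here"
    dst = redirect_dns(proto, dst, dport)
    for action, rproto, rdst, rport, label in IOT_RULES:
        if rproto != "any" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        if rdst == "firewall" and dst not in FIREWALL_IPS:
            continue
        if isinstance(rdst, IPv4Network) and dst not in rdst:
            continue
        return action, label, str(dst)
    return "block", "default-deny", str(dst)  # pfSense's implicit deny
```

Swapping the last two rules in IOT_RULES and re-running the LAN test case shows why the "isolate-lan" block has to sit above the catch-all pass.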