Home setup, need VLAN?



  • Hello people,

    Until now I still have not put pfS to work, so now I have time to start but need advice on how to do this.

    Guests should be separated, so I think I need a VLAN to make that work.
    The HP switch can do that but I've never configured a VLAN before. Do I need two VLANs or is one VLAN for Guests enough?
    Also I want to prevent file sharing and the like on the network.

    Or is there an easier/better way to do this?




  • If your guests are connecting via wifi, you could try client isolation. It prevents clients from seeing each other over the wifi network but would still allow them to see wired hosts on the same LAN. Judging from your diagram you have only a Linux box and printer physically connected, so you could firewall the Linux machine to prevent connection from any of your wireless guests.

    http://www.howtogeek.com/179089/lock-down-your-wi-fi-network-with-your-routers-wireless-isolation-option/



  • @muswellhillbilly:

    If your guests are connecting via wifi, you could try client isolation.

    Thanks, will read it.

    still allow them to see wired hosts on the same LAN.

    I prefer them being "isolated" and controlled as much as I can or is possible.

    So I also plan to use pfBlockerNG, Squid and Snort because now I'm involved in a legal case, which sucks, and want to prevent it from happening again. One of "the boys" did something that the law didn't like.


  • LAYER 8 Global Moderator

    Since you're using 2 different WiFi APs, they do not need to support VLANs; if your switch does then you're good to go, and yes, you can put your different WiFi networks on their own networks with pfSense as a firewall between those networks and any other networks, be it local or internet.

    That port connected from your switch to the pfSense LAN would just be trunked: you would have your native untagged network that your LAN is on, and then tag the 2 networks your different WiFi APs are on and create 2 VLAN interfaces on pfSense with those tag IDs.



  • Thanks,

    Reading about VLANs now and I think I'm starting to understand the basics.

    support vlans, if your switch does

    Yes, it does.

    a firewall between those networks

    Good.

    your native untagged network that your lan is on and then tag the 2 networks

    The WiFi Home can be part of the untagged native network, 192.168.20.0/24?

    And then put WiFi Guests in 192.168.30.0/24?

    Or do I need two VLANs? 192.168.20.0/24 and 192.168.30.0/24
    Not clear to me yet…

    Thanks.



  • Still reading, but I think the terminology is killing me.

    On the HP switch there is "trunk" only for link aggregation; on Cisco it seems to be different.
    Reading around a bit can be confusing.
    HP "tagged" means "trunk" on Cisco, so it seems.

    The WiFi Home can be part of the untagged native network, 192.168.20.0/24?
    And then put WiFi Guests in 192.168.30.0/24?

    ???


  • LAYER 8 Global Moderator

    Yes, your WiFi home network can be on the same network as your wired devices, 192.168.20.0/24; this network does not have to be tagged. Then just tag your guest network.
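    The untagged/tagged layout confirmed above, written out as an added example (a constructed HP ProCurve-style config, not taken from the thread). The port roles are assumptions: port 8 is the uplink to the pfSense LAN interface, port 2 is the Guest AP and port 3 is the Home AP.

```text
; Constructed HP ProCurve-style switch configuration (example, not from the thread).
; Assumed port roles: 8 = uplink to pfSense LAN, 2 = Guest WiFi AP, 3 = Home WiFi AP.

vlan 1
   name "LAN"
   ; Home AP (3) and the pfSense uplink (8) carry the LAN 192.168.20.0/24 untagged,
   ; i.e. as the "native" network. No tag needed, exactly as the thread says.
   untagged 3,8
   exit

vlan 30
   name "Guests"
   ; Guest AP port is an access port: VLAN 30 only, frames leave the switch untagged.
   ; A port can be untagged in only ONE VLAN, so making port 2 untagged in VLAN 30
   ; automatically drops it from VLAN 1 (the GUI shows this as "Excluded").
   untagged 2
   ; The uplink to pfSense also carries VLAN 30, but with an 802.1Q tag (tag id 30).
   ; HP "tagged" on a port is what Cisco calls a trunk; HP "trunk" is link aggregation.
   tagged 8
   exit

; pfSense side (GUI, no CLI needed):
;   Interfaces > Assignments > VLANs: parent = LAN NIC, VLAN tag = 30, description "Guests"
;   Interfaces > Assignments: add the new VLAN interface, enable it,
;     static IPv4 192.168.30.1/24, then enable DHCP on it.
;   Firewall > Rules > the Guests interface: pass to any, but block destinations
;     "LAN net" (192.168.20.0/24) and "This Firewall" except DNS/DHCP, so guests reach
;     the internet but not the wired hosts. pfSense is now the only path between
;     192.168.30.0/24 and 192.168.20.0/24, which is the isolation asked for above.
```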



  • So I have succeeded.

    The next step is to firewall it and start with pfBlockerNG, Squid and Snort.
    In what order would it be best to install those packages?

    Maybe the pictures will be helpful for others:

    Thanks.





  • LAYER 8 Global Moderator

    Why do you want/need Squid and Snort? Do you have kids you're trying to filter from porn with a proxy? Are you going to spend the hours needed to filter out the noise Snort is going to create? If you're going to turn on Snort I would for sure only put it in monitor mode until you have the rule base tweaked.. It's going to generate loads and loads of noise…

    You really don't need to show your excluded VLANs that are not assigned.. It's a given that the other VLANs are not allowed on an access port that only has 1 VLAN untagged.



  • Yeah, maybe I don't need Snort, but Squid has antivirus included; I like that idea :)

    Do you have kids your trying to filter from porn with a proxy?

    Not necessarily; the main goal is preventing file sharing (and antivirus), that's a problem in this country.

    You really don't need to show your excluded vlans that are not assigned

    The switch did it by default, I only clicked port 2 and 8 and it started working  :)

    Thanks.


  • LAYER 8 Global Moderator

    Talking about your drawing, you don't need to state excluded on the other VLANs, it's a given.

    Antivirus of what? Files you download - do you not have a virus scanner on your machine that would scan anything before you ran it anyway? You're talking about ClamAV, right? How exactly is a proxy going to stop file sharing? This is a home setup.. Who are you wanting to not do file sharing? Tell them not to - are they kids that don't listen?



  • I did not "state excluded", it did it by default :)
    It does not allow me to have Untagged on the same port…?
    If I change it to Untagged in VLAN30 then in VLAN1 it automatically changes to Excluded.
    But it's working as is; is there any misconfiguration then?

    I think having extra antivirus on pfS does no harm?
    Machines do have their own Avast.

    Who are you wanting to no do file sharing?

    It should not be allowed because it's illegal here and I cannot be sure that the kid and friends listen.
    And most of the time I'm working when they come here after school.
    I live near the border of two countries; country 1 has lawyers sniffing the net (so I found out the hard way, which sucks), in country 2 there is no real problem. Most friends of the kid come from country 2 and have that software installed, sharing in the background.

    If you know a better way to protect from this….


  • LAYER 8 Global Moderator

    Dude, how did the drawing you created do it by default?? Yes, I understand the switch sets those as excluded; my point was that there is no point in showing that on your drawing because it is a GIVEN!!! That all other VLANs are excluded.

    As to harm, I don't know, do you count a performance hit as harm?

    File sharing, you're talking about p2p? Torrents? So you're putting in a proxy and blocking all other access to the internet that does not go through the proxy? Just installing Squid doesn't stop all the other access..


