Netgate Discussion Forum

    What do you think about this setup? mainly security

    General pfSense Questions
    8 posts, 2 posters, 1.4k views
    mrbitsdd:

      Hey,

      I'm planning to set up a mobile office solution.
      I've somewhat written out the following scenario and wondered if this solution is secure enough.

      Laptops are connected by 4G or wifi, use an OpenVPN connection with 2-factor authentication to gain access to our office network, then use remote desktop.

      At our work we now have 2 strictly separate networks, as you can guess: an office network and an internet network. They are in no way connected to each other.
      After our internet router I would add a pfSense firewall, connected with the 1st network port, then use the 2nd network port to connect it to the office network.

      Attachment added just for illustration purposes.
      [Attachment: Connect.png]

    johnpoz (LAYER 8 Global Moderator):

        What is the point of router 192.168.0.1? That is where pfsense should go. Then sure, you can have as many network segments on the private side as you want/need. You can firewall between these networks.

        What are these devices on the 192.168.0? Are those office computers? Do they want/need to talk to the 10.10.10 network?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

    mrbitsdd:

          Router 192.168.0.1 provides internet access for a limited number of computers throughout the building, but also provides us with wifi (access points).
          Office computers are in the 10.10.10 network and have no connection towards the internet or any computer/device on 192.168.0 (-> image but without the connection between router and pfSense, and without pfSense itself).

          So we have office computers which are on the internet network and office computers on the internal network; the networks are separated and can't communicate with each other.

    johnpoz (LAYER 8 Global Moderator):

            So your wifi can not talk to your office stuff, like use a printer.. It's just a guest network.

            So why would you want office computers not to talk to each other - where are the servers?

            In your setup why would 10.10 computers not have access to 192.168? Out of the box pfsense would NAT 10.10 to 192.168 and sure they would be able to access that just fine. Now 192.168 would not be able to access 10.10 stuff.

            If you can not give pfsense a public IP then sure you can put it behind a NAT router, DMZ, etc. But all your other networks, be they wireless/wired, should just be segments off pfsense.

            If for any reason you have any desire for your 2 networks to talk to each other you're going to have issues with asymmetrical routing, or you're going to have to be NATing and/or port forwarding, etc..

            This would be a simple common network, be it work or your home, whatever. If you can not put a public IP on pfsense you would use whatever network that ISP router is NATing to as just a transit network. No devices/wifi would be on this device's network. It would be just a transit to pfsense. This gives you a simple setup with the most control. If you need something to talk to something else you can allow it. If you want them all to not talk and just have internet then you could set that up too.

            Putting pfsense as a downstream router behind a non-transit network, NAT or no NAT, is not optimal for control or maintenance, troubleshooting. For sure pfsense can be a downstream router/firewall in any network, but if you're here asking for help, use of a downstream router is prob not the ideal setup.

            [Attachments: typnet.jpg, withbehindnat.jpg]


    mrbitsdd:

              Sorry, I think I'm explaining it wrong:

              10.10.10 is our internal office network, has dozens of computers, printers, servers,… this is where all the work gets done.
              It was the only network for years at our office (that's right, zero internet connectivity).

              After a while it was decided that some people would need internet access, so the office got an internet connection and added some computers -> 192.168.0 network, hence 2 separate networks.
              This was later extended by placing access points (all internet is on the 192.168.0 network).
              Some computers have USB printers on the 192.168.0 internet network; let's just say there's not a lot going on there but it's still needed for some things.

              But "everything" happens on the 10.10.10 network, which has enough computers, printers, servers,..

    johnpoz (LAYER 8 Global Moderator):

                And maybe I am not being clear? It's a bad setup, sorry, it is..

                You have access to pfsense, why would you not leverage it as it was meant to be used? You can then keep access exactly as you want, be it between segments or to the internet, etc., or allow for access that would make sense, etc.

                Putting pfsense as a downstream router with devices on what should be a transit is just bad networking.. Doesn't have to be pfsense.. Having a downstream router on a non-transit network is bad design.. From the internet to your 10 network should be a transit, be it a double NAT or not. You have devices on that transit 192.168 - this is bad design..


    mrbitsdd:

                  @johnpoz:

                  And maybe I am not being clear? It's a bad setup, sorry, it is..

                  You have access to pfsense, why would you not leverage it as it was meant to be used? You can then keep access exactly as you want, be it between segments or to the internet, etc., or allow for access that would make sense, etc.

                  Putting pfsense as a downstream router with devices on what should be a transit is just bad networking.. Doesn't have to be pfsense.. Having a downstream router on a non-transit network is bad design.. From the internet to your 10 network should be a transit, be it a double NAT or not. You have devices on that transit 192.168 - this is bad design..

                  You don't need to say sorry, I'm here to listen; if it's bad then it's bad, it would be dumb of me not to listen after asking for advice :)

                  If you have to ask things like:

                  where are the servers?

                  then I did a bad job at explaining in the start ;)
                  With the previous post I just wanted to elaborate on how things came to be and are right now.

                  I will follow your advice; I think I'll start with a small virtual lab to see what I can do with pfSense.
                  Really, thanks for your feedback!

    johnpoz (LAYER 8 Global Moderator):

                    So your only wifi is this ISP device/wifi router at 192.168.0.1?

                    Is that your device or the ISP's device? What is the make or model? What are you running pfsense on? How many interfaces do you have, can you add more - do you have a smart/managed switch, can you get one?

                    More than happy to help you take your network to the next level, from setup to security, etc. etc. While in larger networks sure you can have "downstream" routers - they will always be connected via a transit network. Such a small setup makes no sense to get that complicated. But you really should take your wifi and put it behind your control, i.e. pfsense. Use of an actual AP with VLAN support would allow you to move to say WPA Enterprise vs, I am guessing, the PSK you're just using currently.

                    This would allow you to have a work wifi network that could allow full or more secure access to, say, a printer, or a certain file share where you could access presentations while in the conf room or something, etc. etc.. Sky's the limit to what you can do with a basic good setup.

                    pfsense, a smart switch and an AP with VLAN support can go really really far.. From home/SMB to enterprise..


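The rule johnpoz applies throughout the thread (the link between the ISP router and pfSense must be a pure transit with no endpoints on it, and every office/wifi segment should be an interface or VLAN on pfSense so its rules govern them) can be written down as a small design check. This is an added example, not code from the thread or from pfSense; the segment names, CIDRs beyond 192.168.0.0/24 and 10.10.10.0/24, and host counts are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    cidr: str
    hosts: int                 # endpoint devices (PCs, printers, APs) on this segment

@dataclass
class Router:
    name: str
    upstream: str              # segment it forwards toward the internet ("internet" at the edge)
    downstream: list           # segments it is the default gateway for
    firewall: bool = False     # True for the box whose rules you actually control (pfSense)

def transit_segments(routers):
    """A segment is transit when one router serves it and another uses it as its uplink."""
    served = {s for r in routers for s in r.downstream}
    uplinks = {r.upstream for r in routers}
    return served & uplinks

def lint(segments, routers):
    """Return design findings; an empty list means every endpoint sits behind the firewall."""
    gateway = {s: r for r in routers for s in r.downstream}
    findings = []
    for name in sorted(transit_segments(routers)):
        if segments[name].hosts:
            findings.append(f"{name} ({segments[name].cidr}): {segments[name].hosts} endpoint(s) "
                            "on a transit segment; it should carry only routed traffic")
    for name, seg in segments.items():
        if seg.hosts and not gateway[name].firewall:
            findings.append(f"{name} ({seg.cidr}): gateway is {gateway[name].name}, not the "
                            "firewall, so pfSense rules cannot govern it")
    return findings

# Constructed "as drawn" topology: pfSense downstream of the ISP router, PCs and APs on the ISP LAN.
BEFORE_SEGMENTS = {"isp_lan": Segment("192.168.0.0/24", hosts=12),
                   "office": Segment("10.10.10.0/24", hosts=60)}
BEFORE_ROUTERS = [Router("isp_router", "internet", ["isp_lan"]),
                  Router("pfsense", "isp_lan", ["office"], firewall=True)]

# Constructed "recommended" topology: ISP LAN is a pure transit; office and wifi hang off pfSense.
AFTER_SEGMENTS = {"isp_lan": Segment("192.168.0.0/24", hosts=0),
                  "office": Segment("10.10.10.0/24", hosts=60),
                  "wifi": Segment("192.168.10.0/24", hosts=12)}
AFTER_ROUTERS = [Router("isp_router", "internet", ["isp_lan"]),
                 Router("pfsense", "isp_lan", ["office", "wifi"], firewall=True)]

if __name__ == "__main__":
    print("before:", lint(BEFORE_SEGMENTS, BEFORE_ROUTERS))
    print("after:", lint(AFTER_SEGMENTS, AFTER_ROUTERS) or ["no findings"])
```

The "as drawn" topology produces two findings, both against the ISP LAN; the recommended one produces none, because 192.168.0.0/24 then carries only the ISP router to pfSense hop and every host segment has pfSense as its gateway.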