Getting extra NIC worth it?
-
Hi,
I'm new to pfSense and want to learn more about it so I can secure my home network better. I'm also quite interested in how the technology works.
For my home network I have a basic ISP modem/router which I can't replace. I've turned off everything possible on it. Behind the router I have a server with w10 and Hyper-V running pfSense and a Server 2016 trial.
So far I have set up pfSense with 2 virtual NICs using Hyper-V. Security-wise, I'm not sure if an extra physical NIC + switch for my server would benefit security in the network. If it does, why?
Would it be worth the money, since pfSense is running on the same physical machine as my DC/file server?
Thanks!
-
I'm not sure how you are doing NAT right now, using 1 physical interface? Using VLANs?
-
I have set up Hyper-V with 2 virtual switches. One on 172.x.x.x for LAN, the other to 192.x.x.x where my WAN is at. Seems to work..
-
> I have set up Hyper-V with 2 virtual switches. One on 172.x.x.x for LAN, the other to 192.x.x.x where my WAN is at. Seems to work..

I'm still not sure what your network layout is, what NICs you have or what you are trying to do.
I'm imagining: [ ISP CPE ] – [ Hypervisor Box NIC 1] – [ pfSense NIC 1 ] – [ pfSense NAT ] – [ pfSense NIC 2 ] – [ Hypervisor Box NIC 2 ] – [ Switch / Your Lan / Whatever ]
-
What you thought is right. That is what I currently have. It is working, but I would like to know what the benefit would be of switching over to physical NICs.
-
> What you thought is right. That is what I currently have. It is working, but I would like to know what the benefit would be of switching over to physical NICs.

So you already have 2 physical NICs and they are connected to the 2 virtual switches? In that case you probably won't see much benefit from adding more interfaces.
What you probably should do is measure what line rates you get. Example:
- iperf between outer subnet and inner subnet on the physical ingress and egress ports
- iperf between pfSense LAN (virtual) and physical LAN (so one iperf instance on pfSense, and one on a LAN box)

If you get good NAT speeds, you probably don't need to change anything. If you get bad NAT but good LAN-LAN, you probably need to tweak your settings. But if you get bad LAN-LAN and bad NAT, you may need better interfaces indeed.
What network cards are you using at this moment?
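
Added example, not part of the thread: one way to turn the two measurements suggested above into the three outcomes the last reply describes, by parsing `iperf3 --json` reports. It assumes iperf3 rather than the older iperf, a 1 Gbit/s link, and a "good" cut-off of 80% of link rate; the sample reports are constructed.

```python
import json

# Reports come from e.g. `iperf3 -s` on one side and
# `iperf3 -c <server> --json` on the other.
# Constructed samples, trimmed to the fields read below.
NAT_RUN = '{"end": {"sum_received": {"bits_per_second": 310500000.0}}}'
LAN_RUN = '{"end": {"sum_received": {"bits_per_second": 938200000.0}}}'
FAILED_RUN = '{"error": "unable to connect to server: Connection refused"}'


def received_mbps(raw):
    """Return receiver-side TCP throughput in Mbit/s from one iperf3 report."""
    report = json.loads(raw)
    # iperf3 reports a failed run through a top-level "error" key.
    if "error" in report:
        raise RuntimeError("iperf3 run failed: " + report["error"])
    return report["end"]["sum_received"]["bits_per_second"] / 1e6


def assess(nat_mbps, lan_mbps, link_mbps=1000, good_fraction=0.8):
    """Map the two results onto the reply's three cases.

    link_mbps and good_fraction are assumptions; the thread gives no numbers.
    """
    good = link_mbps * good_fraction
    if nat_mbps >= good:
        return "keep current setup"          # good NAT speeds
    if lan_mbps >= good:
        return "tune settings"               # bad NAT, good LAN-LAN
    return "consider better interfaces"      # bad NAT and bad LAN-LAN


if __name__ == "__main__":
    nat = received_mbps(NAT_RUN)
    lan = received_mbps(LAN_RUN)
    print(f"NAT {nat:.0f} Mbit/s, LAN-LAN {lan:.0f} Mbit/s -> {assess(nat, lan)}")
```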