Newbie - multiple LANs

  • Hello,

    I am new to pfsense, and pretty new to networking generally. Many thanks in advance for your help and graciousness.

    I am trying to set up a secure network using a pfSense box as router/firewall. My pfSense box has 4 NICs. Here's what I'm going for:

    [MODEM]---[pfSense]---[IoT Router]---[stupid insecure stuff like cameras]
                          \  \------[Media Router]---[Smart TV, Guests]
                            \--------------[Secure Router]---[laptops, NAS]

    Security is my primary concern and although I'm aware there are probably better ways to do things, my goal right now is to get something stupid simple set up now that I can have some confidence in security and learn more as I go along. To that end, I imagine these 3 routers as entirely isolated from each other. That said, if you have advice, I'm open to it.

    I was able to easily set up a connection on the Media router as the first LAN, but am confused about what's needed to get everything working the rest of the way. Can anyone point me to the most network-naive way to set up pfSense so that each router can auto-detect and connect OR have a clear-to-follow static approach to setup?

    I currently have the Media Router set up with Static IPv4 and Track Interface for IPv6 (tracking WAN). I'm confused about whether I should have "Block private networks" or "Block bogon networks" checked, and I'm also confused about whether or not I need to set up a Gateway. Any guidance is much appreciated.

  • Why do you need three extra routers when you have a pfSense box?

  • @Ip:

    Why do you need three extra routers when you have a pfSense box?

    Exactly. 3 VLANs, block access to the laptops, NAS VLAN from the Smart TV, Guests & stupid insecure stuff like cameras and just allow access out to the internet.

    You'll need a switch supporting VLANs; one also supporting PoE will be a plus.

  • The setup I described uses hardware I already have, which was the main advantage.

    Since I'm trying to separate traffic for these devices... would it be easier for a newb with little knowledge to have a setup that contains traffic to each interface, or easier to set up traffic to be contained via VLAN? To clarify, I don't really understand what a Gateway is, whether it's better to use static IPs or DHCP, what various firewall rules mean and whether they are truly doing what I think they are doing... I'm trying to learn all of these things, but I also want to have a secure setup today and have limited time.

    To that point, I don't want to mooch off other people's time... I'm just not sure where to start. I imagine that what I'm trying to achieve is pretty common and that there is a straightforward configuration I could be using. I had trouble finding that configuration. Can you point me in the right direction?

  • Using the routers you have, you'll have a double NAT on each of the subnets and 4 different devices to manage firewall rules on.

    You won't be able to have individual rules on the pfSense router for individual devices sat on the 3 LANs, as pfSense would only see 3 IP addresses (the WAN interface of the other routers).

    You'll also need to have static routes pointing to the 3 subnets on your pfSense router.

    How many Ethernet ports does your pfSense router have?

    TBH you're asking for trouble doing this and you can buy a managed switch for peanuts; they only get pricey when you start looking for ones with PoE.

  • LAYER 8 Global Moderator

    "they only get pricey when you start looking for ones with POE."

    Even with PoE they are not all that expensive, depending on how many PoE ports you need and how much total power you need to be able to provide. The GS1900-8HP from Zyxel on Amazon is $109. Does 70W total. You can get a GS1200-8HP for $70, etc.

    What are you using for these downstream routers? Some SOHO wifi router? You could use them as just AP and switch ports and then use pfSense to route/firewall between your network segments without having to have these downstream devices routing and/or NATing. This would be way easier setup.

  • This all makes sense. Thank you.
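
Added example, not part of the original thread: a small Python model of the isolation policy the replies recommend (pfSense itself routing and firewalling between three segments), so the intended rule order can be checked before it is entered in the GUI. The subnets, the `.1` firewall address, the ports and the sample destination hosts are all assumptions; the model relies only on pfSense evaluating rules on the interface where traffic enters, first match wins, with an implicit block if nothing matches.

```python
import ipaddress as ip

# Constructed subnets: the thread gives no addressing, these are assumptions.
SEGMENTS = {
    "IOT": ip.ip_network("192.168.10.0/24"),
    "MEDIA": ip.ip_network("192.168.20.0/24"),
    "SECURE": ip.ip_network("192.168.30.0/24"),
}
ANY = [ip.ip_network("0.0.0.0/0")]
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def gateway(seg):
    """Firewall's own address on a segment (assumed to be .1)."""
    return SEGMENTS[seg][1]


def untrusted_rules(seg):
    """Ordered rules as (action, dst_nets, dst_port); port None means any."""
    gw = [ip.ip_network(f"{gateway(seg)}/32")]
    return [
        ("pass", gw, 53),          # DNS to the firewall only
        ("block", RFC1918, None),  # other segments and the firewall GUI
        ("pass", ANY, None),       # everything else, i.e. the internet
    ]


RULES = {
    "IOT": untrusted_rules("IOT"),
    "MEDIA": untrusted_rules("MEDIA"),
    "SECURE": [("pass", ANY, None)],
}


def decide(iface, dst, port):
    """First matching rule on the ingress interface wins; no match means block."""
    addr = ip.ip_address(dst)
    for action, nets, rule_port in RULES[iface]:
        if rule_port in (None, port) and any(addr in n for n in nets):
            return action
    return "block"


def audit():
    """Return (src_segment, dst, port, got) for every check that violates the intent."""
    bad = []
    for src in ("IOT", "MEDIA"):
        checks = [(str(gateway(src)), 53, "pass"), (str(gateway(src)), 443, "block"),
                  ("203.0.113.10", 443, "pass")]  # documentation address as "internet"
        checks += [(str(SEGMENTS[o][50]), 445, "block") for o in SEGMENTS if o != src]
        bad += [(src, d, p, decide(src, d, p)) for d, p, want in checks
                if decide(src, d, p) != want]
    return bad
```

Swapping the block and the final pass rule in `untrusted_rules` makes `audit()` report the cross-segment and GUI checks as failures, which is the ordering mistake this kind of check is meant to catch.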

