VLANs, Routing, and Network Setup



  • Hello everyone.  I'm relatively new to the networking field, and I figured as a cool project I would build out my home network.  Below is a picture of how I plan to have it laid out logically, and then I will explain a bit more and ask my questions.

                          Internet
                              |
                              |
                           pfSense ---- DMZ 172.31.1.0/24
                              |
                              |
                  ------- Cisco 3750 -------
                 |            |             |
                 |        Wireless          |
                 |     192.168.2.0/24       |
             Services                      LAN
         192.168.3.0/24              192.168.1.0/24

    Okay.  So I plan to have my Internet connection come in from my ISP, and hit their equipment (in my case a Verizon ONT).  From the ONT, I am going to have the WAN connection come into a pfSense firewall.  My firewall has 3 NICs in it - WAN, LAN, and DMZ.

    Now, for the DMZ I plan to have the connection go into a Cisco 2900 series switch.  The DMZ will host my web, email, and DNS server(s), as well as any other test external systems.  I may just use a VMware server, and make these all virtual, not sure yet.

    The internal network I plan to have broken down into 3 segments - LAN, Wireless, and Services.  The internal gateway will be a Cisco 3750 that I will have broken up into the appropriate VLANs.  The Services network will house my jump server, NAS, domain controller, and any other servers that run network services.  The LAN and Wireless are just that.

    It was my original intent to not have the Wireless able to communicate with the LAN, only externally, within its subnet, and to Services.  I figured this would be more secure, but thinking about it, if a system is compromised, they could in theory get to the rest of my network through Services anyway.  Thoughts?

    I plan to not allow the DMZ to talk to internal, and vice versa.

    Now, my big question(s):

    • My 3750 is capable of doing static routing.  Do I keep the routing on the 3750, then just point a default route of 0.0.0.0 up to the firewall?  Or, do I keep the 3750 as a switch, then trunk up to the firewall and let that handle the routing?

    • Based on my IP scheme, the link between the 3750 and the firewall, that would need to be in its own subnet/VLAN for transit correct?  So I should make that for example 10.10.10.1/30?

    • If I do trunk up from my 3750 to the firewall, I know I would need to set the switch mode to trunk on the Cisco, then enable all VLANs.  On the firewall, I'm guessing I would go to Interfaces > Assign > VLANs and create the VLANs off my LAN interface.  Then under Interface Assignments, create new interfaces for each VLAN, and in the dropdown menu select the appropriate VLAN bound to my LAN NIC?  Once I do that, then do I have to go under each NIC and setup an IP for the VLAN, as I'm guessing then my hosts would use that IP as their gateway?

    Sorry if these seem like noob questions, I'm self-taught so some of the practical application is tough for me.

    Thanks in advance for the help.



  • Nobody has any suggestions?

    I guess what I'll do is experiment.  I'll have the switch do the routing, and then just have a default route pointing to the firewall.  In my mind, this is more appropriate.  And, this way I'll create the VLANs and their IPs on the switch, and use that as the gateway, rather than building them all on the firewall.

    As for keeping the wireless from accessing the LAN, if I really don't want this I just won't put in a route for that segment.

    Now, regarding the transit segment between the switch and firewall … I'm assuming that would have to be a separate subnet and VLAN to prevent routing loops and such if I decide to make things redundant.  Does that sound correct?

    Thanks
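Taking the design settled on in the two posts above (the 3750 routes between the internal VLANs, a /30 transit VLAN connects it to the pfSense LAN NIC, and a default route points at pfSense), here is an added example configuration; it is not from the thread. Interface numbers, VLAN numbers, the 10.10.10.0/30 transit addressing (pfSense .1, switch .2), the .1 gateway addresses and the 192.168.3.10 DNS host are assumptions. One check worth making before relying on "just don't add a route": once the SVIs exist, 192.168.1.0/24 is a connected route on the switch, so an interface ACL on the wireless SVI is what actually keeps wireless off the LAN.

```cisco
! --- Cisco 3750 as the internal layer 3 gateway (added example; names/numbers assumed) ---
hostname core-3750
! Turn on inter-VLAN routing; without this the SVIs are just management addresses
ip routing

vlan 10
 name LAN
vlan 20
 name WIRELESS
vlan 30
 name SERVICES
vlan 99
 name TRANSIT

! Gateways for the three internal segments live on the switch, not on pfSense
interface Vlan10
 description LAN gateway
 ip address 192.168.1.1 255.255.255.0
interface Vlan20
 description Wireless gateway
 ip address 192.168.2.1 255.255.255.0
 ip access-group WIRELESS_IN in
interface Vlan30
 description Services gateway
 ip address 192.168.3.1 255.255.255.0

! Point-to-point transit to pfSense: only the switch and the firewall live here
interface Vlan99
 description Transit to pfSense (pfSense LAN NIC = 10.10.10.1/30)
 ip address 10.10.10.2 255.255.255.252

! The physical uplink to the pfSense LAN NIC is an access port in the transit VLAN
interface GigabitEthernet1/0/1
 description Uplink to pfSense LAN
 switchport mode access
 switchport access vlan 99
 switchport nonegotiate
 spanning-tree portfast

! Example access ports for a LAN host and a wireless access point
interface GigabitEthernet1/0/2
 description LAN host
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
interface GigabitEthernet1/0/3
 description Wireless AP
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast

! Anything not local (DMZ, Internet) goes up the transit link to pfSense
ip route 0.0.0.0 0.0.0.0 10.10.10.1

! Wireless policy, applied to traffic entering the switch from wireless clients.
! Router ACLs are stateless: blocking wireless -> LAN also drops replies to
! LAN-initiated flows, so LAN hosts cannot reach wireless clients either.
ip access-list extended WIRELESS_IN
 remark DHCP from clients that have no address yet (source 0.0.0.0)
 permit udp any eq bootpc any eq bootps
 remark wireless -> LAN is blocked
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark wireless -> Services: permit only the services actually offered
 remark (192.168.3.10 assumed to be the DNS/domain controller; add jump host, NAS as needed)
 permit udp 192.168.2.0 0.0.0.255 host 192.168.3.10 eq domain
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.3.10 eq domain
 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 remark everything else (own subnet, transit, Internet) follows the default route
 permit ip 192.168.2.0 0.0.0.255 any
```

On the pfSense side (GUI paths, verify against your version): Interfaces > LAN gets the static address 10.10.10.1/30; System > Routing > Gateways gets a gateway on LAN at 10.10.10.2; System > Routing > Static Routes gets 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 via that gateway. The stock "Default allow LAN to any" rule uses "LAN net" as its source, which in this design means only 10.10.10.0/30, so add LAN rules whose source is an alias of the three internal subnets, and confirm under Firewall > NAT > Outbound that those routed subnets are translated (automatic mode generates rules for static-route networks, but check rather than assume). The "no DMZ to internal" policy from the first post is then a DMZ rule blocking 192.168.0.0/16 and 10.10.10.0/30 as destinations, plus LAN rules blocking 172.31.1.0/24. Narrowing wireless access to Services to specific hosts and ports, rather than the whole subnet, is also the practical answer to the pivot-through-Services concern raised in the first post.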



  • Your plan seems to make sense to me.
    Just remember to NOT use the interface holding the VLANs for anything other than that, e.g. don't assign it an IP/subnet itself.

    I would move the routing between subnets to pfSense and not let the Cisco do it. But that's related to the fact that I know how to do it within pfSense and wouldn't know about the Cisco. And I have all traffic control in one place. On the negative side I have additional traffic on the NIC holding the VLANs which in your setup is handled by the Cisco.
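For the alternative the reply above prefers (the 3750 stays a layer 2 switch and pfSense does the routing over an 802.1Q trunk), here is the switch side as an added example, not from the thread; port numbers, VLAN numbers, the management address and the pfSense parent interface name (igb1) are assumptions. The security detail that matters on a trunk is the native VLAN: untagged frames should land in a dead-end VLAN that carries no hosts, so a client cannot reach another segment by tagging its own frames.

```cisco
! --- Cisco 3750 as a pure layer 2 switch; pfSense routes between VLANs (added example) ---
hostname access-3750
no ip routing

vlan 10
 name LAN
vlan 20
 name WIRELESS
vlan 30
 name SERVICES
! Dead-end native VLAN: no SVI, no access ports, so untagged frames go nowhere
vlan 999
 name NATIVE_UNUSED

! 802.1Q trunk to the pfSense LAN NIC: tag all three VLANs, carry nothing else
interface GigabitEthernet1/0/1
 description Trunk to pfSense LAN NIC (igb1)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk

! Host-facing ports: pinned to one VLAN, trunk negotiation off, BPDUs from hosts shut the port
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
interface range GigabitEthernet1/0/2 - 8
 description LAN hosts
 switchport access vlan 10
interface range GigabitEthernet1/0/9 - 12
 description Wireless APs
 switchport access vlan 20
interface range GigabitEthernet1/0/13 - 24
 description Services
 switchport access vlan 30

! Management address for the switch itself, reached through the Services VLAN;
! pfSense's VLAN 30 interface (assumed 192.168.3.1) is the switch's gateway
interface Vlan30
 description Switch management
 ip address 192.168.3.2 255.255.255.0
ip default-gateway 192.168.3.1
```

On pfSense this matches the steps guessed at in the first post: Interfaces > Assignments > VLANs, create tags 10, 20 and 30 on the parent igb1; Interface Assignments, add each VLAN as its own interface, enable it and give it a static address (192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24), which the hosts then use as their gateway. The parent igb1 itself keeps no address, as the reply says. Because the subnets are now directly attached, each interface's "net" macro (e.g. "WIRELESS net") refers to the right subnet, and since pfSense filters statefully, a single block rule on the Wireless tab (source WIRELESS net, destination LAN net, placed above the pass rule) stops wireless-initiated flows and their replies; if LAN-initiated connections into the wireless segment should be blocked too, add the mirror rule on the LAN tab.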

