Private game server behind pfsense



  • Hi all, been searching the forums for suggestions but have come up pretty dry.
    I'm building a private server for a popular MMO. I want it completely isolated from all my LAN traffic. If I get a 3rd network card for the server, what more would I need to do? Can someone give me a heads up into the proper starting point?

    thanks



  • If you're isolating it physically, then you'll need a 2nd switch in addition to that 3rd NIC.

    Otherwise, you can add a managed switch and use VLANs.



  • It's literally as simple as adding a firewall rule to that interface that blocks traffic to LAN.



  • @marvosa said in Private game server behind pfsense:

    If you're isolating it physically, then you'll need a 2nd switch in addition to that 3rd NIC.

    Otherwise, you can add a managed switch and use VLANs.

    The only device on the network is the game server, there will not be any other devices. What do I need the 2nd switch for? The setup, I thought, would be as simple as a network cable from the opt1 interface to the server PC.

    @kom said in Private game server behind pfsense:

    It's literally as simple as adding a firewall rule to that interface that blocks traffic to LAN.

    Thank you, didn't know if I should take it to another level. Just wanted security by isolation and wasn't sure if there was more I should/could do


  • Netgate Administrator

    You should just be able to connect the server directly if you don't need any other devices on that subnet. Unless it's not using Gigabit Ethernet (unlikely) in which case you might need a cross-over cable.

    If you only have incoming connections to the server you don't necessarily need any rules on the OPT1 interface; all traffic from the server is blocked. However, you will probably need the server to fetch updates etc., so it will need rules to allow it to reach DNS and external IPs at least. Simply by omitting any rules that allow access to LAN, though, it will be isolated.

    Steve



  • Yeah there will be incoming connections to the server, I just wanted to ensure that there's no way a curious player could find their way into my personal LAN. I added a rule for the OPT1 interface (the server) to allow all protocols to any destination, then added another rule that simply blocks all source traffic from OPT1 to LAN. Does that sound right?


  • Netgate Administrator

    That will work as long as the block rule is above the pass rule.

    Steve
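
The rule-order point above, as an added example that is not part of the original thread: pfSense interface rules are checked top to bottom, the first match decides, and unmatched traffic is dropped. The subnets and host addresses are constructed assumptions, and `Rule`, `evaluate` and `audit` are hypothetical helper names.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for illustration; not taken from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    label: str

def evaluate(rules, src_ip, dst_ip):
    """Return (action, label) for a new connection entering the interface.

    Rules are checked top to bottom and the first match decides; with no
    match the connection is dropped (default deny).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action, rule.label
    return "block", "default deny"

BLOCK_LAN = Rule("block", OPT1_NET, LAN_NET, "block OPT1 to LAN")
PASS_ANY = Rule("pass", OPT1_NET, ANY, "pass OPT1 to any")

RULESETS = {
    "block above pass": [BLOCK_LAN, PASS_ANY],   # order recommended in the thread
    "pass above block": [PASS_ANY, BLOCK_LAN],   # block rule is never reached
    "no rules": [],                              # everything from the server is dropped
}

SERVER = "192.168.2.10"      # constructed game server address
LAN_HOST = "192.168.1.50"    # constructed LAN workstation
INTERNET = "203.0.113.7"     # documentation range (RFC 5737)

def audit(rules):
    """Summarise what the server can initiate under a given rule order."""
    return {"lan": evaluate(rules, SERVER, LAN_HOST)[0],
            "internet": evaluate(rules, SERVER, INTERNET)[0]}

if __name__ == "__main__":
    for name, rules in RULESETS.items():
        print(f"{name:18} {audit(rules)}")
```
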



  • @stephenw10 Fortunately I was able to figure that out. Any other security suggestions? Thanks for the help



  • @bumzag said in Private game server behind pfsense:

    @marvosa said in Private game server behind pfsense:

    If you're isolating it physically, then you'll need a 2nd switch in addition to that 3rd NIC.

    Otherwise, you can add a managed switch and use VLANs.

    The only device on the network is the game server, there will not be any other devices. What do I need the 2nd switch for? The setup, I thought, would be as simple as a network cable from the opt1 interface to the server PC.

    @kom said in Private game server behind pfsense:

    It's literally as simple as adding a firewall rule to that interface that blocks traffic to LAN.

    Thank you, didn't know if I should take it to another level. Just wanted security by isolation and wasn't sure if there was more I should/could do

    Why do you need a 2nd switch? You will want a 2nd switch for a proper design. Without it, you leave that segment of your network without a switched fabric.

    Can you plug your server directly into the OPT1 NIC? Technically yes, but pfSense isn't a switch and shouldn't be used as one. Trying to leverage the pfSense NICs as switches can lead to performance issues.


  • Netgate Administrator

    You don't need a switch if there are only two hosts in the segment; there is no switching to be done. IMO at least.

    I wouldn't use a switch there.

    Steve