VLAN vs Dual LAN for Home Business
I have a new 6-port QOTOM box and just installed pfSense.
I'm running a home-based business - three high-end workstations are associated with my business. Security on these business machines is of great concern. The home side of my network is equipped with the usual assortment of media servers (PLEX, Squeezecenter, etc.), security cams (made in China), WiFi devices, NAS, etc. I have a CISCO unmanaged switch and Ubiquiti EdgeSwitch Lite at my disposal; WiFi is a Ubiquiti AP.
I'm planning to set up VLANs, but before doing so I wondered if it's better to segregate my business machines to a separate LAN port on the router and run a VPN on it. Or should I just run one LAN and be smart about my VLAN setup?
pfSense is new to me and I'm a networking noob. I'm gaining a huge benefit from this forum and other great pfSense tutorials. Many thanks the experts who contribute a ton of great information for those on the learning path.
It's not clear how the VPN might fit into this. Are you planning to route all the traffic from the workstations over a VPN?
If the question is which is more secure separating subnet using VLANs or different NICs then using different NICs wins. But there's not much in it! Correctly configured VLANs can be considered secure.
However you have 6 ports so what else are you going to do with them?
Also the additional complexity of using VLANs makes it more likely a configuration error might happen, especially if this is not something you do often.
Yep - was going to push all workstations through a VPN.
Your observation reflects my concern over goofing something in setting up the VLANs. For a noob like me this is complex stuff, especially when I have to set up inter-VLAN connections, firewall rules, etc. I took a simplistic view that if I put my business machines in a dedicated LAN I'd have a better chance regarding security since it would be a simple network with far fewer devices.
I agree with that decision. Especially since you have NICs available.
VLAN interfaces are treated exactly like any other in pfSense so once you have the switch configured and the VLANs added in pfSense it would be no different. But you can experiment with VLANs later, no need to try to do everything at once.
New to networking users always confuse vlans and interfaces.. You do understand you could run native networks on your interfaces in pfsense while if they are connected to the same switch you will have to setup vlans in the switch to keep the traffic isolated.
You could have multiple vlans on your switch and uplink them all native untagged to pfsense, this would be common setup if you want don't want to hinder bandwidth for intervlan traffic.
If you don't want to create any vlans and just use dumb switch, etc.. Then you need to make sure your networks stay completely isolated with different switches for each network. But since you mention your home side with china camera's and other iot and services I would prob isolate these sorts of devices into their networks/vlans.. If your going to want to run multiple wifi networks via your unifi AP then yeah your going to have to setup vlans in your switch and AP, but pfsense with multiple interfaces need know know anything about them and would just see them as untagged networks.
@stephenw10 - taking things one step at a time is very appealing since the firehose is open full at this point.
@johnpoz - my business machines don't really need WiFi which saves me having to worry about the AP. Taking advantage of the available router ports and just sticking my business PCs on the dumb switch is as simple as it gets. On the home network side, I need VLANs to isolate those cams and IOT devices, and will need a few SSIDs on the AP as well. I'm still working my way through the inter-VLAN tutorials, but I do see a limited need for some of this traffic. I got the Ubiquiti switch and AP based on my best understanding of their ability to handle this.
Thanks for walking me through this!
Vlans are really dead simple once you understand how they work via tagged and untagged. So yeah your switch and AP can do them sure - if you want to keep your work side on their own network via different switch that is easy enough as well - but you will have to firewall correctly.. The default lan is any any, when you create optX interface be it physical nic on pfsense or vlan its not going to have any rules.. So depending which network is where and what you want to be able to talk to each other your going to need to correctly setup the firewall rules be it you vlan the connections into pfsense or use native on physical interfaces.
@johnpoz When I installed pfSense on the new router I created two interfaces... I had read on the basic firewall page that OPT interfaces have no rules and forgot that - thanks for setting me straight and waking me up. Firewall rules are scary but I'm getting there.