VLANS AND PFSENSE



  • I am new to the Pfsense Forum and this will be my first post. So hi everyone :)

    I have setup pfsense in a business environment. We are running Pfsense on a HyperV Server. This is our current setup:

    1. HyperV Server (VM: DC (DHCP and DNS), two Virtual App Servers and Pfsense virtual machine)
    • The server has 8 network ports available
    • 4 Nics are running in a Team, 1 Nic is assigned to the Host and 1 is assigned to the WAN
    • All VMs use the same virtual switch (The servers are set on VLAN 20)
    1. PFSense (Is assigned two interfaces, one for LAN and one for WAN)
    • The LAN uses the same vswitch as mentioned above and it was configured as a trunk port 0,0-70 through powershell
    1. I have created several VLANS and asigned them to the Parent interface LAN
    • VLAN 10 - Management
    • VLAN 20 - Trusted Network
    • VLAN 30 - Printers
    • VLAN 40 - GUEST
    1. We also have a MPLS network for two of our branches. The cisco router for the MPLS is configured with an IP on the LAN interface and we have static routes for each of the branches configured on Pfsense

    2. Cisco Switch

    • I have configured the 4 ports that the physical nics of the HyperV team connect to as Trunk.
    • The port that the cisco router (MPLS) connects to is configured in Access Mode only
    • All other ports are configured to the required VLANs
    1. TP link Unmanaged Switch
    • This is only for VLAN 20

    I think I have covered most of the setup.

    Before this setup got to where it is I had Pfsense on its own box and we had no VLANS or Cisco Switch.

    Some of the features I wanted from Pfsense was to use Squid, Squid Guard, and for VPN purposes)

    At the moment my rules for each of the interfaces are to allow everything. The important thing was to get the main setup working properly and then add in more rules to block certain access on each of the VLANS.

    I have everything up and running but since we introduced the above setup I have come across a few problemas that I believe are related to DNS.

    I followed a guide to get Squid and Squid Guard setup with Safe searching for google, youtube etc and block certain pages by category. At the moment I have squid disabled because I had problems where everynow and then I would have to restart Pfsense or Unplug the fiber converter that brings in the internet to get internet again. Where I start noticing that things dont seem to be configured correctly is the following:

    1. We have clock machines in our HO and one of the branches. I can connect to the branch clock machine but connecting the local one gives problems everynow and then. Sometimes it connects sometimes it doesnt, sometimes it takes really long. The clock machine is connected to VLAN 20.
    2. We also have a free version of PRTG. Some hosts it finds with the HOSt name, others only with IP.

    Going back to the pfsense setup. I created a nat port forward rule for DNS on IP 127.0.0.1 and this configured on the LAN interface. I have DNS resolver enabled and set to all on the Interface and outgoing interface. When looking at the logs on the rule created on the LAN interfae I only see traffic from the MPLS network. This looks correct. Do I need to configure NAT port forward for the VLAN interfaces as well. When I do this I start getting more problems.

    All the VLANS get DHCP from the DC and I have configured DNS settings on there. On the DHCP server each VLAN has the router set so for example VLAN 10 has this set as the gateway 10.0.1.1 (VLAN Network 10.0.1.0/24), the domain is set and the DNS serves all point to the DC server.

    I want to restrict access to Internet on VLAN 20 and the MPLS network through Squid. The Management interface will be mainly open. The GUEST will only have access to the Internet but also be restricted through Squid. The idea with the Printer VLAN was to Block internet access to the Printers.

    I would like to get some feedback and suggestions on the current setup and what I am looking at doing.

    Thanks