Best Way to Achieve this?
-
I have pfSense running with 1 LAN and 1 WAN.
Everything is on the same subnet. I want to secure the network by moving some components to another subnet.
I have a CCTV system and a cloud (Nextcloud). I would like to have both of these on different subnets; this way, if these get compromised, my main network will be separate.
From my understanding, I would need to set up VLANs for each subnet along with a reverse proxy for my Nextcloud (since port 80 is already being used).
I have Windows as my DHCP server but was hoping the new VLANs I set up would use pfSense as the DHCP server ONLY for the VLANs. Is it possible to have Windows handle DHCP simultaneously with pfSense?
I have looked at several videos online on how to set up VLANs, but when I go into DHCP Server I don't see the new VLANs I created there, which I expected was required to set up the subnet addresses. Currently I was never using this because Windows was handling the requests.
Any tips would be appreciated.
-
@nambi said in Best Way to Achieve this?:
along with a reverse proxy for my nextcloud (since port 80 is already being used)
What?? Don't waste time with that. Get yourself a domain and then use Let's Encrypt/Certbot to get a wildcard SSL cert, and then configure your Nextcloud to use 443.
General consensus seems to be let AD handle DNS and DHCP. You can forward your AD DNS to pfSense if you like.
VLANs have nothing to do with DHCP specifically, other than that they appear as an interface for DHCP to listen and serve on just like with a physical interface. You can have multiple DHCP servers as long as they don't overlap in their scopes, but it is not recommended since you will run into problems like DHCP registration with DNS.
While Netgate doesn't have a specific VLANs video, the well-respected Lawrence Systems does, so you might want to look at that.
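The scope rule in the reply above (several DHCP servers are workable only if their scopes do not overlap, and two servers answering on one interface is asking for trouble) is easy to check mechanically before touching the firewall. The script below is an added example written for this thread, not pfSense or Windows Server code; the LAN/CCTV/CLOUD subnets and the scope ranges are constructed sample values that stand in for the poster's real layout.

```python
"""Sanity-check a DHCP layout where Windows AD serves the LAN and pfSense
serves the new VLANs: every scope must lie inside its interface's subnet,
no two scopes may overlap, and no interface may have two servers.
Example code added to this forum thread; all addresses are constructed."""
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations

# Constructed sample layout (assumption): one subnet per interface.
INTERFACES = {
    "LAN":   IPv4Network("192.168.1.0/24"),   # stays on Windows DHCP
    "CCTV":  IPv4Network("192.168.20.0/24"),  # new VLAN, pfSense DHCP
    "CLOUD": IPv4Network("192.168.30.0/24"),  # new VLAN, pfSense DHCP
}

# (server, interface, first address, last address) -- constructed values
SCOPES = [
    ("windows-ad", "LAN",   "192.168.1.100", "192.168.1.200"),
    ("pfsense",    "CCTV",  "192.168.20.50", "192.168.20.150"),
    ("pfsense",    "CLOUD", "192.168.30.50", "192.168.30.150"),
]


def scope_range(first, last):
    return IPv4Address(first), IPv4Address(last)


def scope_inside_interface(scope):
    """A scope must sit entirely within the subnet of the interface it serves."""
    _, iface, first, last = scope
    net = INTERFACES[iface]
    lo, hi = scope_range(first, last)
    return lo in net and hi in net and lo <= hi


def ranges_overlap(a, b):
    """True if the two scopes share at least one address."""
    a_lo, a_hi = scope_range(a[2], a[3])
    b_lo, b_hi = scope_range(b[2], b[3])
    return a_lo <= b_hi and b_lo <= a_hi


def find_problems(scopes=SCOPES):
    """Return human-readable problems; an empty list means the layout is sane."""
    problems = []
    for s in scopes:
        if not scope_inside_interface(s):
            problems.append(
                f"{s[0]} scope {s[2]}-{s[3]} is outside {s[1]} ({INTERFACES[s[1]]})")
    for a, b in combinations(scopes, 2):
        if ranges_overlap(a, b):
            problems.append(
                f"{a[0]} scope {a[2]}-{a[3]} overlaps {b[0]} scope {b[2]}-{b[3]}")
    # Two servers handing out leases on the same interface is the case the
    # reply warns about (conflicting leases, broken DNS registration).
    servers_per_iface = {}
    for s in scopes:
        servers_per_iface.setdefault(s[1], set()).add(s[0])
    for iface, servers in servers_per_iface.items():
        if len(servers) > 1:
            problems.append(
                f"{iface} has more than one DHCP server: {sorted(servers)}")
    return problems


if __name__ == "__main__":
    for line in find_problems() or ["no problems found"]:
        print(line)
```

Run it as-is and it reports nothing; add a second scope for the CCTV VLAN (say a Windows scope on the same interface) and it flags both the overlap and the duplicate server, which is exactly the situation to avoid when pfSense is meant to be the only DHCP server on the VLANs.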
-
Thanks for the help. To administrate, if I have something else using 443, would I then need to use the reverse proxy?
Should I be using VLANs for this? Would VLANs give me the added security in case I was ever compromised?
-
@nambi said in Best Way to Achieve this?:
if I have something else using 443 would I then need to use the reverse proxy?
That's one way. You could also reconfigure the web listen port for one of your servers to some other port. I tend to avoid using a reverse proxy because it's extra complexity with potential issues that I'd rather avoid.
Also yes, VLANs give you network separation as if they were physical interfaces. You always want to provide a gap between front-facing services and your LAN so that any exploited servers aren't used as a stepping stone to taking over your network.
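The "gap" in the reply above only exists if the rules on the new VLAN interfaces actually refuse traffic toward the LAN; a VLAN whose only rule is the default allow-anything pass reaches the LAN just like a LAN host would. The script below is an added example written for this thread, not pfSense's rule engine: it is a small simulation of per-interface, top-to-bottom, first-match rules with an implicit default deny (which is how pfSense evaluates rules on the interface where traffic enters), used to confirm that a CCTV VLAN can reach the firewall for DNS/NTP and the internet, but nothing on the LAN. The subnets, the firewall's VLAN address and the probed ports are constructed sample values.

```python
"""Simulate per-interface, first-match firewall rules and check that an
exposed-services VLAN cannot reach the LAN. Example code added to this
forum thread, not pfSense code; addresses and rules are constructed."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
# Firewall's own address on the CCTV VLAN (assumed sample value)
PFSENSE_CCTV_ADDR = ip_network("192.168.20.1/32")


class Rule(NamedTuple):
    action: str               # "pass" or "block"
    proto: str                # "any", "tcp" or "udp"
    dst_nets: list            # destination networks this rule matches
    dst_ports: Optional[set]  # None means any port


# Rules on the CCTV VLAN interface, evaluated top to bottom; the first
# matching rule decides, and anything unmatched hits the implicit deny.
CCTV_RULES = [
    Rule("pass",  "udp", [PFSENSE_CCTV_ADDR], {53, 123}),   # DNS/NTP to the firewall only
    Rule("block", "any", RFC1918, None),                     # no LAN, no other VLANs
    Rule("pass",  "any", [ip_network("0.0.0.0/0")], None),   # everything left = internet
]


def evaluate(rules, proto, dst_ip, dst_port):
    """Return (action, index of the matching rule); (\"block\", None) if none matched."""
    dst = ip_address(dst_ip)
    for i, r in enumerate(rules):
        if r.proto != "any" and r.proto != proto:
            continue
        if not any(dst in net for net in r.dst_nets):
            continue
        if r.dst_ports is not None and dst_port not in r.dst_ports:
            continue
        return r.action, i
    return "block", None  # implicit default deny


def lan_reachable_from(rules, lan_net="192.168.1.0/24"):
    """Probe a few typical internal services on a LAN host; True if any passes."""
    host = str(list(ip_network(lan_net).hosts())[9])  # 192.168.1.10 for the sample LAN
    probes = [("tcp", host, 445), ("tcp", host, 3389), ("udp", host, 53), ("tcp", host, 80)]
    return any(evaluate(rules, *p)[0] == "pass" for p in probes)


if __name__ == "__main__":
    print("DNS to firewall:", evaluate(CCTV_RULES, "udp", "192.168.20.1", 53))
    print("SMB to LAN host:", evaluate(CCTV_RULES, "tcp", "192.168.1.10", 445))
    print("HTTPS to internet:", evaluate(CCTV_RULES, "tcp", "203.0.113.10", 443))
    print("LAN reachable with isolation rules:", lan_reachable_from(CCTV_RULES))
    print("LAN reachable with only the any-any rule:", lan_reachable_from(CCTV_RULES[2:]))
```

The last line is the point: dropping the block rule and keeping only the catch-all pass (the state a freshly created VLAN interface is often left in) makes the LAN reachable again, so the segmentation exists on paper but not in the firewall.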