SMB network advice - what next?



  • I am looking for suggestions both general and specific on network design and implementation. We have a small business developing machine learning software with about 5-10 people on staff. I am doing the IT infrastructure work, but trying to keep it simple so that I can devote more time to writing software.

    The current goals are:

    • keep the LAN secure from outside attack
    • manage user authentication
    • serve internal machine name/IP lookups (DNS/BIND)
    • provide remote access (openVPN)
    • manage shared assets: storage, printers, etc.
    • Support Windows, OSX, and Linux computers with mostly Linux/Unix infrastructure.
    • support future network uses, for example, small-scale IoT testing.

    Any other servers (web, AWS) are currently hosted offsite.

    In general it would be great to read about best practices for network setup. I feel like this is not very complicated (for an experienced software developer) and yet there are zillions of products and services and I can spend all day reading about stuff much less implementing it.

    On specifics, I just set up a pfSense box for OpenVPN remote access and it is just inside the Comcast business router, which also is a Wifi access point. The VPN is only accepting incoming connections on the LAN port, so UDP 1194 is port forwarded from the Comcast router. It is not doing any other firewall or user/host/network management tasks, but it certainly could. I read a lot about minimizing attack surface so I was reluctant to put too much on this computer, but it's already sitting inside the Comcast router. Outbound traffic is using the Comcast router and not going through the pfSense appliance. We do have a static public IP address, and I am planning to put this on the WAN port of the pfSense, but so far I haven't needed it.

    I was planning to stand up a FreeIPA server for user PKI/certs and DNS management, but haven't started. It seems smart to keep that on a separate server from one that is accepting inbound traffic (again, this is currently just OpenVPN), but if we had any other inbound needs I would expect to route them to the pfSense firewall.

    • Is there any benefit to routing all traffic through pfSense (would need another Wifi router, but no big deal)?
    • Does it make sense to keep the pfSense appliance only on the LAN?
    • If the pfSense appliance stays on the LAN, is it better to run other authentication and DNS services on it rather than setting up FreeIPA?
    • Assuming the previous answer was no (for reasons of security and modularity), what other useful things should I be doing on the pfSense appliance?
    • I haven't given any thought to VLANs or managed switches or any kind of internal LAN traffic partitioning. How do I know when these become important?


  • Answers to your goals:

    • keep the LAN secure from outside attack - That's what pfSense is designed to do!
    • manage user authentication - It can do that, either using local user DB, RADIUS server, or LDAP (AD) server as back-end (it is not a replacement for AD)
    • serve internal machine name/IP lookups (DNS/BIND) - Yup it can do that too
    • provide remote access (openVPN) - Check! It can authenticate against the aforementioned user authentication mechanisms
    • manage shared assets: storage, printers, etc. - Not sure what you mean by that, but don't recommend installing other non-security related tools on pfSense.
    • Support Windows, OSX, and Linux computers with mostly Linux/Unix infrastructure. - Unsure what you expect
    • support future network uses, for example, small-scale IoT testing, - Yup does that too, when you're ready consider segmenting with VLANs. (You will need managed switches)

    Answers to your other questions:

    • Is there any benefit to routing all traffic through pfSense (would need another Wifi router, but no big deal)? Does it make sense to keep the pfSense appliance only on the LAN? Yes! Do route all your traffic through it; that way you have one point of control and one point of logging. If you're concerned about a single point of failure, you can run pfSense in HA.
    • If the pfSense appliance stays on the LAN, is it better to run other authentication and DNS services on it rather than setting up FreeIPA? Yes! Do use pfSense for DNS; there are numerous options available that can meet most requirements.
    • Assuming the previous answer was no (for reasons of security and modularity), what other useful things should I be doing on the pfSense appliance? If you really must, but you'd just be creating more work for yourself, and you did say you wanted to spend more time writing software 😃
    • I haven't given any thought to VLANs or managed switches or any kind of internal LAN traffic partitioning. How do I know when these become important? When compliance or regulatory bodies dictate that you should, that might even be starting from your initial deployment. It is generally good practice to isolate your WLAN from your LAN just as it is to isolate your VoIP network from the LAN; maybe you have some super secret IP that you want to keep prying eyes out of.


  • @awebster said in SMB network advice - what next?:

    It is generally good practice to isolate your WLAN from your LAN just as it is to isolate your VoIP network from the LAN; maybe you have some super secret IP that you want to keep prying eyes out of.

    Thanks for all the tips. I am going to put the Comcast router into bridge mode and pass all traffic through pfSense. Can you be more specific about how the WLAN should be kept separate? Basically we have laptops on Wifi and we need to access compute machines on the ethernet LAN, mostly with SSH and file sharing. Currently they are on the same /24 subnet, but assuming I separate that, I still need to have connectivity, so I'm not sure what kind of isolation is possible or what you mean.

    Thanks



  • You can certainly isolate access to only certain hosts and not others.
    In addition, you can choose what protocols; for instance, you could allow SMB access to your file server but not allow RDP.
    SSH is a bit trickier since you can tunnel other protocols through it, so you might need to disable that functionality on the SSH server first.
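    The per-host, per-protocol WLAN isolation described in the two replies above (segment the WLAN from the LAN, then allow only SSH to the compute hosts and SMB to the file server), written out as a pf rule set. This is an added example, not configuration from the thread or from the pfSense project; pfSense generates pf rules from its GUI, so these would be entered as the equivalent firewall rules on the WLAN interface. The interface name, subnets and host addresses are made up for the example.

    ```pf
    # Constructed values: adjust to the real interface and addressing.
    wlan_if  = "igb2"                       # WLAN interface on pfSense
    lan_net  = "192.168.10.0/24"            # wired LAN with compute hosts and file server
    pfs_wlan = "192.168.20.1"               # pfSense's own address on the WLAN subnet
    fileserver = "192.168.10.10"
    table <compute_hosts> { 192.168.10.21, 192.168.10.22 }

    # All rules use "quick", so the first match wins and ordering is the policy.

    # 1. Laptops may use pfSense for DHCP and DNS, but nothing else on the box
    #    (keeps the web GUI and SSH management port off the wireless segment).
    pass  in quick on $wlan_if proto udp from any to $pfs_wlan port { 53, 67 }
    pass  in quick on $wlan_if proto tcp from any to $pfs_wlan port 53
    block in quick log on $wlan_if from any to ($wlan_if)

    # 2. SSH only to the compute hosts. Because SSH can carry arbitrary tunnels,
    #    this rule is only meaningful if sshd on those hosts is configured with
    #    AllowTcpForwarding no / PermitTunnel no, as the reply above notes.
    pass  in quick on $wlan_if proto tcp from any to <compute_hosts> port 22

    # 3. SMB only to the file server (RDP, 3389, to anything is not listed,
    #    so it falls through to the block below).
    pass  in quick on $wlan_if proto tcp from any to $fileserver port 445

    # 4. Everything else from the WLAN toward the wired LAN is dropped and
    #    logged, which is what gives one point of control and one point of logging.
    block in quick log on $wlan_if from any to $lan_net

    # 5. Internet-bound traffic from the laptops is unaffected.
    pass  in quick on $wlan_if from any to any
    ```

    Adding a host to the segment later means adding it to the table and nothing else; anything not explicitly passed shows up in the pfSense firewall log as a blocked WLAN-to-LAN attempt.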

