LAN and VLAN for IoT separation



    Hi,
    I am very new to pfSense. I installed it a few days ago and I am already loving it. I am still trying to digest as much as I can from the threads. I would like to start using it as soon as I can figure out how to create complete separation between my private LAN and the VLAN that I created. Here is my scenario:

    Hardware:
    Dell PowerEdge R-710 (I am planning to use this server for other things as well in addition to running pfSense, e.g. FreeNAS). It has 4 NICs.
    Smart web-managed switch: Netgear Prosafe GSS108E
    Routers: Netgear Nighthawk 1750 (for IoT) and Netgear Nighthawk 1900 (for LAN)

    I have a LAN in pfSense with 192.168.30.1/23
    VLAN with 192.168.70.1/23

    Here is my setup:
    WAN (which is also behind a Verizon Fios gateway) --> PE-R710 port #1 (this is my pfSense WAN interface)

    Here is my switch configuration:
    [three screenshots of the switch configuration]

    I have dedicated ports 1-5 for the LAN and ports 6-8 for the VLAN as seen above

    NIC #2 on the R-710 goes to port #6 on the switch (for the VLAN)
    NIC #3 on the R-710 goes to port #1 on the switch (for the LAN)

    So far, from reading forums and articles, I am at the point where I can get IP addresses on both the LAN and the VLAN, and they can all connect to the internet just fine.

    What I would like to accomplish:

    • I would not like the web interface to be accessible from the VLAN interface

    • I would like to make sure that DNS queries always go to pfSense and clients can't override it, even when they set up their computer to use different DNS servers (I think I made an attempt to achieve that by setting up the NAT redirect to 127.0.0.1, but I don't understand it since I simply followed the tutorial. Can someone please confirm it? I will appreciate it)

    • Biggest thing: I would like to isolate my IoT VLAN so that devices on the LAN can talk to the printer, Chromecast, Alexa, TV, etc., but IoT devices have absolutely no way to reach my LAN network

    • What other things can I do to tighten up my security?

    • How can I persist the logs and analyze them? Is there any reporting plugin available that can help me achieve that?

    • Is there any way I can automatically get an email of my configuration backup, or store it somewhere in the cloud on a scheduled basis?

    Can someone please help me achieve these based on my situation?
    I have provided a series of screenshots of my setup below.

    Thanks a lot.

    Currently I just have pfBlockerNG installed. (I tried the pfBlockerNG-devel version but just couldn't make it work. That is a whole new post for the future.)
    Here is my interface configuration:

    Interfaces:
    [screenshot]

    LAN Interface:
    [screenshot]

    VLAN Interface:
    [screenshot]

    Firewall/NAT
    [screenshot]

    Firewall/NAT/Outbound
    [screenshot]

    This is my pfBlockerNG configuration:
    [screenshot]

    And here are the rules for each interface.
    [four screenshots of the per-interface firewall rules]

    Here are my DNSBL feeds:
    [screenshot]

    I have enabled EasyList and EasyPrivacy and selected all categories as well.

    Here are a few of my IPv4 feeds:
    [screenshot]

    DNS Resolver
    [screenshot]

    The DNS forwarder is disabled.
    No DNS servers are defined in General settings or on the DHCP server side.


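Added example, not part of the post above and not pfSense's own code: a small Python model of the two mechanisms the IoT isolation in this thread relies on, pf's first-match evaluation of the per-interface rule list (pfSense GUI rules are "quick" rules, so the first matching rule on an interface wins) and its state table (a connection the LAN side opened to a printer gets its replies back without any rule on the IoT side allowing IoT-to-LAN traffic). It also models the DNS port forward to 127.0.0.1 the post mentions, and the fact that in pf the redirect runs before filtering, so the pass rule has to match the translated destination. The subnets are the ones from the post (192.168.30.0/23 LAN, 192.168.70.0/23 VLAN); the interface names `LAN` and `IOT`, the rule descriptions, the host addresses and the `This Firewall` membership are assumptions. The `misordered` switch shows what happens when the "allow IoT to internet" rule is placed above the block rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Subnets from the post; firewall addresses and interface names are assumed.
LAN_NET = ip_network("192.168.30.0/23")
IOT_NET = ip_network("192.168.70.0/23")
# "This Firewall" alias: every address pfSense itself holds (WAN address omitted here).
FIREWALL_ADDRS = {ip_address(a) for a in ("192.168.30.1", "192.168.70.1", "127.0.0.1")}
NETS = {"LAN net": LAN_NET, "IOT net": IOT_NET}


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on: "LAN" or "IOT" (assumed names)
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                 # "pass" or "block"
    dst: str = "any"            # "any", "LAN net", "IOT net" or "This Firewall"
    proto: str = "any"
    dport: Optional[int] = None
    descr: str = ""

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface != self.iface:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        dst = ip_address(pkt.dst)
        if self.dst == "This Firewall":
            return dst in FIREWALL_ADDRS
        if self.dst in NETS:
            return dst in NETS[self.dst]
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()     # 5-tuples of flows a pass rule admitted

    def redirect_dns(self, pkt: Packet) -> Packet:
        # Port forward: DNS from the IoT VLAN to any outside resolver is rewritten to
        # 127.0.0.1 (the target used in the post). rdr runs before the filter in pf,
        # so the rules below see the translated destination, not 8.8.8.8.
        if pkt.iface == "IOT" and pkt.dport == 53 and ip_address(pkt.dst) not in FIREWALL_ADDRS:
            return Packet(pkt.iface, pkt.proto, pkt.src, pkt.sport, "127.0.0.1", 53)
        return pkt

    def filter(self, pkt: Packet):
        pkt = self.redirect_dns(pkt)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # State table first: an established flow, in either direction, bypasses the rules.
        if key in self.states or reply in self.states:
            return "pass", "existing state"
        for rule in self.rules:             # first match wins
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action, rule.descr
        return "block", "default deny"


def build_firewall(misordered: bool = False) -> Firewall:
    iot_rules = [
        Rule("IOT", "pass", dst="This Firewall", proto="udp", dport=53, descr="Allow DNS to pfSense"),
        Rule("IOT", "pass", dst="This Firewall", proto="tcp", dport=53, descr="Allow DNS to pfSense"),
        Rule("IOT", "block", dst="This Firewall", descr="Block IoT to firewall (web UI, SSH)"),
        Rule("IOT", "block", dst="LAN net", descr="Block IoT to LAN"),
        Rule("IOT", "pass", descr="Allow IoT to internet"),
    ]
    if misordered:                          # "allow internet" moved above the blocks
        iot_rules.insert(0, iot_rules.pop())
    return Firewall([Rule("LAN", "pass", descr="Default allow LAN to any")] + iot_rules)


def demo(misordered: bool = False) -> dict:
    """Run constructed sample flows through the ruleset; returns name -> (verdict, reason)."""
    fw = build_firewall(misordered)
    cases = {   # order matters: the LAN-initiated print job creates the state its reply uses
        "lan_to_printer":     Packet("LAN", "tcp", "192.168.30.50", 40000, "192.168.70.20", 9100),
        "printer_reply":      Packet("IOT", "tcp", "192.168.70.20", 9100, "192.168.30.50", 40000),
        "printer_to_lan":     Packet("IOT", "tcp", "192.168.70.20", 50000, "192.168.30.50", 445),
        "iot_to_webui":       Packet("IOT", "tcp", "192.168.70.30", 50001, "192.168.70.1", 443),
        "iot_to_lan_webui":   Packet("IOT", "tcp", "192.168.70.30", 50002, "192.168.30.1", 443),
        "iot_dns_to_pfsense": Packet("IOT", "udp", "192.168.70.30", 50003, "192.168.70.1", 53),
        "iot_dns_to_8888":    Packet("IOT", "udp", "192.168.70.30", 50004, "8.8.8.8", 53),
        "iot_to_internet":    Packet("IOT", "tcp", "192.168.70.30", 50005, "1.1.1.1", 443),
    }
    return {name: fw.filter(pkt) for name, pkt in cases.items()}
```

Two caveats the model makes visible. The block rules on the IoT interface only do their job because they sit above the "allow to any" rule; with `misordered=True` the printer reaches the LAN file share and the web UI. And the DNS redirect only works because a pass rule matches the redirected destination (127.0.0.1 is inside `This Firewall`); on real pfSense that is the "associated filter rule" the port forward creates. One thing the model leaves out: discovery of a Chromecast or printer from the LAN uses mDNS multicast, which does not cross a routed VLAN boundary on its own, so in practice the LAN-to-IoT direction also needs an mDNS reflector such as the Avahi package.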