Lan and Vlan for IOT separation
andy22 last edited by
I am very novice to the pfsense. Just installed it few days back and I am already loving it. I am still trying to digest as much as I can from the threads. I would like to start using it as soon as I can figure out how can i creater complete separation of my private lan and vlan that I created. Here is my scenerio:
Dell Poweredge R-710 (I am planning to use this server for other things as well in addition to running pfsense. For e.g. FreeNas). It has 4 nics.
Smart web managed Switch: Netgear Prosafe GSS108E
Routers: Netgear Nighthawk 1750 (for IOT) and Netgear Nighthawk 1900 (For LAN)
I have a LAN in pfSense with 192.168.30.1/23
VLAN with 192.168.70.1/23
Here is my setup:
WAN (which is also behind Verizon Fios gateway)--> PE-R710 Port#1 (This is my PfSense WAN interface)
Here is my switch configuration:
I have dedicated ports 1-5 for the LAN and ports 6-8 for the VLAN as seen above
From NIC#2 on R-710, it goes to port#6 on switch (for vlans)
From Nic#3 on R-710, it goes to port#1 on switch (for LAN)
Until now, reading at forums and articles, I am at the point where, I can get the IP addresses for both LAN and VLANs and they all can connect to the internet just fine.
What I would like to accomplish:
I would not like web interface to be accessible from VLAN interface
I would like to make sure that DNS queries goes always to the pfSense and client can't override it even when they setup on their computer to use different DNS servers (I think I made an attermpt to achieve that by setting up the NAT redirect to 127.0.0.1 but I don't understand it since I simply followed the tutorial. Can someone please confirm it. I will appreciate it)
Biggest thing: I would like to isolate my IOT Vlan so that device in LAN can talk to printer, chromecast, Alexa, TV, etc but IOT devices can absolutely have no way to approach my LAN network
What other things I can do to tighten up my security?
How can I persist the logs and analyze it? Is there any reporting plugin available that can help me achieve that?
Is there any way I can automatically get email of my configuration backup OR store it somewhere on cloud on scheduled basis?
Can someone please help me achieve these based on my situations.
I have provided series of screenshots below of my setup.
Thanks a lot.
Currently I just have pfBlockerNg installed. (I tried pfBlockerNg-devel version but just couldn't make it work.. That is a whole new post for the future.)
Here is my interface configuration:
This is my PfBlockerNg Configuration:
And here are the rules for each interface.
Here are my DNSBL feeds:
I have enabled Easy list and Easy privacy and selected all categories as well
Here are few of my IPv4 feeds:
DNS forwarder is disabled
No DNS servers are defined in General settings and also on the DHCP server side.