Multi-LAN PfSense Setup - Technical Brick Wall Hit By Simpleton
Forgive me... not sure this is in entirely the right category.
It's been a LOT of years since I was messing with a home/SOHO pfSense setup - a terrific testament to the fact that, with the exception of an OS upgrade corruption on my PCEngines Alix dual-LAN appliance (which I quickly got running again using a serial cable and some serious step-by-step), it has run for ten years without issue.
I noticed latterly that the Alix box is now a hardware limitation in the version of pfSense that I can run, and that it isn't getting better for age and so I splashed a little cash and got a Watchguard XTM 5 flashed with an up-to-date pfSense which I'm now manually copying settings across to from the Alix with the purpose of retiring the Alix to a satellite office that I've just set up for my business (regulatory requirement) where it will just run a very basic SOHO network connected to a wireless broadband router.
As I've been setting up the new pfSense box I've been thinking about expanding (thanks to more LAN ports than before) and thus tidying up some of the function in my home/SOHO network, removing wireless access points here and there and having dedicated WIFI & Mesh 'Nodes'.
And this is where it all falls apart.
I've got the Watchguard XTM 5 running PFSense.
I've got an interface (em0) connected to a fibre modem for the WAN connection - same connection that has been brought across from the ALIX. This works just fine. Settings are the same, setup is the same and it's tested and works.
I've migrated across the 'LAN' interface (X.X.1.0) and all the rules and such like from the ALIX to (em2), a dedicated port which is then Cat6 cabled to a 24-port Gigabit switch. It also seems to work perfectly and will substitute directly for the ALIX setup.
I've also migrated across my second LAN which we'll call 'SERV' (X.X.2.0), and all the rules, etc. This subnet hosts a couple of appliance 'servers', a mail server and a VOIP server which, through the configured rules, are secured with very specific port forwarding. I won't begin to claim that I understand how every interaction between the SERV and the LAN subnets works; I had help configuring them which is no longer available (my friend died) and I only understood the basics, though I am willing and would like to learn more.
Where I come unstuck, a little bit, is at this point... I've done a lot from memory and a lot of copying what came before, and have managed to create and assign several additional interfaces, set their IPs and configure them for DHCP. And then come to a grinding halt.
The two critical additional interfaces pertain to wireless networks.
Previously what I had was two separate wireless networks (one for TV and media streaming, the other gaming and general wireless computing) using two separate wireless routers set to access point mode.
As the number of wifi devices in the house has increased, the limited throughput of cheap routers in access point mode is apparent not to mention older, slower wifi technology, and not powerful enough to give good coverage in the house.
So... I've got a Linksys WRT32X which will run wireless for the gaming and I've got a Tenda MW5 MESH kit to cover the house in wifi for media streaming.
And on the Watchguard I've now added these two extra interfaces as subnets with DHCP.
They are MESH (X.X.3.0 - em3) and WIFI (X.X.4.0 - em4).
I preferred the idea of the separated subnets because of the potential for dealing with the traffic on the subnets in 'blocks.' For example, at the moment I am running VPN on several of our media streaming devices but had considered the possibility in the future of assigning the VPN at the router level. I similarly use a VPN on the laptops/tablets but a different provider, so thought about that VPN also being installed at the router level. As an additional thought, I wondered (since I receive clients at the SOHO) about the possibility of an additional GUEST wifi network which was also independently VPN'd but which had no access to the other networks, but that's further down the line.
I've pretty much gotten as far as being chuffed to bits that all these subnets work, and they all connect their respective clients to the internet. But then I thought about how they should also be able to connect to and be connected to by clients on the other networks.
For example, my QNAP was originally on the LAN and the wireless access points were also on the LAN, albeit each was assigned a specific DHCP pool, and as a result they were all able to use the QNAP NAS, and the QNAP NAS was able to see all devices on the subnet...
How do I get those subnets talking directly to any or all of the other subnets?
This is where my memory of what I first did with the ALIX (actually, a custom modified PC with three NICs before that) falls apart.
I'm generally aware that NAT and port forwarding and firewall rules can route that access on an IP address (or alias), or indeed a subnet level - but does it need to be that intricate?
How should I view VLANs? Is there a way to make MESH and WIFI bridges on to LAN somehow? And then to make WIFI bond with SERV while never granting MESH that access?
Presumably I can add that third GUEST subnet using its own wireless access point and it will simply exist in isolation from the other subnets by default?
What are VLANs? Do they tidy this issue up in any way by reducing the number of rules and NATs and such between subnets?
Would a kind soul be able to help me with this exercise, please?
I'm nobody on this site, struggling myself but reading all posts I can to try and learn where possible. I read yours but honestly wouldn't know where to start with all that info.
I'm in a similar scenario with a huge network design task in front of me. It's not my main area of expertise by a long shot and I've had to split it up into tiny tasks and fight each one separately, inch by painful inch.
Maybe the other guys can see the big picture in your post, but I think perhaps you would have better luck if you stripped down your post to more specific questions. I think I've made this mistake myself in several posts which just don't get much response. I can feel your pain; I just think maybe shorter, more specific questions might get you further on here.
Just my take so you at least get one response.
Well, I didn't find any issue with your work, but you have some basic routing and switching problems. I will try to make it simple...
NAT isn't for routing. NAT prevents private networks from being exposed on the public internet, which cannot route private addresses, and NAT is used to allow private networks to access the public internet.
Port forwarding is used to provide private services to public networks.
VLANs are used to separate networks; a VLAN can't communicate with another VLAN directly, they communicate by routing.
So, in your setup, NAT is used on the WAN port, which replaces the source (private network address) with the public address; then the public side knows how to transmit back.
Port forwarding is like someone accessing your public address on port 80, which is HTTP; then your firewall forwards the request to the server in your private network.
In your private network, your firewall performs like a router that knows every network, so if an address in LAN wants to access an address in SERV, it will forward the packet to the gateway of the LAN, which is your firewall's LAN address; then the firewall knows where the next hop is and will forward the packet to the SERV network.
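As an added illustration (not code from the thread or from pfSense itself) of the per-interface, first-match rule evaluation the reply above describes, this Python model encodes the inter-subnet policy the original post asks about: MESH and WIFI reach the LAN (and the NAS on it), WIFI also reaches SERV, MESH does not, and a future GUEST subnet only reaches the internet. The 192.168.x.0/24 addresses, the GUEST subnet and the rule tables are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets standing in for the post's X.X.1.0 .. X.X.4.0 (192.168 assumed),
# plus the GUEST subnet the post only mentions as a future idea.
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in (
    ("LAN", "192.168.1.0/24"), ("SERV", "192.168.2.0/24"), ("MESH", "192.168.3.0/24"),
    ("WIFI", "192.168.4.0/24"), ("GUEST", "192.168.5.0/24"))}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str  # "pass" or "block"
    dst: str     # a key of NETS, "rfc1918" (all private space) or "any"

# One rule table per interface, evaluated on the interface where the packet ENTERS
# the firewall, top to bottom, first match wins; no match is the implicit block.
# Replies need no rule because the firewall is stateful.
RULES = {
    "LAN":  [Rule("pass", "any")],
    "SERV": [Rule("pass", "any")],
    # MESH may reach LAN (the NAS) and the internet, but no other private network.
    "MESH": [Rule("pass", "LAN"), Rule("block", "rfc1918"), Rule("pass", "any")],
    # WIFI additionally gets SERV.
    "WIFI": [Rule("pass", "LAN"), Rule("pass", "SERV"), Rule("block", "rfc1918"), Rule("pass", "any")],
    # GUEST is internet-only: the block must sit ABOVE the catch-all pass.
    "GUEST": [Rule("block", "rfc1918"), Rule("pass", "any")],
}

def rule_matches(rule, dst_ip):
    if rule.dst == "any":
        return True
    if rule.dst == "rfc1918":
        return any(dst_ip in net for net in RFC1918)
    return dst_ip in NETS[rule.dst]

def decide(src, dst):
    """Return 'pass' or 'block' for a new connection from src to dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # The ingress interface is the one whose subnet contains the source address.
    iface = next((n for n, net in NETS.items() if src_ip in net), None)
    for rule in RULES.get(iface, []):
        if rule_matches(rule, dst_ip):
            return rule.action
    return "block"

if __name__ == "__main__":
    for flow in (("192.168.4.10", "192.168.2.5"), ("192.168.3.10", "192.168.2.5")):
        print(flow, "->", decide(*flow))
```

Each list in RULES corresponds to the rule table on one pfSense interface tab; swapping the order of the block and the catch-all pass on GUEST would silently open the whole private range, which is the classic mistake to check for.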