General Guidence In Setting Up A Multi-vLan Network
I’m hoping I can get some advice on the best practices of segmenting my network into various vlans. Currently I have everything running under one network (192.168.170.1/24) with the following infrastructure:
pfSense is running on an older Lenovo desktop with a 4 core Intel Core i5-2400 CPU @ 3.10GHz with 16 GB ram. The desktop has an integrated Intel NIC and additional 4 port Intel NIC card. The wan is connected directly to a Verizon ONT (no modem) with a 1 GB up/down connection.
I have two 8 port GB switches, the first is a dumb Netgear G5608, and the other is a D-Link DGS-1100-8 managed vlan switch.
Primary Server – This is a Microsoft AD Server and functions in 2 primary capacities. First is as a host for SOHO business applications (CRM, accounting, etc.) and a media center for my home. And second it hosts a Virtual Machine that provides Remote Desktop Services for my business that an offsite user accesses over a site-to-site OpenVpn tunnel. The server has 2 NICs which are in bridge mode.
Unifi AC-Pro – acts as an access point to the network for wireless devices.
Offsite computer – needs access to the Virtual Machine on the Primary Server to connect to the Remote Desktop Services.
Laptop1 – Needs access to everything. This is my machine.
Phones, Tablets and Laptop 2 –Only need access to the internet, Laptop 2 is wife’s works computer. One of the tablets needs to communicate to a specific port on the primary server to access the media server.
TIVO – DVR and media streamer for the TV, needs access to the internet only.
VOIP Phones – needs access to the internet only.
Printers – there are 2 of them. Ideally the Primary Server, Virtual Machine, Laptop 1&2, tablets and phones would have access to at least one of them. For example, I could segment 1 printer for AD server use and the other for general network use.
I’m running the following services on pfSense:
pfBlocker – both for IP and DNS blocking
DHCP – for the whole network including AD clients.
DNS – using Unbound in default mode to root servers, except AD clients are routed to Primary Server through DHCP DNS settings then forwarded by Primary Server to pfSense.
OpenVPN Server – provides site-to-site VPN for remote worker (offsite router is also pfSense), and an additional “Remote Warrior” VPN into the network. I would like to set up the “Remote Warrior” in two ways, first as a general VPN where I could route internet traffic through pfSense (for example an offsite tablet so it can get the protection of pfBlocker) and second, full access by Laptop1 so that I can administer the network if offsite.
OpenVPN client – connection to a VPN provider for outgoing WAN.
My primary goal is to try to better segment the network for security and could use some general guidance on how to best accomplish segmenting the network. Things that come to mind that I’m in the dark about is to what extent is it better to create multiple vlans or would it be better to just assign some of the NIC interfaces to different subnets? When would it be better to have the managed switch handle the subnets as opposed to pfSense?
This is my first foray in to vlans so I’m looking for general guidance and direction so I can focus my efforts in trying to better understand the direction to go in setting up the network.
Thanks for your input.
You don't really need vlans, just separate lans. :)
You already have 5 lan interfaces, and since one should be dedicated to the wan, you can have up to 4 segmented lans to play with, without any vlans.
If you need more that that, then the dlink switch in 802.1p mode can provide even more segmented lans.
But I think 4 is enough.
Lets say 4 zones, business, leisure, guest/wifi/printers/phones, and??
Of course things get complicated if for example you want wifi access to he business segment from wifi for some devices, but not for guests, or we don't want the missus to have fb access (god save us).
You should strive to have devices having common internet requirements on the same lan, so you can leverage pfblockerng et al better.