    Is this a good network architecture/configuration that makes good/secure sense?

    General pfSense Questions
    6 Posts 3 Posters 1.1k Views
    imthenachoman

      I want to spend time planning on the front-end so I avoid headaches down the road.

      I just need a second set of eyes on what I am thinking to make sure it makes sound sense, if I am missing something, or if I am over-complicating.

      What I Have

      • FIOS
      • pfSense box
      • 8 port Unifi PoE switch
      • Unifi 6 Lite AP
      • FIOS wifi 6 router (spare; free; not being used; I'd like to use it unless there is a reason I shouldn't)
      • Intel NUC as home server with some internet accessible Docker containers (https, Plex, etc...)
      • personal desktop
      • work desktop
      • SmartThings HUB
      • Roku
      • personal laptop
      • personal phones
      • IoT devices

      How I Plan To Connect Everything

      • FIOS ONT to WAN port on pfSense
      • LAN port on pfSense to 8 port Unifi PoE switch
      • 8 port Unifi PoE switch to:
        1. Unifi 6 Lite AP for Roku, personal laptop, personal phones, and IoT devices
        2. FIOS wifi 6 router for guest devices
        3. SmartThings HUB
        4. Intel NUC
        5. personal desktop
        6. work desktop

      VLANs

      • servers - VLAN 10
        • Intel NUC
      • computers - VLAN 20
        • personal desktop
        • work desktop
        • home SSID from Unifi 6 Lite AP
          • Roku
          • personal laptop
          • personal phones
      • IoT - VLAN 30
        • SmartThings HUB
        • IoT SSID from Unifi 6 Lite AP
          • IoT devices
      • Guest - VLAN 40
        • FIOS wifi 6 router with guest

      Rules/Policies I Think I Need

      • port forward DNS queries back to pfSense for all VLANs
      • block all IPv4/IPv6 traffic on WAN, any protocol, any source, any destination
      • port forward specific WAN ports (HTTPS, Plex, etc...) back to Intel NUC on servers VLAN
      • Guest and IoT VLAN should have no access to any other LAN/VLAN
      • Only computers VLAN should be able to access pfSense with anti-lockout for pfSense
      • port forward any NTP time lookups back to pfSense
      • allow pinging FROM servers and computers VLANs
      • allow WAN traffic on specific ports for all VLANs
        • this will be specific to each VLAN
        • for example:
          • servers will need to use random ports for the services it runs
          • computers should only have a few like HTTP/HTTPS
          • similar for IoT and Guest
      • limit inter VLAN communication
        • computers should be able to reach anything
        • servers should probably not be able to reach anything
        • servers should only allow access on specific ports from specific devices in computers
      • ???


      How does this all look? Any glaring issues I am not seeing? What about any more rules/policies I need that I am missing?

      Any advice/perspective/experience is appreciated. TIA!

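The rule list above is really an ordering problem: pfSense applies NAT (port forwards, the DNS/NTP redirect) before the filter rules, then walks the rules of the interface the packet arrived on from top to bottom and stops at the first match, with an implicit deny at the end. The block below is an added example, not pfSense code or anything posted in this thread: a small first-match model of the intended policy so the order of the "block other VLANs" and "allow Internet" rules can be checked before they are clicked into the GUI. The subnets, the NUC and desktop addresses, the WAN address and the forwarded ports are assumptions; the redirect is modelled as rewriting the destination to the VLAN's gateway address rather than to 127.0.0.1 as the pfSense docs do, which gives the same verdict here.

```python
"""Added example (not pfSense code): a first-match model of the rule set
described above, so the rule ORDER can be checked before it is clicked into
the GUI. Subnets, host addresses and service ports are assumptions."""
import ipaddress
from dataclasses import dataclass

IPNet, IPAddr = ipaddress.ip_network, ipaddress.ip_address
VLANS = {"servers": IPNet("10.0.10.0/24"), "computers": IPNet("10.0.20.0/24"),
         "iot": IPNet("10.0.30.0/24"), "guest": IPNet("10.0.40.0/24")}   # assumed
FIREWALL = {name: net[1] for name, net in VLANS.items()}   # pfSense is .1 on every VLAN
RFC1918 = [IPNet(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NUC = IPAddr("10.0.10.10")                  # assumed home server
DESKTOP = IPAddr("10.0.20.10")              # assumed personal desktop
INTERNET = IPAddr("203.0.113.5")            # stands in for any public source
WAN_IP = IPAddr("198.51.100.1")             # assumed FIOS public address
PORT_FORWARDS = {443: NUC, 32400: NUC}      # WAN HTTPS and Plex -> NUC (assumed ports)
REDIRECT_TO_FIREWALL = {53, 123}            # DNS and NTP are redirected on every VLAN

@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    port: int

@dataclass
class Rule:
    action: str            # "pass" or "block"
    dst: object = "any"    # "any", "rfc1918", "firewall", an IPv4Network or an IPv4Address
    ports: tuple = ()      # () = any port
    src: object = "any"

def iface_of(addr):
    """Interface a packet from addr arrives on: its VLAN, or WAN for public sources."""
    return next((n for n, net in VLANS.items() if addr in net), "wan")

def _match(spec, addr, iface):
    if spec == "any":
        return True
    if spec == "rfc1918":
        return any(addr in n for n in RFC1918)
    if spec == "firewall":          # pfSense's "This Firewall (self)" destination
        return iface != "wan" and addr == FIREWALL[iface]
    if isinstance(spec, ipaddress.IPv4Network):
        return addr in spec
    return addr == spec

def evaluate(flow, policy):
    """Return (action, reason) the way pfSense would decide for this packet:
    NAT (port forwards, DNS/NTP redirect) runs first, then the rules of the
    ingress interface top to bottom, first match wins, unmatched traffic dropped."""
    iface, dst = iface_of(flow.src), flow.dst
    if iface == "wan" and flow.port in PORT_FORWARDS:
        dst = PORT_FORWARDS[flow.port]
    elif iface != "wan" and flow.port in REDIRECT_TO_FIREWALL:
        dst = FIREWALL[iface]           # the DNS/NTP redirect, modelled as the VLAN gateway
    for i, r in enumerate(policy.get(iface, [])):
        if (_match(r.src, flow.src, iface) and _match(r.dst, dst, iface)
                and (not r.ports or flow.port in r.ports)):
            return r.action, f"{iface} rule {i}"
    return "block", f"{iface} default deny"

def isolated_vlan(internet_ports=(80, 443)):
    """Rules for a VLAN that may only use pfSense for DNS/NTP and reach the Internet."""
    return [Rule("pass", dst="firewall", ports=(53, 123)),
            Rule("block", dst="rfc1918"),        # must sit ABOVE the Internet pass rule
            Rule("pass", ports=internet_ports)]

POLICY = {
    "wan": [Rule("pass", dst=NUC, ports=tuple(PORT_FORWARDS))],  # the forwards' associated rules
    "computers": [
        Rule("pass", dst="firewall", ports=(53, 123, 443)),       # DNS, NTP, webGUI
        Rule("pass", src=DESKTOP, dst=NUC, ports=(22, 32400)),    # one host, two ports, into servers
        Rule("block", dst=VLANS["servers"]),                      # the rest of computers stays out
        Rule("pass"),                                             # anything else, Internet included
    ],
    "servers": [Rule("pass", dst="firewall", ports=(53, 123)), Rule("block", dst="rfc1918"), Rule("pass")],
    "iot": isolated_vlan(),
    "guest": isolated_vlan(),
}
# The IoT rules with the Internet pass rule above the RFC1918 block: a common ordering mistake.
MISORDERED = dict(POLICY, iot=[POLICY["iot"][0], POLICY["iot"][2], POLICY["iot"][1]])

def check(policy):
    """Verdicts for constructed test flows against a policy."""
    cases = {
        "desktop_to_nuc_ssh": Flow(DESKTOP, NUC, 22),
        "laptop_to_nuc_ssh": Flow(IPAddr("10.0.20.50"), NUC, 22),
        "iot_to_nuc_https": Flow(IPAddr("10.0.30.7"), NUC, 443),
        "iot_dns_to_8_8_8_8": Flow(IPAddr("10.0.30.7"), IPAddr("8.8.8.8"), 53),
        "guest_to_webgui": Flow(IPAddr("10.0.40.9"), FIREWALL["guest"], 443),
        "internet_to_plex": Flow(INTERNET, WAN_IP, 32400),
        "internet_to_ssh": Flow(INTERNET, WAN_IP, 22),
        "nuc_to_desktop_smb": Flow(NUC, DESKTOP, 445),
    }
    return {name: evaluate(f, policy)[0] for name, f in cases.items()}
```

Two things the model makes visible that the bullet list does not. First, "servers should only allow access on specific ports from specific devices in computers" is enforced on the computers interface (rules are evaluated where traffic enters pfSense), so it is the desktop-to-NUC pass followed by a block to the servers subnet that does the work, not anything on the servers interface. Second, with the IoT Internet pass above the RFC1918 block (`MISORDERED`), an IoT device reaches the NUC's HTTPS port even though the block rule exists. Caveats for the real box: this is IPv4 only, and an RFC1918 alias blocks nothing over IPv6, so either disable IPv6 on the IoT and guest VLANs or add the firewall's IPv6 prefixes and fe80::/10 to the block alias; and the anti-lockout rule exists only on the interface pfSense treats as LAN, so "only computers can reach the webGUI" holds only if the computers VLAN is that interface or an explicit pass to This Firewall on 443 is added there.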
      heper @imthenachoman

        Most of it seems fairly doable to me....

        Personally I wouldn't bother to give it too much thought for a home network - you can always change it as you go.
        In an enterprise environment it's much more difficult to make big design changes afterwards because of the scale & potential downtime.

        NogBadTheBad @imthenachoman

          Put ALL your SSIDs on the Unifi 6 Lite AP and trunk all the required VLANs to it.

          It's one less Wi-Fi channel you need to worry about.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          imthenachoman @NogBadTheBad

            @heper said in Is this a good network architecture/configuration that makes good/secure sense?:

            you can always change it as you go.

            Sure, but I want to try to get as much right on the front so I don't have to keep mucking with it. Time is hard to come by -- especially with a kid on the way -- which is why I want to do it now because I don't think I will have time later.

            @nogbadthebad said in Is this a good network architecture/configuration that makes good/secure sense?:

            Put ALL your SSIDs on the Unifi 6 Lite AP and trunk all the required VLANs to it.

            I want to make sure my home SSID (VLAN 20) is operating at peak since I only have 1 Unifi 6 Lite AP for my entire house (albeit a small house).

            So would 3 SSIDs on the Unifi 6 Lite AP be better or 2 SSIDs on the Unifi 6 Lite AP and one on the FIOS router?

            NogBadTheBad @imthenachoman

              @imthenachoman How much traffic are you expecting in/out of your IoT network?

              It will be quite small, unless you’re streaming Netflix, etc ...

              Also if you need to extend your coverage you can just add another AP.

              I have 5 SSIDs on my Unifi AC Pro.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              imthenachoman @NogBadTheBad

                @nogbadthebad said in Is this a good network architecture/configuration that makes good/secure sense?:

                Also if you need to extend your coverage you can just add another AP.

                Hoping to avoid buying another AP. I will try it with all 3 SSIDs on my Unifi.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.