Business Scenario for 6 port setup suggestions
-
Hello,
Can I ask for some professional opinions on the setup of the pfsense mini appliance with 6 NICs?
I'm wondering how someone with experience would allocate the basic interfaces and why.
I know there are different needs, business practices, etc... but just some general ideas would help.
Based off common needs variables like:
Corporate users
maybe contractors, temps, interns, visitors
Thinking about Phones, badge/security/access
WIFI/Wireless, VPN, etc...
and how you might choose your setup for the 6 NICs, and what you might put on each one on top of that or in conjunction, like Virtual IPs / VLANs, etc., to get the most logical use out of your setup.
I am very interested in what professionals would do. I also do not want to keep tearing down and rebuilding, so I am trying to find out beforehand before continuing on with more detailed setup and training.
I do have automated backups running and have been doing a manual backup before making changes.
Currently, I have all 6 NICs assigned: WAN with the default 2 rules, DMZ doing and giving DHCP addresses to client hosts, and Captive Portal with vouchers working. (I have not figured out how to isolate networks with DHCP servers to only give out IPs to specific hosts. I am assuming VLANs, which I have not started learning yet.)
The other 5 NICs have: ICMP/DNS/80/443 from their subnet to any, except the DMZ captive portal, which has ipv4/any/any because I have not figured out what least ports to open to get it to work correctly. (User error, I am sure.)
Sorry for the long question, but I tried to give you enough information on the first go around so you have a bone to work with. I know there are multiple issues I mentioned, but the allocation of the 6 NICs is my main question in this post. Thank You, Wayne
-
@burlinwa A layout of the corporate structure and how departments, users, contractors, temps, interns and visitors interact on the network would help to know which department belongs in the DMZ, etc.
You will definitely want IDS/IPS with a paid subscription. For contractors, do you want them on a secure blockchain, etc.? Then the phone system on a dedicated SIP trunk with a proprietary or open source platform; the type of business operation should be specified... you're really asking a mouthful, indeed. The easiest part will be visitor WiFi use, as it will be isolated from the company network. If I were you, I would contact Netgate directly for professional help.
-
@nollipfsense Thank you for the reply Nolli.
Yes, quite a mouthful, I know. I really just wanted some thoughts from people that have experience with pfsense.
I'm not building an actual pay-to-play infrastructure.
I wanted to glean some wisdom from others who have already built something that works in a corporate environment.
I'm not trying to "tinker with pfsense". I have purchased 2 Udemy courses and 2 books, but still I find the documentation
and training is not as detailed or pervasive as, let's say, Microsoft SCCM, imaging, etc. Desktop support and mass deployments are more my current forte and skills.
I just wanted to get a visual on how people with experience in networking and pfsense might lay out their plan with a 6 nic appliance.
Someone experienced should be able to let me know in 1-2 paragraphs what I am asking though.
It's not a concrete answer or an "official network and design architect" answer I am looking for, so I do not have a reason to contact Netgate support.
-
@burlinwa IMO your design approach is back to front. I suggest you start with the requirement, then work back to the hardware required. For example:
- What device classes and how many of each device class need to be connected?
- What bandwidth is required between local devices?
- What bandwidth between different device groups?
- What WAN bandwidth?
- What downtime is acceptable? What redundancy will you need to achieve the reliability requirement?
- What is your organisation's policy on in-house vs contracted services?
-
@patch Patch, thank you for this information and it makes sense and seems like the needful thing to do before a deployment.
You saw through my long-winded request and got to a root answer and deciphered what I needed to know or was trying to ask.
I'll copy and keep these questions as a checklist to make sure I have these types of questions answered.
I have just a home lab, and NO network load per se, but the principles are useful and solid info.
-
@burlinwa said in Business Scenario for 6 port setup suggestions:
I have just a home lab
For that
- What's the peak bandwidth to each LAN/WAN, i.e. do you need a LAGG to achieve that given the NICs you have?
- What network isolation / separate LANs do you need to implement that?
- For just switch ports, use a dedicated switch
-
@patch said in Business Scenario for 6 port setup suggestions:
I suggest you start with the requirement then work back to the hardware required.
Yup, that^.
Though if that's not fully known, I would probably go with using two ports as a LAGG to a switch and then add VLANs as required.
Use the other ports for WANs and maybe local management.
Steve
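As an added illustration of the "requirements first, then ports" advice from Patch and Steve above (this is example code, not anything from the thread or from pfSense), the following planner takes a list of segments with their peak bandwidth, keeps WAN and management on their own ports, and sizes one LAGG trunk to the switch for the VLAN-carried segments. All names (`Segment`, `plan_ports`, `EXAMPLE_SEGMENTS`) and the 1 GbE port speed are assumptions for the example.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NIC_MBPS = 1000   # assumed: the appliance's six ports are 1 GbE
TOTAL_PORTS = 6   # the six-port appliance discussed in the thread


@dataclass
class Segment:
    """One network the firewall must serve: a row from the requirements checklist."""
    name: str
    peak_mbps: int                 # peak bandwidth this segment pushes through the firewall
    own_port: bool = False         # True for WAN/management that should not ride the VLAN trunk
    vlan: Optional[int] = None     # VLAN tag if the segment rides the LAGG trunk


def ports_for(peak_mbps: int, nic_mbps: int = NIC_MBPS) -> int:
    """Physical ports needed to carry peak_mbps, rounded up to whole NICs.
    Caveat: LACP balances per flow, so a single flow never exceeds one member link."""
    return max(1, math.ceil(peak_mbps / nic_mbps))


def plan_ports(segments: List[Segment], total_ports: int = TOTAL_PORTS,
               nic_mbps: int = NIC_MBPS) -> Tuple[Dict[str, int], Dict[str, Optional[int]]]:
    """Return ({role: port count}, {segment: vlan tag}) or raise if the appliance is too small."""
    plan: Dict[str, int] = {}
    trunked = [s for s in segments if not s.own_port]
    for s in segments:
        if s.own_port:                         # WAN / management get dedicated ports
            plan[s.name] = ports_for(s.peak_mbps, nic_mbps)
    if trunked:                                # everything else shares one LAGG to the switch,
        trunk_peak = sum(s.peak_mbps for s in trunked)   # sized for their combined peak
        plan["LAGG trunk"] = ports_for(trunk_peak, nic_mbps)
    used = sum(plan.values())
    if used > total_ports:
        raise ValueError(f"need {used} ports, appliance has {total_ports}")
    plan["spare"] = total_ports - used
    return plan, {s.name: s.vlan for s in trunked}


# Constructed sample requirements, loosely following the roles named in the thread.
EXAMPLE_SEGMENTS = [
    Segment("WAN", 500, own_port=True),
    Segment("MGMT", 10, own_port=True),
    Segment("LAN", 800, vlan=10),
    Segment("DMZ", 300, vlan=20),
    Segment("VOIP", 50, vlan=30),
]

if __name__ == "__main__":
    print(plan_ports(EXAMPLE_SEGMENTS))
```

With the sample numbers the LAN, DMZ and VoIP segments together exceed one 1 GbE port, so the planner asks for a two-port LAGG, leaving two ports spare.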
-
@stephenw10 Stephen / Patch, I think I have some basic info now. I'll keep the documenting/requirements info for needed information and try learning more about devices/bandwidth calculations, etc.
Based on your tips I'll try out 4 ports (WAN (locked down except a port forward to a web server), LAN, DMZ, VoIP) and 2 in a LAGG. Captive portal and VPN too, but I have not figured that part out yet.
I'm also trying to find out about NAC (Network Access Control) and getting user and device certificates installed on domain join or login via pfsense. We use NAC at the plant I work at, and it really appears to be a great tool to use to limit what can be done by users without those certificates installed.
I think traffic shaping will definitely help the VoIP (there is no traffic or load, as I can only be on a few systems at a time, unless I can find some type of website or service that sends mock traffic).
If I can get it to work, I'll have set up a Hyper-V SCCM / domain DC deployment lab (about 3 servers and 5 workstations) connected to Azure and AAD, and FreePBX is on Hyper-V as well.
-
@burlinwa said in Business Scenario for 6 port setup suggestions:
Thinking about Phones, badge/security/access
@burlinwa said in Business Scenario for 6 port setup suggestions:
and 5 workstations)
Glad to have gotten the conversation started. At first, I thought it was some top secret corporate mission with retina biometric security entry access... now I know it's a five-person team.