Nested Pfsense over vlan - design and sanity check
-
Network Diagram:
I have two networks one is a 192.168/24 and the other is a 10.42/24 range each with a pfsense instance that I would like to intentionally keep isolated. The goal is to basically dmz or forward many ports from the 1st instance to the 2nd pfsense instance so it almost act independently. I would also like traffic isolated between the two networks. The networks are connected via one cable between two switches. A l3 juniper switch is in the 192.168 range and a ubiquiti 3 switch is in the 10.42 subnet. The uplink port on the 2nd switch (ubiqiuti) tags all traffic incoming traffic from the 192.168 range with vlan 999. All other traffic in both networks is untagged. I don't want to tag the default network to keep it simple. Pfsense also gets 1 cable and it expected wan on vlan999 and then leaves everything else untagged. I set this all up as in the diagram and I'm a bit concerned because I checked the "Block Bogon Traffic" box expecting it to break everything and it still works. I'm not sure how I'm able to ping a target from the 10.42 lan to the 192.168 lan. I have an allow all out rule from the lan but wouldn't that rule prevent the pingresp?
Will this work?
How can I test isolation well between the two networks?
Any recommendations on a forwarding strategy ? vip, dmz, haproxy ect.. -
@ashtonianagain that drawing doesn't make a lot of sense as drawn.
Is that 10.42.0.1 the Lan IP of downstream pfsense, what is its wan IP that is on the 192.168.1/24 network?
You have some network on your juniper switch vlan 999, that is in this 10.42.0 network, how is that routed to your upstream pfsense? On your juniper? So now your using 192.168.1 as transit..
You should connect your downstream router to your upstream via a transit network (no hosts on it).. this makes it very easy to isolate just on your upstream firewall.
-
@johnpoz Thanks for the reply and time.
The 10.42.0.1 is the lan ip, the wan ip is 192.168.1.100. The downstream switch just tags all incoming traffic from the upstream switch as vlan 999. The only device that is theoretically also on vlan 999 is the downstream pfsense wan interface. Does that answer the routing thing? There are no other hosts on vlan 999. Which I think would make that a transit network?
-
@ashtonianagain said in Nested Pfsense over vlan - design and sanity check:
Which I think would make that a transit network?
Just because you tag it on the switch as 999 on 1 interface, but not another, but its still 192.168.1.. And you have hosts on this network.
Which means to stop something on your 10.42 network from talking to something your 192.168.1 network you have to block it there. Now since your natting and and if you don't do any port forwards 192.168.1. couldn't talk to 10.42 unless you did a port forward, and you would be asymmetrical if you didn't do host routing on the 192.168.1.x device. And the downstream router would also be blocking source traffic from rfc1918 anyway.
Its a convoluted setup to be sure.. Just create a transit network on your edge pfsense, say 172.16.0.0/30 and put your downstream router wan on this network..
Here this is how you setup downstream routers.
