Netgate Discussion Forum

How to isolate LAN nodes

Category: General pfSense Questions
12 Posts, 3 Posters, 1.3k Views
cubits (posted Mar 7, 2023, 5:32 PM; last edited Mar 7, 2023, 5:33 PM):

Hi, I am new to Netgate and using pfSense+. The following is my network architecture:

[image attachment: 07212e0f-df66-4198-9860-370463471638-image.png]

What I am trying to achieve is to block communication between the nodes at the bottom (192.168.10.x). At the same time, I want to allow specific VPN nodes to communicate with the LAN nodes, and between the LAN nodes on a case-by-case basis, but basically remain blocked if not allowed.

I tried giving a firewall entry to block between two nodes, and still they can communicate. What is the best solution I can get for this case?

lnguyen @cubits (posted Mar 7, 2023, 5:36 PM; last edited Mar 7, 2023, 5:38 PM):

@cubits Use a managed switch and employ Private VLAN on the ports you want isolated.

https://kb.vmware.com/s/article/1010691

cubits @lnguyen (Mar 7, 2023, 5:40 PM):

@lnguyen Is the Cisco SG-220 26-port switch a managed one?
https://www.cisco.com/c/en/us/support/switches/small-business-220-series-smart-plus-switches/series.html

lnguyen @cubits (Mar 7, 2023, 5:40 PM):

@cubits Read the KB I added to my post.

cubits @lnguyen (Mar 7, 2023, 5:42 PM):

@lnguyen OK, thanks much. I need a coffee to understand it. I will get back if I have any more queries.

stephenw10 (Netgate Administrator) @cubits (Mar 7, 2023, 7:42 PM):

@cubits said in How to isolate LAN nodes:

> Is the Cisco SG-220 26-port switch a managed one?

Yes. You can separate those segments with VLANs using that switch.

cubits @lnguyen (Mar 8, 2023, 4:35 AM):

@lnguyen I read the KB article and it looks like it is for installations with a vCenter server. But I don't have a vCenter server and just have ESXi servers. Does that mean what I am trying to achieve is not possible with that?

stephenw10 (Netgate Administrator) (Mar 8, 2023, 7:06 AM):

You can still configure VLANs on the vswitches and pass those to the real switch. Then pass them all to pfSense to filter between them. Each VM could then be in a different subnet and you can filter to/from them as required.

cubits (Mar 11, 2023, 7:50 AM):

@lnguyen @stephenw10
I tried everything I could, but could not get it working. I created a port group with VLAN ID 10 in ESXi:

[image attachment: e5241a03-3ae4-419f-b9ae-5a94051617d2-image.png]

Then I attached a VM's NIC to this VLAN:

[image attachment: 8759c0c4-f1e2-4ae1-84ab-2b428ba09df6-image.png]

In my Cisco SG-220 switch, I added the VLAN as:

[image attachment: f1404b6f-a746-4f85-8f36-863c11cd4819-image.png]

Ensured that the interfaces are trunk:

[image attachment: 3128aab7-6bb9-4c88-8ccf-22e6cd35a72e-image.png]

And then I enabled VLAN tagging on the respective ports:

[image attachment: f5960785-ab65-46ff-8398-5183b5e8634d-image.png]

And finally, I have pfSense with the VLAN as:

[image attachment: de3650d6-2f43-460a-bd61-48ad8a3ea247-image.png]

with an interface as:

[image attachment: 9c26e3c0-454f-467c-a264-a624bc21893a-image.png]

with the DHCP server enabled as:

[image attachment: 2ed24adc-022d-4976-be5c-83bf9895e141-image.png]

But still, I do not get an IP address dynamically inside the VM.

What is the best way to troubleshoot this?

lnguyen @cubits (Mar 11, 2023, 4:44 PM):

@cubits Where is your VLAN10 tag on the Cisco switchport for the uplink to the pfSense firewall?

stephenw10 (Netgate Administrator) (Mar 11, 2023, 5:07 PM):

Yes, which port is which there?

cubits (Mar 11, 2023, 6:22 PM):

@lnguyen @stephenw10 That did the trick, thanks much for helping me out. It was GE25 that the pfSense upstream cable was in.

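Two points in this thread are worth seeing in code: the opening post's observation that a pfSense rule between two 192.168.10.x hosts does nothing (same-subnet traffic is switched at layer 2 and never reaches the firewall), and the final fix, where the VLAN 10 tag was missing from the switch port (GE25) that uplinks to pfSense. The script below is an added example, not code from the thread or from Netgate; it models the VLAN path from an ESXi port group, across the managed switch, to a pfSense VLAN interface and reports where the path breaks. The port names GE1/GE25, the 192.168.20.0/24 subnet for VLAN 10 and the host addresses are constructed assumptions; only VLAN 10, the 192.168.10.x LAN and the GE25 uplink come from the thread.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class SwitchPort:
    """One port on the managed switch (modelled on the Cisco SG-220 in the thread)."""
    name: str
    mode: str                                       # "trunk" or "access"
    tagged: set[int] = field(default_factory=set)   # 802.1Q VLANs accepted tagged
    native: int | None = 1                          # PVID for untagged frames


@dataclass
class Topology:
    port_groups: dict[str, int]                     # ESXi port group -> VLAN id (0 = untagged)
    switch_ports: dict[str, SwitchPort]
    esxi_uplink: str                                # switch port the ESXi host is cabled to
    pfsense_uplink: str                             # switch port pfSense is cabled to
    pfsense_ifaces: dict[int, ipaddress.IPv4Network]  # VLAN id (0 = parent iface) -> subnet
    hosts: dict[str, tuple[str, str]]               # host -> (port group, IPv4 address)


def port_carries(port: SwitchPort, vlan: int) -> bool:
    """Can frames for `vlan` pass this port in the form the endpoints send them?

    An ESXi port group with a VLAN id and a pfSense VLAN interface both emit
    802.1Q-tagged frames, so the VLAN must be a *tagged* member of the port.
    VLAN 0 stands for untagged traffic on the native VLAN, which only needs a PVID.
    """
    if vlan == 0:
        return port.native is not None
    return port.mode == "trunk" and vlan in port.tagged


def check_vlan_path(topo: Topology, vlan: int) -> list[str]:
    """Walk the VLAN from the ESXi port group to the pfSense interface.

    Returns the list of breaks found; an empty list means the path is complete.
    """
    problems = []
    if vlan not in topo.port_groups.values():
        problems.append(f"no ESXi port group uses VLAN {vlan}")
    for role, pname in (("ESXi uplink", topo.esxi_uplink),
                        ("pfSense uplink", topo.pfsense_uplink)):
        if not port_carries(topo.switch_ports[pname], vlan):
            problems.append(f"VLAN {vlan} is not tagged on {role} port {pname}")
    if vlan not in topo.pfsense_ifaces:
        problems.append(f"pfSense has no interface for VLAN {vlan}")
    return problems


def subnet_of(topo: Topology, host: str) -> ipaddress.IPv4Network:
    addr = ipaddress.ip_address(topo.hosts[host][1])
    for net in topo.pfsense_ifaces.values():
        if addr in net:
            return net
    raise ValueError(f"{host} ({addr}) is not in any pfSense subnet")


def traverses_firewall(topo: Topology, src: str, dst: str) -> bool:
    """True only when pfSense routes the traffic, i.e. the hosts are in different subnets.

    Hosts in the same subnet/VLAN talk directly over the switch; pfSense never
    sees those frames, which is why a pfSense block rule has no effect on them.
    """
    return subnet_of(topo, src) != subnet_of(topo, dst)


def thread_topology(uplink_fixed: bool) -> Topology:
    """Constructed data modelled on the thread: VLAN 10, pfSense cabled to GE25.

    With uplink_fixed=False, GE25 lacks the VLAN 10 tag (the state that produced
    'no DHCP lease in the VM'). Port names other than GE25, the 192.168.20.0/24
    subnet for VLAN 10 and the host addresses are assumptions.
    """
    ge25 = SwitchPort("GE25", "trunk", tagged={10} if uplink_fixed else set())
    return Topology(
        port_groups={"VM Network": 0, "VLAN10": 10},
        switch_ports={"GE1": SwitchPort("GE1", "trunk", tagged={10}), "GE25": ge25},
        esxi_uplink="GE1",
        pfsense_uplink="GE25",
        pfsense_ifaces={0: ipaddress.ip_network("192.168.10.0/24"),
                        10: ipaddress.ip_network("192.168.20.0/24")},
        hosts={"vm-a": ("VM Network", "192.168.10.11"),
               "vm-b": ("VM Network", "192.168.10.12"),
               "vm-c": ("VLAN10", "192.168.20.11")},
    )


if __name__ == "__main__":
    for fixed in (False, True):
        print(f"GE25 tagged for VLAN 10 = {fixed}:",
              check_vlan_path(thread_topology(fixed), 10) or "path OK")
    topo = thread_topology(True)
    print("vm-a -> vm-b filtered by pfSense:", traverses_firewall(topo, "vm-a", "vm-b"))
    print("vm-a -> vm-c filtered by pfSense:", traverses_firewall(topo, "vm-a", "vm-c"))
```

Running it with `uplink_fixed=False` reports exactly the break the thread ended on (VLAN 10 not tagged on the pfSense uplink port), and `traverses_firewall` shows why the opening post's rule failed: vm-a and vm-b share the 192.168.10.0/24 subnet, so the only way to put pfSense between them is to move one of them into another VLAN/subnet, as stephenw10 describes, or to use Private VLAN on the switch as lnguyen suggests.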