Multi-Gateway rather than multi-wan
-
Hi all,
I have a 4-port pfsense device and a pretty simple flat network.
I want to set up multiple gateways on the network and have different devices connect to different gateways that will have different configurations on them.
NOTE: only a single WAN link. WHY? you might ask...
I have kids who are coming of age for using devices... the simple answer...
So essentially I have everyone on the same network. I want to configure two NICs on the pfSense to have 2 different IP addresses - let's say 192.168.1.1 and 192.168.1.2 - and then assign IP addresses to the kids' devices that will have .2 as a gateway and have more restrictions and filters in place for what they can access through .2, as opposed to having pretty open access on .1.
I have an unmanaged switch so without buying a new switch I don't have vlan options...
there is no need for kids' devices to access any other devices on the network.
It seems like a pretty simple ask...
Just to add - the kids' devices are wireless and while my UniFi APs can handle VLANs - again I don't actually have a managed switch at this point so would prefer not to spend more.
also open to creative solutions - like what if I run 2 x /25 instead of /24 and then have kids on 1 network vs the other for adults... would that need vlans?
-
@atevet
I think to create new gateways you have to have a service like a VPN to go out to. However, instead of setting up a separate gateway you might first investigate whether your ISP offers a filter service for your children's traffic... problem is they will filter your traffic also. You could install pfBlockerNG and use it to strictly filter/restrict your kids' LAN and still have everything going out the WAN.
Or purchase a VPN service, however I would reverse the usage. I would suggest your traffic go out the VPN service and theirs go out the WAN, since you will have the ISP to back up your restrictions and filters, i.e. a call from your ISP about such and such movie being downloaded illegally at your IP.
-
@atevet so far I've put in the new device and turned it on. At this point I think I'll be able to manage everything using a single network, statically assigned IPs for the kids' machines, and rules that manage content for those. I'm new to this but the journey has started :)
I've also installed pfBlockerNG, Snort, and some monitoring plugins... how bad could it be lol
-
@atevet Seems like a recipe for asymmetric routing. Why not just separate the two using two subnets?
-
@SteveITS interesting - but if I have dedicated wifi access points (the Ubiquiti devices) won't I need VLANs to manage 2 networks? I already have two different SSIDs - one for the kids - if the networks are going to be split and the UAP is on network 1 for example, would it still be able to serve requests on network 2?
-
@atevet
I am not sure you want to use 2 different NICs for LAN on the pfSense side. If you cross networks then you will have slow bridging. It is best to have WAN or WANs and 1 LAN for your firewall. In the Cisco world you just add a second IP address on the 1 interface and run 2 networks off the same interface, ethernet port, so 1 NIC. You don't need multiple ports. If you want to route fast then that is what a layer 3 switch was built for. If you have a really fast CPU and low traffic load then you can get away with using a router. At some point you cross a line where a layer 3 switch will be faster.
I run multiple gateways using a layer 3 switch. All my local routing is performed by my Cisco layer 3 switch. It can route all my networks at wire speed. Then my layer 3 switch routes all traffic to pfsense as it is the default route. My gateways all point to my layer 3 switch.
-
@atevet
What have you decided on your setup? Is it working the way you want?
-
so far I've got the single network set up with static addresses for most devices and some others using dhcp.
I've created a grouping - for example KIDSDevices so I can use single rules to apply to them.
I did start going down the proxy path with the squid packages - I thought at least if I can send the kids info via the proxy that I'd be able to get a better view of what's being accessed and then block as needed, however I also found out that the squid packages are being deprecated so there's probably no point going down that path to have to come up with a new solution later on right?
I think it would have been doable to force the kids down the proxy path while keeping access open for everything else.
so right now I still don't have a good way to view what's being accessed nor a way to block.
I've put in NTOPNG to try and get some visibility but I don't think it necessarily provides enough data or an easy way to view it (not an expert here).
I'm also considering putting in external log analysis but also not my forte
-
@atevet
What you are doing sounds good. Yes you should be cautious creating networking around packages which are planned to be deprecated. The package pfBlockerNG > DNSBL > DNSBL Category has two lists - shallalist (Wrong, shallalist is no longer online) and UT1 which give quite extensive choices to block content without having to do a lot of investigation.
Also: pfBlocker in Python mode has an imho oddly named Python Group Policy section to exclude IPs from DNSBL - allowing the adult devices to go around the above lists.
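As an added illustration (not code from anyone in this thread or from the pfSense project), the following Python models the two-subnet layout suggested above with the /24 split into two /25s, plus a first-match rule set in the style pfSense applies: kids may only use the firewall's own resolver (so DNSBL is actually consulted), never reach the adult half, and otherwise go out the single WAN. The addresses, the KIDSDevices-style grouping and the rule order are constructed assumptions; note that on an unmanaged switch both /25s still share one broadcast domain, so these rules only govern traffic that reaches pfSense, which is why VLANs or a second physical segment were raised in the thread.

```python
import ipaddress

# Constructed layout: one /24 split into two /25s. Adults keep the lower half,
# kids get the upper half. 192.168.1.129 is a hypothetical gateway address on
# the kids' /25 that pfSense would hold.
LAN = ipaddress.ip_network("192.168.1.0/24")
ADULTS, KIDS = list(LAN.subnets(new_prefix=25))
FW_KIDS_GW = ipaddress.ip_network("192.168.1.129/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules in evaluation order (first match wins, like pfSense/pf "quick" rules):
# (action, source net, destination net, protocol or "any", dest port or None)
RULES = [
    ("pass",  KIDS,   FW_KIDS_GW, "any", 53),   # DNS only to the firewall resolver, where DNSBL applies
    ("block", KIDS,   ANY,        "any", 53),   # any other resolver would sidestep DNSBL
    ("block", KIDS,   ADULTS,     "any", None), # kids never reach the adult subnet
    ("pass",  KIDS,   ANY,        "any", None), # everything else leaves via the single WAN
    ("pass",  ADULTS, ANY,        "any", None), # adults unrestricted (subject to their own NAT/WAN rules)
]


def evaluate(src, dst, proto="tcp", dport=None):
    """Return the action of the first rule matching this flow; default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net, r_proto, r_port in RULES:
        if src not in s_net or dst not in d_net:
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "block"  # nothing matched: implicit default deny


def subnet_plan():
    """Which host ranges each group gets under the two /25 split."""
    return {
        "adults": (str(ADULTS[1]), str(ADULTS[-2])),
        "kids": (str(KIDS[1]), str(KIDS[-2])),
    }


if __name__ == "__main__":
    print(subnet_plan())
    print(evaluate("192.168.1.130", "1.1.1.1", "udp", 53))  # block: bypasses DNSBL
```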