Netgate Discussion Forum
    Very basic VLAN Setup (newb question)

      kuhsay:

      Hello,

      I have 3 NICs. I want to set up my network so I have 2 different networks: we'll name one network "public" and the second network "restricted".

      xl1: WAN
      xl0: public
      re0: restricted

      I want both networks to be completely separated from each other.  Computers on the public network should not know the restricted network exists and computers on the restricted network should not know the public network exists.  I might want to have a printer on the restricted network available to both networks.

      Both NICs will be attached to cheap switches which will be attached to computers.  A few ports will be forwarded to a few computers on the public network, and a few different ports will be forwarded to the private network.

      So… what's the best way to set this up? Do I need to use VLANs or will basic firewall rules be sufficient? I originally thought I needed VLANs and one NIC per VLAN, but I am no longer sure if this is the case... I guess I'm just confused as to what to do next. There isn't much documentation on VLANs in the wiki, and trying to search the forums has left me a little more confused than when I started.

      Thanks


        wallabybob:

        Unless I've missed something, you have no need for VLANs. Configure your "public" network as the pfSense LAN network and your "restricted" network as pfSense OPT1. Default firewall rules will separate the LAN and OPT1 networks and you can enable access between OPT1 and LAN as required by adding firewall rules.

        VLANs would be useful if you had more networks you wanted to keep separate than you have physical interfaces. A particular example might be trying to do what you describe but using a small form factor computer with only two LAN interfaces and no expansion capability.


          kuhsay:

          Thanks for clearing that up. Out of curiosity, I saw in another thread that you need a special VLAN capable switch to use VLANs. Is this true, or is it possible to just tag a packet based on its MAC address? For example, let's say I had 2 devices, 01:01:01:01:01:01 and FF:FF:FF:AA:AA:AA, both plugged into the same switch. Can I assign one of those devices into the public VLAN and one into the restricted VLAN using pfSense?


            wallabybob:

            @kuhsay:

            Thanks for clearing that up.  Out of curiosity, I saw in another thread that you need a special VLAN capable switch to use VLANs.  Is this true,

            Generally but not necessarily.

            or is it possible to just tag a packet based on its MAC address? For example, let's say I had 2 devices, 01:01:01:01:01:01 and FF:FF:FF:AA:AA:AA, both plugged into the same switch. Can I assign one of those devices into the public VLAN and one into the restricted VLAN using pfSense?

            No, that's not how it works. If VLANs are enabled in pfSense then incoming traffic on the corresponding physical interface(s) must be already tagged with the VLAN ID (this would normally be done by a VLAN capable switch).

            A common use of VLANs would be a VLAN capable switch which adds VLAN ID tags to incoming traffic on specified ports and strips out the VLAN ID tags on outgoing traffic. For example, switch port 1 is configured as a "trunk port" (connected to a pfSense NIC with VLANs enabled) belonging to VLANs 10 and 20, switch ports 2 and 3 are configured as belonging to VLAN 10, port 4 is configured as belonging to VLAN 20. The switch will add VLAN ID 10 to traffic from port 2 and 3 and VLAN ID 20 to traffic from port 4. Because ports 2 and 3 are on the same VLAN they can communicate directly. Because ports 2 and 4 are on different VLANs they cannot communicate directly but MIGHT do so through pfSense if pfSense is configured to allow that.


              kuhsay:
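The switch behaviour wallabybob describes (port 1 as a trunk carrying VLANs 10 and 20 to the pfSense NIC, ports 2 and 3 in VLAN 10, port 4 in VLAN 20), modelled as an added example that is not part of the original thread. It assumes a flooding switch with no MAC learning, so every member port of the frame's VLAN receives a copy; access ports strip the tag on egress and trunk ports keep it.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Port:
    # An access port carries untagged frames for one VLAN (its PVID);
    # a trunk port carries 802.1Q-tagged frames for every VLAN in `vlans`.
    trunk: bool
    vlans: Set[int]


@dataclass
class Frame:
    src_port: int
    vlan: Optional[int] = None  # None = frame arrived untagged


def forward(ports: Dict[int, Port], frame: Frame) -> Dict[int, Optional[int]]:
    """Return {egress_port: tag_or_None} for a frame flooded through the switch.

    Ingress: an access port stamps the frame with its PVID; a trunk port keeps
    the tag the frame arrived with and drops untagged or unknown-VLAN frames.
    Egress: only ports that are members of that VLAN get a copy; trunk ports
    keep the tag, access ports have it stripped (None).
    """
    ingress = ports[frame.src_port]
    if ingress.trunk:
        vlan = frame.vlan
        if vlan is None or vlan not in ingress.vlans:
            return {}
    else:
        vlan = next(iter(ingress.vlans))  # the access port's PVID
    out: Dict[int, Optional[int]] = {}
    for pid, port in ports.items():
        if pid == frame.src_port or vlan not in port.vlans:
            continue
        out[pid] = vlan if port.trunk else None
    return out


# Constructed switch matching the post: trunk to pfSense on port 1.
SWITCH = {
    1: Port(trunk=True, vlans={10, 20}),
    2: Port(trunk=False, vlans={10}),
    3: Port(trunk=False, vlans={10}),
    4: Port(trunk=False, vlans={20}),
}

if __name__ == "__main__":
    print(forward(SWITCH, Frame(src_port=2)))  # {1: 10, 3: None}: port 4 never sees it
    print(forward(SWITCH, Frame(src_port=1, vlan=20)))  # {4: None}: pfSense reply into VLAN 20
```

A host on port 2 reaches port 3 directly and reaches pfSense tagged with VLAN 10, but a frame for port 4 only arrives if pfSense routes it back down the trunk tagged 20.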

              Thank you for taking the time to explain it… I think I get it.

              So VLANs provide the features I wanted, but it is really just a lot more complex way of doing things than is necessary for my situation?  I assume the added complexity is so that you can easily change the VLAN that a port is connected to without physically moving the Ethernet cable to a different switch... is that all a VLAN really does?  I'm just curious BTW, I plan on adding an OPT1 network and going with what you suggested.


                wallabybob:

                It might help to look at http://en.wikipedia.org/wiki/Vlan

                This article mentioned Cisco software to assign VLAN IDs based on source MAC address so my earlier answer to your question about that facility wasn't entirely true. I haven't seen an equivalent facility on the cheaper and smaller VLAN capable switches I have looked at.


                  kuhsay:

                  Thanks for the info.

                  I have set up my router with the three NICs.

                  WAN: xl1
                  LAN: re0 (restricted)
                  HOMELAN: xl0

                  LAN gets DHCP addresses from 192.168.10.10 - 192.168.10.255
                  HOMELAN gets DHCP addresses from 192.168.1.10 - 192.168.1.253

                  I've set up my firewall rules like so:
                  LAN:
                  Rule 1:
                  Rule: Block (I tried reject too - not sure which one to use)
                  Proto:Any
                  Source: HOMELAN Subnet
                  Port: Any
                  Dest: Any
                  Gateway: Any
                  Schedule: [blank]

                  Rule 2:
                  Rule: Allow
                  Proto:Any
                  Source: LAN net
                  Port: Any
                  Dest: Any
                  Gateway: Any
                  Schedule: [blank]

                  HOMELAN:
                  Rule 1:
                  Rule: Block (I tried reject too - not sure which one to use)
                  Proto:Any
                  Source: LAN Subnet
                  Port: Any
                  Dest: Any
                  Gateway: Any
                  Schedule: [blank]

                  Rule 2:
                  Rule: Allow
                  Proto:Any
                  Source: HOMELAN net
                  Port: Any
                  Dest: Any
                  Gateway: Any
                  Schedule: [blank]

                  However, I can still ping a box on the LAN network from a box on the HOMELAN network but not vice-versa. Any idea why this is?


                    wallabybob:

                    Block quietly discards packets, Reject returns a response to the sender.

                    Firewall rules are applied to incoming packets.

                    Thus, your HOMELAN rules probably should be:

                    Rule 1:
                    Rule: Block (I tried reject too - not sure which one to use)
                    Proto:Any
                    Source: Any
                    Port: Any
                    Dest: LAN subnet
                    Gateway: Any
                    Schedule: [blank]

                    Rule 2:
                    Rule: Allow
                    Proto:Any
                    Source: HOMELAN net
                    Port: Any
                    Dest: Any
                    Gateway: Any
                    Schedule: [blank]

                    The rules are processed in the order they appear on the screen. First rule that matches a packet terminates rule processing.


                      kuhsay:
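To show why kuhsay's original HOMELAN rule set let the ping through and wallabybob's corrected one does not, here is an added first-match rule evaluator (not code from the thread or from pfSense). It assumes the two DHCP ranges sit in 192.168.10.0/24 (LAN) and 192.168.1.0/24 (HOMELAN), models a packet arriving on the HOMELAN interface, and uses pfSense's implicit default deny when nothing matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed /24 subnets behind the thread's DHCP ranges.
LAN_NET = ipaddress.ip_network("192.168.10.0/24")     # restricted, re0
HOMELAN_NET = ipaddress.ip_network("192.168.1.0/24")  # public, xl0


@dataclass
class Rule:
    action: str                              # "pass", "block" or "reject"
    source: Optional[ipaddress.IPv4Network]  # None means "any"
    dest: Optional[ipaddress.IPv4Network]    # None means "any"


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """Apply one interface's rule list to a packet arriving on that interface.

    Rules are checked top to bottom and the first match ends processing;
    a packet that matches nothing is blocked (implicit default deny).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        src_ok = rule.source is None or s in rule.source
        dst_ok = rule.dest is None or d in rule.dest
        if src_ok and dst_ok:
            return rule.action
    return "block"


# kuhsay's HOMELAN rules: rule 1 blocks by *source* LAN subnet. A packet
# arriving on HOMELAN always has a HOMELAN source, so rule 1 never matches
# there and rule 2 passes the ping to the LAN host.
ORIGINAL_HOMELAN = [
    Rule("block", LAN_NET, None),
    Rule("pass", HOMELAN_NET, None),
]

# wallabybob's version: rule 1 blocks by *destination* LAN subnet, which
# does match the outbound ping before the allow rule is reached.
CORRECTED_HOMELAN = [
    Rule("block", None, LAN_NET),
    Rule("pass", HOMELAN_NET, None),
]

if __name__ == "__main__":
    pkt = ("192.168.1.20", "192.168.10.20")  # constructed: HOMELAN host pings LAN host
    print("original :", evaluate(ORIGINAL_HOMELAN, *pkt))        # pass
    print("corrected:", evaluate(CORRECTED_HOMELAN, *pkt))       # block
    print("reversed :", evaluate(CORRECTED_HOMELAN[::-1], *pkt))  # pass: order matters
```

Reversing the corrected list makes the allow rule match first, which is the ordering point wallabybob makes: the block must sit above the allow.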

                      This worked. Thank you.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.