Network advice



  • I would like some advice on my network setup.
    This is my idea:

    Database/File Server
                                               |                    |-PC_a 1
                                               |------Switch 1------|-PC_a 2
                                               |                    |-...
                                               |                    |-PC_a 10
                                               |
    -ADSL Router (bridge)---pfSense (Squid, Snort, ...)
                                               |
                                               |                    |-Web/Mail Server    |-PC_c 1
                                               |                    |-WiFi Network ------|-PC_c 2
                                               |------Switch 2------|-VoIP Phone 1       |-...
                                                                    |-VoIP Phone 2       |-PC_c n
                                                                    |-Print Server 1
                                                                    |-Print Server 2
                                                                    |-PC_b 1
                                                                    |-PC_a 2

    I need:
    1. access control;
    2. content filtering;
    3. communication from network a to networks b and c;
    4. networks b and c can be the same;
    5. allow some protocols from b/c to a (remote desktop);
    6. Internet access to the Web/Mail Server.

    Is this the best way?
    What packages should I use?

    Thanks



  • 1. What do you mean by "access control" - that's a catch-all phrase that means different things to different people
    2. Squid and Squidguard can do this
    3. Basic networking, pretty trivial
    4. Yes if you bridge the interfaces, but I'd then question why you're separating them physically.  Note that you'll need a much higher specification host than otherwise, as all broadcasts as well as LAN b to c traffic will transit the pfSense host.  There's probably a smarter way to do that.
    5. That's just firewall rules, but makes me wonder even more why you're separating them physically
    6. Yes - but you should put them in a DMZ, not in a shared network

    IMO this is far from the "best" way, based upon what little information you've provided.  Right now my recommendation would be to have at least 3 LANs:

    a) DMZ for Web/Mail server
    b) VOIP devices
    c) All others

    At a pinch merge (b) and (c), though ideally split (c) into 2 networks, one for desktops and WiFi and one for servers.



  • 1. What do you mean by "access control"

    Restrict internet access.

    1. Yes if you bridge the interfaces, but I'd then question why you're separating them physically.  Note that you'll need a much higher specification host than otherwise, as all broadcasts as well as LAN b to c traffic will transit the pfSense host.  There's probably a smarter way to do that.

    This was not a question. Since I don't have an Access Point, I'm thinking of using my ISP wireless router with the network cable on the LAN side.

    1. That's just firewall rules, but makes me wonder even more why you're separating them physically

    I don't know if this is the best way. I might have some shares on LAN a with no password. I thought that this was a way to give them some protection.



  • 1. In general yes, but your question is still too general (are you talking about restricting all protocols, just HTTP, what?)

    2. You can still link the wireless router to the same physical network as the other wired devices - I do just that.  Bridging has a performance impact.

    3. Protection from what?  If you don't trust the users on network (c) that much I'd repeat my recommendation that you put all desktops on their own network and all servers on another.  Note that you really, really, really shouldn't have shares without any security if you don't 100% trust every user who may ever have access to your network and have robust anti-malware protection in place.



  • 1. In general yes, but your question is still too general (are you talking about restricting all protocols, just HTTP, what?)

    For now I was thinking of HTTP and P2P.

    1. You can still link the wireless router to the same physical network as the other wired devices - I do just that.  Bridging has a performance impact.

    That was my idea. Sorry if I was confusing you.

    1. Protection from what?  If you don't trust the users on network (c) that much I'd repeat my recommendation that you put all desktops on their own network and all servers on another.  Note that you really, really, really shouldn't have shares without any security if you don't 100% trust every user who may ever have access to your network and have robust anti-malware protection in place.

    This is a store where I have the office PCs and software, but I sell LCDs, and the new ones have WiFi. By providing Internet for those devices I don't want to compromise my office network.



  • 1. HTTP is easy - Squid and Squidguard or a similar solution.  P2P is very hard and there is no simple solution.  Blocking all outbound ports by default and only opening those required (and ideally forcing all clients to connect through a proxy) will go a long way to stopping it.

    2. In that case I'd strongly recommend you have one (physical) network for the office network and another for the "customer" zone (with WiFi).  The "customer" network should be filtered off from everything but DHCP, DNS and the proxy server.



  • 1. HTTP is easy - Squid and Squidguard or a similar solution.  P2P is very hard and there is no simple solution.  Blocking all outbound ports by default and only opening those required (and ideally forcing all clients to connect through a proxy) will go a long way to stopping it.

    P2P is not a very important matter; if I make it a bit harder for the user, that's enough for now.
    I'm thinking of using Squid and forcing the use of the proxy. Which authentication method would you use? Captive Portal, local to Squid, RADIUS?

    The "customer" network should be filtered off from everything but DHCP, DNS and the proxy server.

    What do you mean by "filtered off"?

    1. In that case I'd strongly recommend you have one (physical) network for the office network and another for the "customer" zone (with WiFi).

    In which network would you put the Web Server, VoIP and Print Server?



  • 1. From the office side I'd say simply forcing Squid should be enough; you can look at the Squid and DHCP logs to find anybody wasting time.  On the "customer" side that's up to you - Squid with authentication or Captive Portal.

    2. Only able to access the DHCP, DNS and proxy services on the pfSense interface.

    3. As I said at the start, I'd put the Web Server in a DMZ and VOIP ideally in its own network.  If the print server needs to be accessed from both networks then put it in the DMZ too.  Very simply - the "customer" network should have no access to anything on the "office" network and the "office" network shouldn't access anything on the "customer" network.  Put all shared services on a shared network.
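    The zone policy laid out in this reply (customer zone limited to DHCP, DNS and the proxy on the pfSense interface; office and customer zones isolated from each other; shared services in the DMZ; VoIP on its own segment) written out as a pf ruleset. This is an added example, not the poster's configuration or anything pfSense generates verbatim; interface names, subnets, the Web/Mail server address, the print port and the proxy port are assumed, and outbound NAT is omitted.

```conf
# Interface names, subnets and service addresses are assumed for illustration.
wan_if    = "em0"
office_if = "em1"          # office LAN (a)
cust_if   = "em2"          # customer / WiFi zone (b)
dmz_if    = "em3"          # DMZ: Web/Mail server, print servers
voip_if   = "em4"          # VoIP phones

office_net = "192.168.10.0/24"
cust_net   = "192.168.20.0/24"
dmz_net    = "192.168.30.0/24"
voip_net   = "192.168.40.0/24"
web_mail   = "192.168.30.10"
table <lans> { 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24 }

set skip on lo0
# Publish only the Web/Mail server's services from the WAN.
rdr on $wan_if inet proto tcp from any to ($wan_if) port { 25, 80, 443 } -> $web_mail

block in log all                         # default deny on every interface

# Customer zone: DHCP, DNS and the Squid port on the pfSense interface itself, nothing else.
pass in quick on $cust_if inet proto udp from any port 68 to any port 67
pass in quick on $cust_if inet proto { tcp udp } from $cust_net to ($cust_if) port 53
pass in quick on $cust_if inet proto tcp from $cust_net to ($cust_if) port 3128
block in quick on $cust_if from $cust_net to any

# Office zone: never reach the customer zone; DMZ services allowed; web only via the proxy.
block in quick on $office_if from $office_net to $cust_net
pass in quick on $office_if from $office_net to ($office_if)            # DHCP, DNS, proxy
pass in quick on $office_if inet proto tcp from $office_net to $web_mail port { 25, 80, 443 }
pass in quick on $office_if inet proto tcp from $office_net to $dmz_net port 9100   # printing
block in quick on $office_if inet proto tcp from $office_net to ! <lans> port { 80, 443 }
pass in quick on $office_if from $office_net to ! <lans>                # other Internet traffic

# DMZ: published services reachable from the WAN; the DMZ may not initiate to any LAN.
pass in quick on $wan_if inet proto tcp from any to $web_mail port { 25, 80, 443 }
block in quick on $dmz_if from $dmz_net to <lans>
pass in quick on $dmz_if from $dmz_net to any

# VoIP: phones reach their provider on the Internet but no other local segment.
block in quick on $voip_if from $voip_net to <lans>
pass in quick on $voip_if from $voip_net to any
```

    Because every segment's rules end in an explicit block or a pass that excludes `<lans>`, adding a fifth network later means adding it to the table rather than auditing each interface's rules.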



  • So, you would create 4 LANs:

    a) office;
    b) customers;
    c) DMZ - Web/Mail Servers, Print Servers;
    d) VoIP.

    Will Squid work on the customers and office LANs at the same time, or do I have to put it on another machine?

    Thanks for your help and time. ;)



  • Yes - that's the best from a security perspective IMO.

    Squid will work on multiple interfaces.  You can configure authentication to be required and then have one (or more) networks whitelisted so they don't have to authenticate.
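    The arrangement this reply describes, one Squid instance listening on both LAN interfaces with authentication required except for a whitelisted office network, as a squid.conf fragment. This is an added example, not the poster's or pfSense's own configuration; the subnets, interface addresses, helper path and password file location are assumed.

```conf
# Subnets, listening addresses and helper paths are assumed for illustration.
acl office_net   src 192.168.10.0/24
acl customer_net src 192.168.20.0/24

# Listen on the pfSense address of each LAN rather than on every interface.
http_port 192.168.10.1:3128
http_port 192.168.20.1:3128

# Local-to-Squid authentication: a basic-auth helper backed by a password file.
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/passwd
auth_param basic children 5
auth_param basic realm Store proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED

# Only the proxy ports a browser needs; CONNECT restricted to HTTPS.
acl Safe_ports port 80 443
acl SSL_ports  port 443
acl CONNECT    method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Office clients are whitelisted; customer clients must authenticate; everything else is refused.
http_access allow office_net
http_access allow customer_net authenticated
http_access deny all
```

    Order matters: `http_access` lines are evaluated top to bottom and the first match wins, so the office whitelist must precede the authenticated rule or office users will be prompted for credentials.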



  • One last question.

    If I, for some reason (work from other place, …) , need to access to one of my office PC or the Database Server from the Internet or from the WiFi network how should I do it?



  • Done "right" I'd recommend the use of a VPN (OpenVPN, IPsec or PPTP), then you can run anything (such as RDP, Remote Desktop Protocol) and have whatever access you want.

    As a fallback you could simply run RDP without a VPN, but that would require exposing RDP on every host on all networks to the untrusted one, which I'd not recommend.



  • I'll try the VPN.

    If the wiki isn't enough, I'll come back to the forum.

    ;D
