Please help with correct PfSense usage



  • Hello.

    I am not sure how best to use PfSense in the below (2) diagrams.
    I am attempting to divide LAN and Internet traffic in hardware as much
    as possible, and the plan is to use 2 nic interfaces for each workstation…
    eth0 = LAN Only, eth1 = Internet Only

    http://www.kwamsook.com/pub/NETWORK-Public.png ...(Current Network)
    http://www.kwamsook.com/pub/NETWORK-Public-Firewall.png ...(possible Pfsense placement)

    OS - All Debian amd64 Testing
    Switch - Layer 3 port based Managed

    The Machines in the diagrams...
    192.168.100.11 (eth0) Internet Only
    192.168.100.10 (eth1) LAN Only

    Questions;
    1. Do I need another router or switch to accomplish my objectives ?
    2. Did I plan the PfSense (firewall) diagram correctly ?
    3. Should I use the PfSense firewall for all (eth1) interfaces for Internet access ?

    Thank you for your time.



  • @Sensimilla:

    I am attempting to divide LAN and Internet traffic in hardware as much as possible, and the plan is to use 2 nic interfaces for each workstation… eth0 = LAN Only, eth1 = Internet Only

    There is no need for two interfaces, one is enough. Workstations can communicate directly through the switch. If they need to go "off LAN" they send their traffic to the router. This is standard IP networking.

    @Sensimilla:

    http://www.kwamsook.com/pub/NETWORK-Public.png …(Current Network)
    http://www.kwamsook.com/pub/NETWORK-Public-Firewall.png ...(possible Pfsense placement)

    pfSense can act as the router; no need for a separate router.

    @Sensimilla:

    Questions;
    1. Do I need another router or switch to accomplish my objectives ?
    2. Did I plan the PfSense (firewall) diagram correctly ?
    3. Should I use the PfSense firewall for all (eth1) interfaces for Internet access ?

    1. No. (Unless I misunderstood your requirements or there is something you haven't told us about.)
    2. Looks fine to me but not clear why you would have a separate router.
    3. No need for the separate interfaces for internet access.



  • Thank you for your answers.

    Reason for router…
    I'm trying to avoid relying on the switch 100 percent to keep Internet and LAN
    traffic separate, and thought the router would provide an extra layer of security also.

    I don't understand how you use 'only' one interface to achieve physical separation
    of LAN/Internet... are you thinking of separating traffic in the switch only ?

    Isn't using 2 interfaces more secure?

    Thank you again for your analysis.



  • It would help me if you gave some details on what kind of security you are looking for and why you think you need it. In particular, it is not obvious to me that it would be more secure to have LAN traffic on separate interfaces from internet traffic, but I don't know what you are trying to accomplish (or prevent) so I can't judge if having the separate interfaces will accomplish what you want to do.

    An example: putting security screens over the windows of my home may make my home more secure against intruders who are prepared to break windows to gain entry, but it doesn't make my home any more secure against people who are prepared to punch a hole in the wall.



  • Thank you for your example wallabybob.
    My use of the word 'security' is to provide the proposed network with more
    than one layer in case the firewall gets compromised.

    You nice people in these forums are the experts I know, and your advice
    will be extremely helpful. I was hoping I would be able to obtain more than one
    approach to the diagrams I've linked to increase/harden the network.

    I'm guessing it's difficult to advise me with so many alternatives available.
    I'm experiencing some frustration in that I thought the diagrams would
    be enough to illustrate what I am trying to do to give the experts a clear idea
    where I am going wrong.

    If I understand you correctly,

    • get rid of the router
    • don't use 2 eth interfaces
    • use the switch and firewall for everything

    If I wished to harden your recommendation,
    what would you alter to provide a 2nd layer of security in case the firewall gets compromised ?

    regards.



  • Please take a look at http://forum.pfsense.org/index.php/topic,30534.0.html

    Cry Havok's reply captured the essence of my feeling about this topic. I don't think I can help until you ask some very specific questions with clearly specified requirements. "2nd layer of security" is not specific enough for me.

    I appreciate this might be an area that's very new to you. Perhaps somewhere to start would be to explain how you think "divide LAN and Internet traffic in hardware as much as possible" (from your original post) will enhance your security. Then (maybe) you could outline what system attacks you want to protect yourself from.

    I could probably make a case that loss of power is a potential threat to your computer systems and you should therefore install a UPS (Uninterruptible Power Supply) and generator. I have no idea whether or not loss of power poses a "significant threat". I have no idea if you consider other computer users on your LAN a security threat. I have no idea if you have worries about legal liability for theft of confidential data stored on your LAN. etc etc



  • wallabybob, I'm sure no one wants to read another noob vs. guru thread.
    Thank you for your attempt but you are not producing any
    alternative productive suggestions, please move on and allow another to answer.

    Is there someone else here who could see through my lack of
    experience with pfSense and skilled enough in asking me specific questions
    tailored to my experience level in order to recommend a solution ?.

    Is there anyone else on this board that can please answer my questions ?

    Can someone else please help?

    Thank you much.



  • nm!




  • Dude…  You need to be more specific about what YOU WANT.

    The only difference between the 2 diagrams is:

    pfSense WAN is switched to a private Class A subnet.

    Your VOIP and wireless is on the same subnet behind a separate firewall.

    Now for the million dollar question:  How is that related to adding a second NIC on your workstation?

    If you just want to segregate traffic between LAN and WAN, then by all means, do it.  The caveat is:

    1. The workstation(s) don't know better as to which link to send LAN traffic until you manually define the metric on each NIC for each workstation.

    2. There is no added security.  Any workstation that is compromised will be able to traverse BOTH networks.

    Now, back to the additional firewall thing.  You don't need this.  You can:

    a)  Add a NIC to the pfSense box and set it to the Class A subnet.  Set your firewall rules to allow no communications between the 10.x.x.x and 192.x.x.x subnet.  This effectively allows internet access for the 2 subnets but not between the 2 private LANs.

    b)  Use 2 VLANs on an existing NIC, one for LAN, one for LAN2.  Your switch can most definitely handle this.

    On the router being compromised.  I've not heard of this on pfSense but it may be possible.  Odds are against it due to the small market share AND most of these breaches have got to do with badly configured firewall rules or plain ignorance of warning signs - you're screwed with any other firewall in-between anyway if this is the case.
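    The reply above describes option (a) as a second pfSense interface with rules that let each private subnet reach the internet but not the other subnet. The fragment below is an added example, not from this thread or the pfSense project: pfSense builds its pf ruleset from the rules entered in its web GUI, and this is the underlying pf syntax those GUI rules correspond to. The interface names (em0, em1, em2) and the choice of 10.0.0.0/8 for the "private Class A subnet" are assumptions.

    ```pf
    # Added example (not from the thread or the pfSense project): the pf ruleset
    # that option (a) in the reply above amounts to.
    # Assumed interface names and subnets:
    #   em0 = WAN (internet), em1 = LAN (192.168.100.0/24),
    #   em2 = LAN2, the "private Class A subnet" (10.0.0.0/8, RFC 1918).
    # For option (b), em2 would instead be a VLAN interface on em1; the rules
    # below are unchanged apart from the interface name.
    ext_if   = "em0"
    lan_if   = "em1"
    lan2_if  = "em2"
    lan_net  = "192.168.100.0/24"
    lan2_net = "10.0.0.0/8"

    set skip on lo0

    # Hide both private subnets behind the WAN address (outbound NAT).
    nat on $ext_if inet from { $lan_net, $lan2_net } to any -> ($ext_if)

    # Default deny: anything not explicitly passed below is dropped and logged.
    block log all

    # The two private LANs may not talk to each other. "quick" stops rule
    # evaluation here, so the broader "to any" rules further down never match
    # this traffic.
    block log quick on $lan_if  inet from $lan_net  to $lan2_net
    block log quick on $lan2_if inet from $lan2_net to $lan_net

    # Each LAN may reach the internet; "keep state" lets the replies back in
    # without a separate inbound rule on the WAN side.
    pass in on $lan_if  inet from $lan_net  to any keep state
    pass in on $lan2_if inet from $lan2_net to any keep state

    # Forwarded traffic still has to be allowed out of the WAN interface.
    pass out on $ext_if inet keep state
    ```

    Rule order matters in pf: without "quick" on the two block rules, the later "to any" pass rules would win (last matching rule applies) and the subnets could reach each other. After loading a ruleset like this, a quick check from a host on one LAN that it cannot reach a host on the other, while both still reach the internet, confirms the separation the reply describes.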



  • Thank you all for your advice and time.

    [SOLVED]

    Best wishes.

