Dividing access



  • Simple question, but I wanted people's opinions. If I want to divide access, is it better to use multiple NICs and create multiple networks, or to use firewall rules to create access rules to divide access?


  • Netgate Administrator

    Access to what from what?
    Multiple NICs/subnets is almost certainly better though. Trying to divide a set of clients on the same subnet with firewall rules can easily be bypassed.

    Steve
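The reason Steve gives is that a firewall only sees packets that are routed between its interfaces; two hosts in the same VLAN and subnet talk to each other through the switch and never present their traffic to the firewall at all. The following Python model, added here as an illustration and not code from the thread or from pfSense, makes that visible: it takes a constructed set of hosts and first-match rules (with an implicit default block, in the style of pfSense interface rules) and reports whether a block rule can actually take effect for a given pair of hosts. The addresses, VLAN ids and rules are all made-up sample data.

```python
"""Model whether a firewall rule can govern traffic between two hosts.

Traffic between hosts on the same VLAN and subnet is switched at layer 2,
so the router/firewall never evaluates it.  Only traffic that crosses a
subnet/VLAN boundary is routed and therefore subject to firewall rules.
"""
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network


@dataclass(frozen=True)
class Host:
    name: str
    ip: str      # address with prefix length, e.g. "192.168.1.10/24"
    vlan: int    # 802.1Q VLAN id; 0 means untagged

    @property
    def network(self):
        return ip_interface(self.ip).network


@dataclass(frozen=True)
class Rule:
    src: str     # CIDR matched against the source address
    dst: str     # CIDR matched against the destination address
    action: str  # "pass" or "block"


def same_l2_segment(a: Host, b: Host) -> bool:
    """Two hosts share a broadcast domain when they sit in the same VLAN and subnet."""
    return a.vlan == b.vlan and a.network == b.network


def firewall_decision(rules, src: Host, dst: Host) -> str:
    """First-match evaluation; anything unmatched falls to the implicit default block."""
    s = ip_interface(src.ip).ip
    d = ip_interface(dst.ip).ip
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r.action
    return "block"


def can_reach(rules, src: Host, dst: Host) -> tuple[bool, str]:
    """Return (reachable, explanation) for src -> dst under the given ruleset."""
    if same_l2_segment(src, dst):
        return True, (f"{src.name}->{dst.name}: same VLAN/subnet, switched at "
                      f"layer 2, firewall never consulted")
    action = firewall_decision(rules, src, dst)
    return action == "pass", (f"{src.name}->{dst.name}: routed through firewall, "
                              f"rule result '{action}'")


# --- constructed sample data (not a real network) ---------------------------
STAFF = Host("staff-pc", "192.168.1.10/24", vlan=0)
SERVER = Host("file-server", "10.0.30.5/24", vlan=30)

# Flat design: guest shares the staff subnet and a host-specific block rule is
# written in the hope of keeping it away from the staff PC.
GUEST_FLAT = Host("guest-laptop", "192.168.1.50/24", vlan=0)
FLAT_RULES = [
    Rule("192.168.1.50/32", "192.168.1.10/32", "block"),
    Rule("192.168.1.0/24", "0.0.0.0/0", "pass"),
]

# Segmented design: guest moved to its own VLAN/subnet, so guest -> staff
# traffic must be routed and the block rule is actually evaluated.
GUEST_VLAN = Host("guest-laptop", "192.168.20.50/24", vlan=20)
SEGMENTED_RULES = [
    Rule("192.168.20.0/24", "192.168.1.0/24", "block"),
    Rule("192.168.20.0/24", "0.0.0.0/0", "pass"),
]


def compare_designs() -> dict:
    """Summarise whether the guest can reach the staff PC under each design."""
    return {
        "flat": can_reach(FLAT_RULES, GUEST_FLAT, STAFF)[0],
        "segmented": can_reach(SEGMENTED_RULES, GUEST_VLAN, STAFF)[0],
        "segmented_to_server": can_reach(SEGMENTED_RULES, GUEST_VLAN, SERVER)[0],
    }


if __name__ == "__main__":
    for rules, guest in ((FLAT_RULES, GUEST_FLAT), (SEGMENTED_RULES, GUEST_VLAN)):
        for target in (STAFF, SERVER):
            ok, why = can_reach(rules, guest, target)
            print(f"{'REACHABLE ' if ok else 'BLOCKED   '} {why}")
```

Running it shows the flat design's block rule doing nothing (the guest and staff PC are on one segment), while the same intent expressed on a separate VLAN/subnet is enforced. The model deliberately ignores what a switch or bridge could filter on its own; the point is that the router's rules, which is what this thread is about, only apply to routed traffic.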



  • What about using VLANs? I'm not very familiar with VLANs which is why I'd go with having more NICs, but would it be easier (or just as easy) to divide access the way separate NICs do but with VLANs?

    I've also seen access points with multiple SSID capabilities, but my thought there is that they are still going through the same NIC on pfSense. Don't they have to be in the same subnet then, or can they be divided into subnets somehow? And don't we again get into a situation where it becomes easily bypassed to gain access to the other subnets/SSIDs?

    Thanks!



  • @broncoBrad:

    I've also seen access points with multiple SSID capabilities,

    If these APs assign the different SSIDs to different VLANs, then pfSense can have a distinct VLAN interface for each SSID, and then firewall rules should control access between the distinct wireless LANs.



  • To preface this, I have been doing networking a LONG time, and actually know it quite well.

    To answer your question, I need a lot more information about what you are trying to divide, and from how many people. As an example, VLAN vs. discrete NICs: a VLAN can be busted out of and you can see all traffic, and load on one is (to some extent) load on all. But you cannot do trunk ports on discrete NICs…

