Network layout and firewall/Internet blocking

  • I have a customer that wants to unplug from the Internet. This doesn't work because of the VoIP system and a single PC needing to be connected to the Internet.

    I thought I could isolate blocked computers from the Internet by adding a 3rd NIC to a pfSense router and block the Internet on that interface only. That way I wouldn't have to manage individual computers and IP addresses. Leave a single PC and the VoIP system on the original LAN interface. I could even place all the VoIP phones on the blocked side because they would still be able to connect with the VoIP main system behind the firewall.

    Is this doable, or am I overthinking this thing?

    Oh, I have two 16-port switches. I would plug a single PC and the VoIP system into the one going to the unblocked LAN interface, and the other PoE switch could handle everything else, plugged into the blocked LAN interface.

    Edit -

    pfSense router with 3 Ethernet connections
    Interface 1 - WAN
    Interface 2 - LAN1 (unblocked to the Internet)
    Interface 3 - LAN2 (blocked to/from the Internet)
    Most likely add wireless by way of AP

    And will the two LANs talk to each other? Through the router?
    The whole purpose in this is future added equipment: just decide Internet or no Internet and plug into the appropriate switch.

    Thanks in advance... 78-)

  • I guess you have two options:

    1. You could divide your LAN into VLANs, and in that case you only need 2 NICs (LAN and WAN). This would give you logical NICs that you could manage almost as a physical NIC, although it's all in one interface. You could set up rules in the firewall to block one of the VLANs from Internet access and permit the other one. You could also block traffic going between the VLANs. You need a VLAN-capable switch to do this and a LAN NIC that supports 802.1Q tagging.

    2. You could use two LAN NICs (as you said) and just put up a rule in the firewall to block Internet access for one of the interfaces and allow it for the other one. You can block traffic between the interfaces if that is what you want, or just permit a certain type of traffic.

    Keep in mind that you need a separate network/subnet for each interface/VLAN.

    As a side note, it's not recommended to put a PC on the same network as VoIP, as it is a security vulnerability. It would be preferred to have VoIP on a separate NIC or VLAN if you care about the security of the VoIP calls.
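The rule logic behind option 2 above (two LAN NICs, one allowed out, one blocked, phones on the blocked side still reaching the PBX), written out as an added example in raw pf syntax so the whole policy is visible in one place. This is not from the thread and not pfSense's generated configuration; pfSense builds equivalent rules from its GUI. Interface names (em0/em1/em2), the two subnets, the PBX address 192.168.1.10, and the SIP/RTP ports are all assumptions.

```pf
# Added example, not from the thread. Interface names, subnets, PBX address
# and port ranges are assumptions; adjust to the real network.
wan  = "em0"
lan1 = "em1"                      # LAN1, Internet allowed
lan2 = "em2"                      # LAN2, Internet blocked
# For option 1 (VLANs on one LAN NIC) swap the two lines above for the tagged
# sub-interfaces pfSense creates, e.g. lan1 = "em1.10" and lan2 = "em1.20".

lan1_net = "192.168.1.0/24"
lan2_net = "192.168.2.0/24"
pbx      = "192.168.1.10"         # VoIP main system, lives on LAN1
sip      = "5060"
rtp      = "10000:20000"          # assumed RTP range used by PBX and phones

# A table, not a list in braces: pf cannot negate a brace list, but it can
# negate a table, which the LAN1 Internet rule below relies on.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# NAT only for LAN1. LAN2 has no NAT entry, so even a mistakenly passed packet
# would leave $wan with an unroutable private source address.
nat on $wan inet from $lan1_net to any -> ($wan)

# Default deny on every interface, logged, so misses show up in the log.
block log all

# pf's default deny also applies outbound. This lets the router's own
# connections (DNS, NTP, updates) out and lets traffic that already matched a
# stateful rule below leave on whichever interface it is routed to.
pass out on { $wan, $lan1, $lan2 } keep state

# LAN1: DHCP, the router itself (DNS/GUI), and anything that is NOT private
# address space, i.e. the Internet. Traffic to LAN2 is private space and is
# not the router, so it falls through to the block rule.
pass in on $lan1 inet proto udp from any port 68 to any port 67
pass in on $lan1 from $lan1_net to ($lan1) keep state
pass in on $lan1 from $lan1_net to ! <rfc1918> keep state
# The only LAN1 host allowed to cross into LAN2 is the PBX, and only to ring
# phones (SIP) and send media (RTP).
pass in on $lan1 inet proto udp from $pbx to $lan2_net port { $sip, $rtp } keep state

# LAN2: DHCP and the router for DNS, plus SIP/RTP to the PBX on LAN1.
# There is no "to ! <rfc1918>" rule here, so LAN2 never reaches the Internet,
# and no general LAN1 rule, so LAN2 cannot reach the PC on LAN1 either.
pass in on $lan2 inet proto udp from any port 68 to any port 67
pass in on $lan2 from $lan2_net to ($lan2) keep state
pass in on $lan2 inet proto udp from $lan2_net to $pbx port { $sip, $rtp } keep state
```

On a stock FreeBSD pf box this is checked with `pfctl -nf /etc/pf.conf` before loading; on pfSense the same policy is entered as per-interface rules in the GUI (LAN1: pass to `!<private networks alias>`, LAN2: pass UDP to the PBX only, with the implicit default deny doing the rest). The VLAN variant changes only the interface macros, because once pfSense has a VLAN sub-interface it is filtered exactly like a physical NIC. Note that with phones on LAN2 and a PC on LAN1, the thread's eavesdropping concern is already addressed by this layout: the PC's segment never sees RTP from the phones.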

  • Thanks, matumbo, for the input. I am not so clever with VLANs yet, but very interested.

    I was not even thinking about security on the VoIP side. I haven't even heard there could be a problem. The VoIP stuff is not my responsibility; it was just installed on my LAN. Is the security issue going to cause me a problem on my computer hardware side, or is it just a separate beast?

    Thanks again in advance... 78-)

  • The first thing you need to check is whether your switches support 802.1Q, or VLAN trunking/tagging. If they don't support that, you can't use VLANs for your setup. You can also check if your NIC on pfSense supports 802.1Q. If it does, and your switch supports it as well, then you could move on to planning how to set it up.

    The security vulnerability with VoIP on the same network as computers is that someone could eavesdrop on the phone calls if they are connected to the same network. It won't affect your hardware.

