Please help me design a complicated home network

  • Hello,

    I was hoping to request some expert help in setting up my Home Network and pfSense Firewall.  I am a novice to intermediate computer user and have purchased the Kindle version of the pfSense book, but before I screw up everything I thought I would ask for some help.

    My pfSense firewall is up and operational but my zones are not configured properly as yet.  Today everything is in one zone.  I would like three distinct zones and have built the pfSense computer with 3 extra 1Gb NIC cards.

    (I have included a PNG picture to illustrate my network design)

    Zone 1: Private Network both wired and wireless (WPA protected)

    This zone is my family’s private network; it will have my NAS server, internal computers and all of my family’s devices.  The wireless access point being used is running the native ASUS software and is giving out 192.168.1.x addresses between 150 and 250.

    Zone 2: Public wireless in my home (WPA protected)

    This zone is the public wireless for my guests; it will also have on it all my son's computers and devices and be protected by a pfSense parental control addon of some type.  The wireless access point being used is running the native ASUS software and is giving out 192.168.2.x addresses between 150 and 250.

    Zone 3: Private network for my renter in the basement (WPA protected)

    This zone is for all of my renter’s computers and devices and should not be able to see any of my other equipment in the house.  It is wireless for his convenience, since all of his devices are wireless enabled.  The wireless access point being used here is a Linksys running DD-WRT and is giving out 192.168.3.x addresses between 150 and 250.

    Zone 4: Public Web Server and Mumble Server (NOT SHOWN IN THE DIAGRAM; not installed yet)

    I believe I need this zone after reading the pfSense book about security, to separate my outward-facing servers from my internal network.

    So here is my first round of questions…

    (1) Does anyone see any issues that I have overlooked or have suggestions on the makeup of the network?

    (2) I have static LAN IP addresses for all 30+ devices in my home, given out over DHCP based on MAC address. So for Zones 2 and 3 giving them 192.168.y.2 addresses is not a big deal (where y = zone #), but then do I bridge these two zone interfaces with my network?  That would seem to defeat the purpose of keeping them separated, unless I need some particular firewall rules, which I do not properly understand, that will give them connectivity to the internet but not the rest of my network.  (Help here is appreciated.)

    (3) I would like my public wireless to be able to print on my network printer (which is on my 192.168.1.x Zone 1 network), especially since my son will need to print reports and such for school soon.  I have no idea how to do this without buying another NIC card, which I do not have space on the motherboard for, and putting the printer on its own zone and bridging to everything, which again seems to be a bad idea.  I guess I could buy a multiport card, but today the printer runs through a switch before pfSense due to its location.

    (4) What parental control software addon is the best?  I saw DansGuardian and a Squid addon that look like they can do the job.

    (5) I guess I am most confused about bridging and firewall rules that can keep my network safe and secure but share some common devices amongst them, without having to purchase a professional firewall.  Also, I do not really understand how a VLAN could help me here, though I did think that creating a VLAN for the shared printer might allow the printer to be shared; I am not sure how to configure that.

    Thank you for all of your assistance,


  • Netgate Administrator

    Your picture looks nice but the link is to a thumbnail so it's hard to appreciate it fully.  ;)

    1: Is there any particular reason you are using the wifi APs for DHCP? In my opinion it would be much better to use pfSense for DHCP on each interface. Doing that makes it much easier to keep track of the leases or to hand out static addresses for filtering purposes. All your admin can be done in the one place rather than having to log in to each AP to change things.

    2: Normally you would not bridge them. pfSense will route traffic between them if you have firewall rules in place to allow that, so that you can access, say, the AP in zone 2 from a computer in zone 1. The only reason you would bridge the interfaces would be if you had software that needed to see machines in the same subnet. Many media player programs will only look for servers in the same subnet, for example.
    By default all traffic from the additional interfaces will be blocked, so you will need to add firewall rules to allow the traffic that you want. Only the LAN interface has a default allow rule.

    3: You can add a rule to allow traffic from Zone 2 to the printer but no other address. Better, you can restrict that rule to allow access only from specific clients in zone 2 if you have all static dhcp leases.

    4: Squid with SquidGuard is a lot more mature (in pfSense at least), but DansGuardian has more/better filtering options.

    5: You could use VLANs to get more interfaces in pfSense without having to add further NICs however I don't believe you will need to. Do your switches support VLANs? Do your APs?
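
An added illustration of points 2 and 3 in the reply above, not code from the thread or from pfSense itself: a small Python model of how pfSense evaluates per-interface rules (top to bottom, first match wins, anything unmatched falls to the implicit default deny that every non-LAN interface starts with). It builds the rule set the reply describes for Zone 2 and Zone 3 and shows why rule order matters: a "pass to any" rule placed above the block of private address space silently reaches Zone 1 too. The printer address (192.168.1.20), the NAS (192.168.1.10), the son's static leases (192.168.2.150 and .151), the pfSense interface addresses (192.168.2.1 and 192.168.3.1) and the printing ports 631 (IPP) and 9100 (raw/JetDirect) are all assumptions chosen for the example, not values from the post.

```python
"""Model of pfSense per-interface rule evaluation for the OPT interfaces
(Zone 2 = guest/son wifi, Zone 3 = renter) described in the thread.

pfSense interface rules are evaluated top to bottom and the first match
wins; traffic matching nothing hits the implicit default deny. Only the
LAN interface ships with a default pass-to-any rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed addresses (not from the thread); adjust to the real network.
ALIASES = {
    "printer":      ["192.168.1.20/32"],                        # Zone 1 network printer
    "son_devices":  ["192.168.2.150/32", "192.168.2.151/32"],   # static DHCP leases in Zone 2
    "private_nets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # RFC 1918 space
}


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # CIDR, alias name, or "any"
    dst: str                    # CIDR, alias name, or "any"
    dports: Optional[Set[int]]  # None means any destination port
    note: str


def _matches(addr: str, spec: str) -> bool:
    """True if addr falls inside spec (an alias, a CIDR, or 'any')."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in ALIASES.get(spec, [spec]))


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, note) of the first matching rule, else the default deny."""
    for r in rules:
        if _matches(src, r.src) and _matches(dst, r.dst) and (r.dports is None or dport in r.dports):
            return r.action, r.note
    return "block", "implicit default deny"


def isolated_zone_rules(subnet: str, if_addr: str, exceptions: Optional[List[Rule]] = None) -> List[Rule]:
    """Rules for a zone that may use the internet but must not see the house.

    Order matters: the exceptions and the block of all private space must sit
    above the pass-to-any rule, otherwise pass-to-any also reaches Zone 1.
    """
    return [
        *(exceptions or []),
        Rule("pass",  subnet, if_addr + "/32", {53}, "DNS to the resolver on pfSense"),
        Rule("block", subnet, "private_nets",  None, "no other internal hosts"),
        Rule("pass",  subnet, "any",           None, "everything else: the internet"),
    ]


ZONE2_RULES = isolated_zone_rules("192.168.2.0/24", "192.168.2.1", [
    Rule("pass", "son_devices", "printer", {631, 9100}, "son's devices may print (IPP / JetDirect)"),
])
ZONE3_RULES = isolated_zone_rules("192.168.3.0/24", "192.168.3.1")

# The classic mistake: pass-to-any placed first. Every rule below it is dead.
MISORDERED_ZONE2 = [ZONE2_RULES[-1], *ZONE2_RULES[:-1]]

if __name__ == "__main__":
    NAS = "192.168.1.10"   # assumed Zone 1 NAS address
    checks = [
        ("Zone 2",            ZONE2_RULES,      "192.168.2.150", "192.168.1.20",  9100),
        ("Zone 2 (guest)",    ZONE2_RULES,      "192.168.2.200", "192.168.1.20",  9100),
        ("Zone 2",            ZONE2_RULES,      "192.168.2.150", NAS,             445),
        ("Zone 2",            ZONE2_RULES,      "192.168.2.150", "93.184.216.34", 443),
        ("Zone 3",            ZONE3_RULES,      "192.168.3.150", NAS,             445),
        ("Zone 2 misordered", MISORDERED_ZONE2, "192.168.2.150", NAS,             445),
    ]
    for label, rules, s, d, p in checks:
        action, note = evaluate(rules, s, d, p)
        print(f"{label:18} {s:15} -> {d}:{p:<5} {action:5} ({note})")
```

Run as-is and the table shows the son's device printing, a guest being refused the printer, both zones being refused the NAS but allowed out to the internet, and the misordered set passing Zone 2 straight to the NAS. On the real firewall the same rules are entered on the Zone 2 and Zone 3 interface tabs in the same order; the "son_devices" restriction only holds if those clients really do receive fixed addresses, which is the reason the reply recommends static DHCP leases handed out by pfSense.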

