PfSense on large home network (What do you run on your Home Network)
I had been running smoothwall hence why my pf Sense box is still known as smoothie it was easier then changing host files :) but got sick of having to "mod" the base install to get what I wanted and then having to remod it after an upgrade, that sucked big time….
I have a fairly large network serving a very internet hungry family of four with a lot of devices, I dont go for pretty network diagrams I have it all in a spreadsheet so here is a link to a sanitised version of my network structure http://goo.gl/Nyin1
I am running a captive portal with throttling for guests, no restrictions to pur freeNAS file server so they can leech once on the network but throttles web traffic to 10% of our link and blocks bit torrent.
So what sort of networks are you running at "Home" with pfSense ?
This is quite a few devices!
If I listed everything I have at home I'm sure it would be quite long but most of those are hardly ever turned on.
The biggest difference between my network and yours is that I have mine divided into a number of separate subnets. In fact I have 10 interfaces in my pfSense box and firewall rules to govern the traffic between them.
I would recommend that if you haven't already. It looks like all your devices are on the same subnet. At the very least I would want wifi devices segregated from most of my network particularly various test boxes I have.
I totally get where you are coming from but I don't run any thing on the network that is "production" ready and I dont run any open ports to the WAN as I dont have any mail servers or webservers etc. Also the WiFi and captive passwords are changed weekly, I do have a small subnet in the HAM shack that isn't shown for when I want to play, the rest has to be able to talk easily as as it is my home network I dont want to have to spend 30 minutes setting up rules for various VLANS to talk to each other just because I want to print a PDF from my mobile phone or tablet.
I also live in the country so would see someone sitting in the paddock leeching my WiFi unless the sheep have increased the amount of RAM they have and are now network capable
I confess I mostly have 10 subnets just because my home box has 10 interfaces so I can. ;)
It is helpful though to be able to allow any guests to use the wifi without worrying about any viruses they may be carrying.
I allow most traffic between subnets in my network but having it divided makes it much easier to segregate stuff if I need to.
The only thing that doesn't really work too well across subnets is local discovery. For example if you have music/video stored on a media server and you play it back from your playstation you may find that there is no way to enter the IP of the media server it has to be 'discovered' using DLNA, or some similar protocol, and that won't look outside it's subnet. Even that can be mitigated to some extent using the IGMP proxy.
Running a few vlans
- general access
- NAS/SAN network
- guest wireless
- test lab
total nodes is less than 20 with a number of them being vm's. As the pfsense box is a VM I've only got vlans 1,3, and 6 going physical.