Sub-networks?



  • I'd like to set up my network so that my roommate and I don't see each other's devices. We are on a single WAN from our cable modem which will go into the pfSense box. From there, the connection goes to a switch and then out via wired or wireless connections. I can use multiple wireless access points (and would almost prefer to do it).

    For example, I'd like to have my printer, NAS, PC, and wireless devices be able to see and interact with one another and my roommate to have his devices work with one another but that we don't interact with each other. I'm sure there is a specific term for this that I'm not remembering. It would also be nice if there were a way to allow certain devices to be visible to everyone if needed (media PC, etc.). A future goal would also be to traffic shape or limit the connections so that we don't infringe on each other's usage which still having all the bandwidth available if it is free.

    What would be the best way to accomplish this?



  • Separate interfaces with individual AP/switches will do what you want. So will VLANs but you may not have VLAN capable hardware.

You will have one WAN interface, and two LAN interfaces (more specifically a LAN and OPT1). Your stuff will be on LAN, his stuff on OPT1. Firewall rules will block all connections between the two segments unless an allow rule is in place (you will need to set an OPT1 -> WAN rule for him to get internet). Also make sure the LAN/OPT1 -> WAN rules are specific and don't accidentally allow communication between segments.

    For the "community" devices like a media center PC, the best way to handle that would be to add yet another interface to pfsense and another network segment. Will the media center PC just access internet sources or will it need to access local files on yours/his networks? You could just add it to either of your networks and it won't really matter but since you're interested in segmenting the network, I figured a third "community" network would be wise.



  • Thanks for the reply. I don't have VLAN capable hardware so you're right that it wouldn't work. What is the best way to set up a dual LAN setup? I'm currently using one of these. Would I need a USB -> ethernet adapter?

    The HTPC was more hypothetical and I think that just adding it to one network and making a rule would be sufficient as you say.



I would never trust USB to Ethernet adapters personally, plus most of them lack support in pfSense anyway I believe. It does indicate it has a Mini PCI card, so you may be able to add WiFi support (still not as reliable as actual ethernet ports IMO but better than USB). I wouldn't try to use it in AP mode but it should be OK in client mode to connect to one of your existing APs.

    Here's another option for you. Assuming you don't NEED gigabit support, how about a VLAN capable switch? Older 100 meg managed, VLAN capable switches can be had for CHEAP. If you're using WiFi anyway, 100 meg ethernet is going to be as fast if not faster (especially compared to 802.11g) in real world use.

    Check out the HP Procurve 2524. The 2524 can be had for $20 shipped, there is a 12 port version but it isn't any cheaper than the 24 port version. The only issue might be finding a seller in the UK or paying more for shipping (the link you gave indicates Europe so I'm making an assumption here).



  • I'm in the US, just that was the first link I found, haha.

    I really would like to keep gigabit since I do lots of work from my NAS. Would it be possible to make two subnets and just give everyone a manual IP? I could manage my own stuff pretty easy so give myself static IPs in the 192.168.1.x range and then put all his stuff on 192.168.2.x. I should be able to make a rule to disallow interaction between subnets right?



Unless you add a USB adapter, you can get a VLAN switch or you can get a computer with more network ports. Take your choice. With only 2 ports and no VLAN you have room for either 1 client or 1 switch and several clients, but those clients would be able to see each other directly. That's the nature of a simple switch. If you add a USB>Ethernet adapter, and connected a switch to that, you could give that subnet to your friend. Everything he has on that switch will work at gigabit speed because it wouldn't need to pass through pfSense. You could hook another switch up to one of the two ports on your box and that would also be all gigabit on your side. The only time you would get less than gigabit throughput is if you pulled traffic from his side to yours. You could give the interfaces 2 separate subnets and firewall them however you want.



  • @ieatfish:

    Would it be possible to make two subnets and just give everyone a manual IP? I could manage my own stuff pretty easy so give myself static IPs in the 192.168.1.x range and then put all his stuff on 192.168.2.x.

    If you mean have the two subnets on the same pfSense interface then that doesn't give you any real security beyond the trustworthiness of the network users.

    Your chosen hardware doesn't appear to have any expansion slots other than USB. There are some USB WiFi adapters that work well with pfSense (though with some limitations) and these might be able to be used to give your box additional network interfaces.

There are some wireless APs that can support multiple wireless networks, assigning each to a distinct VLAN. Most simple switches seem to pass through VLAN tags.

The MikroTik RB250GS is a 5 port Gigabit switch with VLAN capability, available quite cheaply.

    @kejianshi:

If you add a USB>Ethernet adapter

    Choose carefully: there seem to be many USB Ethernet adapters which aren't capable of more than 12Mbps on the USB side.



  • Honestly, it is more of a convenience thing than an actual security measure. Since we're both in the same place and will have physical access to everything, it doesn't really matter how intense I make the network from a security point of view. This would just make it easier to have our own devices.



  • "If you mean have the two subnets on the same pfSense interface then that doesn't give you any real security beyond the trustworthiness of the network users."
    I suppose super-gluing all the cable ends into the RJ45 ports is out of the question ????

    Yeah - he screwed himself a little with no room for expansion.

    http://www.ebay.com/itm/Mikrotik-RB260GS-5-Port-Gigabit-Switch-/151087377985?pt=COMP_EN_Routers&hash=item232d826e41


  • Rebel Alliance Global Moderator

You can pick up a smart gig switch for 100 bucks; the GS108Tv2, for example, does VLANs.

Or, I doubt your internet is gig. So just put a managed switch that does VLANs between pfSense and your other switches.

So you would be on 1 switch with your hardware, your roommate would be on their switch with their hardware, and your managed switch would be what handles the VLANs connected to pfSense. This way your downstream switches don't need to understand VLANs.
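Why the downstream switches can stay "dumb" in this layout is easiest to see by modelling the managed switch's port table: each person's port is an untagged (access) member of exactly one VLAN, and only the port facing pfSense carries both VLANs tagged. The following is an added example written for this thread, not code from any poster, from pfSense, or from a switch vendor; the port names, the VLAN IDs 10 and 20, and the port table are constructed assumptions modelling 802.1Q port-based VLANs and flooding of broadcast/unknown-unicast frames.

```python
"""Added model of an 802.1Q managed switch sitting between pfSense and two
unmanaged switches. Port table and VLAN IDs are constructed, not from the thread."""
from dataclasses import dataclass, field

VLAN_ME, VLAN_ROOMMATE = 10, 20   # constructed VLAN IDs (assumption)


@dataclass
class Port:
    name: str
    pvid: int                                  # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent out of this port untagged
    tagged: set = field(default_factory=set)    # VLANs sent out of this port with a tag

    def member_of(self, vid) -> bool:
        return vid in self.untagged or vid in self.tagged


# Constructed port table: p1 is the trunk to pfSense, p2 feeds my unmanaged
# switch + AP, p3 feeds the roommate's wireless router.
SWITCH = {
    "p1": Port("p1", pvid=1, tagged={VLAN_ME, VLAN_ROOMMATE}),
    "p2": Port("p2", pvid=VLAN_ME, untagged={VLAN_ME}),
    "p3": Port("p3", pvid=VLAN_ROOMMATE, untagged={VLAN_ROOMMATE}),
}


def ingress_vlan(port, tag):
    """Classify an incoming frame: untagged frames get the PVID; tagged frames keep
    their VID only if the port is configured to carry it, otherwise they are dropped."""
    if tag is None:
        return port.pvid
    return tag if tag in port.tagged else None


def forward(switch, ingress, tag=None):
    """Return {egress_port: tag_on_wire} for a flooded frame entering `ingress`.
    A value of None means the frame leaves untagged (what a dumb switch expects)."""
    vid = ingress_vlan(switch[ingress], tag)
    if vid is None:
        return {}
    out = {}
    for name, port in switch.items():
        if name == ingress or not port.member_of(vid):
            continue
        out[name] = vid if vid in port.tagged else None
    return out


def isolated(switch, a, b) -> bool:
    """True if hosts behind port a and port b can only meet via the trunk (pfSense)."""
    return b not in forward(switch, a) and a not in forward(switch, b)


def audit(switch, trunk):
    """Sanity checks on the port table; returns a list of problems (empty = OK)."""
    problems, vids = [], set()
    for p in switch.values():
        vids |= p.untagged | p.tagged
        if len(p.untagged) > 1:
            problems.append(f"{p.name}: untagged member of more than one VLAN")
        if p.untagged and p.pvid not in p.untagged:
            problems.append(f"{p.name}: PVID {p.pvid} is not in its untagged set")
    for vid in sorted(vids):
        if vid not in switch[trunk].tagged:
            problems.append(f"VLAN {vid} is not tagged on the pfSense trunk {trunk}")
    return problems


if __name__ == "__main__":
    print("roommate frame from p3 goes to:", forward(SWITCH, "p3"))   # only the trunk, tagged 20
    print("my frame from p2 goes to:      ", forward(SWITCH, "p2"))   # only the trunk, tagged 10
    print("VLAN 10 from pfSense goes to:  ", forward(SWITCH, "p1", tag=10))  # p2, untagged
    print("p2 and p3 isolated at layer 2: ", isolated(SWITCH, "p2", "p3"))
    print("audit:", audit(SWITCH, "p1") or "no problems")
    # A constructed mistake: a new VLAN on an access port that the trunk does not carry.
    broken = dict(SWITCH, p4=Port("p4", pvid=30, untagged={30}))
    print("audit of broken table:", audit(broken, "p1"))
```

The `isolated` check is the property the thread is after: a frame from the roommate's port can only leave via the tagged trunk, so it has to pass through pfSense (and its firewall rules) before it could ever reach the other side.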



  • @johnpoz:

You can pick up a smart gig switch for 100 bucks; the GS108Tv2, for example, does VLANs.

Or, I doubt your internet is gig. So just put a managed switch that does VLANs between pfSense and your other switches.

So you would be on 1 switch with your hardware, your roommate would be on their switch with their hardware, and your managed switch would be what handles the VLANs connected to pfSense. This way your downstream switches don't need to understand VLANs.

    That looks to be the best option. Thanks guys.


  • Netgate Administrator

The Netgear GS105E is even cheaper and does VLANs. The drawback is it requires a Windows-only program to configure it. If you don't need to reconfigure it often, which you probably don't, it should do the job.

    Steve



This Windows program… Might it run under WINE?



  • @stephenw10:

The Netgear GS105E is even cheaper and does VLANs. The drawback is it requires a Windows-only program to configure it. If you don't need to reconfigure it often, which you probably don't, it should do the job.

    Steve

    Awesome, thanks!


  • Netgate Administrator

    @kejianshi:

    Might it run under WINE?

    Don't know, never tried. I'm sure someone has though.  ;)

    Steve

    Edit: There's this: https://code.google.com/p/gsconf/



I keep ONE Windows VM up for myself for crap just like this… Begrudgingly.
    I have found that as long as I keep the VM screen locked and no one ever uses it or its web browsers except me, and nothing ever gets installed on it ever, and it's firewalled from most everything, it reliably rivals my Linux/BSD installs.  ;D



  • I ordered the Netgear GS108E. Then I'll put my wireless router and dumb switch on a couple ports and use a second wireless router on another port for my roommate. With separate VLANs, we shouldn't have to worry about our devices interacting at all. If down the road we need to share something between us, I can make a third VLAN and have it viewable by our two.

    Does that sound right?



  • @stephenw10:

    @kejianshi:

    Might it run under WINE?

    Edit: There's this: https://code.google.com/p/gsconf/

I think it's nice that he does TRY not to brick our hardware. That's a comforting statement.
    (I know he means well with the statement)


  • Netgate Administrator

    I usually try not to brick stuff but that hasn't stopped it happening in the past!  ;)
    I try to see it as a learning opportunity.  ;D

    The fact that he has written the code sort of implies it doesn't run under WINE. I couldn't find any references to anyone else doing it either. Like you I always have a Windows box or two lying around for such occasions. I think this laptop can dual boot into Vista though it's such a long time since I tried I'm not sure now.
It's inconvenient having to use a Windows-only config program, but on a desktop switch like that how often are you really going to be changing it?

    Steve



I'd buy one of the ones that use straight HTML for config first, but if someone were to stumble onto one of these cheap, it would be nice. Plus, me and you are in the minority. Most people are hooked on things like artificial sweeteners, high fructose corn syrup, Ritalin and Windows. All things that at first brush seem to work for you but actually work against you.
    This would work fine for most people.


  • Netgate Administrator

    @ieatfish:

    If down the road we need to share something between us, I can make a third VLAN and have it viewable by our two.

You could certainly make a third VLAN interface in pfSense and an equivalent port on the switch. Then add firewall rules to allow both of you to access that new subnet. You could have a NAS device in that subnet to share files, for example.

    Depending on how you use your various devices you may want to have additional segregation. I have my wireless access point on a separate interface here at home for example. That way I can happily allow internet access to guests without worrying about what they may be carrying in their laptops. With that switch you could potentially have 7 isolated subnets.

    Steve
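The rule ordering described earlier in the thread (default deny between segments, an OPT1 -> WAN allow that must not quietly also reach LAN, a third shared subnet both sides may use, and a guest wireless segment that gets internet only) can be checked in a small model before touching the box. The following is an added example written for this thread, not code from pfSense or from any poster; the subnet addresses, segment names and rule sets are constructed assumptions, and the evaluator imitates pfSense's per-interface, top-down, first-match, implicit-deny behaviour rather than calling pf itself.

```python
"""Added model of pfSense-style per-interface firewall rules: rules are
evaluated top-down on the interface the traffic enters, first match wins, and
anything unmatched hits the implicit deny. Subnets and rules are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed layout for the thread's scenario (assumption, not from the posts):
# my LAN, the roommate's OPT1, a shared VLAN (NAS / media PC), a guest WiFi segment.
LAN = ip_network("192.168.1.0/24")
OPT1 = ip_network("192.168.2.0/24")
SHARED = ip_network("192.168.3.0/24")
GUEST = ip_network("192.168.4.0/24")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass
class Rule:
    action: str                               # "pass" or "block"
    dst: list = field(default_factory=list)   # destination networks; empty = any
    dst_negate: bool = False                  # models pfSense "invert match" on destination

    def matches(self, dst_ip) -> bool:
        if not self.dst:
            return True
        hit = any(dst_ip in net for net in self.dst)
        return (not hit) if self.dst_negate else hit


def evaluate(rules, dst_ip) -> str:
    """Verdict for a new connection entering the interface that owns `rules`."""
    dst_ip = ip_address(str(dst_ip))
    for rule in rules:
        if rule.matches(dst_ip):
            return rule.action
    return "block"  # pfSense's implicit default deny on every interface


# The tempting single "pass to any" rule: gives the roommate internet, and LAN.
LOOSE_OPT1 = [Rule("pass")]

# The specific version: allow the shared subnet, refuse every other private
# range, then let the remainder (the internet) through.
STRICT_OPT1 = [Rule("pass", [SHARED]), Rule("block", RFC1918), Rule("pass")]

# Same idea using invert match: one "pass to !RFC1918" rule for the guest segment.
GUEST_RULES = [Rule("pass", RFC1918, dst_negate=True)]

SEGMENTS = {"LAN": LAN, "SHARED": SHARED, "GUEST": GUEST}


def reachable_segments(rules, segments=SEGMENTS):
    """Names of the other local segments a rule set lets its hosts connect into."""
    return {name for name, net in segments.items()
            if evaluate(rules, next(net.hosts())) == "pass"}


def compare(dst_ip):
    """(loose verdict, strict verdict) for an OPT1 host talking to dst_ip."""
    return evaluate(LOOSE_OPT1, dst_ip), evaluate(STRICT_OPT1, dst_ip)


if __name__ == "__main__":
    for ip in ("8.8.8.8", "192.168.1.10", "192.168.3.5"):
        loose, strict = compare(ip)
        print(f"OPT1 -> {ip:<13} loose={loose:<5} strict={strict}")
    print("loose OPT1 reaches :", sorted(reachable_segments(LOOSE_OPT1)))
    print("strict OPT1 reaches:", sorted(reachable_segments(STRICT_OPT1)))
    print("guest reaches      :", sorted(reachable_segments(GUEST_RULES)))
```

Running it shows the point of "make the OPT1 -> WAN rule specific": the loose set lets an OPT1 host reach 192.168.1.10 on LAN, while the strict set still reaches the internet and the shared NAS subnet but nothing else private. The guest set reaches no local segment at all, which is the separate-guest-interface idea from the post above.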



  • @stephenw10:

    @ieatfish:

    If down the road we need to share something between us, I can make a third VLAN and have it viewable by our two.

You could certainly make a third VLAN interface in pfSense and an equivalent port on the switch. Then add firewall rules to allow both of you to access that new subnet. You could have a NAS device in that subnet to share files, for example.

    Depending on how you use your various devices you may want to have additional segregation. I have my wireless access point on a separate interface here at home for example. That way I can happily allow internet access to guests without worrying about what they may be carrying in their laptops. With that switch you could potentially have 7 isolated subnets.

    Steve

    Awesome, this will definitely open my setup up for lots of options. Thanks.