Separating public network from private network

  • What are the “Best Practices” for separating public network from private network but allowing selected traffic?

    I currently have pfSense set up with a separate interface for my office network and my WIFI network, each with its own subnet.

    I like this because I have a single pfSense box to maintain. Also, if I eventually turn Squid on, I’ll have a single cache for both networks to benefit from.

    However, I’m wondering what the best method is for allowing clients on the WIFI network to securely access resources on the private network (mainly RDP).

    I’m assuming that the VPN features of pfSense would only work from the WAN side. Is that correct?

    I have firewall rules set up to limit traffic between the subnets and only allow RDP traffic.

    However, I still need VPN for when they are not using our WIFI.

    Therefore, it seems like I have to configure two separate connections for them.

    Is there a better way to approach this?

  • Generally the public network should be on another physical or VLAN interface. The default pfSense firewall rule is deny, so enable only the ports and the hosts you would like to connect to on the inside network.
    It makes no sense to use VPN in the private network. Generally the people who are using mobile computers should have a shortcut for the VPN connection and they should be instructed to double-click it before they try to do RDP.
    As simple as that :)
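
    The policy described in the reply above, written out as a pf ruleset fragment. This is an added illustration, not something posted in the thread: pfSense generates its own ruleset from the rules entered in the GUI, and the interface names, subnets and RDP host address below are assumptions chosen to make the allow list concrete.

    ```pf
    # Assumed interface and address layout (not from the thread):
    #   em0 = WAN, em1 = LAN (office), em2 = WIFI
    wan  = "em0"
    lan  = "em1"
    wifi = "em2"
    lan_net  = "192.168.10.0/24"
    wifi_net = "192.168.20.0/24"
    rdp_host = "192.168.10.25"      # the one office machine WiFi clients may reach

    # Default policy: drop and log everything. pfSense applies this implicitly
    # on every interface; it is stated here so the pass rules below are the
    # entire policy for the WIFI segment.
    block log all

    # WIFI -> office: only RDP (TCP/3389), only to the designated host.
    # "quick" stops evaluation at the first match, the same way pfSense
    # evaluates its per-interface rules top to bottom.
    pass in quick on $wifi proto tcp from $wifi_net to $rdp_host port 3389 \
        flags S/SA keep state

    # Any other traffic from WIFI aimed at the office subnet is dropped,
    # logged so failed attempts show up in the firewall log.
    block log in quick on $wifi from $wifi_net to $lan_net

    # WiFi clients still need DHCP and DNS from the firewall's own address on
    # the WIFI interface (the parentheses resolve to that interface's address).
    pass in quick on $wifi proto { tcp udp } from $wifi_net to ($wifi) port { 53 67 } keep state

    # Ordinary Internet access for WiFi clients, explicitly excluding the
    # office subnet so the RDP rule above is the only path into it.
    pass in quick on $wifi from $wifi_net to ! $lan_net keep state
    ```

    In the pfSense GUI this is the equivalent of leaving the WIFI interface tab with no rules except: a pass rule for TCP/3389 to the single RDP host, a block rule for the office subnet, and a pass rule for everything else. The order matters; if the "pass to any" rule is placed first, the block never matches.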

  • Netgate Administrator

    Who is on your wifi network? How secure do you need the access to be? Are you using captive portal?
    Using a VPN internally seems completely reasonable if your wifi is pretty much public. I'm not sure you can use the same VPN as WAN though. Hmm.
