Advice sought: VLAN, firewall setup with shared resources



  • I'm looking for advice on setting up a PFsense/VLAN-based network at my work. We have groups of public computers, staff/public (guest) wifi, servers, a Synology NAS, network printers, and two WAN connections. I'm using a PFsense box with the VLANs configured on one port, and the two WAN connections on their own ports. I'm using Netgear FS726T switches.

The only problem I'm running into is how best to separate and secure "shared" resources? For example, two of our larger MFP printers are networked, and used by staff and public computers. The staff and public computers should not be able to see each other, but they should both be able to see the printer. Should I put the "shared" printer in its own VLAN, then grant access to it from the staff and public VLANs? Or should I put them all on the same LAN and block access with firewall rules? Any help would be appreciated.



  • I would put the printers on their own vlan and make firewall rules that staff and public computers can't see each other.

    Here are the VLANs that you could make:

    1. Staff
    2. Public
    3. Servers
    4. Management
    5. Printers
    6. WiFi - Staff
    7. WiFi - Public

    Would be nice to have the management be out of band, but to be truly out of band you would need separate switches for that.


  • Netgate Administrator

If you put them all on the same network segment the traffic between them won't go through pfSense so you won't be able to filter it with firewall rules. Separate VLANs gets my vote.

    Steve
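To make the two replies above concrete, here is an added example (not from the thread, and not Netgate's or pfSense's own configuration) written as a pf ruleset, since pfSense generates pf rules from what you enter on the per-interface Firewall > Rules tabs. The VLAN interface names, subnets, and printer ports are assumptions chosen for illustration; only the Staff / Public / Printers split itself comes from the thread.

```pf
# Added example, not from the thread. Interface names, subnets and ports are assumptions.
staff_if   = "vlan10"
public_if  = "vlan20"
print_if   = "vlan50"

staff_net  = "10.0.10.0/24"
public_net = "10.0.20.0/24"
print_net  = "10.0.50.0/24"
rfc1918    = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Ports the MFPs need from clients: RAW/JetDirect, IPP, LPD.
# Add SNMP/HTTPS only for the Management VLAN if you administer the printers from there.
print_ports = "{ 9100, 631, 515 }"

set block-policy drop

# Drop packets arriving on a VLAN with a source address that does not belong to it.
antispoof quick for { $staff_if, $public_if, $print_if }

# pfSense evaluates rules where traffic ENTERS the firewall (inbound on the VLAN interface),
# so the Staff and Public policies live on those two interfaces. Everything not passed
# below is dropped and logged by this default deny.
block in log on { $staff_if, $public_if, $print_if }

# DNS to pfSense itself on each client VLAN (assumes pfSense is the resolver).
pass in quick on $staff_if  proto { tcp udp } from $staff_net  to ($staff_if)  port 53
pass in quick on $public_if proto { tcp udp } from $public_net to ($public_if) port 53

# Staff: may print, and may reach anything that is not another internal network (the WANs).
pass in quick on $staff_if proto tcp from $staff_net to $print_net port $print_ports
pass in quick on $staff_if from $staff_net to ! $rfc1918

# Public: same two permissions, nothing else. No rule reaches $staff_net, so the
# default deny above is what keeps staff and public from seeing each other.
pass in quick on $public_if proto tcp from $public_net to $print_net port $print_ports
pass in quick on $public_if from $public_net to ! $rfc1918

# Printers VLAN: nothing initiated by a printer is passed. Print jobs still work because
# pf is stateful and the replies ride the state created by the Staff/Public pass rules.
# If an MFP scans to a folder on the NAS, add ONE narrow pass here from $print_net to
# that NAS address on port 445 rather than opening the Printers VLAN generally.
```

In the pfSense GUI the equivalent is: an alias for the printer ports, a pass rule on the Staff tab and on the Public tab to the Printers network using that alias, a pass rule on each to "! RFC1918" (an alias of the three private ranges, inverted), and nothing on the Printers tab at all. New VLAN interfaces in pfSense start with no rules, which already means deny, so the explicit block line above only adds logging. Two checks worth doing after applying it: from a public computer, confirm a print job succeeds and that a ping or SMB attempt to a staff address times out, and on the Netgear switches confirm each access port is untagged in exactly one VLAN, because as Steve notes, two hosts in the same VLAN talk through the switch and never reach these rules.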