SOLVED: Firewalling Between Two LANs
-
I am having a hard time thinking this one through, but I may be really oversimplifying it. I need to have my existing pfSense box be able to act as a firewall between two LANs to facilitate access to a CCTV NVR over certain ports. I've drawn a crude network diagram below.
I need to have the workstations (in red) be able to access the CCTV NVR (in blue) through pfSense. I don't have access to the 2821 or the 2960, but I do have complete access to everything on the blue side.Here's what I'm thinking and please let me know if it would work.
-Provision a new VLAN (60) on both the ProCurve and pfSense.
-Assign pfSense a Static IP in the range of the red subnet on that VLAN
-Use NAT to forward the ports on pfSense's IP on VLAN 60 to the CCTV NVRWould that work or do I need to do something differently? I'd prefer to not have to add any more hardware.
Thanks!Version 2.1.3-RELEASE (i386)
built on Thu May 01 15:52:17 EDT 2014
FreeBSD 8.3-RELEASE-p16 -
Got it working - my plan worked exactly as I thought it would.
Tagged the RED VLAN on pfSense's LAN port
Created new VLAN (60) on pfSense and assigned static IP in RED Subnet
Adjusted firewall rules to deny everything from pfSense to RED Subnet and from RED Subnet to pfSense
Added NAT rule for necessary ports for NVR and put priority above other rules
Works great!Is this the best way to accomplish this or is there a better way?
-
Seeing as you can't change much on the Red side, this is probably as good a solution as you're going to get.
The other indicator that this is a reasonable solution - it works ;)