Designing a kid- and guest-friendly home network with pfSense



  • Hello all,

    I am having some trouble designing my existing home network for two zones: a "green" zone that I can allow kids and guests on, and a "red" zone that has no restrictions. Everything is one big "red" zone right now (sorry, red and green are the simplest ways I can think of to describe what I'm trying to do!). I have had pfSense up and running for a couple of months now–I eventually want to get Squid, Snort and VPN all running, but these will be projects for another day.

    My network setup looks like this:

    • pfSense 2.2 BETA running bare metal on an Intel NUC D54250WYK
        -- Internal IP4 address 192.168.10.1, DHCP server, DNS forwarder
        -- External dynamic IP4 address, dynamic DNS updates for "[mydomain].com"

    • Verizon FiOS 150 Mbps WAN

    • Cisco SG200-26 set up with default VLAN 10, and VLAN 666 (the evil internet/WAN)
        – Port 24 is connected to the pfSense NUC (10T, 666T, 4095P)
        -- Port 25 is connected to FiOS (666UP)
        -- Port 26 goes upstairs to a Cisco SG200-08, below
        -- ASUS RT-N16 as wireless access point, running Shibby's TomatoUSB
        -- Several connected devices, all red at the moment

    • Cisco SG200-08 on upper level
        -- ASUS RT-N66 as wireless access point, running Shibby's TomatoUSB
        -- Both red and green devices

    • Synology DS1513+ NAS, 4-port LAGG connection to SG200-26
        -- The green/kids' PC is running Windows 7 and needs to connect to the NAS for backups, but in general I don't want green devices to access the rest of the NAS (I have Samba shares with bank statements, etc. on it, but maybe I can restrict these with file/share permissions or some other way).

    My switches are VLAN aware, but I'm not sure if I want to make a separate VLAN for the green zone (e.g., VLAN 20 on 192.168.20.x subnet), or if it's better to set up some combination of firewall rules and access restrictions to do what I want. I'd like to have a green wireless connection for guests, but I'm not sure whether to completely dedicate one access point to red and one to green, or if there's a better way. I would also like to use OpenDNS FamilyShield (or something like it) on the green zone to filter the internet and continue to use my ISP's unfiltered DNS servers for the red zone. The fact that both red and green devices need to be able to connect to the NAS also has me a bit confused when I start thinking about segregating the existing LAN.

    I knew what I was doing enough to get the basic network up and running, but I'm having trouble wrapping my mind around whether I should run two separate networks, so I'm not really sure what to ask in terms of specific questions. I tried to be as specific as possible with my goals--I appreciate any ideas or thoughts.


  • Netgate

    Yes.  I would create a VLAN for the green network.  Call it VLAN 20.

    You don't need two access points.  Tell the AP to tag the green SSID with VLAN 20 and tag that VLAN to the AP in the switch.

    If you want to cache OpenDNS queries locally you might need another DNS server.  If not, all you need to do is set the DHCP server on the green LAN to assign workstations the OpenDNS servers.  Then make a firewall alias called opendns_servers that contains the IPs of the OpenDNS servers then do something like this on the green firewall rules:

    pass tcp/udp source GREEN net dest opendns_servers port 53
    reject tcp/udp source GREEN net dest any port 53

    The first lets them query OpenDNS, the second blocks queries to any other name server.

    Find out what ports they need access to on the NAS to complete their backups.  Let's say they need access to ports tcp/8080 and tcp/8090.

    Create a firewall port alias containing TCP 8080 and 8090 - we'll call it nas_backup_ports

    Create a firewall host alias containing the IP address of the nas - we'll call it nas_address

    Create this on green's firewall tab:

    pass TCP source GREEN net dest nas_address port nas_backup_ports
    reject any source GREEN net dest RED net port any

    And finally, allow access to the internet:

    pass any source GREEN net dest any port any

    Or pass specific ports only (80, 443, etc) then reject anything else.  Depends on how hard you want to lock it down.

    You probably also want to block access from green net to things like the webConfigurator, ssh, etc.  2.2's (self) automatic alias should be good for that:

    reject TCP source GREEN net dest (self) port 22

    etc.


  • Netgate Administrator

    Yep ^, pretty much what he said.  ;)

    I would definitely use a separate VLAN in your situation. If you don't create a separate network then you can't control traffic between them in any useful way. The only reason not to use VLANs usually is that it introduces significant complexity but you're already using VLANs.

    Steve



  • @Derelict:

    Yes.  I would create a VLAN for the green network.  Call it VLAN 20.

    Thanks much for the VERY helpful post. I haven't had too much time to work on this yet, but I have made some initial progress. I've actually decided to go with 3 new VLANs:

    VLAN 10: RED - No restrictions
    VLAN 20: YELLOW - Trusted family devices
      – Access to RED net for printers, etc. (I implemented account controls for the NAS to allow backups)
      -- Web filtering, with pass rules for Steam and Battle.net (so far)
    VLAN 30: GREEN - Untrusted guest devices
      -- No access to RED or YELLOW nets
      -- Web filtering, HTTP, IMAP, SMTP ports only (80, 443, 465, 993)

    Haven't had time to implement the WLANs yet (right now both APs are on RED, using the same 2.4g SSID, and in addition the NT-R66U is using a unique 5g SSID). Mostly using the two APs to extend range. I may use dansguardian filtering on YELLOW and RED instead of OpenDNS--it would be helpful to have all the nets use the DNS forwarder and cache. But I do have OpenDNS working on YELLOW by defining the two DNS IP addresses on the interface page and rejecting port 53 on the firewall page.

    Thanks again!