Netgate Discussion Forum
    [Newbie] Is my VLAN setup OK in terms of security?

      MrPozor

      Hi all,

      I am technically knowledgeable and recently set up my own pfSense box, but networking is still a bit of a mystery to me.

      I'm especially concerned that the firewall rules I set in place are not safe enough.

      Let me explain (a map of my setup is attached):

      My modem is set to bridge mode and pfSense gets the public IP address from the modem. On the LAN side I have many different computers and the TV box. The TV box and the modem talk to each other in order to offer TV service. They have fixed IP addresses (192.168.27.1 and .14) and communicate on VLAN 100 using an encrypted protocol (something using AH and IPSEC or so). The rest of the network is on 192.168.0.0/24.
      Normally modem and TV box should be connected directly without a router in between so by adding the pfSense box I need to make sure that they can still talk to each other.
      The switches are unmanaged.

      Here is what I did:

      1. Create two VLAN interfaces (vlan_WAN) and (vlan_LAN) using tag 100.
      2. For both interfaces the "block private IP addresses" is unchecked. My logic is that pfSense needs to allow private IP communication on the WAN side since the modem is part of the private LAN.
      3. Create a bridge with both VLAN interfaces as members.
      4. Added firewall rules on both VLAN interfaces (but not the bridge) letting PASS ANY protocol (TCP/UDP is not enough due to encryption) coming from and going to the 192.168.27.0/24 network.

      To my astonishment, this actually does work and my TV is successfully streaming over VLAN 100. Felt like a hacker when I first saw the picture appear. But what about security? Are the firewall rules above protection enough? Could an attacker use a VLAN 100 tag to get into my network?

      The confusing part for me is having a network device (modem) on the WAN side of my router.

      Thanks,

      MrPozor

      network_setup.png

        EMWEE

        Don't bridge the VLANs.

        Don't make rules ANY to destination.

        Make something like:

        VLAN 100 to ANY but not VLANxxx
        VLANxxx to ANY but not VLAN100

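To make the two rule sets in this thread concrete, here is an added example (not from either poster, and not something pfSense generates verbatim) written in pf syntax, the packet filter pfSense uses underneath its GUI rules. The interface names (igb0.100, igb1.100, igb1) are assumptions; the networks are the ones given in the question. The first pass rule is the "any protocol, 192.168.27.0/24 to 192.168.27.0/24 on both VLAN interfaces" rule from the original post; the block below it is the tighter shape the reply suggests, using pf's `!` negation so that VLAN 100 can reach anything except the LAN subnet and the LAN can reach anything except the TV subnet.

```pf
# Assumed interface names (not stated in the thread)
vlan100_wan = "igb0.100"    # VLAN 100 tagged on the WAN side, faces the modem
vlan100_lan = "igb1.100"    # VLAN 100 tagged on the LAN side, faces the TV box
lan         = "igb1"        # untagged LAN
tv_net      = "192.168.27.0/24"
lan_net     = "192.168.0.0/24"

# Default deny: anything not explicitly passed below is dropped and logged.
block log all

# --- Original post's rule, as described: any protocol, source and destination
# --- both inside the TV subnet, applied on both VLAN 100 interfaces.
# --- (Commented out here so the tightened rules below are the active set.)
# pass in quick on { $vlan100_wan, $vlan100_lan } from $tv_net to $tv_net

# --- Tightened rules in the shape the reply suggests:
# VLAN 100 may talk to anything except the LAN subnet...
pass in quick on { $vlan100_wan, $vlan100_lan } from $tv_net to ! $lan_net
# ...and the LAN may talk to anything except the TV subnet.
pass in quick on $lan from $lan_net to ! $tv_net
```

Rules on the VLAN 100 interfaces apply to traffic carrying the 100 tag regardless of which physical port it arrived on, so a frame tagged VLAN 100 from the WAN side is still matched against the first pass rule and cannot reach 192.168.0.0/24 under it. The `!` negation in the `to` clause is ordinary pf syntax; in the pfSense GUI the same thing is expressed by ticking "Invert match" on the destination of the rule.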
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.