Help with network re-design with an emphasis on firewalling segments



  • I am in need of some help with my current home network.  My setup has been for a while now ISP > pF box > Cisco SG300 (used as my "core" router).  With this setup I've been using my SG300 as a layer 3 switch, which has all my VLANs for all the different needs I have (wireless, guest access, servers, etc.), and it is being used as my router to route between the VLANs.  I did this because I needed speed, since I have servers that I play with that use iSCSI and I wanted file sharing and internal streaming to be fast and not be bogged down by my pF firewall doing the routing.  So if devices need to go out to the Internet, I have a subnet between the pF firewall and the SG300 and I just point all traffic not matching my internal VLANs to exit the interface that's set up for the pF from the SG300.

    Since my network has grown, I have recently been needing to restrict VLAN-to-VLAN access due to security concerns (i.e., I didn't want my guest users connecting to my network and potentially infecting other devices, even on other VLANs).  In the past, what I had been doing was setting up ACL rules to allow only the traffic I wanted to egress from a particular VLAN, but I'm seeing that this is starting to get ugly and I wanted more control over what goes in/out of a VLAN/subnet.

    Are there any ideas on how I can accomplish this?



  • Do the routing + firewalling on the pfSense; use the switch as a L2 VLAN device only.
    When not doing NAT or DPI, any modern desktop CPU will handle a couple of gigabits of traffic fairly well.

    So create a 2-port LAG between pfSense <–> switch. That gets you 2 Gbit of throughput.
    Most "affordable" NASes don't push a lot more than 200 MB/s in real-life situations (affordable as in < $5000).



  • Hmm, I didn't think about doing a 2-port LAG. I guess I could do that to increase bandwidth, but then again, I bought this SG300 specifically to be my main route & switch device. Now it's just going to be an overpriced L2 switch, which I feel I just wasted money on since I have a ton of other L2 Cisco Catalyst switches that can do this function.

    When you say "not doing NAT or DPI", I would assume most firewall configurations people are using have NAT for their Internet connection?  If that is the case, I am indeed running NAT for my internal network to the Internet.  As for DPI (deep packet inspection?), what is this used for? I may explore this.

    My pF box right now is an Atom D525 processor, so I know eventually I will start turning on other security features on the pF box (Snort/antivirus/proxy), so I don't want to add the additional burden of routing to the box.


  • 

    Note that you don't have to do every subnet on a firewall port.  You can do just the VLANs that you want to restrict, like the guest network.

    This would entail, in a nutshell:

    Remove the layer 3 vif on the VLAN in question from the switch.
    Tag the VLAN to pfSense
    Create the VLAN on pfSense
    Assign the VLAN to a pfSense interface
    Configure the layer 3 characteristics of the pfSense interface
    Configure the firewall rules to pass what you want passed

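    As an added example (not written by any poster in this thread), here is what the firewall side of the procedure above, and heper's "do the firewalling on pfSense" suggestion, amounts to for the guest VLAN, written in pf.conf syntax, which is what pfSense generates from its GUI rules. All names are assumptions: igb1 as the pfSense NIC trunked to the SG300, VLAN 50 as the guest VLAN, 192.168.50.0/24 as its subnet. pfSense itself is configured in the GUI, so read this as the rule set to reproduce there, not a file to paste onto the box.

```pf
# Added example, not from the original thread. Assumptions: igb1 is the pfSense
# NIC trunked to the SG300, VLAN 50 is the guest VLAN (192.168.50.0/24), and the
# SG300 no longer has an IP address on "interface vlan 50", so guest traffic
# leaves the switch tagged and pfSense is the only router for that subnet.

guest_if = "igb1.50"                     # VLAN 50 child interface on the trunk

# Everything the guest VLAN must never reach: all private ranges. Because the
# other VLANs still route on the switch, blocking by address range is simpler
# and safer than listing each internal subnet by hand and forgetting one later.
table <private_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Weak rule: the "allow all" default that a new LAN-type interface gets.
# Left in place, guests can reach every other VLAN through the firewall.
# pass in quick on $guest_if from $guest_if:network to any keep state

# Hardened policy. "quick" makes pf stop at the first match, so order matters.

# 1. Guests may talk to the firewall itself only for DNS. (pfSense adds its own
#    DHCP pass rules when the DHCP server is enabled on the interface.)
pass in quick on $guest_if inet proto udp from $guest_if:network to ($guest_if) port 53 keep state
pass in quick on $guest_if inet proto tcp from $guest_if:network to ($guest_if) port 53 keep state

# 2. Nothing else to the firewall's own addresses (web GUI, SSH, etc.).
block in quick on $guest_if from $guest_if:network to ($guest_if)

# 3. Nothing to any internal VLAN; logged so attempts show up in the firewall log.
block in log quick on $guest_if from $guest_if:network to <private_nets>

# 4. Whatever is left is Internet-bound: allow it and let NAT on WAN handle it.
pass in quick on $guest_if from $guest_if:network to any keep state
```

    To check what actually got loaded after applying the equivalent GUI rules, `pfctl -sr | grep igb1.50` on the pfSense shell lists the rules bound to the guest interface, and `pfctl -t private_nets -T show` (with whatever alias name pfSense gave the table) confirms the address ranges. The test a practitioner wants after this is a client on the guest VLAN that can resolve names and browse, but gets no answer from an address on any other VLAN while a corresponding block entry appears in the firewall log.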


  • Well, you are not doing NAT when pushing traffic between the VLANs.
    Not sure if the D525 would be able to push the amount of traffic you'd want, but @Derelict's option is certainly a good idea.

    As for DPI: Google "snort vs suricata".



  • @Derelict:

    Note that you don't have to do every subnet on a firewall port.  You can do just the VLANs that you want to restrict, like the guest network.

    This would entail, in a nutshell:

    Remove the layer 3 vif on the VLAN in question from the switch.
    Tag the VLAN to pfSense
    Create the VLAN on pfSense
    Assign the VLAN to a pfSense interface
    Configure the layer 3 characteristics of the pfSense interface
    Configure the firewall rules to pass what you want passed

    If I'm understanding correctly, my current config has all VLANs routing on my SG300 switch.  You're saying remove the vif (virtual interface? forgive my noobness) from my SG300 and put it on the pF box.  So if I do this, basically the other VLANs still route through my switch and traffic on the guest VLAN routes through the pF box?



  • @heper:

    well, you are not doing nat when pushing traffic between the vlans.
    not sure if the d525 would be able to push the amount of traffic you'd want, but @derelict 's option is certainly a good idea.

    as for dpi: google "snort vs suricata"

    Oh I see, right, I'm not doing NAT between VLANs.

    So, I did a search; they're just IDS tools, so you were asking if I ran Snort?  I plan to in the future, but I'm not running it now since I heard the Atom proc I'm running would be really slow, so I'm waiting to get some funds to buy the new Atom 2758 core :)


  • 

    @vsecgod:

    @Derelict:

    Note that you don't have to do every subnet on a firewall port.  You can do just the VLANs that you want to restrict, like the guest network.

    This would entail, in a nutshell:

    Remove the layer 3 vif on the VLAN in question from the switch.
    Tag the VLAN to pfSense
    Create the VLAN on pfSense
    Assign the VLAN to a pfSense interface
    Configure the layer 3 characteristics of the pfSense interface
    Configure the firewall rules to pass what you want passed

    If I'm understanding correctly, my current config has all VLANs routing on my SG300 switch.  You're saying remove the vif (virtual interface? forgive my noobness) from my SG300 and put it on the pF box.  So if I do this, basically the other VLANs still route through my switch and traffic on the guest VLAN routes through the pF box?

    Yes.

