How to plan for a new VLAN configuration
-
I’ve been using pfSense for about 6 years now for a home network with maybe 10-20 devices on it. Now I’m building my first house and have a number of new devices that are going to be installed now and in the future, and I would like to have a faster and more secure LAN.
So my question to you guys is, is there a guide or good example of how to configure a VLAN network for what I want to accomplish?
For the new house I plan on running all connections through a 48-port Ubiquiti switch that supports VLANs and other managed features, along with Ubiquiti APs that allow multiple SSIDs that link to different VLANs.
Here is what I am thinking for the VLAN setup:
Secure LAN
Guest LAN
IP Cams
IoT
To start, I’ve upgraded my Alix (512 MB) pfSense build to a virtualized build using Proxmox with 8 GB of memory assigned to the VM. It’s running OpenVPN for me to get back home and a PIA VPN. It’s also running Snort.
I have a number of servers/VMs (FreeNAS, Plex, CrashPlan, etc.) and I want those services and shares to be accessible only by computers on the Secure LAN, not by guests, and not slowed down by the IP cams. I also don’t want insecure devices like the IoT garage door opener or IP cams to be directly accessible to everyone on the LAN or WAN by default; instead they should follow specific rules as to what they can do.
For example, each device on the IP Cam VLAN can’t get out to the WAN or Secure LAN, etc., but the DVR/NVR can talk to all of the IP cameras, the Secure LAN, and the WAN on a specific port for remote access.
I have a general idea of how VLANs work, so again I’m looking for best practices or example setups similar to mine. I plan on researching, testing, and validating this setup over the next few months.
-
hmmm… not sure about the VM aspect, but if it was hardware:
Four-port pfSense
Interfaces:
0 WAN
1 LAN (private)
2 CAM
3 OTHER / IoT / guest
VLANs per interface:
0 - (none)
1 - 10
2 - 20
3 - 30 / 40 / 50
VLAN DHCP subnets:
10 - 10.0.0.1/24
20 - 10.0.1.0/24 (give 'none' on DHCP gateway)
30 - 172.16.1.0/24
40 - 172.16.2.0/24
50 - 172.16.3.0/24
Optional: add VLAN 9 as the DMZ subnet on int 1; 10.10.10.0/24 …
Then route between whatever subnets you want to be able to talk to each other.
In my experience, this IP scheme makes it easy at a glance to know what network you're on or not on.
Does that help?
-
Thanks for the example, it makes sense.
Could I set a single ethernet cable as a trunked LAN into a managed switch instead of 4 physical cables/ports on the pfSense box and the switch?
-
> Thanks for the example, it makes sense.
> Could I set a single ethernet cable as a trunked LAN into a managed switch instead of 4 physical cables/ports on the pfSense box and the switch?
Yes.
-
> 20 - 10.0.1.0/24 (give 'none' on DHCP gateway)
That's NOT a good idea.
If v20 would be your cams then you cannot connect to them from a different subnet. Without a gateway they are stuck in their broadcast domain. Better prohibit that with rules.
When you have IoT devices you probably have a control processor as well. Lots of those devices really dislike broadcast traffic / UDP as they have to process each packet just to throw it away.
So your Plex, Kaleidescape, Mozaex or whatever content servers you may have should broadcast elsewhere.
You have kids?
Put each kid's devices in one separate VLAN. At the core switch put that VLAN on an untagged port and feed it back into your LAN. This way you can separate them if/when their PCs are full of viruses again or just cut off their internet at bedtime (and you don't have to bridge interfaces in pfSense).
Kids will hate you for that. Their teachers will applaud.
-
> You have kids?
> Put each kid's devices in one separate VLAN. At the core switch put that VLAN on an untagged port and feed it back into your LAN. This way you can separate them if/when their PCs are full of viruses again or just cut off their internet at bedtime (and you don't have to bridge interfaces in pfSense).
> Kids will hate you for that. Their teachers will applaud.
Hah. That's a great idea!
It's my understanding that I need pfSense in order to route traffic between different VLANs even on the same switch. So I could create a rule to let a specific device, like a DVR/NVR, talk to the Secure LAN and the IP Cam VLANs, and even then only on a specific port. Without both a switch that supports VLANs and pfSense configured to route VLANs, this type of setup won't work.
I'm planning on using a 48-port Ubiquiti switch and Ubiquiti APs that allow broadcasting of multiple SSIDs that support assigning VLANs depending on which you connect to.
-
You don't need a separate VLAN for your cameras. VLANs logically segregate traffic; they don't increase bandwidth. Remember, unicast traffic between two endpoints is limited to the two switch ports they are connected to. VLANs only affect broadcast traffic, and on an IP network, broadcasts are almost negligible.
Unfortunately, this notion that using VLANs will keep one sort of traffic from interfering with other traffic seems pretty pervasive. I wish I had a dime for every solution vendor who's come in and claimed that their solution requires a separate VLAN so all of our other traffic won't impinge on the performance of their equipment.
-
> You don't need a separate VLAN for your cameras. VLANs logically segregate traffic; they don't increase bandwidth. Remember, unicast traffic between two endpoints is limited to the two switch ports they are connected to. VLANs only affect broadcast traffic, and on an IP network, broadcasts are almost negligible.
> Unfortunately, this notion that using VLANs will keep one sort of traffic from interfering with other traffic seems pretty pervasive. I wish I had a dime for every solution vendor who's come in and claimed that their solution requires a separate VLAN so all of our other traffic won't impinge on the performance of their equipment.
This is true. The OP said he was using Snort. I am not a Snort expert, but whenever I have done network sniffing, less traffic per VLAN is always preferred over filtering. With the amount of data produced by cameras I would segregate with a VLAN. It makes life easier when stuff happens. Doing this changes the normal for each network and makes divisions in traffic apparent.
-
> You don't need a separate VLAN for your cameras. VLANs logically segregate traffic; they don't increase bandwidth. Remember, unicast traffic between two endpoints is limited to the two switch ports they are connected to. VLANs only affect broadcast traffic, and on an IP network, broadcasts are almost negligible.
> Unfortunately, this notion that using VLANs will keep one sort of traffic from interfering with other traffic seems pretty pervasive. I wish I had a dime for every solution vendor who's come in and claimed that their solution requires a separate VLAN so all of our other traffic won't impinge on the performance of their equipment.
The switch I am planning on using has a 70 Gbps backplane, so it should be able to handle the traffic I plan on putting on it. 8x IP cameras streaming 1080p+ (1.5-3 MP) constantly to dedicated NVR software should generate a bit of traffic. The main goal with the IP camera VLAN is to prevent the cameras from being hacked directly or from someone using the cameras as a point of attack into the secure network. The DVR/NVR would either have two NICs or a trunked port so that it could see the IP camera feeds as well as allow remote viewing and admin of the NVR software.
On the secure network I plan on handling multiple Plex video streams and SMB file shares from my FreeNAS box, along with general internet access for trusted devices.
The guest network would only have access to the internet, possibly throttled.
The IoT VLAN would be set up similar to the IP camera VLAN, e.g. you can't hack my garage door opener to get into my secure network, or be on the guest network and open my garage door. I would set up rules in pfSense to allow the IoT devices that need to talk to the Secure network to do so, for things like a Smart Hub device.
So even with no VLANs that switch should be able to handle all of my LAN traffic. Hopefully VLANs and matching SSIDs will make setting up IoT devices easier/more secure and make my network more secure overall, e.g. against viruses on guests' computers deleting files in my SMB shares.
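One way to sanity-check the policy this thread converges on (cameras isolated, the NVR as the only bridge into the Secure LAN, guest and IoT kept out of internal networks except the Smart Hub, and the one remote-access port on WAN) before building it in the pfSense GUI is to model pfSense's rule evaluation and run the intended flows through it. This is an added example, not code from the thread or from pfSense; the subnets follow the scheme posted above, while the NVR address 10.0.1.10, the Smart Hub address 172.16.2.10 and the remote-viewing port 8443 are assumptions made for the demo.

```python
# Added example (not from the thread or pfSense): a minimal model of how pfSense
# evaluates firewall rules, used to check the VLAN policy before building it.
# pfSense matches rules on the interface where a connection ENTERS, top to
# bottom, first match wins, and anything unmatched hits the implicit deny.
# Subnets follow the scheme posted earlier; NVR, hub and port 8443 are assumed.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("10.0.0.0/24")                 # secure LAN, VLAN 10
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NVR = ip_network("10.0.1.10/32")                 # assumed: NVR sits on camera VLAN 20
SMART_HUB = ip_network("172.16.2.10/32")         # assumed: only IoT device allowed into LAN

def rule(action, src, dst, dport=None):
    # dst is a network or a list of networks (an "alias" in pfSense terms)
    return (action, src, dst if isinstance(dst, list) else [dst], dport)

RULES = {  # keyed by the ingress VLAN interface; order inside each list matters
    "LAN":   [rule("pass", ANY, ANY)],                 # trusted devices: anything goes
    "CAM":   [rule("pass", NVR, LAN),                  # NVR may reach the secure LAN;
              rule("pass", NVR, ANY, 443)],            # cameras themselves match nothing
    "GUEST": [rule("block", ANY, RFC1918),             # never into internal networks
              rule("pass", ANY, ANY)],                 # internet only
    "IOT":   [rule("pass", SMART_HUB, LAN),            # hub -> LAN, the rest like cameras
              rule("block", ANY, RFC1918),
              rule("pass", ANY, ANY)],
    "WAN":   [rule("pass", ANY, NVR, 8443)],           # assumed port forward to the NVR
}

def evaluate(iface, src, dst, dport):
    """Return 'pass' or 'block' for a new connection entering `iface`."""
    s, d = ip_address(src), ip_address(dst)
    for action, rsrc, rdsts, rport in RULES.get(iface, []):
        if s in rsrc and any(d in n for n in rdsts) and rport in (None, dport):
            return action
    return "block"                                     # implicit default deny

if __name__ == "__main__":
    checks = [  # (ingress VLAN, src, dst, dst port, expected) -- constructed flows
        ("CAM",   "10.0.1.50",   "198.51.100.7", 443,  "block"),  # camera phoning home
        ("CAM",   "10.0.1.50",   "10.0.0.5",     445,  "block"),  # camera -> SMB share
        ("CAM",   "10.0.1.10",   "10.0.0.5",     445,  "pass"),   # NVR -> secure LAN
        ("GUEST", "172.16.1.20", "10.0.0.5",     445,  "block"),  # guest -> SMB share
        ("GUEST", "172.16.1.20", "198.51.100.7", 443,  "pass"),   # guest -> internet
        ("IOT",   "172.16.2.77", "10.0.0.5",     445,  "block"),  # garage opener -> LAN
        ("WAN",   "203.0.113.9", "10.0.1.10",    8443, "pass"),   # remote NVR viewing
    ]
    for iface, src, dst, port, want in checks:
        got = evaluate(iface, src, dst, port)
        print(f"{iface:5} {src:>12} -> {dst}:{port:<4} {got:5} {'ok' if got == want else 'MISMATCH'}")
```

Traffic between the NVR and cameras on the same VLAN never reaches pfSense, and because pfSense is stateful the replies to NVR-initiated connections need no extra rules.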