Advantage to separating SOHO and home networks?



  • Hello, new to pfSense… and new to advanced network design. I have a quad NIC box on order that I plan to use at my home.  Have multiple home devices (tablets/phones/laptops) as well as 3 (SOHO) web servers.  Network theory question:  what is the advantage to having a separate network/subnet for the home devices and another for the servers?

    I can think of a couple disadvantages.  I assume that two separate switches would be required for this set up.  And what about directly accessing the servers from my laptop (ssh/scp for instance).

    Thanks in advance.



  • You can use VLANs if your switch supports Layer 2 configuration.

    This means you can have the Layer 3 address on your pfSense firewall and you can run ACLs/firewall rules between the networks.

    Having them on different subnets allows you to manage the communication between the networks. You can have it permit any any, or you can add in some rules.

    Only issue there is the routing/switching between the subnets has to always hairpin through a pfSense port. If they were all on the same subnet the switch would just switch the traffic between the hosts without needing to hit the Layer 3 IP address.

    All in all, it's a good idea if your pfSense has enough grunt.



  • @churchi:

    You can use VLANs if your switch supports Layer 2 configuration.

    This means you can have the Layer 3 address on your pfSense firewall and you can run ACLs/firewall rules between the networks.

    Having them on different subnets allows you to manage the communication between the networks. You can have it permit any any, or you can add in some rules.

    Only issue there is the routing/switching between the subnets has to always hairpin through a pfSense port. If they were all on the same subnet the switch would just switch the traffic between the hosts without needing to hit the Layer 3 IP address.

    All in all, it's a good idea if your pfSense has enough grunt.

    Thanks for your reply.  Just trying to learn here - but I fail to see how firewalling my internet only devices from my webservers is beneficial.  I have no hackers in my family, or anyone else who even knows their way around a terminal.  Bunch of iPads my wife and kids use.

    I've read that it is generally a good idea many places here, but I just can't seem to find a definitive reason for this.  Will pfSense allow me to track network usage on different subnets?  I could see this being beneficial for tax reporting…



  • Just trying to learn here - but I fail to see how firewalling my internet only devices from my webservers is beneficial.  I have no hackers in my family, or anyone else who even knows their way around a terminal.

    One counter argument to "no hackers in my family" is what happens if someone in your home accidentally gets hacked/virus/grandkids clicking something they shouldn't?
    It's entirely possible that malware will dynamically search through all easily reachable parts of your network.
    Vice versa, what if a webserver gets hacked and starts trying to zombie attached iPads?
    Clearly defining the bounds of the two subnets and what you wish to allow between them can go a long way towards avoiding/limiting future trouble.

    If you have a small home setup, it may or may not be worth the trouble of separating the networks.
    If you already have extra NICs available, it becomes the cost of an extra switch and the time to analyze the traffic.

    In the end I ask myself, "What's it worth to me if something goes wrong?"

    For a business, it's much like the question I'm continually asked: "How often should I do backups?"
    To which I invariably answer: "How many weeks/days/hours of data can you afford to lose? Back up that often."

    Only you can decide what your data and network security is worth to you.

    Just my $.02



  • OK,  I've set up the two networks per your suggestion.  I did have to add this rule to each network to get it working the way I want it.  Is this secure enough for the firewall?

    ![Screen Shot 2016-04-14 at 11.31.04 PM.png](/public/imported_attachments/1/Screen Shot 2016-04-14 at 11.31.04 PM.png)



  • @utnuc:

    OK,  I've set up the two networks per your suggestion.  I did have to add this rule to each network to get it working the way I want it.  Is this secure enough for the firewall?

    If you want to restrict traffic between the SOHO and home network, add a rule blocking traffic from SOHO to home network before the allow rule and do the same for home network. Then you can instead open single ports or addresses between the two networks if you need to.
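The ordering point in the reply above matters because pfSense evaluates interface rules top to bottom and stops at the first match. The following is an added illustration, not code from the thread or from pfSense: a small first-match evaluator with constructed subnets (192.168.10.0/24 for home, 192.168.20.0/24 for SOHO) showing that a block rule placed after "allow any" never fires, while block-then-allow with a single SSH hole gives the intended result.

```python
# Added example: first-match rule walk in the style of pfSense interface rules.
# All addresses and subnets below are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import Optional

HOME = ipaddress.ip_network("192.168.10.0/24")  # constructed: tablets/phones/laptops
SOHO = ipaddress.ip_network("192.168.20.0/24")  # constructed: the three web servers
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None matches any destination port

    def matches(self, src_ip, dst_ip, dport):
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src, dst, dport):
    """Action of the first matching rule; with no match pfSense blocks by default."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "block"


# A single allow-any rule on the home interface: everything is reachable.
ALLOW_ALL = [Rule("pass", HOME, ANY)]

# Block rule placed AFTER the allow rule: the allow matches first, block never runs.
WRONG_ORDER = [Rule("pass", HOME, ANY), Rule("block", HOME, SOHO)]

# Suggested order: one SSH hole to a single server, then block home->SOHO,
# then allow the rest (internet-bound traffic).
SUGGESTED = [
    Rule("pass", HOME, ipaddress.ip_network("192.168.20.10/32"), dport=22),
    Rule("block", HOME, SOHO),
    Rule("pass", HOME, ANY),
]

if __name__ == "__main__":
    for name, rules in (("allow-all", ALLOW_ALL), ("wrong-order", WRONG_ORDER), ("suggested", SUGGESTED)):
        print(name, "laptop->server:80", evaluate(rules, "192.168.10.5", "192.168.20.10", 80),
              "| laptop->server:22", evaluate(rules, "192.168.10.5", "192.168.20.10", 22),
              "| laptop->internet:443", evaluate(rules, "192.168.10.5", "203.0.113.7", 443))
```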



  • what is the advantage to having a separate network/subnet for the home devices and another for the servers?

    • increasing security
    • finding and solving issues and failures faster
    • being able to work with QoS to balance loads

    I can think of a couple disadvantages.

    • more knowledge is needed
    • more work, in general, for you as admin (not permanently)
    • more or more expensive hardware in the LAN & DMZ (switches, APs, etc.)

    I assume that two separate switches would be required for this set up.

    It would be a real benefit for the entire network's security and also for its overall speed:
    all devices spread over more switch chips and routing CPUs.

    And what about directly accessing the servers from my laptop (ssh/scp for instance).

    SSH or HTTPS would be common in that situation.

    You can create one or more VLANs for that use case, or use one switch as the DMZ switch and another one
    as the LAN switch. With an eye on inter-VLAN hopping, the DMZ is perhaps the better
    solution.

    • VLAN10: private LAN devices; OpenLDAP on a Raspberry Pi or on a Minnowboard Turbot
    • VLAN20: SSID "private" WLAN devices; RADIUS server on a Raspberry Pi or on a Minnowboard Turbot
    • VLAN30: SSID "guests" WLAN devices; captive portal (pfSense)
    • Web, mail, FTP, fax, and VoIP servers into the DMZ

    Together with Squid, SquidGuard, SARG, Snort, pfBlockerNG and other packages you will be able to secure
    and control your network with ease.

