Netgate Discussion Forum
    Advantage to separating SOHO and home networks?

    General pfSense Questions
    7 Posts, 5 Posters, 2.0k Views
    utnuc wrote:

      Hello, new to pfSense… and new to advanced network design. I have a quad NIC box on order that I plan to use at my home.  Have multiple home devices (tablets/phones/laptops) as well as 3 (SOHO) web servers.  Network theory question:  what is the advantage to having a separate network/subnet for the home devices and another for the servers?

      I can think of a couple disadvantages.  I assume that two separate switches would be required for this set up.  And what about directly accessing the servers from my laptop (ssh/scp for instance).

      Thanks in advance.

    churchi wrote:

        You can use VLANs if your switch supports Layer 2 configuration.

        This means you can have the Layer 3 address on your pfSense firewall and you can run ACLs/firewall rules between the networks.

        Having them on different subnets allows you to manage the communication between the networks. You can have it permit any any, or you can add in some rules.

        The only issue there is that the routing/switching between the subnets always has to hairpin through a pfSense port. If they were all on the same subnet the switch would just switch the traffic between the hosts without needing to hit the Layer 3 IP address.

        All in all, it's a good idea if your pfSense has enough grunt.

    utnuc wrote:

          > @churchi:
          >
          > You can use VLANs if your switch supports Layer 2 configuration.
          >
          > This means you can have the Layer 3 address on your pfSense firewall and you can run ACLs/firewall rules between the networks.
          >
          > Having them on different subnets allows you to manage the communication between the networks. You can have it permit any any, or you can add in some rules.
          >
          > The only issue there is that the routing/switching between the subnets always has to hairpin through a pfSense port. If they were all on the same subnet the switch would just switch the traffic between the hosts without needing to hit the Layer 3 IP address.
          >
          > All in all, it's a good idea if your pfSense has enough grunt.

          Thanks for your reply.  Just trying to learn here - but I fail to see how firewalling my internet only devices from my webservers is beneficial.  I have no hackers in my family, or anyone else who even knows their way around a terminal.  Bunch of iPads my wife and kids use.

          I've read that it is generally a good idea many places here, but I just can't seem to find a definitive reason for this.  Will pfSense allow me to track network usage on different subnets?  I could see this being beneficial for tax reporting…

    divsys wrote:

            > Just trying to learn here - but I fail to see how firewalling my internet only devices from my webservers is beneficial.  I have no hackers in my family, or anyone else who even knows their way around a terminal.

            One counter argument to "no hackers in my family" is: what happens if someone in your home accidentally gets hacked/a virus/grandkids clicking something they shouldn't?
            It's entirely possible that malware will dynamically search through all easily reachable parts of your network.
            Vice versa, what if a webserver gets hacked and starts trying to zombie the attached iPads?
            Clearly defining the bounds of the two subnets and what you wish to allow between them can go a long way towards avoiding/limiting future trouble.

            If you have a small home setup, it may or may not be worth the trouble of separating the networks.
            If you already have extra NICs available, it becomes the cost of an extra switch and the time to analyze the traffic.

            In the end I ask myself, "What's it worth to me if something goes wrong?"

            For a business, it's much like the question I'm continually asked: "How often should I do backups?"
            To which I invariably answer: "How many weeks/days/hours of data can you afford to lose?  Back up that often."

            Only you can decide what your data and network security is worth to you.

            Just my $.02

            -jfp

    utnuc wrote:

              OK,  I've set up the two networks per your suggestion.  I did have to add this rule to each network to get it working the way I want it.  Is this secure enough for the firewall?

              ![Screen Shot 2016-04-14 at 11.31.04 PM.png](/public/imported_attachments/1/Screen Shot 2016-04-14 at 11.31.04 PM.png)

    fragged wrote:

                > @utnuc:
                >
                > OK,  I've set up the two networks per your suggestion.  I did have to add this rule to each network to get it working the way I want it.  Is this secure enough for the firewall?

                If you want to restrict traffic between the SOHO and home network, add a rule blocking traffic from SOHO to home network before the allow rule and do the same for home network. Then you can instead open single ports or addresses between the two networks if you need to.

    Guest wrote:

                  > what is the advantage to having a separate network/subnet for the home devices and another for the servers?
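pfSense evaluates the rules on an interface from top to bottom and the first match wins (with an implicit deny for anything nothing matches), which is why the block rule fragged describes has to sit above the broad allow rule, and why a narrow "open this one port" rule has to sit above the block. The following Python model of that evaluation is an added example, not code from the thread or from pfSense itself; the subnets, rule labels and the shadowed-rule check are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    src: str                 # source network in CIDR, or "any"
    dst: str                 # destination network in CIDR, or "any"
    port: Optional[int] = None  # destination port; None matches any port
    label: str = ""

def _net_matches(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def _rule_matches(rule: Rule, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    return (_net_matches(rule.src, src_ip)
            and _net_matches(rule.dst, dst_ip)
            and (rule.port is None or rule.port == dst_port))

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, label) of the first rule that matches; default deny if none does.
    This mirrors pfSense's first-match interface rules (constructed model, not pfSense code)."""
    for rule in rules:
        if _rule_matches(rule, src_ip, dst_ip, dst_port):
            return rule.action, rule.label
    return "block", "default deny"

def _net_covers(outer: str, inner: str) -> bool:
    """True if every address in `inner` is also in `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def _covers(earlier: Rule, later: Rule) -> bool:
    return (_net_covers(earlier.src, later.src)
            and _net_covers(earlier.dst, later.dst)
            and (earlier.port is None or earlier.port == later.port))

def shadowed(rules: List[Rule]) -> List[str]:
    """Labels of rules that can never fire because an earlier rule matches everything they would."""
    dead = []
    for i, later in enumerate(rules):
        if any(_covers(earlier, later) for earlier in rules[:i]):
            dead.append(later.label)
    return dead

# Constructed sample subnets for the thread's two networks.
HOME = "192.168.10.0/24"
SOHO = "192.168.20.0/24"

# Rules on the HOME interface, ordered as fragged suggests:
# the single allowed port first, then the block between the networks, then the broad allow.
HOME_RULES = [
    Rule("pass", HOME, SOHO, 22, "allow SSH from home to SOHO"),
    Rule("block", HOME, SOHO, None, "block home to SOHO"),
    Rule("pass", HOME, "any", None, "allow home to anything else"),
]

# The same rules with the broad allow placed first: the other two can never match.
BAD_ORDER = [
    Rule("pass", HOME, "any", None, "allow home to anything else"),
    Rule("block", HOME, SOHO, None, "block home to SOHO"),
    Rule("pass", HOME, SOHO, 22, "allow SSH from home to SOHO"),
]

if __name__ == "__main__":
    laptop, server, internet = "192.168.10.5", "192.168.20.10", "203.0.113.7"
    print(evaluate(HOME_RULES, laptop, server, 22))     # ('pass', 'allow SSH from home to SOHO')
    print(evaluate(HOME_RULES, laptop, server, 80))     # ('block', 'block home to SOHO')
    print(evaluate(HOME_RULES, laptop, internet, 443))  # ('pass', 'allow home to anything else')
    print(shadowed(HOME_RULES))                         # []
    print(shadowed(BAD_ORDER))                          # both narrower rules are dead
```

The `shadowed` check is the audit a practitioner would run after building the rule set: if it names the block rule, the allow above it is wider than intended and the two networks are not actually separated. The same pattern, mirrored, goes on the SOHO interface so that a compromised server cannot reach the home devices.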

                  • increasing security
                  • finding and solving issues and failures faster
                  • being able to work with QoS to balance loads

                  > I can think of a couple disadvantages.

                  • more knowledge is needed
                  • more work for you as admin at first (not permanently)
                  • more, or more expensive, hardware in the LAN & DMZ (switches, APs, etc.)

                  > I assume that two separate switches would be required for this set up.

                  It would be a real benefit for the entire network's security and also for overall speed,
                  since all devices are spread over more switch chips and routing CPUs.

                  > And what about directly accessing the servers from my laptop (ssh/scp for instance).

                  SSH or HTTPS would be common in those situations.

                  You can create one or more VLANs for that use case, or use one switch as the DMZ switch and another
                  as the LAN switch. With an eye on inter-VLAN hopping, the DMZ is perhaps the better
                  solution.

                  • VLAN10: private LAN devices, OpenLDAP on a Raspberry Pi or on a Minnowboard Turbot
                  • VLAN20: SSID "private" WLAN devices, RADIUS server on a Raspberry Pi or on a Minnowboard Turbot
                  • VLAN30: SSID "guests" WLAN devices, captive portal (pfSense)
                  • Web, mail, FTP, fax, and VoIP servers in the DMZ

                  Together with Squid, SquidGuard, SARG, Snort, pfBlockerNG and other packages you will be able to secure
                  and control your network with ease.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.