Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Fresh Attempt

    Scheduled Pinned Locked Moved General pfSense Questions
    11 Posts 4 Posters 2.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V Offline
      venno
      last edited by

      Hi All

      Bit of background.

      I built a mini itx router based on an intel DQ77KB board with msata drive and powered off a Dell external laptop supply. Initially I had no probs installing and setting up pfsense in a basic fashion and bridging it do my adsl modem. I have a comprehensive home network that requires 2 dlink web smart switches to provide the necessary ports for all the outlets I have around the house and also accommodate my NAS, camera system, ESXi server, voip multi fxs gateway, email server, cloud server…the list goes on but you get the idea, its enough to max out 34 ports.

      The idea behind pfsense was to replace routing, port forwarding, DNS, DHCP and packet inspection of adsl modem/router whilst also adding the ability to implement VPN for selected IP's/functions as well as introducing ad blocking. I almost had everything running fine, with the exception of routing via VPN or normal gateway (struggling with firewall rules), when my home made router started to experience some odd problems like dropping the VPN or the bridge connection and also just locking up requiring a reboot. I noticed that the external adaptor was getting really hot as was the intel board. I added additional fans and tried fresh installs of pfsense but the problems persisted so I ended up ordering a Netgate 2440 which is on the way.

      Sorry for the long intro to my question but I think the background will help in answering the question at hand, which is:

      The new pfsense router has 4 ports, so if I use 1 for WAN what (if any) benefit can I derive in using the 3 remaining ports for my home network LAN side and if their is a benefit in my circumstance, what is the implementation?

      I am willing to introduce VLANs (my switches are capable) and also restructure my network if it will result in a better utlisation given the additional ports on the 2440.

      cheers

      1 Reply Last reply Reply Quote 0
      • V Offline
        vbentley
        last edited by

        I have no experience of the Netgate 2440. However, if it is VLAN capable and you have three interfaces available you could put them to use by separating service types creating additional layers of security.

        You could have VLANs for DMZ, VoIP, Print, DNS, CCTV, HomeEntertainment, and so on.

        Your old ITX firewall if it still works could also be used to offload the burden of non-internet video traffic from the Netgate. You could group VLAN's that have internet access on the Netgate, and VLANs that have no internet access or access only to services in DMZ on your old ITX box. There's no reason why you can't have more than one router/firewall in your network.

        Trademark Attribution and Credit
        pfSense® and pfSense Certified® are registered trademarks of Electric Sheep Fencing, LLC in the United States and other countries.

        1 Reply Last reply Reply Quote 0
        • V Offline
          venno
          last edited by

          Cheers vbentley

          Unfortunately the mini itx isn't usable as there is some sort of over heating or power problem, hence my purchase of 2440.

          I like the idea using vlans to segregate services and devices that don't require net access. My managed switches are vlan capable (dlink DSG series) so I guess I could theoretically do that now without requiring additional real nic ports of the 2440, so what if anything does the 2440 add to the mix apart from provisioning physical ports that could be used for physical separation of vlans at the router stage, or is this more desirable than routing vlans over same physical switch trunk?

          1 Reply Last reply Reply Quote 0
          • ? This user is from outside of this forum
            Guest
            last edited by

            Sorry for the long intro to my question but I think the background will help in answering the question at hand, which is:

            Would be preventing much more following questions in normal.

            The new pfsense router has 4 ports, so if I use 1 for WAN what (if any) benefit can I derive in using the 3 remaining ports for my home network LAN side and if their is a benefit in my circumstance, what is the implementation?

            There are often more then only one way you could go.

            • Build only some VLANs and use them as you need it, but the routing for something around 10 or more VLANs
              could be also a really strong work for the SG-2440 and will often not serving the expected throughput.
            • Building the and setting up a real WAN port, DMZ port and two LAN ports to sort them with different
              switches for different use cases.

            I am willing to introduce VLANs (my switches are capable) and also restructure my network if it will result in a better utlisation given the additional ports on the 2440.

            You can go by one WAN port sorted with the provider modem or router in the so called "bridge mode" and
            one LAN port or two LAN ports as a LAG (LACP) or one LAN and one spare port for another WAN or LAN to
            be used in the near future or for something that is not there today in usage.

            I would suggest to set up one Port as WAN, one as DMZ and another one for the LAN, the DMZ port should be
            sorted with one Layer2 Switch and without any VLANs, but filled with all devices that should be or must be
            connected to the Internet permanently or ports were opened and forwarded to them continuously. There fore
            you could use one off the old switches from now as I see it right. On that Layer2 switch you should use the pf
            rules and perhaps snort and squid to secure the DMZ area better.

            To the LAN port you might be perhaps thinking on a new Layer3 switch likes the D-Link DGS1510-20/24 or
            a Cisco SG300-20/24 that would be really nice matching in your scenario here. They are capable to route
            the entire LAN traffic with full wore speed and on top of this also between the VLANs in your network.

            I have a comprehensive home network that requires 2 dlink web smart switches to provide the necessary ports for all the outlets I have around the house and also accommodate my NAS, camera system, ESXi server, voip multi fxs gateway, email server, cloud server…the list goes on but you get the idea, its enough to max out 34 ports.

            Some devices such as the NAS can be put in the DMZ too or in the LAN and then connecting it from outside
            over a proper VPN tunnel for a better security.

            If Squid, SquidGuard, SARG, Snort, pfBlockerNG, Captive Portal, QoS and VLANs are in the game you
            would be nice impressed by the Layer3 Switch and the lower network load inside of the LAN pending
            on the device set up in the DMZ area.

            DMZ switch:

            • FTP, Web, FTP-S or S/FTP, Fax, on line DB, Cloud servers
            • Internet TV, Internet Radio, play console or inside of a separate VLAN inside of the LAN

            LAN switch:
            VLAN1 - management for you
            VLAN10 - LAN PCs, Laptops, etc….
            VLAN20 - Network Printers, Scanners,
            VLAN30 - LAN servers, NAS, SAN, DBs, server based and offered services in the LAN only
            VLAN40 - VOIP hardware and software IP phone and PBX servers or appliances
            VLAN50 - WLAN/WiFi clients private & used internal - over Radius server with certificates
            (Internet/LAN/DMZ)
            VLAN60 - WLAN/WiFi clients guests & used external - over Captive Portal with vouchers & client isolation (Internet only)
            VLAN70 - Internet TV & Radio, Xobox & playstations, AppleTV, Netflix, Entertain services, DLNA, etc....

            1 Reply Last reply Reply Quote 0
            • V Offline
              venno
              last edited by

              Cheers Frank

              Such a detailed reply, exactly what I was looking for, this has given me much to think about. Some of it will require further research as networking is not my strong point but I am always up for learning.

              I definitely like the idea of segregating services as at the moment I have one flat structure, which does work but I am sure it is not a best practices configuration (eg. entertainment devices sharing same lan as voip services).

              My switches are only layer 2 but they are managed ones and are fully vlan capable. I will fit an additional network card (I have a spare) to my NAS (G8 Expenology) to further split its services out so that I can structure my network better.

              I have room in the server rack (where all my infrastructure equipment is located) for one more 1U switch and like the idea of the DMZ, are all ports open in the DMZ or do you still forward ports as normal?

              1 Reply Last reply Reply Quote 0
              • ? This user is from outside of this forum
                Guest
                last edited by

                I have room in the server rack (where all my infrastructure equipment is located) for one more 1U switch and like the idea of the DMZ, are all ports open in the DMZ or do you still forward ports as normal?

                Yes and there the Snort IDS/IPS is also working straight forward to inspect the data flow. And for that service
                you should be able to go with the Layer2 Switch and the other could be sold and finance the newer Layer3 one
                too if needed. If there is a 10 GbE device inside of the LAN I would go with the D-Link DGS1510-20 or 24 Port
                one and if not I really would prefer to go with the Cisco SG300-20 or 24 Port one, they are really good performing.

                You could also use Squid between the servers and the Internet so they are not really directly connected
                to the Internet, that would be preventing other issues too. It would be mostly making sense to draw a
                small network schematic where all devices are inside.

                1 Reply Last reply Reply Quote 0
                • V Offline
                  venno
                  last edited by

                  @BlueKobold:

                  It would be mostly making sense to draw a small network schematic where all devices are inside.

                  Hi Frank

                  I have ordered a new dlink switch and whilst I await the arrival I have drawn up a diagram of how I could possibly interconnect everything:

                  I don't know if so many vlans are initially warranted for the LAN side, perhaps I could keep it simple to start with and apart from management vlans maybe only introduce an entertainment (streaming, netflix, radio…etc...), surveilance and a general purpose computing one (PC's, printers....etc...).

                  1 Reply Last reply Reply Quote 0
                  • D Offline
                    divsys
                    last edited by

                    For what it's worth, my suggestion of needed subnet separation/VLAN's (in approximate order of priority highest to lowest):

                    1)  IP Cams and recording devices, dedicated NAS, etc.
                    2)  Voip devices
                    3)  IOT devices (irrigation controller, power monitor, automation, etc.)
                    4)  Wifi network.
                    5)  Other desirable splits - IP TV, multimedia, Web servers, custom servers, etc.

                    1-3 are the most critical IMHO, many will argue about 4, & 5 but for a home setup they can be added as needed (I do run a #4 subnet myself).

                    Just my $.02

                    -jfp

                    1 Reply Last reply Reply Quote 0
                    • V Offline
                      venno
                      last edited by

                      Cheers divsys

                      I think I will start small and scale if needed, just to keep it simple.

                      Do I still apply vlans on the DMZ switch or do I just leave as is?

                      1 Reply Last reply Reply Quote 0
                      • D Offline
                        divsys
                        last edited by

                        Initially, you could start with leaving things as-is.

                        Don't shy from the VLAN concept because it's "too scary" or "new"
                        One way to think of this in your setup is to ignore the physical NICs in your SG2440 and redraw your diagram as if you had 6 or 8 NICs.

                        How might you separate out your network in that case?

                        All VLANs do is give you a way of addressing specified ports on your switch as if you had "extra" NICs on your pfSense box plugged into them.
                        You effectively can break up your smart 24 port switch into 3-8port or 8-3port or 2x2+3x3+3x1+1x8 or whatever configuration you need switches.

                        I agree, start simple but definitely experiment with VLANs.
                        They can improve your setup dramatically.

                        If your DMZ is intended to be wide open to the internet, then no point in VLANs.

                        From your diagram I think you could (and probably should) lock things down a little tighter.
                        Unless you have a device that really can't live with NAT and port-forwards talking to the internet (I don't see anything that obviously has that problem) you should tighten things up.

                        -jfp

                        1 Reply Last reply Reply Quote 0
                        • V Offline
                          venno
                          last edited by

                          @divsys:

                          If your DMZ is intended to be wide open to the internet, then no point in VLANs.

                          No it will still be blocked unless port forwarded, so isolated vlans could still be used to lock it down.

                          I have read up on private vlans and like the idea of community sub vlan so that a group (say apple tv's) can access both the nas streaming and the internet, or am I barking up the wrong tree?

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.