Fresh Attempt



  • Hi All

    Bit of background.

    I built a mini itx router based on an intel DQ77KB board with msata drive and powered off a Dell external laptop supply. Initially I had no probs installing and setting up pfsense in a basic fashion and bridging it do my adsl modem. I have a comprehensive home network that requires 2 dlink web smart switches to provide the necessary ports for all the outlets I have around the house and also accommodate my NAS, camera system, ESXi server, voip multi fxs gateway, email server, cloud server…the list goes on but you get the idea, its enough to max out 34 ports.

    The idea behind pfsense was to replace routing, port forwarding, DNS, DHCP and packet inspection of adsl modem/router whilst also adding the ability to implement VPN for selected IP's/functions as well as introducing ad blocking. I almost had everything running fine, with the exception of routing via VPN or normal gateway (struggling with firewall rules), when my home made router started to experience some odd problems like dropping the VPN or the bridge connection and also just locking up requiring a reboot. I noticed that the external adaptor was getting really hot as was the intel board. I added additional fans and tried fresh installs of pfsense but the problems persisted so I ended up ordering a Netgate 2440 which is on the way.

    Sorry for the long intro to my question but I think the background will help in answering the question at hand, which is:

    The new pfsense router has 4 ports, so if I use 1 for WAN what (if any) benefit can I derive in using the 3 remaining ports for my home network LAN side and if their is a benefit in my circumstance, what is the implementation?

    I am willing to introduce VLANs (my switches are capable) and also restructure my network if it will result in a better utlisation given the additional ports on the 2440.

    cheers



  • I have no experience of the Netgate 2440. However, if it is VLAN capable and you have three interfaces available you could put them to use by separating service types creating additional layers of security.

    You could have VLANs for DMZ, VoIP, Print, DNS, CCTV, HomeEntertainment, and so on.

    Your old ITX firewall if it still works could also be used to offload the burden of non-internet video traffic from the Netgate. You could group VLAN's that have internet access on the Netgate, and VLANs that have no internet access or access only to services in DMZ on your old ITX box. There's no reason why you can't have more than one router/firewall in your network.



  • Cheers vbentley

    Unfortunately the mini itx isn't usable as there is some sort of over heating or power problem, hence my purchase of 2440.

    I like the idea using vlans to segregate services and devices that don't require net access. My managed switches are vlan capable (dlink DSG series) so I guess I could theoretically do that now without requiring additional real nic ports of the 2440, so what if anything does the 2440 add to the mix apart from provisioning physical ports that could be used for physical separation of vlans at the router stage, or is this more desirable than routing vlans over same physical switch trunk?



  • Sorry for the long intro to my question but I think the background will help in answering the question at hand, which is:

    Would be preventing much more following questions in normal.

    The new pfsense router has 4 ports, so if I use 1 for WAN what (if any) benefit can I derive in using the 3 remaining ports for my home network LAN side and if their is a benefit in my circumstance, what is the implementation?

    There are often more then only one way you could go.

    • Build only some VLANs and use them as you need it, but the routing for something around 10 or more VLANs
      could be also a really strong work for the SG-2440 and will often not serving the expected throughput.
    • Building the and setting up a real WAN port, DMZ port and two LAN ports to sort them with different
      switches for different use cases.

    I am willing to introduce VLANs (my switches are capable) and also restructure my network if it will result in a better utlisation given the additional ports on the 2440.

    You can go by one WAN port sorted with the provider modem or router in the so called "bridge mode" and
    one LAN port or two LAN ports as a LAG (LACP) or one LAN and one spare port for another WAN or LAN to
    be used in the near future or for something that is not there today in usage.

    I would suggest to set up one Port as WAN, one as DMZ and another one for the LAN, the DMZ port should be
    sorted with one Layer2 Switch and without any VLANs, but filled with all devices that should be or must be
    connected to the Internet permanently or ports were opened and forwarded to them continuously. There fore
    you could use one off the old switches from now as I see it right. On that Layer2 switch you should use the pf
    rules and perhaps snort and squid to secure the DMZ area better.

    To the LAN port you might be perhaps thinking on a new Layer3 switch likes the D-Link DGS1510-20/24 or
    a Cisco SG300-20/24 that would be really nice matching in your scenario here. They are capable to route
    the entire LAN traffic with full wore speed and on top of this also between the VLANs in your network.

    I have a comprehensive home network that requires 2 dlink web smart switches to provide the necessary ports for all the outlets I have around the house and also accommodate my NAS, camera system, ESXi server, voip multi fxs gateway, email server, cloud server…the list goes on but you get the idea, its enough to max out 34 ports.

    Some devices such as the NAS can be put in the DMZ too or in the LAN and then connecting it from outside
    over a proper VPN tunnel for a better security.

    If Squid, SquidGuard, SARG, Snort, pfBlockerNG, Captive Portal, QoS and VLANs are in the game you
    would be nice impressed by the Layer3 Switch and the lower network load inside of the LAN pending
    on the device set up in the DMZ area.

    DMZ switch:

    • FTP, Web, FTP-S or S/FTP, Fax, on line DB, Cloud servers
    • Internet TV, Internet Radio, play console or inside of a separate VLAN inside of the LAN

    LAN switch:
    VLAN1 - management for you
    VLAN10 - LAN PCs, Laptops, etc….
    VLAN20 - Network Printers, Scanners,
    VLAN30 - LAN servers, NAS, SAN, DBs, server based and offered services in the LAN only
    VLAN40 - VOIP hardware and software IP phone and PBX servers or appliances
    VLAN50 - WLAN/WiFi clients private & used internal - over Radius server with certificates
    (Internet/LAN/DMZ)
    VLAN60 - WLAN/WiFi clients guests & used external - over Captive Portal with vouchers & client isolation (Internet only)
    VLAN70 - Internet TV & Radio, Xobox & playstations, AppleTV, Netflix, Entertain services, DLNA, etc....



  • Cheers Frank

    Such a detailed reply, exactly what I was looking for, this has given me much to think about. Some of it will require further research as networking is not my strong point but I am always up for learning.

    I definitely like the idea of segregating services as at the moment I have one flat structure, which does work but I am sure it is not a best practices configuration (eg. entertainment devices sharing same lan as voip services).

    My switches are only layer 2 but they are managed ones and are fully vlan capable. I will fit an additional network card (I have a spare) to my NAS (G8 Expenology) to further split its services out so that I can structure my network better.

    I have room in the server rack (where all my infrastructure equipment is located) for one more 1U switch and like the idea of the DMZ, are all ports open in the DMZ or do you still forward ports as normal?



  • I have room in the server rack (where all my infrastructure equipment is located) for one more 1U switch and like the idea of the DMZ, are all ports open in the DMZ or do you still forward ports as normal?

    Yes and there the Snort IDS/IPS is also working straight forward to inspect the data flow. And for that service
    you should be able to go with the Layer2 Switch and the other could be sold and finance the newer Layer3 one
    too if needed. If there is a 10 GbE device inside of the LAN I would go with the D-Link DGS1510-20 or 24 Port
    one and if not I really would prefer to go with the Cisco SG300-20 or 24 Port one, they are really good performing.

    You could also use Squid between the servers and the Internet so they are not really directly connected
    to the Internet, that would be preventing other issues too. It would be mostly making sense to draw a
    small network schematic where all devices are inside.



  • @BlueKobold:

    It would be mostly making sense to draw a small network schematic where all devices are inside.

    Hi Frank

    I have ordered a new dlink switch and whilst I await the arrival I have drawn up a diagram of how I could possibly interconnect everything:

    I don't know if so many vlans are initially warranted for the LAN side, perhaps I could keep it simple to start with and apart from management vlans maybe only introduce an entertainment (streaming, netflix, radio…etc...), surveilance and a general purpose computing one (PC's, printers....etc...).



  • For what it's worth, my suggestion of needed subnet separation/VLAN's (in approximate order of priority highest to lowest):

    1)  IP Cams and recording devices, dedicated NAS, etc.
    2)  Voip devices
    3)  IOT devices (irrigation controller, power monitor, automation, etc.)
    4)  Wifi network.
    5)  Other desirable splits - IP TV, multimedia, Web servers, custom servers, etc.

    1-3 are the most critical IMHO, many will argue about 4, & 5 but for a home setup they can be added as needed (I do run a #4 subnet myself).

    Just my $.02



  • Cheers divsys

    I think I will start small and scale if needed, just to keep it simple.

    Do I still apply vlans on the DMZ switch or do I just leave as is?



  • Initially, you could start with leaving things as-is.

    Don't shy from the VLAN concept because it's "too scary" or "new"
    One way to think of this in your setup is to ignore the physical NICs in your SG2440 and redraw your diagram as if you had 6 or 8 NICs.

    How might you separate out your network in that case?

    All VLANs do is give you a way of addressing specified ports on your switch as if you had "extra" NICs on your pfSense box plugged into them.
    You effectively can break up your smart 24 port switch into 3-8port or 8-3port or 2x2+3x3+3x1+1x8 or whatever configuration you need switches.

    I agree, start simple but definitely experiment with VLANs.
    They can improve your setup dramatically.

    If your DMZ is intended to be wide open to the internet, then no point in VLANs.

    From your diagram I think you could (and probably should) lock things down a little tighter.
    Unless you have a device that really can't live with NAT and port-forwards talking to the internet (I don't see anything that obviously has that problem) you should tighten things up.



  • @divsys:

    If your DMZ is intended to be wide open to the internet, then no point in VLANs.

    No it will still be blocked unless port forwarded, so isolated vlans could still be used to lock it down.

    I have read up on private vlans and like the idea of community sub vlan so that a group (say apple tv's) can access both the nas streaming and the internet, or am I barking up the wrong tree?


Log in to reply