Discussion:
[pfSense] Finding the best network setup for pfsense.
Antonio
2017-12-22 21:56:32 UTC
Hello,

I'm trying to design an optimal network setting for my home and was
wondering what people's thoughts were based on my needs:

1) Need a single DHCP, DNSMasq server;

2) want to route traffic through VPNs only on certain parts of my network

3) want to eventually install a proxy somewhere on the network to route
traffic from my kids laptops/tablets.

4) obviously want to firewall all centrally as best as possible.

My setup is as follows:

a) I have a little compact mini PC with four ethernet connections (1x
WAN and 3x LAN) - it has wifi too

b) A Netgear Modem onto ADSL

c) A Netgear router Hawk 7000

d) a couple of desktop PCs wired to (a) as well as a server

e) several mobiles, IoTs that connect wireless to (c)

At the moment the connection is (b)->(c)->(a)->PCs but I feel I'm not
getting the best of this setup, particularly pfSense which at the moment
is just firewalling my PCs/server.

I generally consider the wifi network the weak point as guests come and
connect to it; that's why it's connected before (a). Traffic from (c)
cannot get past (a) but the PCs/server can get out on the internet. I
feel that (a) should be connected to (b) and (c) should then be
connected to one of the LAN ports on (a), say LAN2 (I would have a
switch on LAN1 with the PCs/server). I could then use pfSense to route
traffic from LAN2 to WAN and firewall LAN1 so that traffic from LAN2
could not go to LAN1.

That way, I could then set up pfSense as my single DHCP and DNSMasq
server. I could then set up VPNs for just traffic of LAN1 or LAN2.

Would you agree with this sort of setup or do you think I could
implement things better?

I look forward to some of your thoughts.

Best regards
--
Respect your privacy and that of others, don't give your data to big corporations.
Use alternatives like Signal (https://whispersystems.org/) for your messaging or
Diaspora* (https://joindiaspora.com/) for your social networking.
Eero Volotinen
2017-12-22 22:35:07 UTC
Well,

Just plug pfSense into the ADSL and buy a managed switch and some UniFi WLAN APs.
You can install the proxy on the pfSense box too.


Eero

22.12.2017 23.57 "Antonio" <***@geotux.it> wrote:

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Antonio
2017-12-23 00:15:58 UTC
Sounds cool, but maybe a bit overkill for what I need ...

Cheers

Ryan Coleman
2017-12-23 00:29:55 UTC
I think the overkill is all the extra appliances doing things that pfSense can do.

You want the pfSense to be in the middle, you want the traffic to be filtered and routed… pfSense is great for this very task, you don’t need the Hawk or Netgear firewalls…

aDSL modem -> pfSense -> switch -> Rest of network
Antonio
2017-12-23 02:34:26 UTC
You are probably right so I have gone and disconnected the Hawk. I'm a
bit worried now that my WAN is exposed to attacks. Is it sufficient to
have the "Block private networks" and "Block bogon networks" active on
the WAN interface? Any other rules needed?


Thanks

Laz C. Peterson
2017-12-23 03:29:36 UTC
Hello,

A couple words from our experiences …

We have quite a few firewalls and many services offered publicly depending on which site you’re talking about, and we’ve learned that it really doesn’t pay off to try and micro-manage the firewall. pfSense is done well, so by default you can feel good about not really playing with the settings. If you want security, you really want to have VPN to any clients that are going to access your network. Don’t be opening up ports on the firewall. So if you wanted to have access to your internal network, you could set that up easily with pfSense and the client for your OS.

If you wanted to do public services, like a web server etc., then it is what it is. You’ll get hit by who knows what. People scan IPs and ports all day long. It doesn’t stop. But then just open the ports, send them to your internal server and call it a day. No need to worry about those things at the pfSense, unless you start having issues (then you can look into security features in pfSense).

Blocking private networks is a necessity (unless you have weird network requirements) because no WAN IP should have a private address trying to communicate with your pfSense. That would be bad news.

The proxy is great. You’ll love it for your kids. Just make sure to disable their cellular access ;-) …

Regarding routing, we always make separate subnets. One internal subnet would be “home” and the other would be “work”. Work network gets to connect to VPNs, home does not. Each network carries its traffic separately internally and to the internet, and they cannot communicate with each other. We do have some cases with AppleTV that we want to have mDNS and communication between subnets, so we do make special consideration for those — but it’s rare. But that may be of use to you … Streaming devices are always fun to get working with a complex (but optimal!) network.

Just some thoughts for you. Good luck!

~ Laz Peterson
Paravis, LLC
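Antonio's LAN1/LAN2 design from the start of the thread, his question about what else the WAN needs beyond "Block private networks" and "Block bogon networks", and Laz's "VPN in, no open ports, separate subnets" advice, written out as one ruleset in raw pf(4) syntax. This is an added illustration, not Antonio's configuration and not a ruleset pfSense generated (pfSense writes its own rules from the GUI). The interface names igb0/igb1/igb2, the ovpnc1 tunnel and its 10.8.0.1 gateway, the bogon file path and the OpenVPN port 1194 are all assumptions.

```pf
# Added example: one pf(4) ruleset for the thread's design (not pfSense-generated).
# Assumed interfaces on the 4-port box: igb0 = WAN, igb1 = LAN1, igb2 = LAN2.
# Assumed VPN client tunnel: ovpnc1, remote gateway 10.8.0.1; OpenVPN server on udp/1194.
wan    = "igb0"
lan1   = "igb1"        # wired PCs + server (trusted)
lan2   = "igb2"        # Wi-Fi AP behind it: guests, phones, IoT (untrusted)
vpn    = "ovpnc1"      # OpenVPN client tunnel used as LAN2's only egress
vpn_gw = "10.8.0.1"    # assumed gateway address inside the tunnel

# "Block private networks": sources that can never legitimately arrive on WAN.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
# "Block bogon networks": pfSense refreshes this list itself; assumed file path here.
table <bogons> persist file "/etc/bogons"

set block-policy drop      # drop silently on blocks; no RST/ICMP for scanners
set skip on lo0

# --- translation (pf requires nat before filter rules) ---
nat on $wan from $lan1:network to any -> ($wan)    # LAN1 goes out the WAN
nat on $vpn from $lan2:network to any -> ($vpn)    # LAN2 goes out the tunnel only

# --- default deny: anything not passed below is dropped and logged ---
block log all
pass out all               # egress policy is enforced on each LAN's inbound side

# --- WAN ---
block in quick on $wan from { <private>, <bogons> } to any
antispoof quick for $wan
# The only inbound service is the OpenVPN server for remote access; no port forwards.
pass in on $wan inet proto udp from any to ($wan) port 1194

# --- services pfSense provides to both LANs (single DHCP + DNS server) ---
pass in on { $lan1, $lan2 } inet proto udp from any port 68 to any port 67
pass in on $lan1 inet proto { tcp, udp } from $lan1:network to ($lan1) port 53
pass in on $lan2 inet proto { tcp, udp } from $lan2:network to ($lan2) port 53

# --- segmentation ---
# LAN1 (trusted) may initiate to anything, LAN2 devices included.
pass in on $lan1 from $lan1:network to any
# LAN2 may never initiate to LAN1 hosts or to the firewall's LAN1 address (GUI/SSH).
block in quick on $lan2 from any to { $lan1:network, ($lan1) }
# LAN2 reaches only non-private destinations, policy-routed into the VPN tunnel,
# so it is not handed to the WAN default route when the tunnel is down.
pass in on $lan2 route-to ($vpn $vpn_gw) inet from $lan2:network to !<private>
```

Syntax-check with `pfctl -nf rules.conf` before loading. On pfSense you would not hand-edit pf.conf; you reproduce the same intent under Firewall > Rules (one tab per interface, default deny underneath) and Firewall > NAT > Outbound. The two tables are what the WAN checkboxes Antonio asks about give you; the rest of the WAN protection is simply that nothing is passed in except the VPN port, which is what Laz's "don't open ports, VPN in" comes down to. One caveat the rules make visible: LAN2's DNS is answered by pfSense, whose own upstream queries leave via the WAN rather than the tunnel unless the resolver is bound to the VPN interface.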