
Author Topic: How to split LAN into two? - Jikjik101's network  (Read 7303 times)


Offline jikjik101

  • Full Member
  • Posts: 193
How to split LAN into two? - Jikjik101's network
« on: August 04, 2011, 10:30:24 am »
Sorry but I don't know the correct terminology or how to describe my problem.

Recently, I ran out of NIC and I want to use the LAN card to have two different networks. The reason for this is that all our devices are connected to our file server. For security sake, I want to separate the personal devices (smartphones and laptops) to our office devices (office PCs and printers).


My current setup is: WAN - pfSense - LAN(192.168.100.x)

What I want to do is:
                  |-LAN1(192.168.100.x)
     WAN-pfSense-|
                  |-LAN2(10.10.10.x)

Is this doable in 2.0? Can you please point me to the correct direction? I'm confused with VLAN, VIP and DMZ. Which one is more proper solution to my problem?

TIA.
« Last Edit: August 11, 2011, 12:21:16 am by jikjik101 »

Offline Metu69salemi

  • Hero Member
  • Posts: 1564
Re: How to split LAN into two?
« Reply #1 on: August 04, 2011, 10:45:17 am »
How many interfaces you have in your pfsense machine?
only 2? then use vlans
three or more, you can use physical interfaces to separate subnets

both ways are equally easy

Offline ericab

  • Full Member
  • Posts: 207
Re: How to split LAN into two?
« Reply #2 on: August 04, 2011, 11:11:48 am »
this is either going to require A) a switch in front of your LAN nic, which supports VLAN tagging, or B) another physical NIC

Offline jikjik101

  • Full Member
  • Posts: 193
Re: How to split LAN into two?
« Reply #3 on: August 04, 2011, 11:56:14 am »
I have 4 nics and 3 isps. Only one for the lan is left. But I need to split the lan into two networks for security purposes. As of now, I can't get an additional nic because my mobo only supports 3 additional nics. And I can only buy the nic with more than two ports by next month. So I want to have at least a temporary solution to my problem, in which I need to "privatize" my office client group from the personal clients group.

I currently have a 3-ISP loadbalance setup.

Offline Metu69salemi

  • Hero Member
  • Posts: 1564
Re: How to split LAN into two?
« Reply #4 on: August 04, 2011, 12:06:03 pm »
Then you should use vlan with manageable switch until you get nic with multiple interfaces

Offline jahonix

  • Hero Member
  • Posts: 845
Re: How to split LAN into two?
« Reply #5 on: August 04, 2011, 01:26:42 pm »
...And i can only buy the nic with more than two ports by next month.
So i want to have atleast a temporary solution to my problem ...

If money is the limiting factor for buying another NIC then I doubt he will be able to buy a VLAN capable switch immediately.

To succeed, you need to separate the traffic. Either physically (NICs) or virtually (VLANs). Everything else does not separate the traffic and you gain nothing (except troubles).
If it is this important in a time frame before next month I probably would use one of the WAN NICs as second LAN until a dual NIC arrives.
Chris


Theoretically, theory and practice should be the same.
Practically they aren't.

Offline ericab

  • Full Member
  • Posts: 207
Re: How to split LAN into two?
« Reply #6 on: August 04, 2011, 06:14:31 pm »
10% off w/ promo code netswitch01, ends 8/8

http://www.newegg.com/Product/Product.aspx?Item=N82E16833122381&nm_mc=OTC-Froogle&cm_mmc=OTC-Froogle-_-Network+-+Switches-_-Netgear+Inc.-_-33122381

Offline jikjik101

  • Full Member
  • Posts: 193
Re: How to split LAN into two?
« Reply #7 on: August 04, 2011, 07:45:10 pm »
Then you should use vlan with manageable switch until you get nic with multiple interfaces
I thought that vlan is already "embedded" in pfsense. This is my fatal misconception. I was thinking that I could just split my LAN into two or more networks and use the VLAN tags as the "category" to identify each network. I thought VLAN was an easy concept to implement without acquiring additional hardware. ;D

If money is the limiting factor for buying another NIC then I doubt he will be able to buy a VLAN capable switch immediately.
Actually money is not the factor, it is our office location. We are currently situated in a place of nowhere. Buying gadgets like this will require us at least a 3-hour travel or at worst, needs to wait 30-45 days for our supplier to get the hardware from their manufacturer/distributor.

To succeed, you need to separate the traffic. Either physically (NICs) or virtually (VLANs). Everything else does not separate the traffic and you gain nothing (except troubles).
If it is this important in a time frame before next month I probably would use one of the WAN NICs as second LAN until a dual NIC arrives.
Since physical separation is not possible at this point in time, the only option that I have is VLAN. But VLAN needs a switch with VLAN capability, which I don't have in my possession, and buying the said hardware will still take time to procure, and time is not on my side. So I guess this is a losing battle for me unless the new hardware arrives. :'(



10% off w/ promo code netswitch01, ends 8/8

http://www.newegg.com/Product/Product.aspx?Item=N82E16833122381&nm_mc=OTC-Froogle&cm_mmc=OTC-Froogle-_-Network+-+Switches-_-Netgear+Inc.-_-33122381
Thanks for the recommendation but I prefer the NIC with 4 ports. It is easier management to control just one piece of hardware than to have many devices in between, and it is also much easier to troubleshoot and find the one problematic piece of hardware in a large system.

THANKS A LOT GUYS FOR SHEDDING LIGHT ON MY PROBLEM. CHEERS!

This is my system though:
2.0-RC3  (i386)
built on Sun Jul 31 05:05:32 EDT 2011
Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz 
http://www.dell.com/us/dfb/p/vostro-220/pd

Offline Metu69salemi

  • Hero Member
  • Posts: 1564
Re: How to split LAN into two?
« Reply #8 on: August 05, 2011, 12:41:11 am »
Well vlan is embedded in pfsense, but it needs hardware that is capable of understanding that traffic

Offline jikjik101

  • Full Member
  • Posts: 193
Re: How to split LAN into two?
« Reply #9 on: August 05, 2011, 01:13:09 am »
What can you suggest, an additional dedicated NIC or a manageable switch? Which is better in terms of performance and management? Considering that I only want to split the current LAN.

Offline Metu69salemi

  • Hero Member
  • Posts: 1564
Re: How to split LAN into two?
« Reply #10 on: August 05, 2011, 05:08:00 am »
If you think that you would have more separated lans, then manageable switch pays off via multiple vlans.
But other than that it is flavor issue, which you prefer more

Online stephenw10

  • Hero Member
  • Posts: 8080
Re: How to split LAN into two?
« Reply #11 on: August 05, 2011, 06:05:55 am »
Would it not be possible, theoretically, to use VLANs without a switch if all the LAN clients support VLAN tagging directly?
I realise it would not provide much by way of security and that it may be completely impractical if you have lots of clients. It would also rely on you trusting the client computers.
However if you need to separate the traffic for some reason other than security this might be possible.

I've never tried this but I'd be interested in your thoughts.  :)

Steve
« Last Edit: August 05, 2011, 06:07:49 am by stephenw10 »

Offline Metu69salemi

  • Hero Member
  • Posts: 1564
Re: How to split LAN into two?
« Reply #12 on: August 05, 2011, 06:50:59 am »
Hmm, i've never seen this in action. so does this mean, that i don't trust people/client machines?!?

Offline jikjik101

  • Full Member
  • Posts: 193
Re: How to split LAN into two?
« Reply #13 on: August 05, 2011, 10:02:58 pm »
@metu: is the manageable switch alone enough to create a vlan? I'm talking about hardware requirements. So from my pfsense box - manageable switch - different vlans?

@stephen: sorry but I don't understand what you are saying. If I have a vlan-capable client, can I separate this client from the others in my LAN directly? And is this client the one who can control/manage the VLAN and not me? What if I have 3 vlan-capable clients, how are they going to communicate? Thinking about vlan alone makes my head ache. :-[


My current situation: I have one LAN composed of Group A (staff) and Group B (guests). My LAN has a file server which Group B should not have access to, for confidentiality reasons. I read that I cannot filter traffic coming in and out on the same interface. But I need to restrict Group B from accessing the file server. The question is how?



Offline wallabybob

  • Hero Member
  • Posts: 5262
Re: How to split LAN into two?
« Reply #14 on: August 06, 2011, 01:53:42 am »
@metu: is the manageable switch alone enough to create a vlan? I'm talking about hardware requirements. So from my pfsense box - manageable switch - different vlans?
Yes, a small VLAN capable switch is sufficient for your needs. I'm not sure that all manageable switches are VLAN capable.

@stephen: sorry but I don't understand what you are saying. If I have a vlan-capable client, can I separate this client from the others in my LAN directly? And is this client the one who can control/manage the VLAN and not me? What if I have 3 vlan-capable clients, how are they going to communicate? Thinking about vlan alone makes my head ache. :-[
Notice also that Stephen said it would not provide much by way of security so I think that rules his idea out for your circumstances.

My current situation: I have one LAN composed of Group A (staff) and Group B (guests). My LAN has a file server which Group B should not have access to, for confidentiality reasons. I read that I cannot filter traffic coming in and out on the same interface. But I need to restrict Group B from accessing the file server. The question is how?
You need to be able to configure separate interfaces for group A and group B so you can create distinct firewall rules for each group. You can use separate physical interfaces for each group (but your slots are all in use so you might need to replace a single port card by a dual port card to get the additional interface) or you can use VLANs to get distinct "virtual" interfaces over a single physical interface. If you use VLANs you will need at least a small VLAN capable switch. Where I live small VLAN capable switches are available for under the local equivalent of US$100.

Given that you aren't allowing significant traffic between group A and group B, you should not see any significant performance difference between the two options.

Actually money is not the factor, it is our office location. We are currently situated in a place of nowhere. Buying gadgets like this will require us at least a 3-hour travel or at worst, needs to wait 30-45 days for our supplier to get the hardware from their manufacturer/distributor.
If your superiors are not prepared to fund someone for the three hour trip and are not prepared to wait 30-45 days for your current supplier to provide and are not prepared to authorise an "exception" to get suitable equipment sooner and want the solution "now" then they are not serious about the security.
To get the security you appear to need you require either an additional port or the VLAN capable switch.

On thinking through this a bit more, I notice it's not clear how groups A and B currently connect to pfSense: possibly both groups connect to a single switch, maybe there is a wireless access point or two, etc. What you will need will actually depend somewhat on the mix of devices in the different groups. For example, if every device in group B is WiFi capable then you could get away with configuring a USB Wireless NIC that can act as an access point in your pfSense box. Group B devices would then come in over WiFi and would have their own separate firewall rules. (I'm presuming your existing pfSense box has at least one spare USB slot.)
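The point wallabybob makes above (and the "cannot filter on the same interface" problem jikjik101 asks about) comes down to two facts: hosts on the same subnet exchange frames through the switch without ever touching pfSense, and pfSense evaluates firewall rules on the interface a packet enters. The following toy model, an added example that is not pfSense code or anything posted in this thread, plays both setups through: the original single LAN, and the split into LAN1 (192.168.100.x) and LAN2 (10.10.10.x) that a second NIC or a VLAN sub-interface would give. All host addresses, interface names and rules are constructed for the illustration.

```python
"""Why a guest on the same LAN as the file server cannot be filtered by
pfSense, and why a second interface (extra NIC or VLAN) fixes it.

Added example, not pfSense code. Subnets 192.168.100.0/24 and 10.10.10.0/24
come from the thread; every host address, interface name and rule below is
constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network


@dataclass
class Interface:
    """One firewall interface: a physical NIC or a VLAN sub-interface."""
    name: str
    network: IPv4Network
    # Ordered (action, destination network) rules; first match wins, as in pf.
    rules: list = field(default_factory=list)


@dataclass
class Host:
    name: str
    addr: IPv4Address
    iface: str  # interface whose L2 segment the host is plugged into


class Firewall:
    def __init__(self, interfaces):
        self.ifaces = {i.name: i for i in interfaces}

    def deliver(self, src: Host, dst: Host) -> str:
        """Classify a packet from src to dst as 'direct', 'pass' or 'block'."""
        in_if = self.ifaces[src.iface]
        if dst.addr in in_if.network:
            # Same subnet: the switch forwards the frame host to host. No
            # router is on the path, so no pfSense rule can ever match it.
            return "direct"
        # Different subnet: the packet enters pfSense on in_if, and pfSense
        # applies the rules of the ingress interface.
        for action, net in in_if.rules:
            if dst.addr in net:
                return action
        return "block"  # nothing matched: implicit default deny


def h(name, addr, iface):
    return Host(name, ip_address(addr), iface)


def single_lan_scenario():
    """Original setup: staff, guests and file server share one LAN interface."""
    lan = Interface("LAN", ip_network("192.168.100.0/24"),
                    rules=[("block", ip_network("192.168.100.10/32")),
                           ("pass", ip_network("0.0.0.0/0"))])
    fw = Firewall([lan])
    fileserver = h("fileserver", "192.168.100.10", "LAN")
    guest = h("guest-laptop", "192.168.100.30", "LAN")
    # Even with an explicit block rule for the file server on LAN, the
    # guest's packets never reach pfSense, so the rule is never consulted.
    return fw.deliver(guest, fileserver)


def split_lan_scenario():
    """Split setup: guests on a second interface (VLAN or extra NIC)."""
    lan1 = Interface("LAN1", ip_network("192.168.100.0/24"),
                     rules=[("pass", ip_network("0.0.0.0/0"))])
    lan2 = Interface("LAN2", ip_network("10.10.10.0/24"),
                     rules=[("block", ip_network("192.168.100.0/24")),
                            ("pass", ip_network("0.0.0.0/0"))])
    fw = Firewall([lan1, lan2])
    fileserver = h("fileserver", "192.168.100.10", "LAN1")
    staff = h("staff-pc", "192.168.100.20", "LAN1")
    guest = h("guest-laptop", "10.10.10.30", "LAN2")
    internet = h("web", "203.0.113.5", "WAN")  # constructed TEST-NET-3 address
    return {
        "guest->fileserver": fw.deliver(guest, fileserver),
        "guest->internet": fw.deliver(guest, internet),
        "staff->fileserver": fw.deliver(staff, fileserver),
    }


if __name__ == "__main__":
    print("single LAN, guest -> file server:", single_lan_scenario())
    for path, verdict in split_lan_scenario().items():
        print("split LAN,", path + ":", verdict)
```

In the single-LAN run the guest-to-file-server packet is reported as "direct": it was switched, not routed, so the block rule on LAN never had a chance to apply. After the split the same guest hits the LAN2 rule set on entry and is blocked from 192.168.100.0/24 while still passing to the Internet, and staff still reach the file server directly on LAN1. Whether LAN2 is a second NIC or a VLAN sub-interface on the existing NIC makes no difference to this logic; it only changes whether a VLAN-capable switch is needed to keep the two segments apart on the wire.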