pfSense Gold Subscription

Author Topic: Blocking LAN access one server  (Read 1677 times)

0 Members and 1 Guest are viewing this topic.

Offline brigzzy

  • Newbie
  • *
  • Posts: 24
    • View Profile
Blocking LAN access one server
« on: May 26, 2012, 12:53:44 am »
Hi All,

First of all I just want to say that I installed pfSense just the other night and I am adoring it so far!  It has so many amazing features that I just love (The customizable dashboard and the NAT reflection policy just to name a few), and the more I use it the more I love it.  I was running m0n0wall till the other night, but it just doesn't compare!

All gushing aside, I have a tricky sort of problem that I was hoping someone here may be able to shed some light on.  I apologize in advance if I use any incorrect terminology, as I am still learning, and also if this is the complete wrong place to post it.  I suspect that this post may be more at home on a VMware community board, but I've never had any luck getting replies there, and if the solution can be applied directly on the router than all the better.

The problem I have is this:  I host a small VPS for a friend of mine, on a server I have running VMware ESXi, managed with vCenter.  I would like to set up his VPS to have access to the gateway, but no LAN access.  Is there some way I can configure pfSense (I am thinking through a VLAN or something like that) to allow internet access, but no LAN access?  I found lots of guides on Google for allowing LAN access, and blocking the internet, but the ones I found for blocking LAN access all seemed to just involve "password protecting your shares".  I like to keep things in the house rather open, so I would just rather put his VPS on a separate network (or VLAN).  The main reason I offered to host it for him is so he can have full root access, and as such, any changes I make to the OS (Ubuntu if that matters) on his VPS he could just undo.  I don't exactly expect him to go rooting through my files or anything, I just want to learn how to separate machines from my internal LAN.  I have full access to the configuration on the VM host, and the router.

Thanks for reading, and sorry for the long post.  If you require any additional information please let me know and I will provide!

Brigzzy  :)

Offline marvosa

  • Sr. Member
  • ****
  • Posts: 333
    • View Profile
Re: Blocking LAN access one server
« Reply #1 on: May 26, 2012, 10:31:04 am »
You have several options, but I think the most straight forward approach would be to add another interface, put his VPS on a different subnet on that interface, then use the firewall to block access to your LAN.

Offline brigzzy

  • Newbie
  • *
  • Posts: 24
    • View Profile
Re: Blocking LAN access one server
« Reply #2 on: May 26, 2012, 12:23:44 pm »
You have several options, but I think the most straight forward approach would be to add another interface, put his VPS on a different subnet on that interface, then use the firewall to block access to your LAN.

Thanks for the reply!  Do you mean add a different physical interface to the router?

Offline marvosa

  • Sr. Member
  • ****
  • Posts: 333
    • View Profile
Re: Blocking LAN access one server
« Reply #3 on: May 26, 2012, 04:02:51 pm »
Yes... assuming you're using PFsense as your router.

Offline brigzzy

  • Newbie
  • *
  • Posts: 24
    • View Profile
Re: Blocking LAN access one server
« Reply #4 on: May 26, 2012, 05:07:01 pm »
Gotcha.  Thanks!

Offline biggsy

  • Sr. Member
  • ****
  • Posts: 372
    • View Profile
Re: Blocking LAN access one server
« Reply #5 on: May 26, 2012, 05:26:22 pm »
Maybe I've misunderstood what you're asking but you could create a DMZ with another vSwitch then connect an OPT interface on pfSense and the VPS's interface to that vSwitch.  The only access from the DMZ to the LAN (or the Internet) would be what you allow through rules on the DMZ.

See if this helps: http://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5#Adding_a_DMZ
« Last Edit: May 26, 2012, 06:15:14 pm by biggsy »

Offline brigzzy

  • Newbie
  • *
  • Posts: 24
    • View Profile
Re: Blocking LAN access one server
« Reply #6 on: June 06, 2012, 10:36:01 pm »
Maybe I've misunderstood what you're asking but you could create a DMZ with another vSwitch then connect an OPT interface on pfSense and the VPS's interface to that vSwitch.  The only access from the DMZ to the LAN (or the Internet) would be what you allow through rules on the DMZ.

See if this helps: http://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5#Adding_a_DMZ


Sorry for the delay, I've been without access to the internet for a bit, just now getting things back in order.

That looks like a great article, and I'm sure I can use some of the information.  The main thing I'm going for here is to try to avoid running any more cables to my server room, which is on the other side of the house, which is why I was hoping that VLANs would offer the solution I was looking for.

Thanks :)

Brigzzy

Offline biggsy

  • Sr. Member
  • ****
  • Posts: 372
    • View Profile
Re: Blocking LAN access one server
« Reply #7 on: June 07, 2012, 03:59:53 am »
I had to re-read your original post and realized that you didn't say your pfSense is virtualized.  My earlier response might have been a bit off the mark.  Think I did that early on a Sunday morning  ;D

If sharing a LAN cable is important maybe a VLAN would be the right way to go.  Could you post a rough network diagram?


Offline brigzzy

  • Newbie
  • *
  • Posts: 24
    • View Profile
Re: Blocking LAN access one server
« Reply #8 on: June 07, 2012, 05:39:02 pm »
Please see attached.

Thanks!

Offline biggsy

  • Sr. Member
  • ****
  • Posts: 372
    • View Profile
Re: Blocking LAN access one server
« Reply #9 on: June 12, 2012, 05:22:11 am »
So the pfSense machine is located away from the ESXi server?

If that's the ace I think you will need to use a VLAN and probably another NIC in the pfSense machine and in the ESXi server.  Both of these would be part of the VLAN and use separate VLAN'd ports on your switches.  That would allow the VLAN traffic to run over the same cable as your LAN traffic. 

There may be much cleverer ways of doing this but they would probably make running another long cable quite attractive, in terms of complexity.  But then, if you're not familiar with setting up VLANs, cabling might still be an easier way to isolate the traffic to and from your friend's VM.

Maybe someone else can come up with a simple solution.

 

 




 

Offline brigzzy

  • Newbie
  • *
  • Posts: 24
    • View Profile
Re: Blocking LAN access one server
« Reply #10 on: June 12, 2012, 10:37:44 pm »
Thanks for the reply again :)

Learning to set up VLANs are not a problem for me, it's a skill I was hoping to learn anyways, however I thought my switches supported VLAN tagging, and it seems they do not, so I think a new hardware order is in my future, haha.

Thanks everyone for all your help :D