PfSense - 2 Groups of users - different internet access?

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
21,770
Hello everyone,


New office location; we have our executive team and our support team, marketing and so on.

Basically the execs will get full access. I don't want to use a DMZ of course, because I want them to have the protection of the firewall.

Support and other departments will have highly limited access, using squid and such: most ports blocked, specific access to outside connections and so on.
What would be my best option to do this?

VLANs perhaps, or?

Since the execs will need to share files with other departments as well for projects.
 
pfSense with multiple NICs, and then add the firewall rules accordingly. I would put the people that need filtering on the LAN interface for squid and then the execs on their own NIC.

Should be easily possible, although I'm not sure why everyone doesn't get the same level of filtering.
 
How would that work though with file shares within the network if they are on different networks, so to speak?

Routing tables or?
 
Routing tables on the pfSense boxes will know.

So 192.168.1.x resides on fxp0 and 192.168.2.x resides on fxp1, and as long as the firewall rules state that you will allow access to either, it can route them.

I was using my pfSense box to mock up my layer 3 switch before I got it set up with the different VLANs, and it worked really well.
 
Seems like that is my only solution.

I would have thought something like this would have been simple to have in a firewall...

I have an old Netgear that had "groups" in it that URL filtering could be applied to.
 
Doing this with VLANs is much easier to maintain; you don't need to keep track of two physically separate networks and swap ports between them. It also lets you tweak things even further, for example setting up a separate network for your servers, guest users, wireless etc.

Just like rules for Internet traffic, you then need to create rules on each VLAN pseudo interface to allow or drop traffic between VLANs. Make sure you size your pfSense box to handle the traffic between your LANs and file servers as all that traffic will now go through pfSense which could be a bottleneck if you've got a bunch of GigE servers and clients. If performance is important you may need to toss an L3 switch into the mix and do some inter-vlan routing there first before hitting pfSense.

You can of course completely forgo actual segmentation and just create rules for some IP addresses to be able to do whatever they want, but that's basically just security through obscurity; it's trivial to defeat from the client side just by changing the IP address.
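As an added illustration (not from any post in this thread, and not pfSense's own generated rule set), here is the per-VLAN rule logic the post above describes, written as hand-edited pf rules. It assumes a trunk NIC `em0` carrying VLAN 10 for the execs (192.168.10.0/24) and VLAN 20 for support (192.168.20.0/24), a file server at 192.168.10.50 and squid listening on the firewall at port 3128; all of those names and addresses are assumptions for the example. Execs get full stateful outbound access, support can only reach DNS and squid on the firewall plus SMB on the file server, and everything else is dropped and logged.

```pf
# Added example, not pfSense's generated /tmp/rules.debug: equivalent pf rules
# for two VLAN pseudo-interfaces on one trunk NIC (assumed names and subnets).
# Assumed: em0 trunk, vlan10 = execs, vlan20 = support, squid on the firewall.
exec_if    = "vlan10"
supp_if    = "vlan20"
exec_net   = "192.168.10.0/24"
supp_net   = "192.168.20.0/24"
fileserver = "192.168.10.50"
proxy_port = "3128"

set skip on lo0

# Default deny on every interface; pfSense-style filtering on ingress only,
# so forwarded traffic is judged once, on the VLAN it arrives on.
block in log all
pass out quick all keep state

# Executive VLAN: full access (internet and the other VLANs), still stateful
# and still behind the firewall rather than in a DMZ.
pass in quick on $exec_if from $exec_net to any keep state

# Support VLAN: DNS and the squid proxy on the firewall's own vlan20 address,
# plus SMB to the file server on the exec VLAN for the shared project files.
pass in quick on $supp_if proto { tcp udp } from $supp_net to ($supp_if) port 53 keep state
pass in quick on $supp_if proto tcp from $supp_net to ($supp_if) port $proxy_port keep state
pass in quick on $supp_if proto tcp from $supp_net to $fileserver port { 139 445 } keep state
# Direct web access, other ports and any other inter-VLAN traffic from support
# fall through to "block in log all" and show up in the firewall log.
```

Because every rule is keyed on the interface the packet arrives on (`on $supp_if`) rather than only on the source address, a support host that changes its IP into the exec range still hits the vlan20 rules; that is the difference between real segmentation and the per-IP exceptions the post calls security through obscurity. In pfSense the same logic is entered in the GUI as rules on each VLAN interface tab, with the default deny already in place.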
 
The pfSense box is an E5200 (2.5GHz dual core) with 4G of RAM in it... think that would suffice?

Any good tutorials on setting up VLANs in pfSense?
 
I have one Dlink PCIe giga NIC, can't recall the model; the other is integrated into the Intel mobo. It can handle VLANs it seems; the Dlink can't, or when I chose to do a VLAN on the original setup it said only the integrated one could handle it. Going to check out that link. (Can't recall the mobo model right now either.)

Also the Dell switches I have are the new Dell PowerConnect 2824 Switch http://www.dell.com/us/en/business/...px?refid=switch-powerconnect-2824&s=bsd&cs=04
 
Those Dell switches can do what's necessary.

I'd seriously consider replacing that DLink NIC with an Intel; the Intel motherboard probably has an Intel NIC onboard and they are good.
 