pfSense, Firewall, VLAN, ACL - Best Practices?


Blue)(Fusion
Mar 1, 2017
Hello all,

I currently have a pfSense custom box as my main NAT router, firewall, gateway, and DHCP server using VLANs. Running a 10GbE network now, I think offloading as much inter-VLAN routing to the switch would be ideal... right?

I have 4 Netgear switches in a 2-tier design. 1x XSM7224S (24x 10G SFP+) is the core switch. 1x GSM7328S is in the rack for 1GbE connectivity. 2x GSM7228PS switches make up the rest of the network for security cameras, client end points, and UAPs. All 4 switches have L2+ static routing features.

Based on no personal experience, I want to run my ideas by you fine folks and get your feedback and corrections.

I want to continue using pfSense as the internet gateway router (NAT), WAN firewall, and VPN tunnel. I will probably also continue using it as the DHCP server, as I have a lot of persistent MAC-IP bindings.

So my thoughts....

  • Change pfSense LAN IP to 10.1.1.1/16 with no more VLAN configuration
  • VLAN routing and VLAN "firewalling" will be taken care of by switch ACLs
  • All VLAN ACLs should be on the "core" switch, no ACLs on other switches


Again, I am entirely new to L2+/L3 on switches. I have tried to interpret as much as I can from online tutorials and documents, but I am having trouble making it all look right to me.

Blue)(Fusion
Mar 1, 2017
To help identify my needs as much as possible, here's some current network info:

pfSense box:
  • WAN - <public IP> 1000BASE-T
  • LAN - 10.1.1.1/24 - 1000BASE-T (management network)
  • LAG1 - VLANs - 2x 10G SFP+ LAGG
    • VLAN 2 - VOIP - 10.1.2.1/24
    • VLAN 3 - Cameras - 10.1.3.1/24
    • VLAN 4 - Servers - 10.1.4.1/24
    • VLAN 5 - Management (not configured on this device as it's untagged on LAN port)**
    • VLAN 6 - IoT - 10.1.6.1/24
    • VLAN 10 - VIP - 10.1.10.1/24
    • VLAN 20 - Employees - 10.1.20.1/24
    • VLAN 30 - Guest - 10.1.30.1/24
** VLAN 5 is used as the Management VLAN on the switches and also used for management IPs of Proxmox servers.

The same VLANs are configured and Trunked via 2x SFP+ in LAG to each of the switches and to Proxmox servers (OpenVSwitch used for VLANs).


In general, the VLANs should not be cross communicating except for a few pinholes. I believe I have most (still missing a few) of those pinholes configured on the switch:

Code:
vlan database
vlan 2-6,10,20,30,666
vlan name 2 "Voice"
vlan name 3 "Cameras"
vlan name 4 "Servers"
vlan name 5 "Management"
vlan name 6 "IoT"
vlan name 10 "VIP"
vlan name 20 "Employees"
vlan name 30 "Guests"
vlan name 666 "devnull"
vlan routing 10 1
vlan routing 5 2
vlan routing 2 3
vlan routing 3 4
vlan routing 20 5
vlan routing 30 6
vlan routing 4 7
vlan routing 6 8
exit

ip access-list VLAN2
deny ip any any
exit


ip access-list VLAN3
deny ip any any
exit


ip access-list VLAN4
deny ip any any
exit


ip access-list VLAN6
deny ip any any
exit


ip access-list VLAN10
permit tcp any 10.1.3.0 0.0.0.255 eq 80
permit tcp any 10.1.3.0 0.0.0.255 eq 8080
permit tcp any 10.1.3.0 0.0.0.255 eq 443
permit tcp any 10.1.4.0 0.0.0.255 eq 22
permit tcp any 10.1.4.44 0.0.0.0 eq 3306
permit tcp any 10.1.4.46 0.0.0.0 eq 80
permit tcp any 10.1.4.46 0.0.0.0 eq 443
permit tcp any 10.1.4.2 0.0.0.0 eq 111
permit udp any 10.1.4.2 0.0.0.0 eq 111
permit tcp any 10.1.4.2 0.0.0.0 eq 2049
permit udp any 10.1.4.2 0.0.0.0 eq 2049
deny ip any any
exit


ip access-list VLAN20
permit tcp any 10.1.4.46 0.0.0.0 eq 80
permit tcp any 10.1.4.46 0.0.0.0 eq 443
deny ip any any
exit


ip access-list VLAN30
permit tcp any 10.1.4.46 0.0.0.0 eq 80
permit tcp any 10.1.4.46 0.0.0.0 eq 443
deny ip any any
exit

interface vlan 10
routing
ip address 10.1.10.254 255.255.255.0
exit

interface vlan 5
routing
ip address 10.1.5.254 255.255.255.0
exit

interface vlan 2
routing
ip address 10.1.2.254 255.255.255.0
exit

interface vlan 3
routing
ip address 10.1.3.254 255.255.255.0
exit

interface vlan 20
routing
ip address 10.1.20.254 255.255.255.0
exit

interface vlan 30
routing
ip address 10.1.30.254 255.255.255.0
exit

interface vlan 4
routing
ip address 10.1.4.254 255.255.255.0
exit

interface vlan 6
routing
ip address 10.1.6.254 255.255.255.0
exit

I do not know yet how to set up default routing. I suppose this depends on the IP/netmask used by pfSense and whether or not it will be VLAN-aware. This is where I am lost: the best practices for setting up management VLANs for the network, ensuring ACLs will work the way I intend, and the correct setup of pfSense as the default gateway for all non-VLAN traffic (i.e. to the internet).
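Switch ACLs of the kind posted above are stateless first-match lists with an implicit deny at the end, so each direction of a TCP connection is judged on its own by whichever list is bound inbound on the VLAN the packet arrives from. The following added example (not the poster's or Netgear's code) models a subset of the thread's ACLs that way and checks a VIP-to-camera web request together with its reply; it assumes the lists are applied inbound on their VLAN interfaces, which the post does not show, and the host addresses and ephemeral port are constructed.

```python
import ipaddress

# Constructed sample: a subset of the inbound ACLs from the thread, in the posted syntax.
ACLS = {
    "VLAN3": ["deny ip any any"],
    "VLAN10": [
        "permit tcp any 10.1.3.0 0.0.0.255 eq 80",
        "permit tcp any 10.1.4.44 0.0.0.0 eq 3306",
        "deny ip any any",
    ],
}

def _addr(tokens):
    """Consume 'any' or '<ip> <wildcard>' from the token list and return a network."""
    if tokens[0] == "any":
        del tokens[0]
        return ipaddress.ip_network("0.0.0.0/0")
    ip, wildcard = tokens[0], tokens[1]
    del tokens[:2]
    # Wildcard masks are inverted netmasks: 0.0.0.255 -> /24, 0.0.0.0 -> /32
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def parse_ace(line):
    """Parse one access-control entry into (action, proto, src_net, dst_net, dport)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _addr(rest)
    dst = _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def evaluate(acl_name, proto, src_ip, dst_ip, dport):
    """First-match evaluation with an implicit deny when no entry matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in ACLS[acl_name]:
        action, rproto, rsrc, rdst, rport = parse_ace(line)
        if rproto not in ("ip", proto):
            continue
        if src in rsrc and dst in rdst and (rport is None or rport == dport):
            return action
    return "deny"

def check_flow(src_acl, src_ip, dst_acl, dst_ip, dport, ephemeral=51000):
    """The request is judged by the list on the client's VLAN, the reply by the
    list on the server's VLAN; a stateless ACL does not track the connection."""
    request = evaluate(src_acl, "tcp", src_ip, dst_ip, dport)
    reply = evaluate(dst_acl, "tcp", dst_ip, src_ip, ephemeral)
    return request, reply

if __name__ == "__main__":
    # VIP host browsing a camera: request permitted by VLAN10, reply denied by VLAN3.
    print(check_flow("VLAN10", "10.1.10.20", "VLAN3", "10.1.3.50", 80))  # ('permit', 'deny')
```

A pinhole that is only permitted on the client side therefore still fails on the reply; the server-side list needs a matching entry for the return traffic (or the filtering has to be done on a stateful firewall such as pfSense).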