Bridge VLAN across PFsense

Good Day all,

I am working with a couple local non-profit groups in designing and setting up a networking and computer lab for educational purposes. This is a tad ironic because… I have to learn some stuff in order to make it happen. Anyway…

The building that this lab will be hosted in is a community center, of sorts, and has business class internet with a Unifi system doing the distribution. On this Unifi network are several VLANs (VLAN 2, 10, 20, 30, 40) that we would like to have available in our lab while simultaneously preventing access to other VLANs or the community center’s private network. We will have internet access through the community center’s public network.

The lab environment will consist of FreeNas, XCP-NG and FreePBX dedicated servers, with XCP-NG allowing virtual machines to be added. This entire lab will be sitting behind a Pfsense firewall. There will be additional resources (cameras, VOIP phones or what have you) on the previously mentioned VLANs on the community center’s network.

My question is… is it possible, and if so, how should I bridge the VLANs on the community center side (WAN of Pfsense) and the lab side (LAN of Pfsense)?


I would think that it all depends on how your network is set up. Let’s just assume that all of the VLANs already have dedicated gateways. Take two free IP addresses (one from each VLAN) and assign them to your PFS server. It doesn’t matter whether you use WAN or LAN for any VLAN as long as you know the network segment you are connecting to and assign the right IP address for the right VLAN network segment. You would then need to work out the firewall rules that you want to implement. I would suggest using dedicated VIPs on each side of the firewall to provide direct connections for whatever systems you want to route traffic to. Make sure you review some of the YouTube videos on setting up PFSense on an internal network with non-Internet-routable IP addresses. And remember, PING is your friend.


You know, I got thinking about it. Since the lab is going to have a smart switch… I think I can do some fancy footwork with the VLANs utilizing a couple of ports on the switch. What I am thinking is to have, say, port 1 as my “Trunk” port to the community center’s network, tagged for the VLANs I need. Then have port 2 as the WAN port for PFSense. Then port 3 set up for the LAN port. The VLANs would be available to any other port on the switch, and I could create a VLAN in the switch that only has ports 1 & 2 as members to carry the “internet source”. This would bring the VLANs I need around PFSense instead of through it, but I don’t need PFSense to do anything to them anyway.
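The port layout described in that post, as an added example that is not part of the thread: a small Python model of the switch’s VLAN membership table that checks the design intent (the “internet source” VLAN confined to ports 1 and 2, no VLAN shared by the pfSense WAN and LAN ports, no lab-side VLAN carried on the trunk) and reports which lab ports see the community VLANs without passing through pfSense. The VLAN ids 99 (internet source) and 100 (lab LAN) and the lab ports 4 and 5 are assumptions, not values from the thread.

```python
from collections import defaultdict

# Constructed switch VLAN plan following the post: port 1 is the trunk to the
# community center, port 2 the pfSense WAN port, port 3 the pfSense LAN port,
# ports 4-5 are lab ports. VLAN 99 ("internet source") and VLAN 100 (lab LAN
# behind pfSense) are assumed ids, not taken from the thread.
PLAN = {
    1: {"tagged": {2, 10, 20, 30, 40, 99}, "untagged": None},
    2: {"tagged": set(), "untagged": 99},
    3: {"tagged": set(), "untagged": 100},
    4: {"tagged": {2, 10, 20, 30, 40}, "untagged": 100},
    5: {"tagged": {2, 10, 20, 30, 40}, "untagged": 100},
}
COMMUNITY_VLANS = {2, 10, 20, 30, 40}


def vlan_members(plan):
    """Map each VLAN id to the set of ports carrying it, tagged or untagged."""
    members = defaultdict(set)
    for port, cfg in plan.items():
        for vid in cfg["tagged"]:
            members[vid].add(port)
        if cfg["untagged"] is not None:
            members[cfg["untagged"]].add(port)
    return dict(members)


def shared_vlans(plan, a, b):
    """VLAN ids on which ports a and b can exchange frames without routing."""
    return {vid for vid, ports in vlan_members(plan).items() if {a, b} <= ports}


def audit(plan, trunk, wan, lan, internet_vlan):
    """Check the plan against the post's intent; returns a list of findings."""
    members = vlan_members(plan)
    findings = []
    # The internet VLAN must reach exactly the trunk and the pfSense WAN port.
    if members.get(internet_vlan, set()) != {trunk, wan}:
        findings.append(f"VLAN {internet_vlan} is on ports "
                        f"{sorted(members.get(internet_vlan, ()))}, expected {trunk} and {wan}")
    # A VLAN shared by the WAN and LAN ports lets traffic skip pfSense entirely.
    for vid in sorted(shared_vlans(plan, wan, lan)):
        findings.append(f"VLAN {vid} bridges pfSense WAN port {wan} and LAN port {lan}")
    # A LAN-side VLAN carried on the trunk leaks lab traffic into the community network.
    for vid in sorted(shared_vlans(plan, lan, trunk)):
        findings.append(f"VLAN {vid} is on LAN port {lan} and trunk port {trunk}")
    return findings


def unfirewalled_ports(plan, trunk, community_vlans):
    """Ports that see community VLANs straight off the trunk, i.e. around pfSense."""
    return {p for p in plan if p != trunk and shared_vlans(plan, trunk, p) & community_vlans}
```

Running `audit(PLAN, 1, 2, 3, 99)` on the plan above returns no findings, while `unfirewalled_ports(PLAN, 1, COMMUNITY_VLANS)` lists the lab ports whose community-VLAN traffic never touches pfSense, which is the trade-off the post accepts.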

This arrangement, with every port of every device connected to the switch, is called a “Core Switch” and is very common in certain industries. For example, almost every hotel you have ever stayed at uses it.

Edit: Except for IHG hotels… they absolutely hate the Core Switch idea.

You say you hate them… any particular reason? Again, I’m just looking for a way to make the lab the most usable, including giving access to these 5 VLANs which are on the community center’s network… all while protecting their network.

I don’t hate them; whoever designed IHG’s network requirements does. They don’t trust a DMZ VLAN (which is outside of any firewall protection) being on the same switch as inside/secured VLANs.

Gotcha… I misunderstood your post. Sorry. Thanks for the info.