I am doing some network reorganization and cleanup today and want to make sure I have my head on straight with how I am doing my rules, as well as making sure my idea/plan will work.
I have the following networks connected to my pfSense installation:
Physical Servers (Hypervisor Servers & Storage Servers)
Printers & Scanners
My understanding is that unless there is a rule allowing an out-of-subnet connection, they are blocked by default on the outbound side. This should also be true for the inbound side, no?
I want to set it up so that specific devices, identified by IP, are allowed on any network, so I would need two rules: one for the outbound from the network they are on and one for each network on the inbound side, right? Or can I use a single floating rule for this?
LAN is for all my switches and wireless APs; it will only really talk to itself and pfSense, as well as have access to the internet.
IPMI is for all the iDRAC and iLO2 connections I have to some of my servers; it only talks to itself and pfSense, and does not have internet.
Physical Servers talks to itself, the internet and pfSense.
Virtual Servers talks to itself, the internet, pfSense and specific storage servers on the Physical Servers LAN.
Security talks to itself, the internet and pfSense.
Printers & Scanners talks to itself, the internet, pfSense, the mail server, a specific storage server and the CUPS server.
User Network talks to itself, the internet, pfSense, specific virtual servers and storage.
Guest gets internet only.
Only the LAN network and the reverse proxy server can get to the pfSense GUI.
The reason for this change was that I learned a valuable lesson with respect to VLANs: once I learned how to use them, I went a little happy creating them and ended up separating my hypervisors from my storage on separate VLANs, which, while it worked, slowed everything down and also created a potential for issues if pfSense was down.
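The rule semantics the question above turns on can be checked against a small model. What follows is an added example written for this page, not code from the post or from pfSense: it models interface rules as filtering traffic that enters the firewall on that interface (first match wins, unmatched traffic dropped), lets a floating rule bind to several interfaces at once, and passes the reply half of an allowed flow from a state table rather than from a second rule. The subnets (10.0.x.0/24), the "specific virtual server" 10.0.5.10, and the trusted admin host 10.0.2.50 are all constructed for the example; ports and protocols are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model of pfSense rule evaluation (added example, not pfSense code).
# Addresses and networks below are constructed for illustration.


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    interfaces: tuple  # interfaces the rule is bound to; a floating rule lists several


def _matches(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


class Firewall:
    """Interface rules are applied to packets *entering* on that interface,
    first match wins, and anything left unmatched is dropped (default deny).
    Floating rules are checked before interface rules (modelled as 'quick').
    Replies to an allowed connection pass via the state table, so the
    destination network needs no rule of its own for that flow."""

    def __init__(self, interfaces):
        self.interfaces = interfaces            # name -> CIDR
        self.rules = {name: [] for name in interfaces}
        self.floating = []
        self.states = set()                     # (src, dst) of allowed flows

    def ingress_interface(self, src):
        for name, cidr in self.interfaces.items():
            if ipaddress.ip_address(src) in ipaddress.ip_network(cidr):
                return name
        return "WAN"

    def evaluate(self, src, dst):
        """Return ('pass'|'block', reason) for a packet from src to dst."""
        if (dst, src) in self.states:
            return "pass", "reply matched an existing state"
        iface = self.ingress_interface(src)
        for rule in self.floating + self.rules.get(iface, []):
            if iface in rule.interfaces and _matches(rule.src, src) and _matches(rule.dst, dst):
                if rule.action == "pass":
                    self.states.add((src, dst))
                return rule.action, f"{rule.action} {rule.src} -> {rule.dst} on {iface}"
        return "block", f"default deny on {iface}"


def build_example():
    """Constructed policy: Guest gets internet only, Users reach one VM,
    pfSense itself and the internet, and one admin host may go anywhere."""
    fw = Firewall({"LAN": "10.0.1.0/24", "USERS": "10.0.2.0/24", "GUEST": "10.0.3.0/24",
                   "PHYS": "10.0.4.0/24", "VIRT": "10.0.5.0/24"})
    internal = "10.0.0.0/8"   # every internal network of this example lives here
    # Guest: block internal destinations first, then allow everything else.
    fw.rules["GUEST"] = [Rule("block", "any", internal, ("GUEST",)),
                         Rule("pass", "any", "any", ("GUEST",))]
    # Users: one specific virtual server, the pfSense address on this subnet, then internet.
    fw.rules["USERS"] = [Rule("pass", "any", "10.0.5.10/32", ("USERS",)),
                         Rule("pass", "any", "10.0.2.1/32", ("USERS",)),
                         Rule("block", "any", internal, ("USERS",)),
                         Rule("pass", "any", "any", ("USERS",))]
    # One floating rule for a trusted host, bound to every interface it might appear on.
    fw.floating = [Rule("pass", "10.0.2.50/32", "any", tuple(fw.interfaces))]
    return fw


if __name__ == "__main__":
    fw = build_example()
    for src, dst in [("10.0.3.20", "8.8.8.8"), ("10.0.3.20", "10.0.2.5"),
                     ("10.0.2.5", "10.0.5.10"), ("10.0.5.10", "10.0.2.5"),
                     ("10.0.5.11", "10.0.2.5"), ("10.0.2.50", "10.0.5.99")]:
        print(src, "->", dst, *fw.evaluate(src, dst))
```

Two things the model makes visible: the VIRT interface has no rules at all, yet the reply from 10.0.5.10 back to the user still passes because the state was created when the user's packet was allowed on USERS, while an unsolicited packet from 10.0.5.11 hits the default deny. The admin host needs only the one floating rule, provided that rule is bound to every interface the host could enter on.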