Home Network Advice Needed

I am trying to change from a flat home network to one that allows outside access for grown kids that have moved out of the house and segments the traffic within the house. I had Nextcloud set up for a period of time, open to the internet. Changed to local access only after seeing how much from the outside bounced off of it. After doing some research, I ended up with a box dedicated to pfSense.

I first want to say a big thanks: the YouTube videos have been a great help getting me through a lot of things. Also, reading through the forum topics others have posted has been a great help.

I included a picture of what I have set up so far, and included where I think I should go next. I guess I am just not exactly clear on the best way forward. I do not want to set things up that are not needed, but I do want to make sure everything is secure like it should be.

From what I understand, for file access on TrueNAS from the outside, I need a VPN (plan on using OpenVPN on pfSense for this). For Nextcloud, Plex or any other type of system I decide to set up in the future, it should be in a DMZ. I recently watched the HAProxy video, and that seemed like a great way to go about doing that part.

Should Nextcloud and Plex be accessed through VPN as well? Does the HAProxy setup make using OpenVPN redundant?

If I have not provided enough information, I am willing to provide more. Also, I am willing to accept any kind of constructive criticism on what I have set up so far. I have learned a ton to this point, and I am hoping to learn more.

Hopefully my network drawing isn’t too hard to follow :smile:

Thanks!!!

I can let you know what I’ve done on my network and you can take from it anything you find useful.

My pfSense router is connected to my switch with LACP on four of its ports; the other ones are WAN and LAN. I use the LAN in the event of an emergency of needing to access the pfSense unit, otherwise everything else sits on VLANs.

Have the following:

  • VLAN management for switches, APs etc.
  • VLAN ISP for traffic going out my ISP WAN
  • VLAN VPN for traffic going out my VPN WAN
  • VLAN CAM for my IP cameras, traffic blocked from the internet and other VLANs as my cams are out of support but obviously still work
  • VLAN IoT for crapola I don’t trust
  • VLAN guest for guest access
  • VLAN print, erh, just bought a printer and decided to put it on its own VLAN

Constructed rules based on my needs on how traffic should be routed, e.g. I can spy on my guest network but guests can’t see anything except the internet. Should also add my AP has several SSIDs which align to my VLANs.

It takes me an incredible amount of time to set up a new VLAN, as I found out with my print VLAN, so I’d say it will save you time to over-engineer your network. Mainly due to forgetting my precise steps from 18m earlier.

Have several OpenVPN servers running. I don’t use shared keys, I prefer certificates; it’s not that difficult once you get the hang of it. I’ve set up a single CA, then issue certificates based on devices that have access to everything. If you lose a phone, just revoke the certificate; the laptop of the person won’t be compromised.

All my OpenVPN servers are remote access servers, so I create clients for both other sites and devices to connect back. I use high levels of encryption; given I have 12 running, CPU can be high at times. Speed seems OK to me.

The other thing I do is all my wireless devices at home also use an OpenVPN connection for further protection on top of the 802.1X username and password access.

Goes without saying when I’m out I only connect to my home OpenVPN servers to access the internet when I’m using free wifi. You can also set up an OpenVPN server that uses your paid-for VPN gateway, which means when you are out you can use your paid-for VPN even if it has a connection limit.

My logic is OpenVPN is pretty secure, used by banks either directly or indirectly; putting apps on the internet is a risk, so why bother.


I would further add it took me ages to do all of the above and more, but it’s all doable.
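The "one CA, one certificate per device, revoke the lost phone" approach in the post above, shown as an added example with a minimal openssl-based CA (this is not neogrid's setup or pfSense's own CA code; it assumes openssl is installed, and the device names, CA name and work directory are made up):

```shell
#!/bin/sh
# Added example: tiny openssl CA, one cert per device, revoke one device.
# Assumes openssl is on PATH. Names and directory are constructed for the demo.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"

ca_init() {
  mkdir -p "$CA_DIR"; cd "$CA_DIR"
  touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
  # Minimal config for 'openssl ca': where the database, serial and CRL number live.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = home_ca
[ home_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
EOF
  # Self-signed CA (hypothetical name) and an initially empty CRL.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Home VPN CA" -days 3650 >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

issue_cert() {  # $1 = device name, e.g. phone or laptop; one key pair per device
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.crt" -notext >/dev/null 2>&1
}

revoke_cert() {  # mark $1 revoked in the CA database and publish a fresh CRL
  openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

check_cert() {  # what a VPN server does per connection: chain plus CRL check
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt" >/dev/null 2>&1
  then echo OK; else echo REVOKED; fi
}
```

After `revoke_cert phone`, `check_cert phone` reports REVOKED while `check_cert laptop` still reports OK, which is the property the post relies on.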

As @neogrid has kinda said above, you want to bite this off in small chunks. Getting the order right might be the problem though, particularly as you start using VLANs. Sometimes it ends up being a bit of a chicken-and-egg scenario, and at some point you will probably need to break things before putting them back together.

Some of this is more personal preference than “the best way” as well.

First target is probably to get a VLAN set up on the switch and untag it over to pfSense. Once that’s up and working right, you can tag the switch port and configure the VLAN on the pfSense iX interface. Once you have that done, adding new VLANs becomes much easier, as you already have the trunk going between the two and adding new ones doesn’t cause any disruption.

Thanks,

That’s what I was wondering, if I was getting into the best practice/personal preference area.

Actually got the 1st VLAN on the switch working yesterday!! Took some time to figure that out.

That’s the hard bit done then!

Slowly chip away at it.

I would go for separate VLANs for things you want to have different permissions. I keep phones and CCTV separate from “normal” LAN traffic and have a guest wireless. I split printers off as well, but many people think that’s overkill.

VPN anything that you can to prevent opening ports to the outside world. I run a UniFi server with firewall rules that block inbound connections from anywhere except known client sites, but I also run an ownCloud server which is open to the world (but it has fail2ban running!). I need to be able to get to it from random places sometimes. I also have an internal wiki that you can only get to from internal or from the VPN. You could decide to keep OC/NC inside the VPN as well if you only access it from devices that will have the VPN up.