So I’m very new to anything beyond absolutely basic networking but actively trying to figure stuff out and learn - which is a bit more challenging these days than it was 50 years ago!!
I just got finished installing ethernet cables in my home after too long dealing with flaky wifi. I have my server, switch, patch panel and router in a centrally located closet and it’s all working pretty well. The router is an Asus RT-AC86U which does AP duties as well.
The next stage I’d planned was to swap out the Asus router for a low power PC running pfsense and so I’ve been watching a lot of videos and reading up on setting up pfsense.
One of the (many) things I can’t wrap my head around is that quite a few tutorials recommend creating an ‘Admin’ network so as to give exclusive access to one PC to change settings on the router, switch and server so that other PCs and guests do not have such access.
So my question is: Is there a way, perhaps with pfsense, where my computer can access this “admin” network simultaneously with other networks without my having to manually unplug one cable and plug in another?
The scenario I’m thinking of is where my PC gets used to do the admin logins to various web UIs as above - but also needs to be able to access my server’s shares and media streaming such as Plex or Jellyfin. At the same time I also need (from this PC) to be able to remote into all my family’s PCs and laptops in order to fix problems and run updates etc.
I appreciate that this makes my personal desktop PC a potential security risk, but as I’m disabled and rarely leave the house it’s extremely unlikely that anyone other than myself would have physical access to it. It’s a multi boot PC but typically booted into Mac OS as a hackintosh.
Hope someone can help - there’s clearly something pretty fundamental I’m just not grasping!
Yes is the short answer!
If you are going to set up pfSense on something and have a managed switch then you can segment your network using VLANs. VLANs are just virtual networks; otherwise you would need the hardware for each network you wanted to set up.
You could have your admin / ISP / Guest networks, say; it’s the rules you set up which allow you to do what you want. E.g. you might want to be able to access the Guest network from the ISP network but not vice versa. So in that example you can access two networks from one, so to speak.
Personally I have the following VLANs:
MGMT - for switches, AP
ISP - for traffic out of the ISP
VPN - for traffic out of the VPN
CAM - no external traffic
IoT - for traffic out of VPN
WRK - for traffic out of the ISP
GUEST - for traffic out of the ISP
The difference is in the rules and what each VLAN can see; the IoT VLAN cannot see anything else, for example. I’m a bit lazy and have the ISP VLAN as my main network, that is my personal laptop is on it and it can see everything. Plus I have some services running on some VLANs and not others; the GUEST doesn’t have traffic shaping or pfBlocker, so if something is going wrong I can access the GUEST and test internet access.
Thank you that’s very helpful - firstly for the simple confirmation that it’s possible and the explanation, and secondly for the example of your own set up. Seeing how other people organise things in the real world is very useful compared to the examples that are given in tutorials that tend to be a bit abstract.
Another thing to clarify if I may: Does it matter whether devices are plugged directly into ports/interfaces on the pfSense router versus into the managed switch? i.e. is there any benefit to having my ‘admin’ PCs wired into the router?
At the moment I have pfSense running on a Fujitsu S920 low-powered PC, but I’ve just got it connected without a WAN connection to an ancient laptop to mess about with and configure. My plan was to set it up and then swap it out with the Asus RT-AC86U when everything was ready, but that means I can’t update it or install packages like pfBlockerNG.
Is it possible to somehow put it in the network so it can access the internet for updates without mucking up the functionality of the existing network? I know the answer to this must be ‘yes’ but I haven’t got a clue where to start . . .
Personally I have 6 ethernet ports on my pfSense box: WAN, LAN and the remaining 4 in a LACP LAGG to my switch which carry my VLANs. I only use the LAN as an emergency access to pfSense in the event I mess something up in pfSense; otherwise I use the various VLANs for what I need.
Like most things it depends on your setup. If you plug directly into the router then you use up one port; it will act as a port and not like a switch (I believe), so you’ll have a second network. Whether this brings you any benefit I’m not sure, though nothing prevents you from doing it. Personally I’d buy a managed switch, at least new if it’s going to be your main switch, but you can pick up some cheap ones on eBay.
Right now you can connect the pfSense WAN port into the LAN port of the Asus router; you just need to ensure that under Interfaces >> WAN >> Reserved Networks the boxes are unchecked so that pfSense can get an IP address from the Asus.
I’d suggest that you connect pfsense to your modem, then do a clean install, that way you will probably have fewer issues. However, you can always backup the configuration and do both if you have any issues.
The Asus router you have is unlikely to be VLAN aware, so if you set it up as an Access Point it will only have a single SSID; that will probably be OK initially. If you want to have more than one VLAN on your AP, then it needs to be VLAN aware. You’ll see there are various APs you can buy and place on the ceiling; these can be powered by an injector or a PoE switch. Hence if you don’t already have a managed switch you might want to look at prices of PoE switches as well.
That Asus switch will probably end up being redundant in the long term, the reason I say this is that I had about a dozen routers, APs and extenders before I moved over to pfSense and a better AP, and I just gave them away to charity.