Noob vlan guidance

All-

Looking for some guidance on a couple pfsense topics; hopefully someone can set me straight.

I’ve segmented off my unifi switches and access points into a management vlan. The controller is (currently) not part of that network; should it be? I’m happy with it not, and adding firewall rules to allow it to talk with the management vlan; looking for experienced thoughts and suggestions.

It seems reasonable to me that no other clients aside from the controller be able to access this network (the reverse seems reasonable to me as well). None of the guides I’ve seen online suggest this; quite the contrary, rather, where networks are quite accessible between vlans. Does further isolation make sense here? What are the pros and cons of additional isolation?

Assuming additional isolation is a good thing, what is the best way to block all networks from reaching the management vlan, with the exception of the controller? It seems cumbersome to visit all networks to add basically the same rule… instead, it seems more sensible to block all incoming traffic to the management network, but I haven’t worked out how to do that…

Thanks in advance…

-Floyd

I suppose the answer is it depends :slight_smile:
It’s likely that your network will evolve with time so it’s better to have that in mind to make it easier to add devices rather than faff around with PfSense 6 months later.
I’ve set up vlans on my network more for security than anything else.

To achieve this I’ve set up an alias for subnets/vlans and another for ports. This allows me to more easily control traffic between the vlans and WAN rather than focus on devices.

My Guest network is isolated; it goes directly to the internet, but my other vlans can see it. My IP camera vlan is isolated from the WAN and other vlans. I can issue email alerts by allowing a port, but the cameras are out of support so I consider that a risk, so I don’t let them have access to the WAN.

My IoT vlan is also blocked from other vlans and only a few ports are open on the WAN. No idea what the devices are trying to communicate with outside, but I just block them regardless.

The effort to over-engineer your network is probably worth it as understanding of PfSense will increase, pros and cons you’ll have to decide for yourself.

(Apologies for the plethora of typographic errors in my original post; the usual ‘on mobile’ excuses apply)

“It depends”; truer words have never been spoken… :slight_smile:

I, too, am attempting to employ vlans for security purposes; I’m certain I’ve over-engineered and have more than I need, possibly (likely) causing myself headache.

In your setup, can computers “interact” (using that term extremely loosely) with the packet-processing switches and access points on the management vlan, or are they completely separate and unreachable, transparent to other network devices? Does it make sense for devices to interact, or better sense for them to not be able to interact? If I cordon off the management vlan from all others, I gain some quantity of security – what might I be losing?

Thanks for your thoughts…

Floyd

I’ll have to confess I’m not sure what best practice is. Though on my single AP and various switches there are options to enter the management vlan, I’ve added these basically because I can.

However, I’ve generally locked down my CAM / Guest / IoT vlans with respect to traffic going across vlans and out of the vlan.

My Management, ISP and VPN vlans can generally see and go freely.

The main thing I found were the following:

  1. Guests can only go out the WAN, but I need to allow that vlan access to the AP on the management vlan.
  2. My TVs and Blu-rays go on the IoT, though I cannot even think of a reason why. I can easily modify a rule to block this if required.
  3. Soon realised that my outside IP cameras could be compromised; someone could cut the ethernet cable, crimp it and connect to my whole network :slight_smile: A few tweaks and the CAM vlan is locked down. It records to a NAS on that vlan (need to add more security here), and email alerts are allowed out.
  4. My infrastructure I basically leave alone; I do have Zabbix feeding a Raspberry Pi connected to my TV so I can see if devices are offline whenever I switch on the TV.

Given all these steps, which have taken a good while to get to grips with, I’m still not sure how secure my network is :joy: Now I have a new box with a quad port NIC I’ll set up Security Onion to see if anyone else is on my network!

My advice is try to keep the rules tight, then it’s far easier to troubleshoot. With a “range” of vlans you can tighten the screw as you see fit. Using Aliases will make life easier.
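To make the alias-based layout discussed in this thread concrete (Floyd's question about keeping every vlan except the controller out of the management vlan, and the replies about using aliases and keeping rules tight), here is an added example that is not part of any post above and is not pfSense code. It is a small Python model of how pfSense evaluates rules: rules live on the interface where traffic enters, are checked top-down with first match winning, and anything unmatched hits the implicit default deny. Because pfSense is stateful, only the initiating direction is modelled; replies ride the state. All VLAN names, subnets, the controller address and the rule set are constructed assumptions for illustration.

```python
"""Model of pfSense-style per-interface, first-match firewall evaluation.

Constructed example: interface names, subnets, the controller address and
the rules are assumptions made for this illustration, not values from
the forum thread and not pfSense's own implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Aliases, as you would create them under Firewall > Aliases (values constructed).
ALIASES = {
    "MGMT_NET": ["10.0.10.0/24"],           # switches and access points
    "LAN_NET": ["10.0.20.0/24"],            # trusted clients
    "GUEST_NET": ["10.0.30.0/24"],          # guest wifi
    "UNIFI_CONTROLLER": ["10.0.20.5/32"],   # controller lives on LAN, not on MGMT
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# Which interface a packet enters on is decided by its source subnet.
INTERFACE_NET = {"MGMT": "MGMT_NET", "LAN": "LAN_NET", "GUEST": "GUEST_NET"}


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: str     # alias name or "any"
    dst: str     # alias name or "any"


def in_alias(alias: str, ip) -> bool:
    """True when ip falls inside any network of the alias ("any" always matches)."""
    if alias == "any":
        return True
    return any(ip in ip_network(net) for net in ALIASES[alias])


# Rules keyed by ingress interface. Order matters: first match wins, and
# anything that matches nothing is dropped by the implicit default deny.
RULES = {
    "LAN": [
        Rule("pass", "UNIFI_CONTROLLER", "MGMT_NET"),  # only the controller may reach infrastructure
        Rule("block", "any", "MGMT_NET"),              # every other LAN client is kept out of MGMT
        Rule("pass", "LAN_NET", "any"),                # LAN is otherwise open (WAN and other vlans)
    ],
    "GUEST": [
        Rule("block", "any", "RFC1918"),               # guests may not touch any internal subnet...
        Rule("pass", "GUEST_NET", "any"),              # ...but may go out the WAN
    ],
    "MGMT": [
        Rule("pass", "MGMT_NET", "UNIFI_CONTROLLER"),  # devices may only phone home to the controller
        # no further rules: infrastructure gets no WAN and no other vlans (default deny)
    ],
}


def ingress_interface(src: str) -> str:
    """Pick the interface a packet with this source address enters on."""
    ip = ip_address(src)
    for iface, alias in INTERFACE_NET.items():
        if in_alias(alias, ip):
            return iface
    raise ValueError(f"no interface owns source address {src}")


def evaluate(src: str, dst: str) -> str:
    """Return 'pass' or 'block' for a new connection from src to dst.

    Only the rules of the ingress interface are consulted; rules placed on
    the destination vlan's interface never see this traffic, which is why
    'block everything into MGMT' cannot be expressed on the MGMT interface.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES[ingress_interface(src)]:
        if in_alias(rule.src, s) and in_alias(rule.dst, d):
            return rule.action
    return "block"  # implicit default deny


if __name__ == "__main__":
    checks = [
        ("10.0.20.5", "10.0.10.2"),     # controller -> switch
        ("10.0.20.50", "10.0.10.2"),    # ordinary LAN client -> switch
        ("10.0.30.7", "10.0.20.5"),     # guest -> controller
        ("10.0.30.7", "203.0.113.10"),  # guest -> internet
        ("10.0.10.2", "10.0.20.5"),     # access point -> controller
        ("10.0.10.2", "203.0.113.10"),  # access point -> internet
    ]
    for src, dst in checks:
        print(f"{ingress_interface(src):5} {src:>11} -> {dst:<14} {evaluate(src, dst)}")
```

The pattern the model encodes is the usual pfSense answer to "keep everyone out of MGMT except the controller": a pass rule for the controller alias followed by a block to the MGMT alias on each client-facing interface (or a single floating rule with the same two lines), with the MGMT interface itself carrying only the narrow pass needed for the devices to reach the controller. Keeping the subnets and the controller in aliases means a new vlan or a moved controller is a one-line alias change rather than a tour of every interface.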