[lug] network question - pfsense, dd-wrt, etc

Maxwell Spangler lists at maxwellspangler.com
Thu Jul 16 15:46:50 MDT 2020


I'm no network admin, but I'll play this game if others will teach me
what I don't know to help Bear solve the puzzle?

On Wed, 2020-07-15 at 11:03 -0600, Bear Giles wrote:
> The ultimate goal is to have four network segments:
> 
>  - mobile
>  - IoT 1 - devices accessed from mobile devices
>  - IoT 2 - devices not accessed from mobile devices, e.g., rokus 
>  - "wired" - which ironically has a few wireless components (work
> laptop, Linux desktop downstairs, raspberry pis)
> 
> The "wired" and "IoT 2" should be completely isolated.
> The mobile and IoT-1 should have some interactions.
> I want to be able to keep a close eye on what the IoT devices send
> and receive.
> 
> Many people also want a "kids" or "guest" segment. There would be
> similar issues on deciding who gets what access to the other
> resources.
> My question is whether anyone has set up this combination and, if so,
> how did they configure it. There are two obvious places to put it -
> either between my cable modem and router or between my router and
> switch. In the first case I'll have to reconfigure the router as just
> an access point (I think) and handle all of the actual routing in
> pfSense. Otherwise I won't be able to access it to configure and
> monitor it. In the second case I can leave the router as-is and only
> use the firewall on the wired part of my network.

Thinking out loud diagram:

internet (centurylink/comcast/etc)
  |
  pfsense firewall (dns, dhcp, firewall, routing, logging) 5 physical ports
    |
    |-- netgear DD-WRT 192.168.9.10/24 bridge mode to network controlled by pfsense?
    |     |
    |     WIRELESS AP mobile: route to pfsense, pfsense allows access to internet and iot1
    |
    |-- netgear #2 192.168.11.0/24 bridge mode to network controlled by pfsense?
    |     |
    |     WIRELESS AP guest_kids: route to network through filter service or appliance?
    |
    |-- (switch) iot1 192.168.20.0/24 use pfsense to log and control i/o of iot devices
    |
    |-- (switch) iot2 192.168.30.0/24 use pfsense to log and control i/o, isolate from iot1/mobile
    |
    |-- internal switch
          |
          wired (internal) network (isolated) 192.168.100.0/24

1. Connect the internet gateway to a dedicated external port 0 on
pfsense.

2. Connect port 1 to an internal switch and connect all wired devices
to it.  Configure pfsense to mostly trust these devices and allow
access to dns/dhcp/internet.

3. Connect IOT2 'trusted' devices to a switch that connects to port 2
on the pfsense system. Set up i/o rules and logging of access to/from
these devices.

4. Connect IOT1 'untrusted' devices to a switch that connects to port 3
on the pfsense system. More i/o rules and logging. Look to set up
routing to/from wireless networks as desired.

5. Connect netgear #1 to port 4 on the pfsense system. Configure the
netgear in bridge mode and don't really use any of its services.  Set up
pfsense to route this network's outbound via a kid parental filter
service or appliance?

6. Connect netgear #2 to port 5 on the pfsense system. Configure the
netgear in bridge mode again and let the pfsense provide services.

Thoughts:

- This provides a lot of true physical isolation but requires many ports
  and devices.
- All IOT devices would be wired, not wireless.

It allows pfsense to be a central router/firewall/gateway that
controls all traffic and can log or publish logs to other
resources.  It's also a single point of failure for *everything*.

Now let's assume not all your iot devices are wired:

Setting up DD-WRT with two wireless networks (2.4 GHz and 5 GHz) seems
straightforward and each can have a unique SSID.

It's less clear, in DD-WRT, how you can control the network connections
of the wireless to the wire.  By default they appear to be both bridged
to bridge 'br0' and linked to the lan ports.  So any traffic on the
wireless is seen on the lan ports and any on the lan ports is broadcast
to the wireless as well.

But perhaps you want to have wireless iot1 and iot2 subnet devices.

I think you can set up a 'Virtual AP' on the same hardware but give each
a unique network subnet.  Then with routing in the netgear you can
determine where that traffic goes?

So possibly:

internet (centurylink/comcast/etc)
  |
  pfsense firewall (dns, dhcp, firewall, routing, logging) 5 physical ports
    |
    |-- netgear DD-WRT 192.168.9.10/24 bridge mode to network controlled by pfsense?
    |     |
    |     |-- PHYSICAL WIRELESS AP mobile: route to pfsense, pfsense allows access to internet and iot1
    |     |
    |     |-- VIRTUAL WIRELESS AP iot1 192.168.20.0/24: give this virt ap a subnet and set up routing to pfsense
    |     |
    |     |-- VIRTUAL WIRELESS AP iot2 192.168.30.0/24: give this virt ap a subnet and set up routing to pfsense
    |
    |-- internal switch
          |
          wired (internal) network (isolated) 192.168.100.0/24

A mobile phone would connect to SSID 'mobile'; it's bridged to the
LAN ports and routed to pfsense naturally.

An iot device would connect to virtual SSID iot1 and using DHCP or
static IP would use a specific subnet IP address.  The netgear routing
rules would route these packets to pfsense and receive packets coming
from pfsense.


Thoughts?


-- 
Maxwell Spangler

===================================================================
Denver, Colorado, USA

maxwellspangler.com
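The segment policy discussed in the thread (wired and iot2 fully isolated, mobile allowed to open connections to iot1, IoT flows logged, guest/kids DNS forced through a filter), written as an added pf ruleset for the six-port layout. This is not from the post or from pfSense's own generated config; the interface names em0..em5, the /24 per segment and the filter-resolver address 192.0.2.53 are assumptions, and pfSense would express the same thing through its per-interface GUI rules.

```pf
# Added example, not from the post: raw pf ruleset for the six-port layout.
# Interface names and the filter-resolver address are assumptions; pfSense
# builds an equivalent ruleset from its GUI, this is the pf.conf form.
wan    = "em0"   # port 0: cable modem / internet gateway
wired  = "em1"   # port 1: trusted wired LAN
iot2   = "em2"   # port 2: IoT not reachable from mobile (e.g. rokus)
iot1   = "em3"   # port 3: IoT reached from mobile
mobile = "em4"   # port 4: netgear #1 bridged, SSID "mobile"
guest  = "em5"   # port 5: netgear #2 bridged, SSID "guest_kids"
lans   = "{" $wired $iot1 $iot2 $mobile $guest "}"

wired_net  = "192.168.100.0/24"
iot1_net   = "192.168.20.0/24"
iot2_net   = "192.168.30.0/24"
mobile_net = "192.168.9.0/24"
guest_net  = "192.168.11.0/24"
filter_dns = "192.0.2.53"   # placeholder: parental-filter resolver (assumed)
table <internal> const { 192.168.9.0/24, 192.168.11.0/24, 192.168.20.0/24, \
                         192.168.30.0/24, 192.168.100.0/24 }

set skip on lo0
scrub in all
nat on $wan from <internal> to any -> ($wan)   # every segment NATs out the WAN

# Default deny, logged; filtering is done on ingress, so anything that was
# allowed in may leave on whichever interface the route picks.
block log all
pass out all

# pfsense serves DHCP to all segments and DNS to all but guest (see below)
pass in quick on $lans proto udp from any port 68 to any port 67
pass in quick on { $wired $iot1 $iot2 $mobile } proto { tcp udp } to self port 53

# wired: trusted, internet only; only it may reach the pfsense management ports
pass in on $wired from $wired_net to ! <internal>
pass in on $wired from $wired_net to self port { 22 443 }

# iot2: internet only, isolated from every other segment, every flow logged
pass in log on $iot2 from $iot2_net to ! <internal>

# iot1: internet only from its own side, logged; mobile may open flows to it
pass in log on $iot1 from $iot1_net to ! <internal>
pass in on $mobile from $mobile_net to ! <internal>
pass in log on $mobile from $mobile_net to $iot1_net

# guest_kids: DNS only through the filtering resolver, otherwise internet only
pass in quick on $guest proto { tcp udp } from $guest_net to $filter_dns port 53
block return in log quick on $guest proto { tcp udp } from $guest_net to any port 53
pass in on $guest from $guest_net to ! <internal>
```

The logged IoT and mobile-to-iot1 rules are what feed the "keep a close eye on what the IoT devices send and receive" requirement; pfctl -s rules and the pflog interface show whether each segment is hitting only the passes intended for it.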