I think I know what you’re after, but the approach you’re taking doesn’t seem right.
What you want is to have your PFSense router connected directly to the Internet, with all other devices, including your switches, connected behind it. This will allow the PFSense box to do all of the routing and traffic segmentation for you, without having to double-NAT your traffic.
In order for any router to communicate with Google Fiber directly, you most likely need to tag the WAN interface onto VLAN 2, and set a QoS tag of 2 (at least that’s how it works for my UniFi equipment).
Once that is complete, you will create multiple LAN networks. For this example, two: one for “guest” and one for “normal” stuff. Put all the devices you want to have “internet-only” access onto the guest network, and everything else into “normal”.
You can then use trunking and VLAN tagging in order to isolate the devices as required. If you plan on using the ASUS wireless router, make sure it is in “bridge” mode, so the clients become a part of the LAN, and do not end up behind a second NAT as that may cause issues for some outbound connections.
The map of the network would look something like this (apologies in advance for paint)
You don’t need any L3 switch functionality. Set up your VLANs and get the ports set up so that you have things separated the way you want them, then configure the firewall in pfSense to block whatever you want to block. That should be all you need to do…
@Jessassin is correct. I would add that for IPMI, you should use an additional VLAN with no internet access that can only be accessed from an admin machine.
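To make the segmentation above concrete, here is an added example (not code from this thread or from pfSense itself) that models pfSense's per-interface, first-match firewall rules for the three segments: guest is internet-only, the IPMI VLAN is reachable only from the admin machine and can initiate nothing, and everything else passes. The subnets and the admin host address are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (an assumption, not taken from the thread).
NETS = {
    "NORMAL": ipaddress.ip_network("10.0.10.0/24"),
    "GUEST":  ipaddress.ip_network("10.0.20.0/24"),
    "IPMI":   ipaddress.ip_network("10.0.30.0/24"),
}
ADMIN_HOST = ipaddress.ip_network("10.0.10.50/32")   # the one admin machine
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: list     # networks the source address may fall in
    dst: list     # networks the destination address may fall in


# Rules are bound to the interface the packet ENTERS on; the first match wins.
# An interface with no matching rule falls through to the implicit default deny.
RULES = {
    "GUEST": [
        Rule("block", [ANY], RFC1918),                 # no reaching internal nets
        Rule("pass", [ANY], [ANY]),                    # everything else: Internet
    ],
    "NORMAL": [
        Rule("pass", [ADMIN_HOST], [NETS["IPMI"]]),    # only admin reaches IPMI
        Rule("block", [ANY], [NETS["IPMI"]]),          # everyone else is stopped
        Rule("pass", [ANY], [ANY]),
    ],
    "IPMI": [],                                        # IPMI may initiate nothing
}


def ingress_interface(src):
    for name, net in NETS.items():
        if src in net:
            return name
    return "WAN"


def evaluate(src_ip, dst_ip):
    """Return 'pass' or 'block' for a new connection from src_ip to dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in RULES.get(ingress_interface(src), []):
        if any(src in n for n in rule.src) and any(dst in n for n in rule.dst):
            return rule.action
    return "block"   # pfSense's implicit deny when nothing matches
```

In a real pfSense rule set, put a pass rule for DHCP and DNS to the guest interface's own address ahead of the RFC1918 block, or guest clients will never get an address or resolve names.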
It is indeed a VLAN tag of 2, lol. Thanks for the map. I think my fear of the IPMI and their vulnerabilities led me to way overcomplicate what I was trying. This is good for me as I don’t need to buy any new hardware or really change much of my current setup. Again, many thanks for the map!
Some switches support isolated or private VLANs that allow you to block traffic between devices on the same VLAN. You can configure that on your IPMI VLAN for bonus points.
Agreed, for IPMI local or VPN access only isn’t a bad idea. However, behind a NAT, the vulnerability would need to be inside the network (unless IPMI is already compromised).
Ahhh. I will check. I doubt the Netgear switches do (I just assume $80 switches don’t have something like that, could be wrong), but will be looking for a switch that does. Love bonus points.
Only experience seeing IPMI isolated was at a previous posting at a massive healthcare company (40k employees, HIPAA, etc…) so that stuff was under everything but armed guard, lol, and I know the IPMI on Supermicro boards have had their…issues? lol. So just want to make sure I’m safe at home.