Hi, I am new to pfsense and networking. I am an enthusiast. I will like to know what is the best configuration possible with my current system for keeping it more secure.
I have 4 nics in my setup. Currently, I use one for the Internet and the other for my LAN & AP.
- Is it more secure to have a dedicated NIC for my AP (wireless LAN), physically separated from my wired ethernet LAN?
- Taking into consideration my first question. I have a FreeNAS installation with PLEX. I use my TVs and smartphones to watch my content. Is it possible to make the Wireless LAN only able to access the NAS and not my other resources?
Thank you for your replies. Regards.
Yes you can control flow of traffic between lans with firewall rules.
It is certianly more secure to have segregate wireless and wired networks as WLAN is inherently untrusted.
But the issue of inter network routing (layer3) is that it generally requires cpu bound processing to get your data from network a to network b. This is generally fine internet workloads as in a home setting you generally dont get more than 100mbps internet connects…
But if you end up in a situation where you are attempt to route @ Gagabit line speed you are going to need an epic cpu in your pfsense box.
As a prime example of this. I had pfsense 2.3 install on a mobo with a j1900 quad core and was only able to copy files over smb at approx 20mb/s on Gigabit lans
If you want to use the plex DLNA server then they have to be on the same network, not routed. If you’re using the plex client then it will work either way.
For a home environment it probably isn’t worth having the wired and wireless LANs on different networks as the downsides will outweigh the positives. However, it is more secure that way. Even if you secure your wireless network to the point where it becomes virtually impossible for someone to gain access to it anyone can sniff the wireless network and get basic topology and MAC information for the entire network (wired included). How important that is to you is up to you, I would argue that for most people it probably doesn’t matter but potentially a savvy criminal type could use that to get an idea of what sorts of things you have in your home, of course if those things are on the wireless network you can conceal that anyway so yeah.
Anyway, major issue that you’re going to run in to having two different networks is that you can’t have broadcast traffic between those networks, and a lot of things rely on broadcast traffic to automatically work, so if you use things which don’t allow you to configure things manually (steam streaming for example or DLNA) you can’t get it to work over a routet network.
This isn’t true. It sounds like you may have had a configuration problem. Routing is not CPU intensive, firewalling can be. But that is more to do with packets per second than throughput. A file transfer between two hosts does not produce as many packets per second as Web traffic can, especially things like torrents. So gigabit internet can certainly require decent hardware but inter-LAN type traffic on a home network shouldn’t be any trouble and certainly not that slow.
If you are using a OS like pfsense or routerOS (mikrotik CRS-125) even with “allow all” rules in the firewall rules, the rules are still have to be viewed by the firewall… hence the high CPU load… this is why am using a UBNT EdgeSwitch for my inter-vlan routing
Yes, but my point is that for inter-vlan traffic the firewall doesn’t need as much CPU as it would for an internet connection of the same speed because there are significantly less packets per second and firewall states.
I haven’t used that chip myself so I could be wrong, but I have a low powered embedded system and I can do multi gigabit (using link aggregation) transfers between VLANs without raising the CPU usage significantly, so I think that there was something wrong with the configuration or the hardware in your case and not a CPU bottleneck.
Maybe I am doing something majorly wrong. But I have also found this to be the case for the Mikrotik CRS-125 and it is designed to do this job (though there did fuck it up a little with the switch cpu connection being limit to 1G) even with 2 port is bridge/switch mod I have also was had poor performance with both my Gigabyte GA-J1900-D3V and my Mikrotik
I’ve heard you can get around 700mbps or so out of the old dual core atoms, the J1900 is a celeron right? I would think it would perform better. At a guess I would say its something to do with the TCP offload settings either on when they’re not supported or off when it would help to have them on.
That’s pretty disappointing about the mikrotik, they must be using an arm chip or something like that, but that’s the difference between doing bridging in software rather than switching with an ASIC. But you’d think they would use something which could handle it.
Hense the switch (no pun intended) to the edgeswitch and only using my mikrotik 4 nat
Thanks everyone for the input. Security is my top priority so I will try to segregate. Even at the cost of performance.