pfSense advice

So I am trying to set up pfSense but unsure about how to hook it up properly, although properly is likely subjective.

I used to have a pfSense set up like
Internet > modem > pfSense > router
Everything I had was on the router behind the firewall.

Now I wonder if I should have an Ethernet switch for wired LAN?
Is there any risk of the WiFi not being separate from wired local stuff?

I want to isolate WiFi entirely from what's wired if possible.
So do I need an Ethernet switch? If so, should it be managed?

Any advice is appreciated. Thanks.

1 Like

Usually pfSense functions as your firewall and router. What device were you using after the pfSense? Is “router” just your WiFi?

If everything on your LAN and WiFi is at equal trust levels, then there is no reason to separate them.

I’m assuming your pfSense device is not handling WiFi (Edit: meaning you don’t have a WiFi card installed in your pfSense box). If that’s the case then you’ll need to separate your WiFi and LAN on different VLANs.

Yes. If you want to do VLANs you’ll need a managed switch that is capable of supporting layer 2 or layer 3 routing. In either scenario the configuration gets a bit technical in how pfSense interacts with the switch. As it sounds like you don’t need devices on different VLANs ever talking to each other, a layer 2 VLAN will be the easiest and lower-cost solution.

2 Likes

Sorry for not including this in my 1st post but it just popped into my head. If your pfSense box has 3 NICs ($15 on Amazon) you could just add another LAN interface inside pfSense and connect that 3rd NIC to a new non-managed cheap-o switch. This would be the most cost-effective solution for separating your LAN from WiFi traffic. But I’d really like to hear exactly what you are trying to protect against as I might be able to suggest an even better approach, i.e. IoT devices, CCTV, or guests on your home WiFi segment.

2 Likes

Yeah, sorry, I had a Netgear router for WiFi like an access point, but also had wired LAN connections on it. (IIRC my pfSense machine only had 2 Ethernet ports.) It was a Sony Vaio from like 2001 lol.

Not quite sure what trust levels are, but personally my trust levels are generally sceptical lol.

Correct, I don't have WiFi broadcast on pfSense. I suppose I could do that if there was no inherent security risk.

But my concern is I used to exclusively have a wired connection and I never was worried much about any interference or hacking without physical access. But WiFi made it where I am concerned about my whole network. If I lived alone I wouldn't even use WiFi, but others in the place do want WiFi. So my idea is ignorance is bliss. If I can just isolate what I'm doing from the airborne stuff I will feel a little better.

But in light of everything coming out the past few years, is privacy or security a facade? I worry my concern over security may be a losing fight. But the alternative I guess is forgo the web?
I don't have anything to hide though. Not as worried about an agent hacking my stuff, they would just be bored, but I don't want a script child to hack me.

So with the 3 NIC solution, would I just use that switch as OPT1 and that would do it?

Thanks again. And I hope the holidays treated you right. I always struggle to wish people stuff for the season because it's alienating to some, and online I have no idea about beliefs, but whatever the case for celebration I hope it was good. Guess most everybody celebrates New Year? But it's not the same in China so even that might be a misguided assumption? lol

1 Like

You’re best not to unless you have a specific use case. Chipset support is limited and you’d probably have to order a compatible adapter.

If you are using WPA2 along with a strong passphrase (+12 mixed characters) you’ll be fine. If you are overly paranoid use a +16 character random passphrase and it’s all but impossible to brute force. More important than having a randomized passphrase would be ensuring your Netgear router has the latest firmware.

Not going to happen with up-to-date firmware and a strong passphrase. Now if your threat model includes a nation state then I’d be worried.

Yes. And you’d also need to assign a new static IP to the interface, configure a new DHCP range, and configure your DNS resolver to respond on OPT1.

1 Like

If you are truly trying to accomplish a separated network the best option would be to set OPT1 (Wire NET) to a specific subnet such as 192.168.2.1/24. Then set OPT2 (WIFI NET) to a different subnet such as 172.16.1.1/24, then create rules under Firewall > Rules on both to deny any traffic sourced from the opposing NET.

Then you attach a switch to Wire NET and connect all of your trusted devices via wire to that switch.

2 Likes
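An added illustration of the two-subnet isolation described in the last two replies (this is constructed example code, not pfSense's own or anything posted in the thread). pfSense evaluates a ruleset first-match on the interface where traffic enters and blocks anything nothing matches, so the model below keeps one ordered rule list per interface and compares an open ruleset, a correctly isolated one, and one where the block rule is placed after the pass-any rule and therefore never fires; the 192.168.2.0/24 and 172.16.1.0/24 subnets are the ones from the thread, the host and internet addresses are made up.

```python
"""Constructed model of pfSense-style per-interface, first-match rules.

OPT1 (Wire NET) = 192.168.2.0/24, OPT2 (WIFI NET) = 172.16.1.0/24 as in the
thread. Everything else (host addresses, rule objects) is invented for the
example; it is not pfSense code.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

WIRE_NET = ip_network("192.168.2.0/24")   # OPT1, gateway 192.168.2.1
WIFI_NET = ip_network("172.16.1.0/24")    # OPT2, gateway 172.16.1.1


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    dst: Optional[IPv4Network]     # None matches any destination

    def matches(self, dst: IPv4Address) -> bool:
        return self.dst is None or dst in self.dst


def ingress_interface(src: IPv4Address) -> Optional[str]:
    """Traffic is filtered on the interface it arrives on, chosen by source subnet."""
    if src in WIRE_NET:
        return "OPT1"
    if src in WIFI_NET:
        return "OPT2"
    return None


def evaluate(rulesets: dict, src: str, dst: str) -> str:
    """First matching rule wins; with no match pfSense's implicit default is block."""
    s, d = ip_address(src), ip_address(dst)
    iface = ingress_interface(s)
    for rule in rulesets.get(iface, []):
        if rule.matches(d):
            return rule.action
    return "block"


def isolation_holds(rulesets: dict) -> bool:
    """Both segments blocked from each other, both still reaching an outside host."""
    return (evaluate(rulesets, "192.168.2.50", "172.16.1.20") == "block"
            and evaluate(rulesets, "172.16.1.20", "192.168.2.50") == "block"
            and evaluate(rulesets, "192.168.2.50", "203.0.113.10") == "pass"
            and evaluate(rulesets, "172.16.1.20", "203.0.113.10") == "pass")


# Open: only the default-style "pass any" rule, so the segments reach each other.
OPEN = {"OPT1": [Rule("pass", None)], "OPT2": [Rule("pass", None)]}
# Isolated: block the opposing subnet, then pass everything else (internet, own gateway/DNS).
ISOLATED = {"OPT1": [Rule("block", WIFI_NET), Rule("pass", None)],
            "OPT2": [Rule("block", WIRE_NET), Rule("pass", None)]}
# Misordered: same rules, but the pass-any rule matches first, so the block is dead.
MISORDERED = {"OPT1": [Rule("pass", None), Rule("block", WIFI_NET)],
              "OPT2": [Rule("pass", None), Rule("block", WIRE_NET)]}
```

Running `isolation_holds` against the three rulesets shows that only ISOLATED blocks cross-segment traffic while still letting each segment out, which is the check worth doing after adding the rules in the GUI.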