I have a roommate that I share internet with. I have Google Fiber. Ideally I would like my roommate to have a direct route to the internet and my traffic to go through a pfSense firewall.
I do not want to mess up my roommate's internet while tinkering with things.
Many homelab-ers actually separate their homelab from their household internet. Their household environment is more like prod, whereas what started as their homelab remains the crazy devtest place.
It depends on the hardware you have available, but you kind of want a firewall to separate traffic.
Re-reading that you have a pfSense router, you should be able to use that.
If the internet comes in to a modem (ONT?) that then goes to your pfSense for routing, then you & housemate both plug in to the pfSense, then you should be able to isolate traffic so the LAN side ports can’t interfere?
[Edited, removed a lot of junk, after re-read that you do have a pfSense]
I use a VM to split my traffic from my housemates.
For me it was easier to get a separate NIC and dedicate it to the VM as a “wan” or “hot” or “untrusted” side, then set rules to stop local traffic from going to the red side.
(Sorry for the long ramble on previous post. I need coffee…)
Either a smarter switch (Layer 2+) or router (Layer 3). Then you set up a rule where WAN gets to talk to Roommate and You, but Roommate and You are separate.
On my Router for example, I can switch ports into “private mode” which results in the port only being able to see WAN, but nothing else.
When there is a VLAN-capable switch before pfSense, you could make your roommate's traffic a VLAN and yours a separate one, then the above routing rule applies to the VLANs.
Note that “I am unplugging a thing” may result in your roommate ending up mixed in with you, unless you get really fancy.
How many public addresses does GF give? Do they provide a router?
If only one then do a simple NAT, separate the two ends as separate subnets and interfaces in OWRT.
Ports that you don’t need you can forward to your friend, or just do something like DMZ for him.
In this model, any problems with PF or even hardware problems will not affect your friend’s internet.
If you use the box with pf to split the internet between the two of you, you will have a weak point, and in case of an error, failure, update or hardware problem your friend will lose access to the network as well as you when something bad happens with the PF box.
If you want to avoid 100% of the problems when you do something with the pf box then you have to physically separate it. If you keep everything on one PC and play with VMs, this is where you always have a weak spot.
If this is not a problem for you then start a VM with OpenWRT and do NAT, then connect the VM with pf to OWRT.
So the diagram above, only instead of physical separation you do it in the VM. You avoid losing the internet for your friend when something happens to the PF VM, but you don’t avoid the problem when something happens to the host machine.
If for some reason you absolutely want to divide the network by doing it with one PF, then you will not avoid a problem if you make a mess in the settings.
If it is to be resistant to user errors, there must be a separation… at minimum virtual and preferably physical. Otherwise, there are no magic settings that will prevent problems if you make a mess in PF and this pf handles both your internet connections.
Another approach is 1+1 which is a second box or vm with pf and CARP to have “High Availability” but is this still a simple solution hmm…
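The single-NAT OpenWRT layout described above (roommate on the existing lan, your pfSense WAN on a second subnet, the two never forwarded to each other), as an added example that is not from this thread: a dry-run script of the uci commands. It assumes OpenWRT's default `lan`/`wan` zones already exist, that the port carrying the pfSense WAN link is VLAN 20 on eth0 (`eth0.20`; device names vary by hardware) and that 10.10.0.0/24 is free.

```sh
#!/bin/sh
# Added example, not from the thread. Adds an isolated "lab" interface and zone on an
# OpenWRT box that already NATs toward Google Fiber. Dry run by default; --apply runs it.

LAB_DEVICE="${LAB_DEVICE:-eth0.20}"   # assumed: port/VLAN the pfSense WAN plugs into
LAB_ADDR="${LAB_ADDR:-10.10.0.1}"     # assumed: OpenWRT's address on the lab subnet
LAB_MASK="255.255.255.0"

# Print the uci commands, one per line. The only forwarding created is lab -> wan,
# so lab (pfSense side) and lan (roommate side) cannot reach each other.
lab_uci_commands() {
    cat <<EOF
uci set network.lab=interface
uci set network.lab.device='$LAB_DEVICE'
uci set network.lab.proto='static'
uci set network.lab.ipaddr='$LAB_ADDR'
uci set network.lab.netmask='$LAB_MASK'
uci add firewall zone
uci set firewall.@zone[-1].name='lab'
uci set firewall.@zone[-1].network='lab'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lab'
uci set firewall.@forwarding[-1].dest='wan'
uci commit network
uci commit firewall
EOF
}

# Guard: succeed only if nothing forwards to or from lan and lab does reach wan.
lab_isolated_from_lan() {
    lab_uci_commands | grep -q "dest='lan'" && return 1
    lab_uci_commands | grep -q "src='lan'" && return 1
    lab_uci_commands | grep -q "dest='wan'"
}

case "${1:-}" in
  --apply)
    lab_isolated_from_lan || exit 1
    lab_uci_commands | sh -e && /etc/init.d/network reload && /etc/init.d/firewall reload ;;
  *)
    echo "# dry run; re-run with --apply on the OpenWRT box"
    lab_uci_commands ;;
esac
```

Because input on the lab zone is ACCEPT, pfSense can still use OpenWRT for DHCP/DNS on its WAN; only forwarding between lab and lan is absent, so breaking pfSense never touches the roommate's path.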
I would start off by describing the current way you split the internet, so that we can show a healthy/clean way of splitting it.
I have been in both situations before of a shared household and tinkering with VMs for routing.
You really don’t want any hardware you’re solely messing with to be responsible for breaking things, and you’ll break things, that’s part of the fun/pain! So a quick “disconnect your hardware and get things back to normal” is something to keep in mind.
So I would leave the current router or whatever hardware you have presently as it is. And you can either tap that off to your new lab with an Ethernet line, or WiFi if cables aren’t possible.
At the end of the day, if your household has issues with the internet you are going to be the IT guy to fix it. So have an easy, risk-free way of removing yourself as the possible cause.
At the end of the day, simpler is better. Even if it’s double NAT’d. Which you can term as SD-WAN as all the cool kids say!