I'm running pfSense with a Netgear POE managed switch and stand-alone Ruckus APs.
For simplicity and security, I use a router-on-a-stick configuration with multiple VLANs trunked down to the switch. Individual devices are then placed on different networks by modifying the VLAN(s) associated with that port.
My networks include (but are not limited to):
GUEST-WIFI -- Isolated network with no internal access, limited ports open outbound, and a unique SSID.
LAN-WIFI -- General network with limited access to MGMT network, unrestricted outbound to internet, and a unique SSID. This is where our personal devices sit, to include things like Chromecasts and Plex.
MGMT -- Restricted network with extremely limited egress rules that prevent most devices from communicating with anything outside of the MGMT network, no wireless SSID. This is where the mgmt interfaces for the firewall, switch, and APs sit, along with an ESX host with a number of virtual machines, and the M1. When I install cameras, they will go here.
All of my trusted devices (my laptop/phone, wife's laptop/phone) have DHCP reservations on the general network; firewall rules permit our IPs to specific things back in the mgmt network (i.e. the kids' devices and the Chromecast cannot access the mgmt interfaces on the firewall, switch, APs, or the M1). This also takes care of the occasional scenario where we might put a guest device on the internal wifi, such as if they wanted to cast, or if someone hacks into the wireless network.
Remote access is locked down fairly tight. The first WAN rule blocks anything not originating from a US-based IP address. Then there are only a few ports open, and I only permit access to those ports from a few known IPs. OpenVPN would be technically more secure, but I frequently use VPNs for work and that creates headaches.
Sent from my HTC One_M8 using Tapatalk
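The segmentation policy described in the post, modelled as a first-match rule set so that the intended isolation (guest cannot reach LAN or MGMT, only the reserved trusted addresses reach MGMT, nothing leaves MGMT) can be checked before it is typed into the firewall. This is an added example, not the poster's pfSense configuration; the VLAN subnets, trusted addresses, and the "limited outbound ports" for guests are assumptions chosen for illustration.

```python
"""Model of the first-match firewall policy from the post (constructed example).
Subnets, trusted host addresses and port lists are assumptions, not the poster's."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Rule(NamedTuple):
    action: str      # "pass" or "block"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    dports: tuple    # destination ports; () matches any port


# Assumed VLAN ranges (constructed for the example)
GUEST, LAN, MGMT, ANY = "10.0.30.0/24", "10.0.20.0/24", "10.0.10.0/24", "0.0.0.0/0"
TRUSTED = ("10.0.20.10/32", "10.0.20.11/32")   # DHCP reservations for our devices

# Rules are keyed by the interface the traffic enters on and evaluated top-down,
# first match wins, with an implicit block at the end (pfSense behaviour).
POLICY = {
    "GUEST-WIFI": [
        Rule("block", GUEST, LAN, ()),                 # no internal access
        Rule("block", GUEST, MGMT, ()),
        Rule("pass", GUEST, ANY, (53, 80, 443)),       # limited ports outbound
    ],
    "LAN-WIFI": [
        *[Rule("pass", t, MGMT, (22, 443)) for t in TRUSTED],  # owners to mgmt UIs
        Rule("block", LAN, MGMT, ()),                  # kids/Chromecast cannot
        Rule("pass", LAN, ANY, ()),                    # unrestricted outbound
    ],
    "MGMT": [
        Rule("pass", MGMT, MGMT, ()),                  # mgmt talks to mgmt only
    ],
}


def _match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def evaluate(interface: str, src: str, dst: str, dport: int) -> str:
    """Action of the first matching rule on `interface`, or the implicit block."""
    for r in POLICY[interface]:
        if _match(r.src, src) and _match(r.dst, dst) and (not r.dports or dport in r.dports):
            return r.action
    return "block"


def untrusted_mgmt_leaks(ports=(22, 80, 443, 8443)) -> list:
    """Return (src, port) pairs where a non-reserved LAN host would reach MGMT."""
    probe = [str(h) for h in ip_network(LAN).hosts()][:50]
    trusted = {t.split("/")[0] for t in TRUSTED}
    return [(s, p) for s in probe if s not in trusted
            for p in ports if evaluate("LAN-WIFI", s, "10.0.10.1", p) == "pass"]
```

Any pair returned by `untrusted_mgmt_leaks()` is a rule-ordering mistake to fix before deploying; an empty list means the LAN-to-MGMT restriction holds for the probed hosts and ports.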