pfsense and BI - multi LAN or multi NIC?

rhosch

n3wb
Joined
Oct 12, 2019
Messages
14
Reaction score
2
Location
Ridgeland, MS
I've been searching and reading through threads here for a few days but haven't yet stumbled onto a clear answer. Maybe there isn't one.

New home construction, and while it is being finished I'm putting together some of the key pieces I'll need for the electronics side of things.

BI for security - building that computer now and will start playing with and learning BI shortly. Building instead of buying used because I want it to fit cleanly into a rack with all other equipment, and used rack computers are noisy, hot and power hungry. So I'll bite the bullet and spend a little more to get modern efficient processing in the form factor I want.

Home network will be based around pfsense and Ruckus WAPs. The pfsense computer has 8x gigabit NICs and fiber (more than needed for sure).

I've read the wiki and lots of posts about dual NICs in a BI computer. I've read a few about using VLANs instead, but haven't found a good comparison of the pros and cons of each method. With the pfsense box I'll have multiple physical LANs I could use if needed.

Should I plan on a dual NIC setup in the BI computer (would have to purchase a PCIe card, no biggie), or keep the cameras on a separate NIC of the router instead?
 

crw030

Known around here
Joined
Apr 26, 2016
Messages
792
Reaction score
447
Location
Colorado
@rhosch do you have VLAN experience and are you already familiar with pfSense or will you be needing to learn your way around both VLANs and pfSense? Both dual-NIC and VLANs are completely viable options, just depends on your willingness to tackle one or more learning curves at the same time. Will you have VLAN aware switches already or would that be an extra (unplanned) expense, because that might guide you to one solution over the other?

The main argument for dual-NIC is just KISS, because these cameras are always among the most insecure devices on your network. But given the fact you are going the pfSense route, obviously you are either comfortable with better-than-consumer-grade networking (or want to be!). I'm in the pfSense boat, but I haven't mastered VLANs just yet, so I'm still running dual-NIC. I'm currently mostly using VLANs for IOT and AV (Roku, Chromecast, DirecTV) just to segregate them.
 

rhosch

No prior experience with pfsense, VLANs or BI for that matter. I'm plenty tech handy in general, but networking is by no means a strong suit for me. So learning curves everywhere I turn.

The Ruckus WAPs I'll be using are VLAN capable... but won't be utilizing them for BI/cameras.

I've purchased one POE switch for now to make it easier to start playing with and learning both the Ruckus hardware and BI once I get that machine finished. It isn't a managed switch, but I'm not sure if it can pass VLANs through or not.

I had assumed (!) that if I don't go the dual NIC in BI machine route, I would keep entirely separate networks from the pfsense router out, meaning one NIC would be dedicated to the cameras with their own POE switch not used for anything else. Hardware is relatively cheap. That seems less of a virtual LAN and more of a second physical LAN but perhaps the term VLAN covers that configuration as well?

I'm certainly not opposed to the dual NIC in the BI machine route. The cost of another network card is trivial. But from reading here I'm at least aware that there is some complexity in that configuration in how the cameras are accessed from outside my network, needing a VPN (the pfsense hardware I have should be powerful enough to run openVPN reasonably well so that option is there) etc. What I didn't run across is whether VLANs (or physically separate LANs?) alleviate any of those issues, or add more complexity of their own without solving any problems, make security better or worse, etc.
 

crw030

No, you have the right idea. Since you will have multiple physical LANs in that setup, it will accomplish the same thing as using a VLAN would for a typical single-network consumer home network. If you secure that particular LAN interface with proper firewall rules to prevent the cameras from "calling home" as well as block inbound connections (standard firewall stuff) and DON'T PORT FORWARD, you can forego the VLAN in my opinion. In this case I would put the Blue Iris machine on the same switch on that same network interface.

Your ability to secure the interface from allowing the cameras to make any nefarious outside calls is the key to securing that interface. In typical consumer grade routers creating firewall rules to block internal clients from reaching the WAN is less common (and sometimes only implemented as a parental lock-style all or nothing). But in pfSense you’ll be able to firewall those clients off from the WAN and your other networks with very fine control.

I have pfSense with 1 WAN and 4 LANs (PRIMARY, WIFI, AV, CAMS) but had to rethink after I realized Chromecasts have to be on the same subnet as mobiles to "Cast" (workaround would be mDNS service). Right now the only device on the CAM subnet is Blue Iris, and the dual NIC in that machine is connected to a POE switch for simplicity when I was starting out. If I connect the POE switch directly and move all the cameras to it, and reconfigure the firewall, we'd have a very similar setup.
 

rhosch

Thanks, that helps. I wonder if the BI machine being on the same firewalled switch/LAN as the cameras would cause any other issues? I guess if connected externally via openVPN I'd still have access to the BI machine even if all network traffic were blocked on that pfsense interface? Same for say an automation computer I want to talk to BI, if it's on internal network (even if a different pfsense interface than the BI machine) would I still be able to have them communicate?

I think this will probably come down to how familiar I get with pfsense and my ability to create necessary firewall rules. I can default back to the dual NIC BI approach if needed but I think I'll at least give it a go the other way first.
 

crw030

If you are connected via OpenVPN, you will be "inside your network"; from a firewall standpoint you just need to allow traffic between your OpenVPN subnet and this subnet (and back).

The beauty of pfSense firewall rules is you have absolute control over any traffic that has to flow to the router. You should put the Blue Iris machine on the same network (primarily to avoid routing so much traffic through pfSense, as a regular dumb switch would be more efficient than software routing between LANs), set that PC as a DHCP fixed IP lease, and then allow as much traffic back and forth to that computer IP as you want, while blocking essentially all the traffic from the rest of the network (cameras) trying to escape. If you went dual-NIC you would be using the Blue Iris computer (via RDP) to talk to the cameras, and BI UI3 as your primary video interface. If you just put them in a VLAN or physically separate LAN like you discuss, you can still restrict access to/from them that would pass through the firewall, but could use other Dahua discovery etc. tools from devices on that network.

Either VLAN or separate physical LAN with its own switch, both accomplish keeping your camera stream bandwidth OFF your primary network, and throw good firewall rules on that interface and you can have as good security as dual-NIC or VLAN. The key will be figuring out firewall rules and testing the rules, as there have been a few situations where cameras do some pretty crazy things to try and "phone home". I have set up a syslogd server (Kiwi, free) to help me in troubleshooting firewall rule setup, because you can log traffic blocked (or briefly during setup even traffic passed) by a specific firewall rule and then go look at the log to understand whether the rule is doing what you think it is.
 
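The log check crw030 describes, as an added example that is not part of the thread: it parses constructed pfSense filterlog records (the CSV payload pfSense writes to syslog) and tallies, per camera, the outbound connections the interface rule blocked. The interface name igb3, the 192.168.50.0/24 camera subnet and the log lines are assumptions made for the example.

```python
"""Summarise pfSense filterlog records from the camera interface (added
example, not from this thread). filterlog writes each logged rule hit to
syslog as one CSV record; FIELDS follows the pfSense 2.2+ filter log format
for IPv4, with the TCP/UDP ports following the IP header. All values are
constructed: interface igb3, the 192.168.50.0/24 camera subnet, the lines."""
import ipaddress
from collections import Counter, defaultdict
from typing import Optional

FIELDS = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action",
          "direction", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
          "proto_id", "proto", "length", "src", "dst", "sport", "dport"]

# Constructed records: two camera attempts to TCP/443 on the internet and one
# NTP attempt, all blocked on the CAMS interface, then a VPN client passed to
# the Blue Iris host on the OpenVPN interface (not a camera, so not counted).
SAMPLE_LINES = [
    "5,,,1000000105,igb3,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "192.168.50.11,203.0.113.10,52110,443,0,S,1,,65535,,mss",
    "5,,,1000000105,igb3,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "192.168.50.11,203.0.113.10,52111,443,0,S,2,,65535,,mss",
    "5,,,1000000105,igb3,match,block,in,4,0x0,,64,0,0,none,17,udp,76,"
    "192.168.50.12,198.51.100.5,34567,123,56",
    "9,,,1000000109,ovpns1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "10.8.0.2,192.168.50.2,41000,81,0,S,3,,65535,,mss",
]

def parse_filterlog(payload: str) -> Optional[dict]:
    """Parse one record; returns None for non-IPv4 or non-TCP/UDP traffic."""
    f = payload.split(",")
    if len(f) < len(FIELDS) or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    rec = dict(zip(FIELDS, f))
    rec["dport"] = int(rec["dport"])
    return rec

def blocked_outbound(lines, cam_iface: str, cam_net: str):
    """Per camera IP, how often each (dst, dport) was blocked leaving cam_iface.
    LAN-side rules match traffic entering pfSense from that interface, so a
    camera's blocked connection is logged with direction "in"."""
    net = ipaddress.ip_network(cam_net)
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_filterlog(line)
        if (rec and rec["iface"] == cam_iface and rec["action"] == "block"
                and rec["direction"] == "in" and ipaddress.ip_address(rec["src"]) in net):
            hits[rec["src"]][(rec["dst"], rec["dport"])] += 1
    return hits

if __name__ == "__main__":
    for cam, dests in blocked_outbound(SAMPLE_LINES, "igb3", "192.168.50.0/24").items():
        print(cam, dict(dests))
```

A blocked NTP attempt like the one above is the kind of legitimate dependency the log surfaces; pointing the cameras at the pfSense box's own NTP server keeps them in time without opening the interface to the internet.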

rhosch

That makes sense, thanks. Looks like it's time to button up the BI machine and get to learning pfsense. Our house won't be finished for a couple of months yet but I'll probably buy one camera now to start testing and learning.
 

davej

Getting the hang of it
Joined
Apr 25, 2014
Messages
199
Reaction score
34
I have pfSense and just acquired a Unifi AP that supports VLANs. I was going to put this AP on a dedicated port but apparently VLAN and non-VLAN traffic can flow on the same pfSense port?
 

crw030

Yes, you create VLAN interfaces in pfsense and assign them to a physical interface. I haven't figured out how to bridge the same VLAN across multiple interfaces in pfSense; my limited understanding is that should be possible with VLANs (grouping clients together on a virtual LAN regardless of different subnets), but if it is possible it's still beyond my expertise level. If not possible, I believe the Unifi switches (and other managed switches) can uplink VLAN traffic on different ports to build physical bridges between networks.

I currently have my wifi network primary LAN and 3 VLANs (IoT, Guest, RADIUS trusted) all running on a single port on pfSense with IoT firewalled from internet, Guest, RADIUS and WiFi all have internet but can't see each other except for one rule that lets my IoT devices send MQTT messages to a device on WiFi LAN.
 

pete_c

Pulling my weight
Joined
Jul 30, 2019
Messages
138
Reaction score
149
Location
USA
Personally here using:

1 - PFSense with two WAN (failover) connections and 3 LAN connections
2 - Ruckus AP's (recently switched from Ubiquiti WAPs)
3 - 3 managed 24 port switches and 2 unmanaged 24 port switches (Gb).
4 - IPSec VPN and OpenVPN are running on PFSense, NTP via GPS with PPS, Squid, Snort, PFBlockerNG, et al.

I personally would go with autonomous physically separate networks.

The traffic / utilization of a managed switch port whether in a VLAN or not will still hit the back plane of the switch.

You can get very creative with PFSense rules between networks.

Check out the YouTube videos for PFSense. Here is a quickie DIY I did for PFSense.

How to configure a PFSense Firewall

Best to ask questions on the PFSense (Netgate) forum over here ==> hxxps:/forum.netgate.com/
 

davej

> ...my wifi network primary LAN and 3 VLANs (IoT, Guest, RADIUS trusted) all running on a single port...
RADIUS means individual wifi logins? How difficult is that to accomplish?
 

crw030

> RADIUS means individual wifi logins? How difficult is that to accomplish?
I will be honest I was using it with MAC Address login (which is apparently very poor security), so that my IOT devices etc could all be placed on the proper VLAN automatically by the Unifi AP (it supports RADIUS assigned VLAN). I did NOT explore the individual passwords scenario, but it supports the Google Authenticator approach which might be a secure way for trusted people to login to your wifi...especially in my situation as I have a "boarder", I wouldn't have to share the primary wifi password in that case (I'm guessing). I have stopped using RADIUS for the time being, I just wanted a simple way to assign VLANs to specific clients without creating several SSIDs.

Right now he has his own access point with a dedicated password I can just change, and if I wire him a connection I'd assign the VLAN at the switch so all his devices can see each other but nothing else on my network.
 

achalmersman

Getting the hang of it
Joined
Jan 26, 2017
Messages
205
Reaction score
58
Location
Delaware USA
I use pfSense with 2 ports, a WAN port and a LAN port. The LAN port is a trunk to a layer 2 48 port Cisco POE 3750x switch. All layer 3 interfaces are within the pfSense box. Create firewall rules to isolate traffic however you want it to be isolated. My camera VLAN can only access devices (a tablet and PC) that are part of an alias group (allowed cam access) in the regular LAN. All other traffic is blocked. I have BI set up with a NAT rule so that UI3 and the mobile app can access BI from my public IP without having to use my VPN; however, only public addresses which have been added to an alias group whitelist are allowed in. Any other incoming requests for that port are dropped.

pfSense is so capable. Google is your friend.

Sent from my SM-G965U using Tapatalk
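The rule layout crw030 and achalmersman describe (pass rules for named aliases above a broad block, VPN clients allowed to the BI host, a whitelisted NAT target) as an added example that is not part of the thread: a small model of pfSense's first-match evaluation over aliases, useful for reasoning about rule order before touching the box. Alias members, addresses, interface names and port 81 are assumptions made for the example.

```python
"""Model of the camera-LAN rule set described above (added example, not
pfSense code). pfSense puts "quick" on every rule, so the first matching rule
on an interface wins and unmatched traffic hits the implicit default deny.
Alias members, addresses and ports here are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Stand-ins for pfSense Firewall > Aliases entries (constructed values).
ALIASES = {
    "cams_net": ["192.168.50.0/24"],
    "blueiris_host": ["192.168.50.2"],        # BI PC, fixed DHCP lease, same subnet
    "allowed_cam_access": ["192.168.10.25", "192.168.10.40"],  # tablet and PC
    "openvpn_net": ["10.8.0.0/24"],
    "ui3_whitelist": ["198.51.100.77"],       # public IPs allowed to reach UI3
    "any": ["0.0.0.0/0"],
}

@dataclass
class Rule:
    iface: str
    action: str                  # "pass" or "block"
    src: str                     # alias name
    dst: str                     # alias name
    dport: Optional[int] = None  # None matches any destination port

def in_alias(ip: str, alias: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ALIASES[alias])

# Order matters: narrow pass rules must sit above the broad block rule. Camera
# traffic to the BI PC stays on the switch and never reaches these rules.
RULES = [
    Rule("CAMS", "pass", "cams_net", "allowed_cam_access"),    # only these two hosts
    Rule("CAMS", "block", "cams_net", "any"),                  # no "phoning home"
    Rule("OPENVPN", "pass", "openvpn_net", "blueiris_host", 81),
    Rule("WAN", "pass", "ui3_whitelist", "blueiris_host", 81), # paired with the NAT forward
]

def evaluate(iface: str, src: str, dst: str, dport: int,
             rules: List[Rule] = RULES) -> str:
    """Action of the first matching rule on iface, else the default deny."""
    for r in rules:
        if (r.iface == iface and in_alias(src, r.src) and in_alias(dst, r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "block"

if __name__ == "__main__":
    print(evaluate("CAMS", "192.168.50.11", "203.0.113.10", 443))  # block
```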
 

achalmersman

> Yes, you create VLAN interfaces in pfsense and assign them to a physical interface. I haven't figured out how to bridge the same VLAN across multiple interfaces in pfSense, my limited understanding is that should be possible with VLANs (grouping clients together on a virtual lan regardless of different subnets), but if it is possible it's still beyond my expertise level. If not possible, I believe the Unifi switches (and other managed switches) can uplink VLAN traffic on different ports to build physical bridges between networks.
>
> I currently have my wifi network primary LAN and 3 VLANs (IoT, Guest, RADIUS trusted) all running on a single port on pfSense with IoT firewalled from internet, Guest, RADIUS and WiFi all have internet but can't see each other except for one rule that lets my IoT devices send MQTT messages to a device on WiFi LAN.
Are you asking about using multiple physical interfaces on the pfSense box to run the same VLANs? Sounds like you're talking about link aggregation / 802.3ad. Look under Interfaces / Assignments / LAGGs. This can create a layer 2 logical interface by using multiple physical interfaces to a capable switch for increased bandwidth and redundancy. You need a compatible switch. For instance, in a Cisco switch you would assign 2 or more interfaces to a channel-group and then your configs would be done on that "port channel".

 

Sybertiger

Getting comfortable
Joined
Jun 30, 2018
Messages
675
Reaction score
623
Location
Orlando
I used the "KISS" method. Curious to know what my KISS method is missing compared to what you are trying to accomplish.

Network1.jpg
 

achalmersman

Nothing wrong with your KISS method and it would work fine. But he's already planning a pfSense install, which means he doesn't need another router, and BI doesn't need dual NICs. He just needs a good layer 2 switch with VLAN capabilities. Everything is able to be done via VLANs and firewall rules. And he has 100x the capabilities as far as firewall rules, NAT rules, VPN, redundancies etc. It's insane what pfSense is capable of considering it's open source freeware.

 

Sybertiger

I'm sure whatever he's building it'll be quite capable. Just curious on what I was missing out on. The ASUS router was $70 and had OpenVPN built-in, it's the only router I use. The second NIC was $7 off eBay. Maybe his implementation will have higher performance and more security than OpenVPN...don't know which is why I asked. He appeared to be concerned about power but the extra computer he has for pfSense uses more power than just an OpenVPN router.
 

achalmersman

If you don't need it you don't need it. But pfSense is literally an enterprise level routing / firewall / VPN, etc. It can build IPsec tunnels, anything you can think of. You can build aliases for firewall rules so that when you're building rules you use the alias (game_consoles), so that any new "game console" can just be added to that alias group and then all your firewall rules are updated without going into them 1 by 1. It's definitely a case of "not needed" for the network you drew. But considering it's freeware and for people like me that have hardware laying around... it's a no-brainer. 100x the capabilities and it cost me nothing. I actually sold my Asus router for $100 after building my free pfSense server.

 