Pfsense: Difference between revisions

From Sea of Fate
(One intermediate revision by the same user not shown)
Line 1: Line 1:
==Introduction==
==Introduction==


Pfsense on Pear is designed to keep the virtual networks separate from the physical NIC. It is has an interface on each of the virtual networks and the WAN interface on the same  network as the physical NIC. The install does not have any plugins.
Pfsense on Pear is designed to keep the virtual networks separate from the physical NIC and the unrelated '''[[Virtual Machines]]''' separate . It is has an interface on each of the virtual networks and the WAN interface on the same  network as the physical NIC. The install does not have any plugins.


==Interfaces==
==Interfaces==


There several LAN networks including Production, Infra, VPNnet and terminals for the virtual machines to use. There is also another LAN called mgt that is reserved for management.
There several LAN networks including Production, Infra, VPNnet and terminals for the virtual machines to use. There is also another LAN called mgt that is reserved for management. '''Update''' With the addition of the 2.5 Gb p/s NIC the LANs have been changed to VLAN aware VLANs on a single network, still the same security of separation but with VLANs instead of LANs with no bridge/slave NIC.  


===Production===
===Production===
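Review bot: In the Interfaces paragraph the new "Update" sentence is appended after text that still reads "There several LAN networks ... There is also another LAN called mgt", so the section now describes the old LAN layout and the new VLAN layout side by side without saying which statements still hold. Rewrite the opening sentences to describe the VLAN layout and keep the earlier design as a short history note. "VLAN aware VLANs" and "instead of LANs with no bridge/slave NIC" also leave it unclear which setup has no bridge. The Introduction edit adds "separate ." with a stray space and leaves "It is has" uncorrected.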

Latest revision as of 14:50, 27 January 2026

Introduction

pfSense on Pear is designed to keep the virtual networks separate from the physical NIC and to keep the unrelated Virtual Machines separate. It has an interface on each of the virtual networks and the WAN interface on the same network as the physical NIC. The install does not have any plugins.

Interfaces

There are several LAN networks, including Production, Infra, VPNnet and Terminals, for the virtual machines to use. There is also another LAN called mgt that is reserved for management.

Update: With the addition of the 2.5 Gb/s NIC, the LANs have been changed to VLANs on a single VLAN-aware network. This gives the same security of separation, but with VLANs instead of LANs with no bridge/slave NIC.

Production

The production network is reserved for the main production VMs, mainly web hosts and the hosts that support them. Juniper has also been moved to production as it will be hosting Jellyfin and n8n.

Infra

Infra or infrastructure is used for the LAN services such as the nameserver and the monitoring hosts.

VPNnet and Terminals

The VPN servers are on VPNnet and the desktops are on Terminals. The desktops will probably be moved to production, but the two VPN servers (WireGuard and OpenVPN) will stay where they are, as they need to be kept separate for security reasons.

MGT

This management network is highly restricted and reserved purely for management functions, particularly management of the pfSense web GUI. This means that it is not possible to manage pfSense from any remote computer: all pfSense management must be done from the console while logged on to Pear. Any other management should also be done from the mgt network. To make this possible, the VM host Lemon has been created with Firefox and passwordless SSH to most relevant hosts. KeePass has also been installed to keep track of all passwords used on Pear.
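One way to check the rule described above, that only mgt can reach the web GUI, as an added example that is not part of this wiki or the Pear configuration. The subnets, the firewall's .1 addresses, port 443, the rule-dictionary format and both rule sets are assumptions constructed for illustration; the evaluation is a simplified first-match, default-block model of per-interface rules.

```python
import ipaddress

# Assumed addressing: the page names the segments but gives no subnets.
SEGMENTS = {
    "production": "10.0.10.0/24", "infra": "10.0.20.0/24",
    "vpnnet": "10.0.30.0/24", "terminals": "10.0.40.0/24",
    "mgt": "10.0.99.0/24",
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in SEGMENTS.items()}
# Assumption: the firewall holds the .1 address on every segment.
FW_ADDRS = {name: net.network_address + 1 for name, net in NETS.items()}
GUI_PORT = 443  # assumed web GUI port

def allowed(rules, iface, src, dst, port):
    """First matching rule on the ingress interface wins; no match means block."""
    for rule in rules.get(iface, []):
        if rule["dst"] == "self":  # stands in for a "This Firewall" destination
            dst_ok = dst in FW_ADDRS.values()
        else:
            dst_ok = dst in ipaddress.ip_network(rule["dst"])
        src_ok = src in ipaddress.ip_network(rule["src"])
        if src_ok and dst_ok and rule["port"] in (None, port):
            return rule["action"] == "pass"
    return False

def audit_gui_exposure(rules):
    """List every way the mgt-only web GUI policy is violated."""
    findings = []
    for seg, net in NETS.items():
        client = net.network_address + 10  # constructed sample host
        # Probe every firewall address: a broad pass rule also covers the
        # firewall's addresses on the other segments, not just the local one.
        for fw_seg, fw_ip in FW_ADDRS.items():
            if seg != "mgt" and allowed(rules, seg, client, fw_ip, GUI_PORT):
                findings.append(f"{seg} reaches web GUI on {fw_seg} address {fw_ip}")
    mgt_client = NETS["mgt"].network_address + 10
    if not allowed(rules, "mgt", mgt_client, FW_ADDRS["mgt"], GUI_PORT):
        findings.append("mgt cannot reach web GUI")
    return findings

# Constructed rule sets: WEAK has only a broad pass rule on production,
# FIXED puts a block-to-firewall rule ahead of it.
ANY = "0.0.0.0/0"
MGT_RULE = {"action": "pass", "src": SEGMENTS["mgt"], "dst": "self", "port": GUI_PORT}
PASS_ANY = {"action": "pass", "src": SEGMENTS["production"], "dst": ANY, "port": None}
BLOCK_SELF = {"action": "block", "src": ANY, "dst": "self", "port": None}
WEAK = {"mgt": [MGT_RULE], "production": [PASS_ANY]}
FIXED = {"mgt": [MGT_RULE], "production": [BLOCK_SELF, PASS_ANY]}
```

Calling `audit_gui_exposure(WEAK)` reports production reaching the GUI on all five firewall addresses, while `audit_gui_exposure(FIXED)` returns no findings.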