It seems strange to want to apply the same mistake that had been made on Linux, 
but let me explain the situation.

a) The previous configuration was made by a former business consultant here; 
the guy made the business work well, it is running, but with no VLANs it is 
vulnerable. He may have done it this way just to satisfy a customer who until 
now has had no switch that supports VLANs.

b) Then, in a network restructuring job, we turned off the Linux client and 
put a virtualized pfSense on VMware ESXi 4.1; it has 03 virtual NIC interfaces 
that are connected to a single physical NIC connected to the switch. I am trying 
to apply the same scheme, since the customer wants it. At first it looked like 
it would work, and it was going well until it started distributing DHCP IPs to 
the machines without considering the STATIC MAPPING. I found that strange 
because I had marked the option "deny unknown clients" on each range. Two are 
free, 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24, and one is a security 
net where any intruder would land, for example someone who broke the password 
for the wireless network.

c) Under Firewall Rules, I created rules that isolate these networks; it works 
well, I had already tested it.

d) Maybe the RC3 version would work; the current one is pfSense 1.2.3, but I 
would like to be sure, so as not to make efforts in vain.

e) You cannot go to the client and say "buy a switch with VLANs, buy this or 
that"; he will say, "But your predecessor made it work on Linux and had no 
problems." With some customers, certain things are complicated to explain; he 
may think you are trying to sell him something or bluff him. So, friends, I 
totally agree that this is more or less security: the firewall rules do isolate 
the networks, as I said before, but a scenario with VLANs or even 802.1x would 
be better. Since that is not possible now, the least I can do is leave the scene 
no worse than it was before, whether with Linux or pfSense. So I'm sending this 
text to explain more, because at least in this case I'm insisting on doing 
something that from the beginning is not 100% correct.


Ivanildo Galvão - MCP, MCT, MCSA, VSP
Technology Consultant
Tel. (84) 3201 2146                 | Cel. (84) 9111 8873
ivani...@itservices.com.br    | www.itservices.com.br 
Twitter: @ivanildogalvao 
-----Original Message-----
From: Tim Dickson [mailto:tdick...@aubergeresorts.com] 
Sent: Thursday, September 1, 2011 18:13
To: support@pfsense.com
Subject: RE: [pfSense Support] Static ARP

> I have a client who was using Linux as a proxy server; it had one LAN 
> interface and a WAN. On the LAN NIC he had virtual interfaces, as follows: 
> eth0:1, eth0:2, eth0:3, so he had:

We kind of already answered this one yesterday... but

What you want to do will not work like they had it on the Linux box, and really 
is not a recommended way to set up a network.
It provides NO "real" security on your network - so what is the reason for 
segregating? 

If it is to provide security, then you may as well not bother because it would 
be trivial to hop networks at that point.
If it is for access restrictions after the firewall - you can do what you want 
with what was recommended yesterday.
Open up the network with a 192.168.0.0/22. Put the DHCP range on 192.168.3.1 
-192.168.3.254. Put in STATIC DHCP for devices on 192.168.1.0 and 192.168.2.0. 
Then set up rule restrictions for the IP ranges.

The only other option I can think of would be to set up 3 NICs for 3 LANs, then 
plug them all into the same switch.
Turn DHCP on for all of them, and restrict 2 of them to STATIC MAC mappings.  
I have no idea how that would work, or if it would - but you are welcome to 
give it a shot.
Seems like it would be a broadcast nightmare - but if you want to try it.... 

-Tim
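The two layouts discussed in this thread (three pfSense NICs on one switch with "deny unknown clients" on two of them, versus Tim's single /22 with a dynamic range in 192.168.3.x and static mappings for the other hosts) can be modelled in a few lines. The block below is an added example written for this thread, not pfSense code or anything either poster wrote. It assumes a simplified DHCP server that either answers a DISCOVER or stays silent, and all MACs and addresses in it are constructed sample values. It shows why several pools on one broadcast domain can produce more than one OFFER for the same client (so the static mapping may be ignored, as Ivanildo observed), why the single-pool layout does not, and why subnet-based firewall rules on a shared segment only apply if the client keeps the mask it was handed (Tim's "no real security" point).

```python
"""Toy model of the DHCP and reachability behaviour discussed in the thread.
Added example, not pfSense code. All MAC/IP values are constructed samples."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass
class Pool:
    """One DHCP server instance (one pfSense interface) hearing the segment."""
    network: IPv4Network
    first: IPv4Address            # start of the dynamic range
    last: IPv4Address             # end of the dynamic range
    static: dict                  # MAC -> fixed address (static mapping)
    deny_unknown: bool            # pfSense "deny unknown clients"
    leased: dict = field(default_factory=dict)

    def offer(self, mac: str):
        """Address this instance would OFFER for a DISCOVER, or None if silent."""
        if mac in self.static:
            return self.static[mac]
        if self.deny_unknown:
            return None
        ip = self.first
        while ip <= self.last:             # next free dynamic address
            if ip not in self.leased.values():
                self.leased[mac] = ip
                return ip
            ip += 1
        return None


def discover(pools, mac: str):
    """A DHCPDISCOVER is a broadcast, so every pool on the segment hears it.
    Returns every OFFER that would be sent. The client keeps whichever OFFER
    arrives first, so more than one entry means the static mapping may lose."""
    offers = []
    for pool in pools:
        ip = pool.offer(mac)
        if ip is not None:
            offers.append((str(pool.network), str(ip)))
    return offers


KNOWN_MAC = "00:11:22:33:44:01"     # constructed: host mapped to 192.168.1.10
UNKNOWN_MAC = "de:ad:be:ef:00:01"   # constructed: host with no static mapping


def three_nic_layout():
    """Three pfSense NICs, one per /24, all cabled to the same switch;
    two pools restricted to static mappings, one left open."""
    a = IPv4Address
    return [
        Pool(IPv4Network("192.168.0.0/24"), a("192.168.0.100"), a("192.168.0.200"),
             {}, False),
        Pool(IPv4Network("192.168.1.0/24"), a("192.168.1.100"), a("192.168.1.200"),
             {KNOWN_MAC: a("192.168.1.10")}, True),
        Pool(IPv4Network("192.168.2.0/24"), a("192.168.2.100"), a("192.168.2.200"),
             {}, True),
    ]


def single_supernet_layout():
    """Tim's suggestion: one /22, dynamic range 192.168.3.1-254, static
    mappings for the 192.168.1.x and 192.168.2.x hosts, rules per range."""
    a = IPv4Address
    return [
        Pool(IPv4Network("192.168.0.0/22"), a("192.168.3.1"), a("192.168.3.254"),
             {KNOWN_MAC: a("192.168.1.10")}, False),
    ]


def on_link(sender: IPv4Interface, dst: IPv4Address) -> bool:
    """True when the sender treats dst as directly reachable (ARP, no router).
    On one physical segment this depends only on the sender's own mask, so a
    firewall rule between the /24s is consulted only while the client keeps
    the mask it was handed; with a wider mask the traffic never reaches it."""
    return dst in sender.network


if __name__ == "__main__":
    print("3 NICs, unknown MAC :", discover(three_nic_layout(), UNKNOWN_MAC))
    print("3 NICs, known MAC   :", discover(three_nic_layout(), KNOWN_MAC))
    print("/22, known MAC      :", discover(single_supernet_layout(), KNOWN_MAC))
    print("/24 mask, cross-net :", on_link(IPv4Interface("192.168.1.10/24"),
                                           IPv4Address("192.168.2.10")))
    print("/22 mask, cross-net :", on_link(IPv4Interface("192.168.1.10/22"),
                                           IPv4Address("192.168.2.10")))
```

In the three-NIC layout a known MAC receives two OFFERs (the open 192.168.0.x pool answers as well as the mapped one), so which address the machine ends up with is a race; in the /22 layout exactly one server answers and the mapping is honoured. The `on_link` check is the reason the rules are "access restrictions after the firewall" only: host-to-host traffic inside the shared segment is decided by the client's own mask, which is what VLANs or 802.1x would take out of the client's hands.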

