I'm planning to set up a new firewall/router at our company, and am leaning towards using pfSense because I want several green networks (either using multiple ports on the firewall machine, or using a managed switch and VLANs - as far as I understand it, they can work the same way).

There are going to be a couple of server machines on different branches of the LANs, but I need access to them from the other branches. The setup I've planned looks like this:


/-----------\
|           |-red1----internet
|  pfSense  |-red2----(second internet connection, optional)
|           |
|           |-orange--DMZ---web server, mail server, squid, etc.
|           |
|           |-blue---(wireless for laptops, including visitors)
|           |               |               |            |
|           |           LinkSys WRT54GL    LinkSys      LinkSys
|           |            /   \              /   \        /   \
|           |         laptops, etc.
|           |
|           |-green1---LAN (192.168.1.x)---server1.1, pc1.1, pc1.2, etc.
|           |
|           |-green2---LAN (192.168.2.x)---server2.1, pc2.1, pc2.2, etc.
|           |
|           |-green3---LAN (192.168.3.x)---server3.1, pc3.1, pc3.2, etc.
|           |
\-----------/


Making appropriate firewall and routing rules for access to the DMZ servers from the green LANs is easy enough, as are things like allowing SSH access on different LANs for administrative purposes. But it is also important that I can get Windows share access in some way across the LANs. For example, pc1.2 (say, 192.168.1.102) should be able to mount a share on server2.1 (192.168.2.1), while the reverse is not true (i.e., no machine on LAN2 should see the PCs on LAN1). Is it sufficient, and safe, to simply open a pinhole for traffic on port 139 towards 192.168.2.1 from 192.168.1.x? I suppose I could set up VPNs somewhere to tunnel traffic around, but I can't see that this would actually improve matters (I have no need to encrypt traffic passing between greens) - I would need similar rules to limit the VPN traffic. In fact, I'm assuming that once I've got things figured out for cross-green routing, I can use the same sorts of rules for VPNs from laptops on the blue zone or attaching via the internet.

As far as I can tell, it is only the share access that I need from the SMB/CIFS protocols. pfSense's DNS server should be able to handle naming, and I am not running a Windows domain (it's all set up as a workgroup).

If I can't get a stable and secure arrangement for SMB sharing, what are my other options? At the moment, we have a couple of Linux file servers and one old Windows one, which can be replaced if it is not flexible enough. I've heard of using WebDAV as a protocol - W2K and XP (and Linux, and presumably FreeBSD :-) can mount WebDAV paths and use them directly. If the WebDAV access is over HTTPS, then it could be used directly from outside the LANs without needing a VPN. Another idea I have read about is using an SFTP server along with WebDrive software.

Any hints, tips, website pointers, or comments about how only an idiot would arrange things like that, would be much appreciated.

mvh.,

David
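An added example, not part of David's message and not pfSense's own configuration, showing what the one-way pinhole described above looks like in pf's rule syntax, which is the packet filter pfSense generates its rules for. The interface names (em1, em2), the server address taken from the diagram, and the inclusion of TCP 445 next to 139 (modern SMB talks directly over 445; 139 is the NetBIOS session service) are assumptions. The point the rules illustrate is that a stateful pass rule on the LAN1 side is all that is needed for the server's replies to get back, so LAN2 never needs a rule permitting it to initiate anything toward LAN1.

```pf
# Assumed interface assignments for the diagram (example values, not from the page)
green1 = "em1"            # 192.168.1.0/24
green2 = "em2"            # 192.168.2.0/24
server2_1 = "192.168.2.1" # the file server LAN1 clients may reach
smb_ports = "{ 139, 445 }" # 445 assumed in addition to the 139 mentioned in the question

# Pinhole: LAN1 hosts may open SMB sessions to server2.1 only.
# "keep state" records the connection, so the server's replies are matched
# against that state on the way back and need no rule of their own.
# "quick" makes this a first-match rule, so it must sit above the blocks.
pass in quick on $green1 proto tcp from 192.168.1.0/24 to $server2_1 \
    port $smb_ports flags S/SA keep state

# Everything else between the two green LANs is dropped and logged,
# including any connection that server2.1 or another LAN2 host tries
# to open toward LAN1 (reverse direction stays closed).
block in log quick on $green1 from 192.168.1.0/24 to 192.168.2.0/24
block in log quick on $green2 from 192.168.2.0/24 to 192.168.1.0/24
```

In the pfSense web interface the same policy is a single pass rule on the green1 interface with destination 192.168.2.1 and destination ports 139 and 445, placed above block rules for the rest of the inter-LAN traffic; pfSense rules are stateful by default, so the reply direction needs nothing extra. One caveat worth knowing: NetBIOS name resolution (UDP 137/138) is broadcast-based and does not cross the router, so the share has to be reached by DNS name or IP address, which matches the plan of letting pfSense's DNS handle naming.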



Reply via email to