Thanks Adam. Didn't receive that info before. That helps.

----- Original Message -----
From: "Adam Thompson" <[email protected]>
To: "pfSense support and discussion" <[email protected]>
Sent: Monday, December 30, 2013 1:49:51 PM
Subject: Re: [pfSense] pfsense <-> pfsense vlans and trunking without the aid of switches

On 13-12-30 12:21 PM, John Wells wrote:

> The diagram is here: http://i.imgur.com/yGghcOb.jpg
>
> So yes, I think you and I are on the same page. Still, my security questions remain.
>
> Thanks,
> John

Then my mail client is lying to me again about what it has sent and what it hasn't :-(.

To recap my entire lengthy email: you don't have any security issues worth worrying about.

VLANs are basically secure. That doesn't mean they're 100% perfect; as with anything, software bugs are the largest class of vulnerabilities, but for general use - assuming you aren't working for the NSA - they're more secure than almost anything else you're doing with your computers.

Whether you're using a dedicated piece of hardware, or a general-purpose piece of hardware with some software, to implement a switch, you control which interfaces care about VLAN tags and which ones will ignore them.

There are some VLAN-related protocols that I would avoid enabling on the internet-facing port, that pfSense doesn't support anyway (e.g. GVRP, VTP...) so there's no issue there.

Using pfSense as a switch is probably even safer than using pfSense as a router; there's less of an attack surface presented to the outside world. However, you still have a pfSense box at the next layer 2 hop acting as a firewall... bottom line, you're exactly as safe as you were before, assuming pre-existing use of pfSense.

--
-Adam Thompson
[email protected]

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
