Messages - DarkCorner

#1
In reality there are 5 interfaces, because one is dedicated to the WAN and one to the DMZ. The 3 interfaces indicated are for internal traffic, understood as VoIP traffic and work, guest and personal traffic using a Captive Portal, and obviously rules for these 3.

What I was wondering was whether to create the VLANs on the 3 interfaces or whether to aggregate them all together and create the VLANs only on the "aggregate" interface.
#2
I'm doing some lab tests before activating it in the work environment. I talked about it in a post a couple of months ago.
I have about 20 desks with PCs and VoIP.
On all floors I have only one switch connected with an optical backbone to the main rack.
On some floors I also have an Access Point used for both work and guests.
On one floor I also have a personal area.
I had thought about separating the network with VLANs: Works, Guest, VoIP and Home. So, I have to run a trunk to the individual switches.
A Captive Portal would allow me to divide access across VLANs.

The firewall has 3 interfaces.
I was wondering whether to keep them all independent, each with its own VLAN, or aggregate them and associate all the VLANs on this single interface.

LAN traffic is modest. The Guest traffic cannot be documented, but I imagine it is equally modest and in any case occasional. The Home traffic, on the other hand, is quite demanding, although only during non-working hours.

So it's not so much a problem of network load, but rather of ease of management.

What is your opinion?
#3
Security / Re: Manage security on unmanaged PCs
November 11, 2023, 02:30:43 AM
OK. Thanks for your suggestions.
#4
Security / Re: Manage security on unmanaged PCs
November 08, 2023, 08:43:27 AM
First of all, thanks for your replies.

A first general comment right away.
This is a small company; the number of users with desktops is less than 15 and the rest are all laptops.
Sure, the warehouse worker who works alone can also secretly access a porn site, or the employee can spend her time on Facebook.
But I have to leave more freedom of Internet access for those who work in marketing, and I can't block the boss's access.

As I said initially, in my opinion the biggest problem comes from devices that are not under management.
A good example would be that of a school where students connect to the network with their laptop, but where you cannot manage their PCs or their smartphones.

Returning to the company, if there is an event in the showroom or in the meeting room, I cannot block the Internet or limit it to a predefined whitelist because there may be the need to consult an external site. For example, a competitor's website or a web magazine to see how the banner looks.
Not to mention the need to allow a guest to access his/her email or website.

I thought I could manage this by replacing the switches and access points with devices capable of managing VLANs so as to segment the network.

Again, for example, in the personal apartment I can create a VLAN for personal devices (SmartTV, XBox, etc.), one for the children and one for those in the family who work in the company and who need to access the services or the NAS even from home.
User desktop PCs will be on one VLAN, company laptops on a second VLAN, agent laptops on a third, guest laptops on another, smartphones on yet another, etc.

Using Squidguard on the Squid proxy I can differentiate access by blocking entire categories (such as porn, sport and social networks) and adding specific websites into blacklists and whitelists.

However, I was wondering how to manage these filters. Not so much at the level of specific configuration or firewall rules, but primarily at the design level.

If I want to use ClamAV I have to open packets for what is now predominantly HTTPS traffic.
As I was saying, I'm perplexed by the use of the "Man in the Middle" and the difficulty in automatically configuring devices of people I don't know (such as guests and sales agents).

Furthermore, the considerations of some colleagues worry me.
I'm going to "impose" the use of wpad.dat on a person who then goes somewhere else and downloads a wpad.dat from an unauthorized website.
Who is responsible if something happens with this access that shouldn't have happened? This guest, who didn't check properly, or me, for having allowed him to download wpad.dat automatically?

Finally, as for the budget, it is commensurate with a small company.
For switches and access points I will focus on devices like Ubiquiti while the firewall is already a PC with i5 quad core and 16GB of RAM, enough to manage both the proxy and future VPNs.

I don't think that replacing it with an appliance firewall will change anything if I don't solve the segmentation and filtering problem.
#5
Security / Manage security on unmanaged PCs
November 07, 2023, 04:51:39 AM
I have a project problem even before a technical one.

I'm working in a small company where users are all on the same LAN, but in offices not close to each other. More than one user has their own personal laptop. Agents and guests often arrive with their own laptops. There is no domain server with AD in the network and therefore no PC is managed.

So, each user does what he wants, thanks also to the lack of a company policy.
Furthermore, there is also a home in the network where personal PCs, SmartTVs and XBoxes are connected to the Internet via the company LAN.
Not to mention smartphones of all types that connect to the home and office access points.

I was thinking of segmenting the LAN with VLANs, but this is useless if I don't limit Internet access and manage traffic.

On the pfSense firewall there is Squid with ClamAV and Squidguard.
I was thinking of using ClamAV as a first additional filter, on top of what is usually NOT installed on the various devices.
Then, I would like to use Squidguard to block part of the traffic using public blacklists and differentiating the use of the network based on accesses or VLANs.

But, how to configure all this correctly?

With the Transparent Proxy I do not filter HTTPS.
To filter and use ClamAV over HTTPS I would need to enable "Man in the Middle", but I would need WPAD and a certificate. A solution that in this situation is not recommended to me by other colleagues, because users with laptops (the majority) could download (without knowing they have done so) insecure configurations when they are elsewhere, for example on public hotspots.
Furthermore, few know how to change the network settings of PCs and smartphones. I should continuously provide them with extra assistance.

Installing a Captive Portal would, I think, add more problems, because guests would still have generic access.

I'm doing a lot of tests without ever finding a satisfactory solution. I welcome all your suggestions.

Thanks in advance.
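As an added illustration of the per-VLAN filtering described in posts #4 and #5 (this is example configuration written for this page, not DarkCorner's setup or anything from the thread), here is a squidGuard configuration that keys source groups to VLAN subnets, applies public blacklist categories differently per group, and layers a local whitelist and blacklist on top. The subnets, file paths, category directory names and redirect URL are all assumptions.

```conf
# Added example, not the poster's config. Subnets, paths, category
# directory names (porn, socialnet) and the redirect URL are assumptions;
# adjust them to the blacklist package actually installed on the pfSense box.
dbhome /var/db/squidGuard
logdir /var/log/squidGuard

# One source group per VLAN, matched on the VLAN's subnet (assumed addressing).
# squidGuard must see the real client IP, which it does on a pfSense proxy.
src vlan_work {
    ip 10.10.10.0/24
}
src vlan_guest {
    ip 10.10.20.0/24
}

# Categories taken from a public blacklist (directory names are assumptions)
dest porn {
    domainlist porn/domains
    urllist    porn/urls
}
dest socialnet {
    domainlist socialnet/domains
}
# Locally maintained lists: always allow / always block specific sites
dest whitelist {
    domainlist custom/whitelist_domains
}
dest blacklist {
    domainlist custom/blacklist_domains
}

acl {
    # Work: whitelist wins first, then local blacklist and categories block,
    # everything else passes. Rules are evaluated left to right.
    vlan_work {
        pass whitelist !blacklist !porn !socialnet all
        redirect http://proxy.example.invalid/blocked.php?url=%u&src=%s
    }
    # Guests: only the porn category and local blacklist are blocked, so an
    # unknown site needed during an event still works.
    vlan_guest {
        pass whitelist !blacklist !porn all
        redirect http://proxy.example.invalid/blocked.php?url=%u&src=%s
    }
    # Clients from a subnet that matches no VLAN group get nothing.
    default {
        pass none
        redirect http://proxy.example.invalid/blocked.php?url=%u&src=%s
    }
}
```

With a transparent proxy and no SSL interception, squidGuard only sees plain-HTTP requests, which is exactly the limitation post #5 raises; the per-VLAN split still holds, but HTTPS destinations pass through the filter unseen.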