On Thu, Aug 5, 2010 at 2:08 AM, Tortise <[email protected]> wrote:
> ----- Original Message ----- From: "Chris Buechler" <[email protected]>
> To: <[email protected]>
> Sent: Thursday, August 05, 2010 6:01 PM
> Subject: Re: [pfSense Support] multi-wan, multi-lan security
>
>
>> Doing VLANs properly all on one switch is probably pretty safe if done
>> right (biggest risk in those kinds of setups is accidental
>> misconfiguration). I wouldn't do it though, managed switches are too
>> cheap to not physically segment your internal and external networks.
>>
>
> Hi Chris,
>
> Do you mind if I ask you to re-express the last sentence please, ("I wouldn't
> do it though, managed switches are too cheap to not physically segment your
> internal and external networks. ") I am having trouble gleaning what I think
> is your intended meaning. Too cheap doesn't seem an adequate justification
> in itself, if that is what you intend?
>
It's best to physically segregate networks of considerably different trust levels. Especially unfiltered Internet traffic and your internal network - I would never set up a network like that.

To answer an initial question posed: "At what point does 'should' become 'must'?" I would say it's never "should", always "must". That option shouldn't be discarded because it's "not in the budget". If you have the budget for 8 DSL lines, you can afford a switch. I would do two switches even so you have some switch redundancy, 4 connections on each of two switches (we did a config exactly like that for a customer in the past week, one of many), where you have adequate ports on the firewall. Additional ports configured on each so if one fails, you can physically move the ports and be back up and running on them all again within minutes. That would cost considerably less than just one month of 8 DSL lines, and you have a network that you should feel much better about.
