Routing – Secure connect & access across 2 separate LAN Subnets using PFSense/ Sophos

Tags: bridge, nat, routing, subnet, vlan


Following is an older diagram of a 2+1 level Small Business/ Startup + Co-working space, with recent expansion & need for integration.

2 Suites in a Condo Building

The following changes & information have been outlined:

2 CAT6 Networks/ LANs:

  • Level 3 & 4 LAN is integrated & maps off a Central Area (Green Area), which has the NAS

    • ISP---WR1: Asus RT-N16 N Router w Tomato USB FW + HP ProCurve 24 GigE Managed SW + ... N/W Clients
    • Look at adding a PfSense/ Sophos box around here
  • Level 5 is separate; a simpler & sparser LAN; recent expansion and sub-let

    • ISP---WR3: D-Link DIR 816 + ... N/W Clients

Each of the above units has its own ISP with its own Data Cap limits

  • The Stuff in Green box to the upper right titled 'Load Balance ISPs' does not exist; It was the original plan that was never implemented

  • We plan to run CAT6 cable between Level 4 & 5, outside the building and maybe add some more cables + terminations, and maybe a Hub/ Switch inside Level 5 – This is open/ flexible for now

  • We need to connect & give access to NAS & maybe MFC/ Printer/ Scanner from Level 6 LAN

2 possible connection & usage scenarios pop up in my head:

  • Option A: Level 5 clients have Limited access purely to NAS & MFC; not able to use Level 4 ISP Bandwidth
  • Option B: Level 5 & 4 clients be able to share/ switch over/ bond ISPs in some fashion?

Key Question:

With Option A constraints, How can we Connect/ access across separate LAN Subnets in 2 Suites in a building?

  • Network Partitioning
  • Addressing
  • Physical Connections
  • SubNets/ VLANs?

Best Answer

If I understand your question correctly (I'm not entirely sure I do), you can use routers between the two LANs to share route information, but each LAN could have its own default route to its respective ISP. That way, each LAN has a complete understanding of the networks in the other LAN and will route traffic destined for the other LAN to the other LAN instead of to the ISP on a default route. If you have overlapping addressing, there are NAT solutions to handle that, too.

You probably want to do that on the inside of the LAN firewalls, but you could also firewall between the LANs if they need to be protected from each other.

Edit:

If, as you say in the comments, you are going to use pfSense running on PCs as your routers, you will need to connect the two routers together (a direct link without a switch in between should work). You can either use static routing on each router to point to the networks on the other router (this doesn't scale, and network changes become more difficult), or you can run a routing protocol, probably OSPF, between the routers so that they share routes automatically.

You can run WAPs to give you the Wi-Fi.

You will need to make sure you have some sort of firewall between each PC running pfSense and the corresponding ISP. This can be a software firewall on the router/PCs, or, better, separate, dedicated firewalls.

This allows devices on each network access to the other network. You can restrict access between the networks with access lists on the router/PCs. Do this if you don't want all devices on each network able to access all devices on the other network.
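The following is an added illustration of the design the answer describes (static routes between the two pfSense boxes, each with its own default route to its own ISP, plus firewall rules on the inter-router link to enforce Option A). It is example code written for this page, not code from the answer's author or from pfSense. All addresses are constructed for the example: Level 3/4 LAN 192.168.4.0/24 behind router "R4" (NAS 192.168.4.10, MFC 192.168.4.20), Level 5 LAN 192.168.5.0/24 behind router "R5", and a /30 point-to-point link 10.0.0.0/30 between them. The allowed ports (SMB 445, NFS 2049 to the NAS; raw print 9100, IPP 631 to the MFC) are assumptions; adjust to what the NAS and MFC actually serve. The model follows only the first packet of each flow, since pfSense is stateful and permits replies to allowed sessions on its own.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (not from the post).
LAN4 = ip_network("192.168.4.0/24")      # Level 3/4 LAN behind pfSense "R4"
LAN5 = ip_network("192.168.5.0/24")      # Level 5 LAN behind pfSense "R5"
LINK = ip_network("10.0.0.0/30")         # direct CAT6 link: R4 = 10.0.0.1, R5 = 10.0.0.2
ANY = ip_network("0.0.0.0/0")
NAS = ip_address("192.168.4.10")         # assumed NAS address
MFC = ip_address("192.168.4.20")         # assumed printer/scanner address

# Static routes per router: (prefix, next hop). "direct" = attached network,
# "ISP-x" = that router's own WAN, reached only through its default route.
# Each LAN keeps its own default route; only the other LAN's prefix crosses the link.
ROUTES = {
    "R4": [(LAN4, "direct"), (LINK, "direct"), (LAN5, "10.0.0.2"), (ANY, "ISP-4")],
    "R5": [(LAN5, "direct"), (LINK, "direct"), (LAN4, "10.0.0.1"), (ANY, "ISP-5")],
}
NEXT_HOP_TO_ROUTER = {"10.0.0.1": "R4", "10.0.0.2": "R5"}

# Option A policy on R4's LINK interface, applied to traffic arriving from R5.
# Evaluated top-down, first match wins (pfSense rule semantics); no match = drop.
# Entries: (action, source net, destination net, allowed TCP ports or None for any).
ACL_R4_LINK_IN = [
    ("pass", LAN5, ip_network(f"{NAS}/32"), {445, 2049}),   # SMB / NFS to the NAS (assumed ports)
    ("pass", LAN5, ip_network(f"{MFC}/32"), {9100, 631}),   # raw print / IPP to the MFC (assumed)
    ("block", LAN5, ANY, None),                              # explicit catch-all: no Level 4 ISP, no other hosts
]


def lookup(router, dst, routes=ROUTES):
    """Longest-prefix match over one router's table; returns the next hop."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in routes[router]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1]


def acl_decision(acl, src, dst, dport):
    """First-match rule evaluation with an implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s_net, d_net, ports in acl:
        if src in s_net and dst in d_net and (ports is None or dport in ports):
            return action
    return "block"


def trace(src, dst, dport, routes=ROUTES):
    """Follow the first packet of a Level-5-originated flow hop by hop.

    Returns (hops, outcome) where hops is a list of (router, next_hop) and
    outcome is "delivered", "exits via ISP-x" or "blocked by R4 LINK rules".
    """
    hops, router = [], "R5"
    while True:
        next_hop = lookup(router, dst, routes)
        hops.append((router, next_hop))
        if next_hop == "direct":
            return hops, "delivered"
        if next_hop.startswith("ISP"):
            return hops, f"exits via {next_hop}"
        router = NEXT_HOP_TO_ROUTER[next_hop]
        # The packet now enters R4 on the LINK interface: filter before forwarding.
        if router == "R4" and acl_decision(ACL_R4_LINK_IN, src, dst, dport) == "block":
            return hops, "blocked by R4 LINK rules"


# Variant: someone later points R5's default route at R4 (an Option B style change).
# The R4 rules, not R5's routing table, are what still keeps Level 5 off the Level 4 ISP.
ROUTES_R5_DEFAULT_VIA_R4 = {**ROUTES, "R5": [(LAN5, "direct"), (LINK, "direct"), (ANY, "10.0.0.1")]}

if __name__ == "__main__":
    for flow in [("192.168.5.50", str(NAS), 445),
                 ("192.168.5.50", "192.168.4.30", 445),
                 ("192.168.5.50", "8.8.8.8", 443)]:
        print(flow, "->", trace(*flow))
    print("R5 default via R4:", trace("192.168.5.50", "8.8.8.8", 443, ROUTES_R5_DEFAULT_VIA_R4))
```

The two layers do different jobs: the route tables make inter-LAN traffic take the link instead of the default route, and the rules on R4's link interface are the actual enforcement of Option A, so they hold even if Level 5's routing is changed later.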