Netgate Discussion Forum
    Public IPs behind the firewall - Best Practices and suggestions

    mauro.tridici

      Dear Users,

      During the last two years I have started using pfSense to protect our private networks by placing them behind the firewall.
      Everything works as expected. But now we have to set up a data portal and an FTP server. Both of them should be reachable from the WAN using two different public IP addresses and DNS names (for example: portal.domain.com and ftp.domain.com).

      So, my question is: how should I technically manage this kind of need?
      What is the best practice for this use case?

      Can I assign a public IP to a host that resides behind the firewall? And if yes, how can I do it?

      Many thanks in advance,
      Mauro

      stephenw10 (Netgate Administrator)

        It depends how the additional IPs are being provided to you by your ISP. The various options are outlined here:
        https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html

        Steve

        mauro.tridici @stephenw10

          @stephenw10 thanks for your help. I will read the web page content.

          A Former User @mauro.tridici

            @mauro-tridici

            So, my question is: how should I technically manage this kind of need?

            Setting up a DMZ would be the best and/or most common way in that situation. You should then place the device(s) with direct internet contact inside that DMZ (demilitarized zone). You could add a small Layer 2 switch to a port of your pfSense and put both devices there. Your entire LAN (local area network) will then be secured and separated from the internet, and both devices (which we don't know anything about yet) will be reachable from the outside (internet), or they will be able to connect to the internet as they need to, depending on the ports and protocols they use.

            What is the best practice for this use case?

            • Building a DMZ with a DMZ switch
            • Placing the devices inside the DMZ

            Now they can be reached from the LAN and your clients there, and also from the outside (internet), depending on your firewall rules.

            Can I assign a public IP to a host that resides behind the firewall?

            You may be able to do this, but now we are entering an area where many different opinions about doing that exist! So it is not so easy until we know what these units are, what OS they run, and what exactly they do for you and others. That said, we can only do guesswork here due to the lack of information from your side.

            Common variants

            • Setting up the public IP addresses on the pfSense firewall directly and giving the devices private IPs.
            • Setting up the public IPs directly on the two devices.

            Other points to think about

            • Setting up a reverse proxy between the pfSense firewall and the two devices in the DMZ may not be that bad.
            • Setting up AV scanning on the devices (FTP) as well.
            • Setting up Snort or Suricata as an IDS/IPS option or instance facing the Internet.
            • If the devices are Linux based, "you should" think about also installing fail2ban on them.
            • FTP is one of the worst protocols from the security point of view. Better to go with FTPS or SFTP. Or have both of them do VPN in your DMZ and/or LAN.

            And if yes, how can I do it?

            Create a WAN, LAN and DMZ port on pfSense and set them all up. WAN gets the modem or internet link, LAN the LAN switch, and DMZ the DMZ switch. Then connect the devices to them.

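The reply above describes two things: a three-zone layout (WAN, LAN and DMZ, each on its own pfSense interface) and the "public IPs on the firewall, private IPs on the devices" variant, where pfSense holds the public addresses and maps them 1:1 onto DMZ hosts. The following is an added example, written for this thread and not code from the poster or from pfSense: a small Python model of that policy with first-match rule evaluation (pfSense interface rules are first-match) and a 1:1 NAT step before the rule lookup, so the allowed and denied flows can be checked offline before anything is typed into the firewall. The zone subnets, the documentation-range public IPs (203.0.113.0/24), the host addresses and the port choices are all constructed assumptions; the policy also generalizes the reply by encoding "SFTP instead of plain FTP" and "DMZ may never initiate into the LAN" as explicit rules.

```python
"""Three-zone (WAN / LAN / DMZ) pfSense-style policy model with 1:1 NAT.

Added example for this thread, not the poster's or pfSense's own code.
Every address, zone and port below is a constructed assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout: one pfSense interface per zone. WAN is the
# catch-all for every address that is not LAN or DMZ.
ZONES = {
    "lan": ip_network("192.168.10.0/24"),
    "dmz": ip_network("10.0.50.0/24"),
}

# Constructed 1:1 NAT table: public IP held by pfSense -> DMZ host with a
# private IP (the first "common variant" in the reply).
ONE_TO_ONE_NAT = {
    "203.0.113.10": "10.0.50.10",   # portal (HTTPS) host
    "203.0.113.11": "10.0.50.11",   # SFTP host
}


@dataclass(frozen=True)
class Rule:
    src_zone: str          # "wan", "lan", "dmz" or "any"
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dports: frozenset      # empty = any destination port
    action: str            # "pass" or "block"
    note: str = ""


# Constructed policy. First match wins, as with pfSense interface rules.
POLICY = [
    Rule("wan", "dmz", "tcp", frozenset({443}),     "pass",  "HTTPS to the data portal"),
    Rule("wan", "dmz", "tcp", frozenset({22}),      "pass",  "SFTP, not plain FTP"),
    Rule("wan", "dmz", "any", frozenset(),          "block", "nothing else inbound to DMZ"),
    Rule("dmz", "lan", "any", frozenset(),          "block", "DMZ never initiates into LAN"),
    Rule("dmz", "wan", "tcp", frozenset({80, 443}), "pass",  "outbound updates only"),
    Rule("dmz", "any", "any", frozenset(),          "block", "default deny for DMZ"),
    Rule("lan", "any", "any", frozenset(),          "pass",  "LAN may reach DMZ and Internet"),
    Rule("any", "any", "any", frozenset(),          "block", "implicit default deny"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside LAN/DMZ is WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


def translate_inbound(dst_ip: str) -> str:
    """Apply 1:1 NAT: a public IP owned by pfSense becomes its DMZ host."""
    return ONE_TO_ONE_NAT.get(dst_ip, dst_ip)


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Decide a new connection. Returns (action, note, translated_dst)."""
    real_dst = translate_inbound(dst_ip)          # NAT happens before filtering
    src_zone, dst_zone = zone_of(src_ip), zone_of(real_dst)
    for r in POLICY:
        if r.src_zone not in ("any", src_zone):
            continue
        if r.dst_zone not in ("any", dst_zone):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action, r.note, real_dst
    return "block", "no rule matched", real_dst


def dmz_cannot_reach_lan(lan_host: str = "192.168.10.5") -> bool:
    """Invariant check: no DMZ host may open any sampled port into the LAN."""
    probes = [22, 80, 443, 445, 3306, 8080]
    for dmz_host in ONE_TO_ONE_NAT.values():
        for proto in ("tcp", "udp"):
            for port in probes:
                if evaluate(dmz_host, lan_host, proto, port)[0] != "block":
                    return False
    return True


if __name__ == "__main__":
    # Constructed sample flows: an Internet client, the portal, the SFTP
    # host and a LAN workstation.
    flows = [
        ("198.51.100.7", "203.0.113.10", "tcp", 443),   # Internet -> portal HTTPS
        ("198.51.100.7", "203.0.113.11", "tcp", 21),    # Internet -> plain FTP
        ("198.51.100.7", "192.168.10.5", "tcp", 445),   # Internet -> LAN
        ("10.0.50.10",   "192.168.10.5", "tcp", 3306),  # DMZ -> LAN database
        ("10.0.50.10",   "198.51.100.7", "tcp", 443),   # DMZ -> Internet updates
        ("192.168.10.5", "10.0.50.11",   "tcp", 22),    # LAN -> SFTP host
    ]
    for f in flows:
        action, note, real_dst = evaluate(*f)
        print(f"{f[0]:>14} -> {f[1]:<14} {f[2]}/{f[3]:<5} {action:5} ({note}; real dst {real_dst})")
    print("DMZ isolated from LAN:", dmz_cannot_reach_lan())
```

Running the block prints one line per constructed flow: the HTTPS and SFTP traffic to the public IPs is passed to the translated DMZ addresses, plain FTP on port 21 is dropped by the "nothing else inbound" rule, and every attempt from a DMZ host into the LAN hits the block rule before the outbound pass rule. Rule order matters in the same way in pfSense: the "DMZ never initiates into LAN" block has to sit above any permissive DMZ outbound rule, which is exactly what `dmz_cannot_reach_lan()` checks.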
              mauro.tridici @A Former User

              @dobby_ thank you very much for your reply. I will read the message carefully.

              Many thanks again,
              Mauro

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.