Netgate Discussion Forum

    DMZ design in CARP environment

    General pfSense Questions
    3 Posts 2 Posters 1.2k Views
    • JannikEB

      Hi

      At my company we are currently running 2 pfSense 2.03 firewalls in a CARP config. For months I have been arguing that it's a VERY bad idea hosting our webservers on the internal LAN.

      I have finally had a breakthrough ;D because top management is now ready to listen.

      I need to decide on a design for our DMZ and I'm not sure what would be best.

      I'm hoping you guys could assist with some comments ::)

      Here are my ideas so far:

      Option 1:
      Create new VM with pfSense and 3 NIC.
      NIC1 "Outside" used only for routing traffic from main FW - but resides physically on internal LAN.
      NIC2 "DMZ" Connects to DMZ virtual switch.
      NIC3 "Inside" Connects to Internal LAN with access to internal hosts and DB server.

      Option 2:
      Add extra NIC in existing two FW and create DMZ using those.

      Option 3:
      Create two new VM with pfSense each with two NIC.
      One for "outside" to DMZ
      one for DMZ to "inside".

      How to balance security vs. ease of use/simplicity? KISS ::)

      Currently we use 1:1 NAT on several public IPs - how will this be affected by adding another NAT device?

      In order to protect traffic I would like to add some kind of content scanning/IDS.

      Been looking at Snort, but for the purpose of protecting webservers - maybe a proxy with mod_security would be enough?

      Since we are using HTTPS on all webservers - content scanning will be somewhat complicated :-\

      Any thoughts on this matter would be greatly appreciated ;)

      Jannik

      • ethos101

        I am in exactly the same situation, CARP setup and everything. I have an ESXi host for DMZ virtual machines and a virtual pfSense inside it, but with two interfaces (I probably need 3) and a vSwitch on the host. I chose to do this because I don't have an extra interface on the main FW cluster.

        I am interested in finding out what you ended up doing and any advice you may have. Did you use NAT to bring external traffic into the DMZ?

        • JannikEB

          Well - we have not reached a final conclusion yet - but...

          We realized that using virtual firewalls, however flexible, would still be a single point of failure, and thus effectively make CARP on the main firewall pointless.
          Yes, we would have HW failure protection, but there would still be ONE VM that could fail, and thus essentially create a "System Down" event.

          So - currently we are leaning towards option 2 - in regards to the DMZ.

          On the matter of using Snort or Proxy... - well - we are still in the dark and looking into options.

          Not sure that helped much... ::)

          /Jannik

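As an added illustration of option 2 (a third NIC on the existing CARP pair becomes the DMZ), which both the first post's design question and the last post's leaning towards that option describe, here is a hand-written pf ruleset expressing the segmentation the thread is after. This is example configuration written for this page, not anything posted by JannikEB or shipped by pfSense; pfSense generates its own pf.conf from the GUI, so this shows rule intent rather than something to paste onto a node. The interface names, address ranges, the CARP VIP, the DB port (3306) and the pfsync link are all assumed for the example.

```pf
# Interface macros (names assumed for the example; pfSense assigns these in the GUI)
ext_if    = "em0"   # WAN, the shared CARP VIP lives here
lan_if    = "em1"   # internal LAN, hosts and the DB server
dmz_if    = "em2"   # the extra NIC added to both nodes for the DMZ (option 2)
pfsync_if = "em3"   # dedicated state-sync link between the two CARP nodes (assumed)

# Addresses constructed for the example
lan_net   = "10.0.0.0/24"
dmz_net   = "10.10.10.0/24"
db_server = "10.0.0.50"         # internal DB the web server must reach
web_pub   = "203.0.113.10"      # public address, a CARP VIP on WAN
web_dmz   = "10.10.10.10"       # web server's real address in the DMZ

set skip on lo0
set skip on $pfsync_if

# 1:1 NAT for the web server, as the thread already does for several public IPs.
# Because the DMZ hangs off the same firewall, there is still exactly one NAT
# device in the path; no second translation is introduced.
binat on $ext_if from $web_dmz to any -> $web_pub

# Ordinary outbound NAT for everything else behind the firewall
nat on $ext_if from { $dmz_net, $lan_net } to any -> ($ext_if)

# Default deny, logged, so anything not explicitly allowed below is visible
block log all

# CARP and pfsync must pass or the cluster falls apart on the first failover
pass quick proto carp keep state (no-sync)
pass quick on $pfsync_if proto pfsync keep state (no-sync)

# WAN -> DMZ: only the published web ports, to the web server only.
# Inbound binat is applied before filtering, so the rule matches the DMZ address.
pass in on $ext_if proto tcp from any to $web_dmz port { 80, 443 } \
    flags S/SA keep state

# DMZ -> LAN: the web server may reach the DB server on its service port and
# nothing else on the internal network. The quick block must come after the
# quick pass so the single exception wins and the rest of LAN stays closed.
pass in quick on $dmz_if proto tcp from $web_dmz to $db_server port 3306 \
    flags S/SA keep state
block in log quick on $dmz_if from $dmz_net to $lan_net

# DMZ -> Internet (updates, outbound mail, etc.) is still permitted
pass in on $dmz_if from $dmz_net to any

# LAN -> anywhere: admins manage the DMZ hosts and users reach the Internet
pass in on $lan_if from $lan_net to any
```

The point of the ordering is that a compromised web server gets one narrow path into the LAN (the DB port on one host) and is otherwise treated like an Internet host. The `(no-sync)` on the CARP and pfsync rules keeps cluster heartbeat state out of the state table that is replicated between nodes; every other state is synced so established sessions survive a failover to the second firewall.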
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.