Setup DMZ Using Virtual IPS, CARP, and ESXI (Virtual Servers)
Hello all,
I am a noob to Pfsense, and so far I am really liking it. I used to use Untangle, but it did not do what I wanted it to; so far Pfsense has! Anyway, I would like to place a couple of virtual servers that I have on an ESXI host into a DMZ, yet still have internal access to them. My setup consists of a Pfsense server (standalone) with 4 NICs. I am currently using only 2 of them, 1 WAN, 1 LAN. I have 5 Uverse static IP addresses. The main reason why I went with Pfsense is because it can create the virtual IPs, CARP, needed for my Uverse router to hand out each of the static IPs. My Uverse router needs a MAC address for each static IP…lots of research on this one. I got the Uverse router to hand out the static IPs through the WAN connection by creating virtual IPs, CARP.
Right now I have a web server and an exchange server running as virtual machines on an ESXI 5.0 host. They both have IPs from my internal network, 10.2.XXX.XXX. So that I could get the servers up and running, I then set up a 1:1 NAT pulling one of the external IPs for each of the servers; that works great. I have the external IP routed to the internal network IP. When each of these virtual servers does a "What's my IP" check they are showing the right external IP address. I also set up firewall rules so that they could get the appropriate traffic through to them.
I know a bit about networking, and I think that putting these virtual servers in a DMZ should be the best thing seeing how they both face the internet.
I am hoping that I could get a bit of guidance on how to set up Pfsense/ESXI so that these virtual servers can be placed into a DMZ, preventing any attacks from getting into my internal network. The other key is that I still want to be able to connect to them via RDP/VSphere to make changes/upgrades/etc. I know that I would have to set some rules only allowing certain kinds of traffic, but I would like to make this the most secure I can with the limited knowledge that I have.
This link: http://serverfault.com/questions/309187/pass-through-public-ip-addresses-to-pfsense might be a start to what I want to do, but I am not sure. I was looking at the first answer.
Thank you in advance for any assistance,
Brian
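The post asks for a DMZ on a third pfSense interface where the two 1:1-NATed VMs live, with the LAN still able to manage them over RDP while nothing in the DMZ can initiate connections back into the LAN. The Python model below is an added example, not code from the post or from pfSense; it encodes such a ruleset the way pfSense evaluates it (per arriving interface, top-down, first match wins, unmatched traffic dropped) so the ordering pitfalls can be checked before typing the rules into the GUI. All addresses, the DMZ subnet 192.168.100.0/24, the admin workstation 10.2.0.50 and the service ports are constructed assumptions; the post only states that the VMs hold 10.2.x.x addresses today. Because pfSense applies firewall rules after NAT, the WAN rules match the private DMZ address of each server rather than its public 1:1 address.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed addressing (assumptions, not from the post): the DMZ becomes a
# third pfSense interface and the two VMs are re-addressed into it.
LAN = ip_network("10.2.0.0/16")
DMZ = ip_network("192.168.100.0/24")
WEB_SERVER = ip_network("192.168.100.10/32")
EXCHANGE = ip_network("192.168.100.11/32")
ADMIN_HOST = ip_network("10.2.0.50/32")   # the one LAN workstation allowed to RDP in


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    iface: str                    # interface the packet ARRIVES on, as in pfSense
    proto: str                    # "tcp", "udp" or "any"
    src: Optional[IPv4Network]    # None means any source
    dst: Optional[IPv4Network]    # None means any destination
    dports: frozenset             # empty set means any destination port
    note: str

    def matches(self, iface, proto, src, dst, dport) -> bool:
        return (self.iface == iface
                and self.proto in ("any", proto)
                and (self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst)
                and (not self.dports or dport in self.dports))


# Evaluated top-down per interface; first match wins; no match means drop,
# mirroring pfSense's implicit default deny on every interface.
RULES = [
    # WAN: only the published services may reach the two DMZ hosts (post-NAT addresses).
    Rule("pass", "WAN", "tcp", None, WEB_SERVER, frozenset({80, 443}), "public web"),
    Rule("pass", "WAN", "tcp", None, EXCHANGE, frozenset({25, 443}), "SMTP and OWA/ActiveSync"),
    # DMZ: servers may reach the internet but must never initiate into the LAN.
    # The block must sit above the general outbound pass or it is never reached.
    Rule("block", "DMZ", "any", DMZ, LAN, frozenset(), "DMZ may not reach LAN"),
    Rule("pass", "DMZ", "any", DMZ, None, frozenset(), "DMZ outbound"),
    # LAN: specific management access first, then a block, then general outbound.
    Rule("pass", "LAN", "tcp", ADMIN_HOST, DMZ, frozenset({3389}), "RDP from admin host"),
    Rule("pass", "LAN", "tcp", LAN, DMZ, frozenset({25, 80, 443}), "LAN uses the services"),
    Rule("block", "LAN", "any", LAN, DMZ, frozenset(), "no other LAN->DMZ traffic"),
    Rule("pass", "LAN", "any", LAN, None, frozenset(), "LAN outbound to internet"),
]


def evaluate(iface: str, proto: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, note) for a NEW connection entering `iface`.

    Replies belonging to an established connection are passed by the state
    table and never re-evaluated here, so no reverse rules are needed.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if rule.matches(iface, proto, s, d, dport):
            return rule.action, rule.note
    return "block", "default deny"


if __name__ == "__main__":
    cases = [
        ("WAN", "tcp", "203.0.113.5", "192.168.100.10", 443),    # internet -> web server
        ("WAN", "tcp", "203.0.113.5", "192.168.100.10", 3389),   # internet -> RDP (dropped)
        ("DMZ", "tcp", "192.168.100.10", "10.2.0.20", 445),      # DMZ host -> LAN (dropped)
        ("LAN", "tcp", "10.2.0.50", "192.168.100.11", 3389),     # admin RDP (passed)
        ("LAN", "tcp", "10.2.0.77", "192.168.100.11", 3389),     # other LAN host RDP (dropped)
    ]
    for c in cases:
        print(c, "->", evaluate(*c))
```

Two design points the model makes visible: the LAN-to-DMZ block has to come before the catch-all LAN outbound pass, otherwise every LAN host can reach every DMZ port; and vSphere access is not a DMZ rule at all, since the ESXi management vmkernel interface should stay on the LAN or a dedicated management port group and only the VMs' virtual NICs should be attached to the DMZ port group that maps to pfSense's DMZ NIC.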