Pfsense Setup (2 boxes and subnet)



  • Greetings:

    I want to run my proposed setup by the community to learn if this configuration is worth the trouble.

    Internet > pfSense box #1 > pfSense #1 NAT'd to web server (10.0.1.0/24) > pfSense box #2 > pfSense #2 with transparent proxy > internal network (192.168.1.0/24)

    I decided not to use the DMZ functionality in pfsense. Does this setup work? If so, how does the internal network behind pfsense #2 get internet connectivity through pfsense #1?

    Thank you.


  • Rebel Alliance Global Moderator

    Why would you do this?



  • Which part?

    I've read there is often a concern of a single point of failure. This is why I opted for two physical boxes. Two boxes are available, so I decided to put them to use. I feel there is more to your question.



  • I don't think that is the right way to do it.


  • Netgate

    Two nodes in-line like that doubles the likelihood of hardware failure taking you down. At least for the internal network part. If uptime is a concern you'd probably be better off keeping one unit on the shelf as a pre-configured spare and doing a proper DMZ interface for the web server. That, of course, is if you can't do a proper HA cluster for some reason.


  • Moderator

    @Derelict:

    Two nodes in-line like that doubles the likelihood of hardware failure taking you down. At least for the internal network part. If uptime is a concern you'd probably be better off keeping one unit on the shelf as a pre-configured spare and doing a proper DMZ interface for the web server. That, of course, is if you can't do a proper HA cluster for some reason.

    This. I'd also recommend - if those two boxes are nearly identical in hardware - to put them to (correct) use in a (parallel working) CARP cluster. Not a serial working lineup.


  • Rebel Alliance Global Moderator

    If your issue is a single point of failure in one device, how does your setup mitigate that issue?

    But what it does do is add complexity for no value. So you're going to double NAT? I have to assume so, since you make no mention of a transit network.



  • Thanks for your responses:

    I found this: (http://www.tech-faq.com/dmz.html)

    Dual Firewall DMZ Model
    In order to create a more secure network DMZ, two firewalls can be used to set up the architecture. The "front-end" firewall is set up to allow traffic to pass to/from the DMZ only. The "back-end" firewall is then set up to pass traffic from the DMZ to the internal network. The two-firewall or dual-firewall model is considered to be more secure than the three-legged DMZ option, since two firewalls would have to be compromised for the network to be compromised. Some organizations even go as far as to use firewalls produced by two different companies to make it less likely that a hacker could use the same security vulnerability to access the internal network.

    As an example, if a network administrator makes a setup or configuration error on one firewall brand, he or she would likely make the same mistake on the second one. If a different brand or vendor's firewall is used for each, then the odds of a configuration mistake propagating across both firewalls are much lower. The practice of using two different firewalls, however, is more costly and requires additional effort to maintain when compared to the single-firewall model.

    In the end I decided to learn and go with the single-firewall, three-pronged interface. The education continues.

    Thanks all.
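The policy the thread ends on, a single pfSense box with WAN, LAN and DMZ interfaces, expressed in raw pf syntax as an added example (this is not from the thread or from pfSense itself; pfSense generates its own ruleset from the GUI, so this block shows the policy you would recreate under Firewall > NAT and Firewall > Rules rather than a file to load on the box). The interface names em0/em1/em2 and the web server address 10.0.1.10 are assumptions; the two subnets are the ones from the original post.

```pf
# Added example, not from the thread. Three-legged DMZ on one pf firewall.
# Interface names and the web server address are assumed.
ext_if = "em0"             # WAN
lan_if = "em1"             # LAN, 192.168.1.0/24 (from the thread)
dmz_if = "em2"             # DMZ, 10.0.1.0/24 (from the thread)
lan_net = "192.168.1.0/24"
dmz_net = "10.0.1.0/24"
webserver = "10.0.1.10"    # assumed address of the web server inside the DMZ

set skip on lo0

# On FreeBSD pf (what pfSense runs) translation rules are evaluated before
# filter rules, so the filter rules below match the translated, internal
# addresses, not the WAN address.
# Outbound NAT for both private networks behind the single WAN address.
nat on $ext_if inet from { $lan_net, $dmz_net } to any -> ($ext_if)
# Port forward HTTP/HTTPS arriving at the WAN address to the DMZ web server.
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } -> $webserver

# Default deny, logged; every rule after this is an explicit exception.
block log all
# Filter on the ingress interface only; anything that was allowed in may
# leave on whatever interface it is routed to.
pass out quick all keep state

# WAN: only the forwarded web ports, and only to the web server.
pass in on $ext_if inet proto tcp from any to $webserver port { 80, 443 } \
    flags S/SA keep state

# DMZ: may reach the Internet, but may never initiate a connection to the LAN.
# This rule is the whole point of the DMZ: a compromised web server cannot
# pivot inward. LAN-initiated sessions still get replies through state.
block in quick on $dmz_if inet from $dmz_net to $lan_net
pass in on $dmz_if inet from $dmz_net to any keep state

# LAN: may reach anything that is not the DMZ (i.e. the Internet and the
# firewall itself), plus SSH to the web server for administration.
pass in on $lan_if inet from $lan_net to ! $dmz_net keep state
pass in on $lan_if inet proto tcp from $lan_net to $webserver port 22 keep state
```

Syntax can be checked without loading it with `pfctl -nf <file>`. The ordering matters: pf is last-match-wins except for `quick` rules, so the `block in quick` on the DMZ interface must sit before the DMZ `pass in`, and the LAN SSH rule must come after the broader LAN rule so it wins for port 22. On a pfSense box, map these to Outbound NAT (the `nat` line), Firewall > NAT > Port Forward (the `rdr` line), and one rule tab per interface for the `pass`/`block` lines; the "default deny" is what pfSense applies to every interface that has no matching rule.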