Create a DMZ in VirtualBox using two pfSense instances



  • Hi all,
    I am trying to create a DMZ in VirtualBox using two instances of pf Sence. The problem I am having is twofold:

    1: I can't get my internal pf to speak with my external pf.
    2: I can't get my internal LAN traffic to see my internal pf WAN interface or the external pf sence interfaces.

    My setup:

    External pfSense
    Adapter 1 is bridged to host NIC in VirtualBox this is WAN port (DHCP) ip: 10...*
    Adapter 2 is set to Internal in VirtualBox network name DMZ ip:192.168.20.1

    Internal pfSense
    Adapter 1 is set to Internal in VirtualBox network name DMZ ip:192.168.20.2 WAN in pf
    Adapter 2 is set to Internal in VirtualBox network name testnet ip:192.168.1.1 LAN in pf

    I can ping 192.168.20.1 from the internal pfSense but can't ping the other way.
    I can't configure the external pfSense via web browser because I can't ping/reach it.
    Both pfSense instances are running on FreeBSD.

    ***Can I change my internal WAN interface to a LAN? Can there be two LAN interfaces and no WAN?

    What would the default gateway be for the internal pfSence?

    I would like the 192.168.20 network to be my DMZ. My goal is to put some other servers, like Snort, in this network.



  • I am trying to create a DMZ in VirtualBox using two instances of pf Sence.

    Why do you need two routers?  Why not just put your DMZ on OPT1?



  • I can't see much point in this. Why not have just one firewall with your WAN,LAN and DMZ defined as separate networks on the one box?

    Edit: I see KOM got there before me.



  • I am conducting some tests on Snort's ability to detect different attacks in different parts of a network. A common network topology is cloud---external router---DMZ---internal router---LAN.
    I would like to use pfsense as a router more than a firewall for now.

    https://en.wikipedia.org/wiki/DMZ_(computing)
    See Dual firewall
    The most secure approach, according to Stuart Jacobs,[1] is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" or "perimeter"[2] firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called "back-end" or "internal" firewall) only allows traffic from the DMZ to the internal network.



  • @KOM:

    I am trying to create a DMZ in VirtualBox using two instances of pf Sence.

    Why do you need two routers?  Why not just put your DMZ on OPT1?

    When you say OPT1, do you mean give pfSence a third LAN interface? If so, how do I control the traffic? Is this just rules, or is there some extra network config that needs to be put in place?



  • It is just by filter rules. pfSense wouldn't be a seriously taken firewall system if it wasn't able to fully control traffic between all the interfaces. This kind of filtering is bread and butter for every firewall/router platform.

    I wouldn't take just about anything you read in Wikipedia as a grain of salt, much of the content is not written by hardened professionals but enthusiastic yet less qualified amateurs.



  • @kpa:

    It is just by filter rules. pfSense wouldn't be a seriously taken firewall system if it wasn't able to fully control traffic between all the interfaces. This kind of filtering is bread and butter for every firewall/router platform.

    I wouldn't take just about anything you read in Wikipedia as a grain of salt, much of the content is not written by hardened professionals but enthusiastic yet less qualified amateurs.

    I agree, but before I go too deep into the WHY I would like to solve the HOW.
    Dumb or not, do we all agree that I should be able to have two pfsence talk to each other and pass traffic?
    If so, HOW do I set it up?
    Thanks for the suggestion. I will also try with one pfsence, but I would also like to know how to do it with two, or what settings could stop two from working.





  • If so, HOW do I set it up?

    Add another interface in VB, on intnet2 or whatever.  Then in pfSense (you're driving me nuts with pf Sence btw ;D ) you just configure the OPT1 interface from the console.
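The replies above say the traffic control is "just filter rules". The following is an added example, not code from the thread or from the pfSense project: a small Python model of how pfSense-style filtering behaves, with rules evaluated first-match on the interface a packet enters, an implicit default block, and a state table that lets replies through. It uses the subnets from the original post (a 10.x upstream, 192.168.20.0/24 as the DMZ, 192.168.1.0/24 as the LAN); the host addresses 10.1.2.3, 192.168.20.5, 192.168.1.10 and 192.168.1.20 are constructed, and ports and NAT are deliberately left out.

```python
"""Toy model of per-interface, first-match, stateful packet filtering.
Added example; it uses the subnets from the post and ignores ports and NAT."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def _in(cidr, addr):
    """True if addr falls inside cidr, or if the rule says 'any'."""
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str = "any"    # "icmp", "tcp", ... or "any"

    def matches(self, pkt):
        return (_in(self.src, pkt.src) and _in(self.dst, pkt.dst)
                and self.proto in ("any", pkt.proto))


@dataclass(frozen=True)
class Packet:
    iface_in: str         # interface the packet arrives on
    src: str
    dst: str
    proto: str = "icmp"


class Firewall:
    """Rules are keyed by the interface a packet enters on. The first matching
    rule wins; anything unmatched is blocked, as on a real pfSense."""

    def __init__(self, rules_by_iface):
        self.rules = rules_by_iface
        self.states = set()   # (proto, src, dst) of flows that were passed

    def filter(self, pkt):
        # A reply to an already-passed flow is allowed by state, whatever the
        # rules on the interface it comes back in on say.
        if (pkt.proto, pkt.dst, pkt.src) in self.states:
            return "pass"
        for rule in self.rules.get(pkt.iface_in, []):
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add((pkt.proto, pkt.src, pkt.dst))
                return rule.action
        return "block"


def single_box_dmz():
    """One pfSense with WAN, LAN and DMZ (OPT1) enforcing the policy quoted from
    Wikipedia: the internet may reach the DMZ only, and the DMZ may not start
    connections into the LAN (replies to LAN-initiated flows still return)."""
    fw = Firewall({
        "wan": [Rule("pass", "any", "192.168.20.0/24")],
        "lan": [Rule("pass", "192.168.1.0/24", "any")],      # pfSense's default LAN rule
        "dmz": [Rule("block", "192.168.20.0/24", "192.168.1.0/24"),
                Rule("pass", "192.168.20.0/24", "any")],
    })
    return {
        "internet->dmz":  fw.filter(Packet("wan", "10.1.2.3", "192.168.20.5")),
        "internet->lan":  fw.filter(Packet("wan", "10.1.2.3", "192.168.1.10")),
        "lan->dmz":       fw.filter(Packet("lan", "192.168.1.10", "192.168.20.5")),
        "dmz reply->lan": fw.filter(Packet("dmz", "192.168.20.5", "192.168.1.10")),
        "dmz->lan new":   fw.filter(Packet("dmz", "192.168.20.5", "192.168.1.20")),
    }


def internal_box(allow_icmp_to_wan):
    """The post's internal pfSense: its WAN (192.168.20.2) sits on the DMZ and,
    like any pfSense WAN, starts with no pass rules, so a ping from the
    external box (192.168.20.1) is dropped until a rule allows it. Pings from
    behind it still work because state lets the reply back in."""
    wan_rules = ([Rule("pass", "192.168.20.0/24", "192.168.20.2/32", "icmp")]
                 if allow_icmp_to_wan else [])
    fw = Firewall({"wan": wan_rules,
                   "lan": [Rule("pass", "192.168.1.0/24", "any")]})
    return {
        "lan->external":          fw.filter(Packet("lan", "192.168.1.10", "192.168.20.1")),
        "external reply":         fw.filter(Packet("wan", "192.168.20.1", "192.168.1.10")),
        "external->internal wan": fw.filter(Packet("wan", "192.168.20.1", "192.168.20.2")),
    }


if __name__ == "__main__":
    print("one box, WAN/LAN/DMZ:", single_box_dmz())
    print("internal box, no WAN rule:", internal_box(False))
    print("internal box, ICMP rule on WAN:", internal_box(True))
```

The `internal_box` runs reproduce the asymmetry in the first post: traffic from behind the internal pfSense reaches 192.168.20.1 and its reply returns by state, while anything the external pfSense initiates toward 192.168.20.2 dies on the internal WAN's default deny until a pass rule is added there. One caveat the model leaves out: a pfSense WAN interface also has "Block private networks" enabled by default, which would drop 192.168.20.0/24 sources before any rule is consulted, so with a WAN on the DMZ subnet that option has to be turned off as well.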

