Netgate Discussion Forum
    Create a DMZ in VirtualBox using two pfSense instances

    General pfSense Questions
    9 Posts 4 Posters 9.4k Views

    mayfair_50

      Hi all,
      I am trying to create a DMZ in VirtualBox using two instances of pfSense. The problem I am having is twofold:

      1: I can't get my internal pfSense to talk to my external pfSense.
      2: I can't get my internal LAN traffic to see my internal pfSense WAN interface or the external pfSense interfaces.

      My setup:

      External pfSense
      Adapter 1 is bridged to the host NIC in VirtualBox; this is the WAN port (DHCP), ip: 10...*
      Adapter 2 is set to Internal in VirtualBox, network name DMZ, ip: 192.168.20.1

      Internal pfSense
      Adapter 1 is set to Internal in VirtualBox, network name DMZ, ip: 192.168.20.2 (WAN in pfSense)
      Adapter 2 is set to Internal in VirtualBox, network name testnet, ip: 192.168.1.1 (LAN in pfSense)

      I can ping 192.168.20.1 from the internal pfSense but can't ping the other way.
      I can't configure the external pfSense via web browser because I can't ping/reach it.
      Both pfSense instances are running on FreeBSD.

      ***Can I change my internal WAN interface to a LAN? Can there be two LAN interfaces and no WAN?

      What would the default gateway be for the internal pfSense?

      I would like the 192.168.20 network to be my DMZ. My goal is to put some other servers, like Snort, in this network.

        KOM

        I am trying to create a DMZ in VirtualBox using two instances of pfSense.

        Why do you need two routers?  Why not just put your DMZ on OPT1?

          muswellhillbilly

          I can't see much point in this. Why not have just one firewall with your WAN, LAN and DMZ defined as separate networks on the one box?

          Edit: I see KOM got there before me.

            mayfair_50

            I am conducting some tests on Snort's ability to detect different attacks in different parts of a network. A common network topology is cloud---external router---DMZ---internal router---LAN.
            I would like to use pfSense as a router more than a firewall for now.

            https://en.wikipedia.org/wiki/DMZ_(computing)
            See Dual firewall
            The most secure approach, according to Stuart Jacobs,[1] is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" or "perimeter"[2] firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called "back-end" or "internal" firewall) only allows traffic from the DMZ to the internal network.

              mayfair_50

              @KOM:

              I am trying to create a DMZ in VirtualBox using two instances of pfSense.

              Why do you need two routers?  Why not just put your DMZ on OPT1?

              When you say OPT1 do you mean give pfSense a third LAN interface? If so, how do I control the traffic? Is this just rules, or are there some extra network configs that need to be put in place?

                kpa

                It is just by filter rules. pfSense wouldn't be a seriously taken firewall system if it wasn't able to fully control traffic between all the interfaces. This kind of filtering is bread and butter for every firewall/router platform.

                I would take just about anything you read in Wikipedia with a grain of salt; much of the content is not written by hardened professionals but by enthusiastic yet less qualified amateurs.

                  mayfair_50
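As an added example (not code from this thread, from pfSense or from Wikipedia), the following models the quoted dual-firewall policy and the single-box OPT1 variant KOM suggests as first-match filter rules over the OP's DMZ and LAN subnets, and checks that the two layouts give the same verdict for the same flows. The subnets are the OP's; the sample hosts and flows are constructed, and stateful reply handling is deliberately left out.

```python
import ipaddress

DMZ = ipaddress.ip_network("192.168.20.0/24")   # VirtualBox intnet "DMZ" (OP's setup)
LAN = ipaddress.ip_network("192.168.1.0/24")    # VirtualBox intnet "testnet" (OP's setup)
ANY = ipaddress.ip_network("0.0.0.0/0")         # anything outside DMZ/LAN counts as WAN

def zone(ip):
    return "dmz" if ip in DMZ else "lan" if ip in LAN else "wan"

def evaluate(rules, src, dst):
    """Rules are (action, src_net, dst_net); first match wins, no match is
    pf's implicit default block. State tracking of reply packets is ignored."""
    for action, s_net, d_net in rules:
        if src in s_net and dst in d_net:
            return action == "pass"
    return False

# Dual-firewall policy exactly as quoted from Wikipedia earlier in the thread.
FRONT_END = [("pass", ANY, DMZ)]   # perimeter box: only traffic destined to the DMZ
BACK_END = [("pass", DMZ, LAN)]    # internal box: only DMZ -> internal network

def dual_firewall_allows(src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    zones = (zone(src), zone(dst))
    if zones[0] == zones[1]:
        return True                # same segment: never crosses a firewall
    hops = [FRONT_END] if "wan" in zones else []   # boxes on the path between zones
    if "lan" in zones:
        hops.append(BACK_END)
    return all(evaluate(r, src, dst) for r in hops)

# KOM's variant: one pfSense with WAN, LAN and OPT1 as DMZ; rules apply per ingress interface.
SINGLE_BOX = {"wan": FRONT_END, "dmz": BACK_END, "lan": []}

def single_box_allows(src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if zone(src) == zone(dst):
        return True
    return evaluate(SINGLE_BOX[zone(src)], src, dst)

# Constructed sample flows: (src, dst, expected verdict under the quoted policy).
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.168.20.10", True),    # Internet -> DMZ server
    ("203.0.113.5", "192.168.1.50", False),    # Internet -> LAN host
    ("192.168.20.10", "192.168.1.50", True),   # DMZ -> LAN, the one flow the back-end passes
    ("192.168.1.50", "192.168.20.10", False),  # LAN -> DMZ: the policy as quoted has no rule for it
    ("192.168.20.10", "203.0.113.5", False),   # DMZ -> Internet
]

def models_agree():
    return all(dual_firewall_allows(s, d) == single_box_allows(s, d) == e for s, d, e in SAMPLE_FLOWS)
```

The LAN -> DMZ verdict is worth noticing: the policy as quoted never lets the inside initiate to the DMZ, so a real deployment would add a pass rule on the LAN side for the services it needs.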

                  @kpa:

                  It is just by filter rules. pfSense wouldn't be a seriously taken firewall system if it wasn't able to fully control traffic between all the interfaces. This kind of filtering is bread and butter for every firewall/router platform.

                  I would take just about anything you read in Wikipedia with a grain of salt; much of the content is not written by hardened professionals but by enthusiastic yet less qualified amateurs.

                  I agree, but before I go too deep into the WHY I would like to solve the HOW.
                  Dumb or not, do we all agree that I should be able to have two pfSense instances talk to each other and pass traffic?
                  If so, HOW do I set it up?
                  Thanks for the suggestion. I will also try with one pfSense, but I would also like to know how to do it with two, or what possible settings would stop two from working.

                    kpa

                    https://doc.pfsense.org/index.php/Installing_pfSense#LAN.2C_WAN.2C_OPTx

                    https://doc.pfsense.org/index.php/Example_basic_configuration

                      KOM

                      If so, HOW do I set it up?

                      Add another interface in VB, on intnet2 or whatever. Then in pfSense (you're driving me nuts with "pf Sence" btw ;D ) you just configure the OPT1 interface from the console.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.