    2 Firewall(s) after each other

      CM350 last edited by

      Hi Guys,

      At our datacenter we have several pfsense(s) to address our static ip addresses to a specific network or server.

      I will try to visualize it:
      WAN (VDSL)
      |
      Firewall 1 (which takes the PPPoE session)
      |
      Static IP 1 --> 1:1 NAT to Firewall 2 for network 192.168.1.x
      |
      Static IP 2 --> 1:1 NAT to Firewall 3 for network 192.168.2.x
      |
      Static IP 3 --> 1:1 NAT to Firewall 4 for network 192.168.2.x (for something specific like a webserver)
      |
      …

      It really is time-consuming to update all the firewalls :)

      So my question to you is: Can I optimize the setup by combining firewalls? I tried it myself on a test network by adding extra network cards (2x WAN + 2x LAN) but ended up with an error "You can not set this IP, because network card * already has this network."

      Example:
      WAN (VDSL)
      |
      Firewall 1 (which takes the PPPoE session)
      |
      Static IP 1 --> 1:1 NAT to Firewall 2 for network 192.168.1.x
      |
      Static IP 2 --> 1:1 NAT to Firewall 3 for network 192.168.2.x
      Static IP 3 --> 1:1 NAT to Firewall 3 for network 192.168.2.x (for something specific like a webserver)
      |
      …

      PS: There is a possibility it already is posted on this forum or on the interwebs, I really don't know which search term to use for this setup :)

      Questions? Ask!

        johnpoz LAYER 8 Global Moderator last edited by

        Not sure why you think you need more than 1 firewall??  Unless you're letting the user/customer control the 2nd firewall?  After you have done your 1:1 NAT??

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

          CM350 last edited by

          @johnpoz:

          Not sure why you think you need more than 1 firewall??  Unless you're letting the user/customer control the 2nd firewall?  After you have done your 1:1 NAT??

          It initially started for our VLAN setup.
          Every firewall took the "firewalling" on its account for every VLAN. Every firewall had an extra network card to hop from VLAN1 to VLAN2 (if that was necessary).
          So it kinda grew on us.

          So VLAN1 had Static IP1
          VLAN2 had Static IP2
          and so on…

          But for some servers we have 2-3 firewalls in 1 VLAN
          Static IP3 is on VLAN3
          Static IP4 is on VLAN3 also...

          But how can we reduce?

            johnpoz LAYER 8 Global Moderator last edited by

            You can reduce to 1 firewall.  Not sure why you think you need another firewall for more VLANs?

            "But for some servers we have 2-3 firewalls in 1 VLAN"

            That just seems crazy!!!

            For your different VLANs you can either just use interfaces in the 1 firewall, or just use VLANs on top of an existing physical/virtual interface.
