Is there a benefit to nested firewall/NAT? (defense in depth?)


  • For several years, I've used a Linux server as a NAT/firewall box. Originally, it was an energy hog. Over the years, it's been upgraded a couple of times and is currently a more than capable C2D Dell Optiplex box. When I learned of pfSense, I bought a small appliance with it pre-installed to see how I liked it. I set it up inside my LAN to make sure I could get it functional at first, and it wasn't long before I moved it to the front of the line.
    e.g.
    Internet <--> ISP cable modem <--> pfSense box <--> Linux NAT/firewall box.

    I kind of felt a little better knowing I had 2 firewalls, though on occasion I open up a port for external access back into the LAN (all the way through, to access one of my internal machines); thus, I had to put in a NAT/firewall rule allowing it at the pfSense box and at the Linux box.

    Lately, I've been contemplating setting up the VPN access, but going through some documentation, I would have given my 'calling home' laptop an IP address on the subnet of the pfSense box which in my case, wouldn't have been fully functional. At that point, I'd have access through the first firewall, but not into the 2nd layer where my actual machines were located (behind the Linux box).

    So, I wanted to ask the experts: which is more secure?
    Just get rid of the Linux box so I can VPN straight into the IP range of the pfSense box and have access to the systems that would be moved out of the 2nd internal firewall?
    or
    Keep a 2nd internal box and give up the idea of VPN into the internal firewall and only use a couple common protocols (e.g. SSH)?

    Is a 3rd option viable? Turn the Linux box into a pfSense box and setup external VPN access to 1st layer WAN, and have the LAN of that external box have a device-to-device VPN to the internal pfSense box and keep all the stuff inside the 2nd pfSense? (or, is this possible? redundant/useless time to configure, etc?)


  • I have a pfSense firewall and also run firewall software on my computers, for an extra layer of security.  However, while I used to run a VPN, I find I can do all I need with just SSH and SSL/TLS.  On IPv4, I have to use port forwarding to the appropriate computer, but on IPv6, I go right to the destination.  PfSense is configured to allow specific ports to specific addresses.  So, if you were to try SSH, for example, just getting through the firewall wouldn't get you anywhere, as you'd still have to get through the firewall on the only computer you'd be allowed to reach.  Also, the 2 firewalls are different, so what works to break through one, might not work for the other.  My computers run iptables on Linux.

    Proper security is always defense in depth.


  • Thanks for the response. It firms up what I felt in my gut: dual layer firewall = better. Defense in depth is a mantra for a reason, right?

    However, this portion confuses me: "On IPv4, I have to use port forwarding to the appropriate computer, but on IPv6, I go right to the destination.  PfSense is configured to allow specific ports to specific addresses."

    I am able to configure my Linux box with iptables to allow specific ports to specific addresses (and use the same or different ports on the internal hosts, much like pfSense can do).

    For example, if I have 2 firewalls, I have to SSH to a port on pfSense that accepts SSH connections, then forward that internally to the Linux box using either the same or a different port. Once I hit that one, I can SSH internally to the Linux boxes through local access. The reason for my confusion is I don't see how that's any different than what you described above. e.g. I can go right to the destination as well, if I configure it to do so.


  • I agree that two firewalls of different type will add a fraction of additional security, based on the idea that a bug in one is unlikely to be in the other. However I think that "…only use a couple common protocols..." rather than a VPN will probably add more insecurity than what's gained from the dual firewall setup.

    • Every service open to the outside in a firewall is an attack vector and multiple open services are more insecure than a single service (VPN).

    • The more complicated configuration with multiple open services and multiple firewalls with different administration increase the risk for administrative errors.

    • Once configured, a VPN is an easy to use do-it-all access path to the network in question which decreases the risk for user mistakes and stupid ideas caused by the fact that the access to the home network is more complicated and/or may have usage limitations.

    Defense in depth isn't just having serial perimeter firewalls. Defense in depth is about deploying security at every level possible. Like having a sane network design, not using any outdated and/or insecure clients, configuring all nodes as securely as possible, doing proper log management, keeping yourself updated on the security landscape, constantly educating the users and many many more things.

    With an updated firewall of good reputation (like pfSense) that's being well administered, I'd say that the risk for someone to break through it is a long way down on the list of threats to your network.


  • However, this portion confuses me: "On IPv4, I have to use port forwarding to the appropriate computer, but on IPv6, I go right to the destination.  PfSense is configured to allow specific ports to specific addresses."

    What confuses you?  IPv4 has to go through NAT and requires port forwarding to reach the appropriate computer.  With IPv6, the firewall is configured to allow the packets through to the specified address.  In either case, the destination computer's firewall is configured to allow the specific protocol.


  • P3R: Just for clarity, only 1 port (not SSH) is opened to the outside, but that is the price to pay if we want to be able to access a server remotely. Just having the port open only gains them a single vector with which to begin an attack. When I travel for an extended time, I also occasionally open up an additional port (SSH) for a different service. This is in the event something happens and I can remote back in and fix something for my wife. Although it's less secure to then have a 2nd port open vs. the 1st that's usually always open, it makes my life easier than trying to explain/write instructions/create permissions for my wife to grant my remote access. e.g. if I could do that, I'd just explain to her how to fix the issues. :)

    I guess the purpose of my initial question was I thought it might be beneficial to have VPN access instead of that occasional SSH access - as I am nearly 100% positive I would want or need to leave my other port still open 24/7. (I should add the 1st port is application username/password protected as well for access), so it's not like it's a huge open door. It's a small, partially locked door. From what you and JKnott indicate, I think I was more secure in my previous position (layered 2 types of firewalls, plus all the hosts protections). Thus, I did take the time last night to reconfigure back to my original setup.

    While much more technically savvy than the regular user, I also freely admit I do not have (or want to take?) the time away from family to (as often as one should) keep up on the latest and greatest attack vectors, how to mitigate them, or even comb through logs thoroughly enough. e.g. I'm just 1 guy and this is for a simple home network; I can do a lot, but I can't (or don't have the time to) do it all. Hence, my coming here to post a discussion about the topic.

    @JKnott:

    However, this portion confuses me: "On IPv4, I have to use port forwarding to the appropriate computer, but on IPv6, I go right to the destination.  PfSense is configured to allow specific ports to specific addresses."

    What confuses you?  IPv4 has to go through NAT and requires port forwarding to reach the appropriate computer.  With IPv6, the firewall is configured to allow the packets through to the specified address.  In either case, the destination computer's firewall is configured to allow the specific protocol.

    The difference between IPv6 & IPv4. This is just a lack of my knowledge of the differences. So from my understanding of what you've stated, IPv6 effectively handles the NAT/routing back to the computer you want it to go to, whereas with IPv4, it has a little more leg work to handle the NAT routing.

    Either way, thanks to both of you for the discussion, thought provoking questions and statements. I think I know the direction I'll continue to go/follow to (try to) keep my stuff more secure.


  • The difference between IPv6 & IPv4. This is just a lack of my knowledge of the differences. So from my understanding of what you've stated, IPv6 effectively handles the NAT/routing back to the computer you want it to go to, whereas with IPv4, it has a little more leg work to handle the NAT routing.

    No NAT with IPv6.  NAT is a hack to get around the IPv4 address shortage.  However, it also breaks a few things, including being able to directly access a computer behind the firewall.  Since I have 18.2 billion, billion IPv6 addresses available¹, there's no shortage that requires NAT.

    1. At the moment, I "only" have a /64 prefix, but shortly I'll be able to get a /56, which is about 4.7 billion, trillion addresses (4.7 x 10^21).

  • LAYER 8 Global Moderator

    "which is about 4.7 billion, trillion addresses (4.7 x 10^21).  "

    The number of addresses available in IPv6 really doesn't mean all that much - other than making it really impossible to do a scan of all IPs in a network looking for hosts… Since the number of hosts on a /64 is not going to be anywhere close to the number of IPs... So you really don't know where in the haystack the hosts (needle) might be.  And the haystack is just too freaking big to sift through looking for that needle.

    What is more important in IPv6 is the prefix, i.e. the number of networks the prefix allows you to have: with a /64 you can have 1 network, with a /56 you can have 256 different network segments, with a /48 you can have 65k, etc.

    While yes, the numbers are HUGE for the number of individual IPs - not really good for anything... You're never ever ever going to get even anywhere close to using the number of IPs available in a /64 on the same segment..

    To the multiple vectors comment with only 1 port - depends: do you have that 1 port open to multiple hosts?  If so then it's multiple attack points.. You have to keep each host's ssh server updated, configured, etc.  The more hosts, the more likely to make a mistake and not update 1, or bad config, etc.

    I would VPN into the network, and then through the VPN ssh to your different hosts.  This way you have the security of the VPN on top of all of the ssh servers, as a blanket if you will.. So even if you make a mistake on the sshd side, you still have it locked down to only VPN clients being able to access the ssh anyway.. Not every possible Tom, Dick and Harry bot on the internet hitting your sshd, etc.  Even if someone manages to get into the VPN - they would then have to get through the sshd security.  Public key, I would hope, etc.
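
A concrete version of the rule set this thread keeps circling (the port that has to be forwarded a second time through the inner NAT layer, an IPv6 port passed to one address with no NAT at all, and sshd reachable only from VPN clients), as an added example that is not from any poster in this thread. It is written for the inner Linux box in the OP's chain using iptables/ip6tables, the tools the thread names. Everything specific is a hypothetical placeholder: eth0/eth1, the 192.168.1.0/24 and 192.168.2.0/24 networks, the 10.8.0.0/24 VPN client pool, the 2001:db8: prefix and port 8443 (standing in for the OP's one always-open, application-authenticated port). The matching port forward and pass rule on the pfSense box in front (WAN:8443 to the Linux box's 192.168.1.2) are not shown; they live in the pfSense GUI. It also assumes pfSense carries a route to 192.168.2.0/24 via 192.168.1.2 and pushes it to VPN clients; without that route a VPN client on the pfSense side has no path to the inner LAN regardless of these rules, which the thread does not spell out.

```shell
#!/bin/sh
# Added example (not from the thread) for the inner Linux NAT/firewall box in
#   Internet <--> cable modem <--> pfSense <--> Linux box <--> inner LAN
# All addresses, interfaces and ports are hypothetical placeholders:
#   eth0 / 192.168.1.2   faces pfSense (pfSense LAN = 192.168.1.0/24)
#   eth1 / 192.168.2.1   faces the inner LAN 192.168.2.0/24
#   10.8.0.0/24          VPN client pool handed out by pfSense
# Usage:  DRY_RUN=1 sh inner-box.sh apply   # print the rules, touch nothing
#         sh inner-box.sh apply             # install them (as root)

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
INNER_NET=${INNER_NET:-192.168.2.0/24}
INNER_HOST=${INNER_HOST:-192.168.2.10}
INNER_HOST6=${INNER_HOST6:-2001:db8:1:2::10}
VPN_NET=${VPN_NET:-10.8.0.0/24}
FWD_PORT=${FWD_PORT:-8443}   # the one application port open from the Internet

# Execute the command, or just print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Default deny in both address families, allow return traffic, let the inner
# LAN out, and (IPv4 only) hide it behind this box's WAN-side address.
# Nothing is translated for IPv6.
base_policy() {
  for ipt in iptables ip6tables; do
    run "$ipt" -F
    run "$ipt" -X
    run "$ipt" -P INPUT DROP
    run "$ipt" -P FORWARD DROP
    run "$ipt" -P OUTPUT ACCEPT
    run "$ipt" -A INPUT -i lo -j ACCEPT
    run "$ipt" -A INPUT -i "$LAN_IF" -j ACCEPT          # admin from inside
    run "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$ipt" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$ipt" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
  done
  # IPv6 does not work without ICMPv6 (neighbour discovery, PMTU); never drop it.
  run ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
  run ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
  run iptables -t nat -F
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$INNER_NET" -j MASQUERADE
}

# IPv4: second hop of the double port forward. pfSense has already rewritten
# WAN:$port to 192.168.1.2:$port; rewrite it again to the inner host and
# explicitly allow only that forwarded connection.
forward_port_v4() {
  port=$1; host=$2; dport=${3:-$1}
  run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
      -j DNAT --to-destination "$host:$dport"
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$host" \
      --dport "$dport" -m conntrack --ctstate NEW -j ACCEPT
}

# IPv6: no translation, just pass the one port to the one global address
# (pfSense in front needs the same pass rule for that address and port).
allow_port_v6() {
  port=$1; host=$2
  run ip6tables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$host" \
      --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# sshd on this box and on inner hosts answers only to VPN source addresses;
# the rest of the Internet never reaches port 22, even if sshd is misconfigured.
ssh_only_from_vpn() {
  run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22 -s "$VPN_NET" \
      -m conntrack --ctstate NEW -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp --dport 22 \
      -s "$VPN_NET" -d "$INNER_NET" -m conntrack --ctstate NEW -j ACCEPT
}

apply_all() {
  base_policy
  forward_port_v4 "$FWD_PORT" "$INNER_HOST" "$FWD_PORT"
  allow_port_v6 "$FWD_PORT" "$INNER_HOST6"
  ssh_only_from_vpn
}

if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Run it once with DRY_RUN=1 and compare the printed lines against the pfSense side: every IPv4 path into the inner LAN needs a NAT entry at both boxes, the IPv6 path needs only a pass rule at each, and port 22 appears only with the VPN pool as source. The forwarded application port is the single Internet-facing vector; sshd is reachable only after the VPN, which is the layering the preceding post describes.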


  • Adding depth to security can be a good thing, but it also adds complexity and surface area, which are bad things. There is no rule of thumb, but I would be careful about having multiple layers of the same thing, like a firewall, assuming they're responsible for the same thing. If you have a firewall on the trunk, and each department has their own firewall, that's one thing. But if you effectively have two firewalls chained together and effectively configured the same, that's just one more area to make a mistake.

  • LAYER 8 Global Moderator

    also complexity adds overhead, overhead leads to shortcuts and workarounds and mistakes..

    You make users jump through too many hoops to access the resources, they will just find ways to work around the "extra" security because of the work it causes.

    Screw accessing the vpn on my laptop from home to access my work… I have to log in here, I then have to put in the pin on my sec card, then I have to use the OTP password.. Then it times out in a minute, etc..

    Screw that - will just download all the work onto my thumbdrive and take it home and read it on my home computer, etc.  Or I will just upload it to dropbox, or I will just run teamviewer on the machine and just teamviewer in from home to my work machine..

    Security is good - but when you make it PITA to get work done - the user will blow all your layers of security away with stupid luser tricks ;)