Virtual Infrastructure and 2 pfSense



  • Hello

I want to install a fully virtualized environment, as in the attached picture, on our physical server running XenServer 7 at a server hosting company.
    I will protect both the LAN and the DMZ with dedicated pfSense virtual instances.

    2 questions please:

• what's your recommendation and your comments/criticisms, if any
    • I installed the pfSense instance but traffic is not going to the Internet from the LAN. Is there special routing that must be configured on both FWs?

    Thank you :)

    ![Virtual Infrastructure Public.png](/public/imported_attachments/1/Virtual Infrastructure Public.png)



• Forgot to say that communication between both FWs is working fine; the i-edge FW is accessing the Internet too, to retrieve the package list.
    But there is no access to machines in the DMZ or in the LAN.



  • @SSamir:

• what's your recommendation and your comments/criticisms, if any

Delete the second FW and connect the LAN to an additional interface on the first one. It makes no sense to run two instances of pfSense providing just one network area on the same hardware.



  • Dear Viragomann,

Of course it's easily feasible with one FW having 3 branches (multi-arm).
    However, it's often recommended to have a DMZ (with its multiple services inside) between 2 distinct FWs, and better still if they are from 2 distinct brands.

What I'm trying to replicate, in a virtual infrastructure, is a micro-environment of a real-world enterprise-class architecture.

    Thank you for your reply :)
    Samir



  • @SSamir:

Forgot to say that communication between both FWs is working fine; the i-edge FW is accessing the Internet too, to retrieve the package list.
    But there is no access to machines in the DMZ or in the LAN.

I guess you are not running NAT on the i-edge FW and are using it as a router/firewall? ==> You might be missing NAT for the 192.168.49.x/y subnet on the e-edge FW then.



  • So you have a double NAT setup.
To get Internet access from the LAN you have to set 192.168.59.1 as the default gateway on the i-edge FW.
    Also ensure that an outbound NAT rule is set on the DMZ interface.



  • Hi Guys,

Thank you all for your replies.
    The culprit was the BSD/Xen combination.
    I disabled TX offloading on pfSense but forgot to do the same on the hypervisor (XenServer 7).

    The following did the trick :)

    xe vif-param-set uuid=<vif uuid> other-config:ethtool-tx="off"
    xe vif-param-set uuid=<vif uuid> other-config:ethtool-tx="off"

    Thank you again
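The fix above has to be applied to every VIF of the pfSense VM (there is one per interface), and the `other-config` value is easy to mistype without any error from `xe`. The following script is an added example, not code from the thread or from XenServer itself: it looks up the VM by name-label, sets `ethtool-tx=off` on each of its VIFs and reads the value back to confirm it stuck. It assumes the standard `xe` CLI on a XenServer 7 host; the VM name `pfsense-iedge` used in the comments is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): disable TX checksum offload on every
# VIF of a XenServer VM and verify the setting afterwards.
# Assumes the standard `xe` CLI is on PATH; run on the XenServer host as
#   ./disable-tx-offload.sh pfsense-iedge     (VM name-label is a placeholder)

set -eu

# Print the UUIDs of all VIFs attached to the VM with the given name-label,
# one per line. Fails if no VM has that name.
vifs_for_vm() {
    vm_uuid=$(xe vm-list name-label="$1" params=uuid --minimal)
    if [ -z "$vm_uuid" ]; then
        echo "no VM named '$1'" >&2
        return 1
    fi
    # --minimal returns a comma-separated list; one UUID per line is easier to loop over
    xe vif-list vm-uuid="$vm_uuid" params=uuid --minimal | tr ',' '\n'
}

# Set ethtool-tx=off on one VIF and read it back; succeeds only if the value stuck.
disable_tx_offload() {
    xe vif-param-set uuid="$1" other-config:ethtool-tx=off
    value=$(xe vif-param-get uuid="$1" param-name=other-config param-key=ethtool-tx)
    [ "$value" = "off" ]
}

# Apply to every VIF of the VM; prints the number of VIFs changed on stdout.
disable_tx_offload_for_vm() {
    vifs=$(vifs_for_vm "$1") || return 1
    count=0
    for vif in $vifs; do
        disable_tx_offload "$vif" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

if [ $# -gt 0 ]; then
    n=$(disable_tx_offload_for_vm "$1")
    echo "TX offload disabled on $n VIF(s) of $1"
    echo "The other-config value is applied when a VIF is plugged: reboot the VM or unplug/plug its VIFs."
fi
```

Reading the value back with `xe vif-param-get` is the check worth keeping: a wrong key name (for example `ethtool_tx`) is silently stored as just another `other-config` entry and the offload stays on, which is exactly the symptom in this thread (links up, neighbours reachable, TCP traffic through the firewall broken).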