WAN, 2 LANs and VPN in data center

  • Currently I have the following setup on my half-rack in a data center.

    Cisco Catalyst Switch:

    • Datacenter management VPN -> VLAN1 (to IPMI port of servers)  (separate routing&gateway)
    • Internet  (EtherChannel) -> VLAN2 (to eth0 of servers) (public internet IPs)
    • Local traffic -> VLAN3 (to eth1 of servers) (

    All assigned with static IPs, no NAT or DHCP.
    Unfortunately, it's extremely hard to keep the firewall rules stable for each of the servers (UFW + Docker + iptables is such a pain…) so I bought a pfSense appliance. I want to configure it as follows:

    • Datacenter Management VPN -> Management port for pfSense
    • Internet EtherChannel -> WAN
    • WAN -> Filtering bridge -> VLAN2 (internet)
    • WAN -> VPN (but nothing else!) -> VLAN3

    Now it would be really great if I can reach it via a VPN, but no inbound internet traffic should ever reach that VLAN3 (it's internal traffic; the whole point is to separate internal from external).

    What would be the best way of going about this? In particular I'm a bit confused how I can get VLAN3 separate from the rest, while still having VPN access to that subnet.

    Any other setup would of course also be welcome.
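The segmentation the post asks for can be sanity-checked before anything is typed into pfSense. The model below is an added example, not the poster's configuration or pfSense code: it encodes the intended per-interface rule tabs (WAN, OpenVPN) as a first-match table and evaluates sample flows against the stated policy. The interface names, the OpenVPN port and all subnets are constructed assumptions.

```python
"""First-match model of the intended pfSense ruleset (constructed example).

Policy under test: inbound internet may reach VLAN2 only through the
filtering bridge, VPN clients may reach VLAN3, and WAN traffic must never
reach VLAN3 directly. Addresses are placeholders, not the real rack."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing: public IPs on VLAN2 behind the bridge, private
# LAN on VLAN3, and a tunnel subnet handed to OpenVPN clients.
NETS = {
    "VLAN2": ip_network("203.0.113.0/26"),
    "VLAN3": ip_network("10.10.3.0/24"),
    "VPN": ip_network("10.200.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    iface: str            # interface tab the rule lives on
    action: str           # "pass" or "block"
    dst: object = None    # ip_network, or None for "any"
    proto: object = None  # "tcp"/"udp", or None for any protocol
    port: object = None   # destination port, or None for any


# Order matters: pfSense evaluates interface rules top-down, first match wins.
RULES = [
    Rule("WAN", "pass", None, "udp", 1194),          # OpenVPN to the firewall itself
    Rule("WAN", "block", NETS["VLAN3"]),             # internet must never hit VLAN3
    Rule("WAN", "pass", NETS["VLAN2"], "tcp", 443),  # bridge: only HTTPS to VLAN2
    Rule("WAN", "block"),                            # explicit default deny on WAN
    Rule("OpenVPN", "pass", NETS["VLAN3"]),          # tunnel clients reach VLAN3
    Rule("OpenVPN", "block"),                        # nothing else via the tunnel
]


def decide(iface, dst, proto, port):
    """Return the action for a flow arriving on `iface` towards dst:port."""
    target = ip_address(dst)
    for r in RULES:
        if r.iface != iface:
            continue
        if r.dst is not None and target not in r.dst:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action
    return "block"  # pfSense's implicit default deny when no rule matches
```

Running a flow from the WAN to a VLAN3 host must return "block" while the same host reached from the OpenVPN interface returns "pass"; any other result means the rule order does not implement the policy.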
