DMZ with two FWs and one server

  • Hello, sorry I am inexperienced with certain parts of setting up a new network.

    I am going to purchase a Netgate SG-3100, it has 2 ports for WAN/WAN or WAN/LAN and then a 4-port LAN switch.

    I am going to have one internet-facing firewall with a public IP and port forwarding to my web server, one web server with a private IP on #DMZsubnet, and a second firewall behind the web server protecting my internal LAN.

    Would it be correct to use the WAN port on FW#1 for the internet, and then plug both the web server and the WAN port of FW#2 into one of the four LAN switch ports?

    This setup is for a factory with 48 machines on the floor, and those 48 machines are feeding information to the web server. I know normally the FW#2 protecting the LAN doesn't allow any incoming traffic from the DMZ, only outgoing from the LAN, but that's not possible in this setup because I have to have two-way communication between the web server and the machines. But I still want to make it as secure as possible.
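The design question above (a second firewall that must let the web server and the floor machines talk in both directions, but nothing else) can be checked before it is configured. The following is an added example, not configuration from the original post and not Netgate's or pfSense's own code: a small model of a stateful, first-match firewall policy for FW#2. The DMZ subnet, the web server address, the machine subnet, the office subnet and both port numbers are constructed placeholders; the point is the shape of the policy, in which the only DMZ host allowed to initiate into the LAN is the web server, only towards the machine subnet, and only on the one service port it needs, while replies to machine-initiated connections ride on connection state and need no inbound rule at all.

```python
"""Model of a narrow DMZ -> LAN policy for the second firewall (FW#2).

Added example for the forum question above; it is not code or configuration
from the post, from Netgate or from pfSense. All addresses and ports are
constructed placeholders chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


# Constructed addressing (assumptions, not from the post).
DMZ_NET = net("192.0.2.0/24")       # subnet between FW#1 and FW#2
WEB_SERVER = net("192.0.2.10/32")   # the single DMZ host
MACHINE_NET = net("10.10.1.0/24")   # the 48 floor machines behind FW#2
ANY = net("0.0.0.0/0")
MACHINE_PORT = 8443  # constructed: service the web server must reach on each machine
WEB_PORT = 443       # constructed: service the machines push data to


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: Net
    dst: Net
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# First-match rule lists, keyed by the interface a NEW connection arrives on.
POLICY: Dict[str, List[Rule]] = {
    # Traffic entering FW#2 from the DMZ side (DMZ -> LAN). Only the web
    # server, only to the machines, only on the one port it needs.
    "dmz_in": [
        Rule("allow", WEB_SERVER, MACHINE_NET, "tcp", MACHINE_PORT),
        Rule("deny", DMZ_NET, ANY, "any", None),   # explicit catch-all
    ],
    # Traffic entering FW#2 from the LAN side (LAN -> DMZ). Machines may
    # reach the web server's service and nothing else in the DMZ.
    "lan_in": [
        Rule("allow", MACHINE_NET, WEB_SERVER, "tcp", WEB_PORT),
        Rule("deny", ANY, DMZ_NET, "any", None),
    ],
}


class StatefulFirewall:
    """First-match rules for new connections; replies are allowed only when
    a matching forward flow was previously accepted (connection state)."""

    def __init__(self, policy: Dict[str, List[Rule]]) -> None:
        self.policy = policy
        self.state: Set[Tuple[str, str, str, int]] = set()

    def new_connection(self, direction: str, src: str, dst: str,
                       proto: str, dport: int) -> str:
        for rule in self.policy[direction]:
            if rule.matches(src, dst, proto, dport):
                if rule.action == "allow":
                    self.state.add((src, dst, proto, dport))
                return rule.action
        return "deny"  # implicit default deny when nothing matches

    def reply(self, src: str, dst: str, proto: str, sport: int) -> str:
        # A reply is the forward tuple with endpoints swapped; the reply's
        # source port is the forward connection's destination port.
        return "allow" if (dst, src, proto, sport) in self.state else "deny"


def demo() -> Dict[str, str]:
    """Run representative flows through the model and return the verdicts."""
    fw = StatefulFirewall(POLICY)
    return {
        # machine pushes data to the web server: allowed by lan_in
        "machine_to_web": fw.new_connection("lan_in", "10.10.1.7", "192.0.2.10", "tcp", WEB_PORT),
        # web server answers that connection: allowed by state, no DMZ->LAN rule used
        "web_reply_to_machine": fw.reply("192.0.2.10", "10.10.1.7", "tcp", WEB_PORT),
        # web server initiates to a machine on the agreed port: the one narrow allow
        "web_polls_machine": fw.new_connection("dmz_in", "192.0.2.10", "10.10.1.7", "tcp", MACHINE_PORT),
        # web server tries an office host: denied (limits damage if it is compromised)
        "web_to_office_ssh": fw.new_connection("dmz_in", "192.0.2.10", "10.10.2.5", "tcp", 22),
        # web server tries a machine on a different port: denied
        "web_to_machine_ssh": fw.new_connection("dmz_in", "192.0.2.10", "10.10.1.7", "tcp", 22),
        # any other DMZ address, even on the right port: denied
        "other_dmz_host_to_machine": fw.new_connection("dmz_in", "192.0.2.20", "10.10.1.7", "tcp", MACHINE_PORT),
        # a "reply" with no forward connection behind it: denied
        "unsolicited_reply": fw.reply("192.0.2.10", "10.10.1.9", "tcp", WEB_PORT),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:28s} {verdict}")
```

The useful distinction the model makes is between connections the machines open (which need only an outbound LAN rule plus connection state for the replies) and connections the web server itself must open into the LAN (which need the single narrow DMZ-to-LAN allow). If the machines can be the side that always initiates, the "dmz_in" allow disappears entirely and FW#2 becomes the conventional one-way DMZ boundary; if the web server must initiate, keeping that allow pinned to one source address, one destination subnet and one port is what limits what a compromised web server can reach.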
