Daisy chaining firewalls
young_network_curmudgeon last edited by
I figured I would make a post outlining my current setup using 2 installs of pfsense with an install of Sophos UTM in between them.
Outermost firewall - Dedicated machine- Pfsense 1 Wan, 2 Lan Open VPN client to PIA, 1st Lan to Lab chain below, 2nd Lan for rest of household
Second firewall - Hyper-V VM 3 VNIC - Sophos UTM 2 Wan 1 Lan Each Wan has separate IP on same subnet as firewall #1 Lan
Innermost firewall - Hyper-V VM 4 VNIC- Pfsense 3 Wan 1 Lan Each Wan has separate IP on same subnet as firewall #2 Lan OpenVPN server for remote access
On the Hyper-V host, one nic is dedicated as a wan directly connected to the 1st firewall,and the port is not shared with the host.
A second Vswitch is set as private for direct connection between sophos and 3rd firewall
The Lan vswitch is a team of two physical ports, shared with the host connected to the innermost install of pfsense. This is also connected to my primary switch and is my personal network.
None of the firewalls are bridged, so everything is going through NAT with Policy routes set in Sophos, and firewall rules with gateway definitions in PFsense
Within Sophos I am doing web filtering and HTTPS decryption, and am also using the Webserver protection feature
By having Multiple gateways defined down the line, I can choose which traffic will be routed over my VPN provider or my own Wan, and which traffic will be filtered/scanned or bypass the filter.
The Innermost install of PFsense is a little redundant, but I've been using PFsense for years as my primary firewall, and am used to it, and it also lets me bypass the 50IP address limit of Sophos
I hope I explained my setup clearly. I am open to questions about if I haven't and would love to hear from other people doing crazy stuff with routing on their own networks using multiple firewalls.
It really is a good way to try out different products, I might test out untangle myself too, as it's been a while.