Daisy chaining firewalls

  • I figured I would make a post outlining my current setup using 2 installs of pfSense with an install of Sophos UTM in between them.

    Outermost firewall - dedicated machine - pfSense, 1 WAN, 2 LAN. OpenVPN client to PIA; 1st LAN to the lab chain below, 2nd LAN for the rest of the household.
    Second firewall - Hyper-V VM, 3 vNICs - Sophos UTM, 2 WAN, 1 LAN. Each WAN has a separate IP on the same subnet as firewall #1's LAN.
    Innermost firewall - Hyper-V VM, 4 vNICs - pfSense, 3 WAN, 1 LAN. Each WAN has a separate IP on the same subnet as firewall #2's LAN. OpenVPN server for remote access.

    On the Hyper-V host, one NIC is dedicated as a WAN directly connected to the 1st firewall, and the port is not shared with the host.
    A second vSwitch is set as private for a direct connection between Sophos and the 3rd firewall.
    The LAN vSwitch is a team of two physical ports, shared with the host, connected to the innermost install of pfSense. This is also connected to my primary switch and is my personal network.

    None of the firewalls are bridged, so everything is going through NAT with policy routes set in Sophos, and firewall rules with gateway definitions in pfSense.
    Within Sophos I am doing web filtering and HTTPS decryption, and am also using the Webserver Protection feature.
    By having multiple gateways defined down the line, I can choose which traffic will be routed over my VPN provider or my own WAN, and which traffic will be filtered/scanned or bypass the filter.
    The innermost install of pfSense is a little redundant, but I've been using pfSense for years as my primary firewall, and am used to it, and it also lets me bypass the 50 IP address limit of Sophos.

    I hope I explained my setup clearly. I am open to questions if I haven't, and would love to hear from other people doing crazy stuff with routing on their own networks using multiple firewalls.
    It really is a good way to try out different products. I might test out Untangle myself too, as it's been a while.