<![CDATA[Virtualized pfSense behind Physical pfSense]]>I have an environment with 2 WAN coming into a physical pfSense which serves few physical servers and virtual machines. Attached is a picture of 2 possible scenarios. First one All VMs connects to internet via physical pfSense acting as Gateway. 2nd scenario a pfSense VM acting as gateway. The requirement is each subnet should not be able to see each other at all should somebody in any subnet VM break out of the VM. Any suggestions/comments which one would be better all around?
pfsense-vm-physical.PNG
pfsense-vm-physical.PNG_thumb

]]>https://forum.netgate.com/topic/130084/virtualized-pfsense-behind-physical-pfsenseRSS for NodeWed, 22 Apr 2026 01:25:52 GMTTue, 24 Apr 2018 05:20:54 GMT60<![CDATA[Reply to Virtualized pfSense behind Physical pfSense on Tue, 01 May 2018 13:38:49 GMT]]>That's not double-NAT.  A double-NAT is two routers in a row that each perform address translation.

]]>https://forum.netgate.com/post/763547https://forum.netgate.com/post/763547Tue, 01 May 2018 13:38:49 GMT<![CDATA[Reply to Virtualized pfSense behind Physical pfSense on Mon, 30 Apr 2018 20:41:43 GMT]]>@KOM:

I see no reason why you need a double-NAT configuration just for subnet isolation.

I Do

Scenario:- DMZ with public facing servers and a IPS/IDS solution integrated inside the DMZ to catch/block inbound connections before reaching the internal firewall

:)

]]>https://forum.netgate.com/post/763432https://forum.netgate.com/post/763432Mon, 30 Apr 2018 20:41:43 GMT<![CDATA[Reply to Virtualized pfSense behind Physical pfSense on Tue, 24 Apr 2018 17:53:22 GMT]]>

by creating a VM pfsense behind a physical one, I am only creating extra unnecessary micromanagement work

Yes.

So I should focus 100% on the physical pfsense and load up with packages such as pfblocker, suricata etc etc and pay very close attention to the rules. Correct?

That will work.  I still prefer a virtualized instance.  Snapshots can be a life-saver if an upgrade or package install goes wrong.

]]>https://forum.netgate.com/post/762461https://forum.netgate.com/post/762461Tue, 24 Apr 2018 17:53:22 GMT<![CDATA[Reply to Virtualized pfSense behind Physical pfSense on Tue, 24 Apr 2018 15:37:24 GMT]]>Looks like my plan not gaining any points here.  :D

That's why I am asking the community. So if I am understanding it right, by creating a VM pfsense behind a physical one, I am only creating extra unnecessary micromanagement work. The physical pfsense will provide the same level of isolation whether it is with VLAN or not.
So I should focus 100% on the physical pfsense and load up with packages such as pfblocker, suricata etc etc and pay very close attention to the rules. Correct?

]]>https://forum.netgate.com/post/762432https://forum.netgate.com/post/762432Tue, 24 Apr 2018 15:37:24 GMT<![CDATA[Reply to Virtualized pfSense behind Physical pfSense on Tue, 24 Apr 2018 15:00:54 GMT]]>@symmcom:

Being too paranoid?

Yes. The RFC1918 space isn't very large and can be scanned in a matter of minutes, so you can't really hide anything here.

@symmcom:

That way physical pfsense has no info on any vLANs on the network.

And what is that supposed to do? If someone can take over the first pfSense instance then the second one won't be a problem either.

]]>https://forum.netgate.com/post/762424https://forum.netgate.com/post/762424Tue, 24 Apr 2018 15:00:54 GMT<![CDATA[Reply to Virtualized pfSense behind Physical pfSense on Tue, 24 Apr 2018 14:58:51 GMT]]>I should have made it a little clearer in my earlier explanation. You just mentioned what I am really trying to achieve. I do use vLAN extensively. There are 7 vLANs right now on the network and physical pfsense is aware of all of them. So my thinking process was put all the vLAN interfaces on virtual pfsense and have physical pfsense only talk to the vm pfsense over a single LAN. That way physical pfsense has no info on any vLANs on the network. Am I thinking right?

]]>https://forum.netgate.com/post/762423https://forum.netgate.com/post/762423Tue, 24 Apr 2018 14:58:51 GMT<![CDATA[Reply to Virtualized pfSense behind Physical pfSense on Tue, 24 Apr 2018 14:53:08 GMT]]>

Being too paranoid?

If they've already cracked your network by taking over a forwarded host, it's game over for that network.  They can easily discover other clients via probes.  If you have a front-facing server, put it on its own interface or VLAN and isolate it via firewall rules.  This is very easy to do virtualized.

]]>https://forum.netgate.com/post/762419https://forum.netgate.com/post/762419Tue, 24 Apr 2018 14:53:08 GMT<![CDATA[Reply to Virtualized pfSense behind Physical pfSense on Tue, 24 Apr 2018 14:23:39 GMT]]>@KOM:

As much as I prefer to run pfSense virtualized, I see no reason why you need a double-NAT configuration just for subnet isolation.

Maybe I am over thinking this. But my thinking was to hide the actual IP info of the VMs from the edge firewall. I can port forward from the physical to virtual firewall WAN interface and from VM pfsense LAN to VMs. That way if the physical internet facing pfsense gets compromised they won't know the IPs of any VMs. Being too paranoid?

]]>https://forum.netgate.com/post/762408https://forum.netgate.com/post/762408Tue, 24 Apr 2018 14:23:39 GMT<![CDATA[Reply to Virtualized pfSense behind Physical pfSense on Tue, 24 Apr 2018 13:41:59 GMT]]>As much as I prefer to run pfSense virtualized, I see no reason why you need a double-NAT configuration just for subnet isolation.

]]>https://forum.netgate.com/post/762396https://forum.netgate.com/post/762396Tue, 24 Apr 2018 13:41:59 GMT