Looking to streamline a complex config



  • Device: Rack-mounted server with a Pentium G4400 and 4GB of RAM with 7 Intel GbE NICs running pfSense 2.4.3-p1 on a 60GB SSD.
    NICs: em0, igb0-igb5

    WAN1: Comcast with 6 out of 29 statics connected to em0
    WAN2: Verizon with 12 out of 13 statics connected to igb0

    LAN: igb1, 10.50.0.1/23 with 2 VLANs plus two more VLANs through internal gateways at 10.50.0.253 for 10.50.20.0/24, and 10.50.0.254 for 10.50.8.0/24
    OPT1: igb2, 10.0.1.1/24 (Hosted Web Servers)
    OPT2: igb3, 10.5.5.0/24 (Technet)

    VLAN60: igb1, 172.16.0.1/12 (Guest Wifi)
    VLAN706: igb1, 192.168.0.1/24 (some more hosted web servers) [I'm eventually changing the IP schema, waiting on developer]

    I have a few servers that require external access through different external IPs, and each needs to talk OUT through that same IP address.

    For example, my ConnectWise Manage server has an external IP of xxx.xxx.xxx.228 and NATs to 10.50.0.24. I have an outbound NAT for that, and I also had to make a LAN firewall rule that allowed all outbound traffic from that server and then had to select the Comcast gateway because I have the default GW on Verizon. There may be a better way, maybe 1:1 and then just have firewall rules. That is Question 1, because the LAN, OPT1 and VLAN706 all have external-facing servers, and all require their own IPs in and out.

    I have 7 total on LAN, 1 on OPT1 (but 5 VMs) and 3 on VLAN706.

    Then I have a technet, which I have an old blue netgear dumb switch that uplinks to igb3 and then has home runs to the red ethernet ports on everyone's desk and then they usually have some dumb switch connected to it. That is for client PCs, server builds, etc etc etc….

    I want to block all traffic from the Technet and the guest wireless but still want them able to talk to at least my ConnectWise Automate server, but only through the external IPs. I can do the inverted rule that says everything that is not X or Y or Z is allowed, but can I just have "allow all external but don't allow inter-network"? I replaced a WatchGuard M200, which was a bit easier on this front, because I could ban 10.5.5.0/24 from seeing even the existence of any other LAN or VLAN but still reach all the sites and services through their external IPs. On pfSense, it's all blocked. This is Question 2. Does a simpler way exist to say anything on Technet or Guest Wifi can't talk to jack on the rest of the firewall unless it's going out and back in?

    I forgot to add, I'm going to have at least 14 IPSec tunnels. I have 1 created so far to another datacenter of mine, and then I have tunnels for each client where I use NovaStor backup so I can stream the data back up to my SAN.

    That would be Question 3: should I add another 4GB of RAM and possibly look into a Core i5-6600T? Right now it doesn't seem to be sweating at all, but I have yet to add the 15 people who need SSL VPN access and 13 more IPsec tunnels that are going to be hammering data.
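The following is an added illustration of Questions 1 and 2 in raw pf.conf syntax; it is not the poster's configuration and not the rule set pfSense generates. Interface names follow the post; the public address is a documentation-range placeholder because the post elides it, and the rule names, tag name and table name are assumptions. It shows a 1:1 mapping (binat) for the ConnectWise server, a reflection redirect so isolated hosts can reach it "out and back in", and an isolation rule pair that blocks every internal prefix and then passes everything else.

```pf
# Added example, not the poster's config. Interface names from the post; other values assumed.
wan1    = "em0"        # Comcast (the WAN that owns the server's public address)
lan     = "igb1"       # LAN, 10.50.0.1/23
technet = "igb3"       # OPT2, 10.5.5.0/24
guest   = "igb1.60"    # VLAN 60 on igb1, guest Wi-Fi, 172.16.0.1/12

cw_public   = "203.0.113.228"   # placeholder for xxx.xxx.xxx.228 (documentation range)
cw_internal = "10.50.0.24"      # ConnectWise Manage server from the post

# Every internal prefix the isolated segments must not be able to reach directly.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Question 1: one 1:1 mapping gives the server the same public address inbound and
# outbound, replacing the separate port forward + outbound NAT + policy-route rule.
binat on $wan1 from $cw_internal to any -> $cw_public

# "Out and back in": when an isolated host addresses the public IP, redirect it to the
# internal host and tag the packet. pf translates before it filters, so by the time the
# filter sees this packet the destination is already 10.50.0.24 and it would otherwise
# match the RFC1918 block below; the tag is what lets the filter tell it apart.
rdr on { $technet $guest } proto tcp from any to $cw_public tag REFLECT -> $cw_internal

# The reply has to come back through the firewall, so source-NAT the reflected flow to
# the LAN interface address. Only reflected traffic can reach this rule, because direct
# traffic from these segments to 10.50.0.24 is blocked in the filter section.
nat on $lan proto tcp from { 10.5.5.0/24, 172.16.0.0/12 } to $cw_internal -> ($lan)

# Question 2, evaluated top to bottom with "quick" so the first match is final:
#  1. reflected traffic to hosted servers
#  2. DNS from the segment to the firewall itself (the /12 guest prefix and 10.5.5.1
#     both fall inside <rfc1918>, so without this the gateway would be unreachable)
#  3. block every other internal destination
#  4. pass everything else (the Internet)
pass  in quick on { $technet $guest } tagged REFLECT keep state
pass  in quick on { $technet $guest } proto { tcp, udp } from any to (self) port 53 keep state
block in quick on { $technet $guest } from any to <rfc1918>
pass  in quick on { $technet $guest } from any to any keep state
```

In the pfSense GUI the same structure is: a 1:1 entry under Firewall > NAT for the server, an alias holding the three RFC1918 prefixes, and on each of the OPT2 and VLAN60 tabs a pass rule to the firewall for DNS, a block rule to that alias, then a pass-any rule, with NAT reflection enabled for the 1:1 entry so the redirect and the tagged pass are created for you. Add any other service the segment needs from the firewall itself (NTP, a captive portal) to the rule in step 2, since the block in step 3 covers the firewall's own interface addresses.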



  • Anyone?