Netgate Discussion Forum
    How to securely configure access to two different servers?

    General pfSense Questions
    10 Posts 6 Posters 849 Views
    • S
      SwisherSweet
      last edited by SwisherSweet

      Hi,

      New to pfsense and this community. We have two application servers at a datacenter. We are setting up a pfsense server to protect them. We do not have a switch, so the plan is to connect the uplink our datacenter has given us to the pfsense router's WAN port. This uplink has the external IP addresses. We will use IP aliasing to register the full range of IP addresses on the WAN interface.

      If we had a switch, we'd connect the LAN port of the pfsense box to the switch and the servers to the switch, on the same internal subnet. However, since we don't have a switch, it appears our best option is to connect each of the 2 servers to OPT1 and OPT2 (or LAN and OPT1) and set up different network subnets. For example, OPT1 could be 192.168.10.1/24 and OPT2 could be 192.168.11.1/24.

      Then we could route traffic from WAN to OPTx as needed.

      Is this a sound and safe approach? Should I expect any issues/blocks implementing this plan?

      Thank you.

      JKnottJ 1 Reply Last reply Reply Quote 0
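The plan described in the post above (two directly cabled OPT interfaces, IP aliases on WAN, port forwards from WAN into each private subnet), written out as the equivalent pf ruleset. This is an added illustration, not code from the thread and not pfSense's generated configuration: pfSense builds these rules from the GUI (Firewall > Virtual IPs, Firewall > NAT > Port Forward, Firewall > Rules), and the rules below show the resulting policy. Interface names, the 203.0.113.0/28 public range, the server addresses and the published ports are constructed assumptions.

```pf
# Constructed values for this example, not the poster's real addresses
wan_if  = "em0"     # uplink from the datacenter, carries the public range
opt1_if = "em1"     # server 1, directly cabled, 192.168.10.0/24
opt2_if = "em2"     # server 2, directly cabled, 192.168.11.0/24

opt1_net = "192.168.10.0/24"
opt2_net = "192.168.11.0/24"
srv1     = "192.168.10.10"
srv2     = "192.168.11.10"

# Public addresses from the assumed 203.0.113.0/28 uplink range. The firewall owns
# .2 and the aliases .3/.4 are added to the WAN interface (pfSense: Firewall >
# Virtual IPs); pf only references them here.
wan_ip = "203.0.113.2"
vip1   = "203.0.113.3"
vip2   = "203.0.113.4"

set skip on lo0
scrub in all

# Outbound NAT: each server leaves through its own public address, so logs on the
# far end identify which server made a connection
nat on $wan_if from $opt1_net to any -> $vip1
nat on $wan_if from $opt2_net to any -> $vip2

# Port forwards: only the published ports, destination is the VIP, source stays
# "any" (no source address/port pinned unless you know you need it)
rdr on $wan_if proto tcp from any to $vip1 port { 80, 443 } -> $srv1
rdr on $wan_if proto tcp from any to $vip2 port 443 -> $srv2

# Default deny with logging; filter rules see the translated (private) destination
block log all
pass out quick on $wan_if keep state

pass in on $wan_if proto tcp from any to $srv1 port { 80, 443 } flags S/SA keep state
pass in on $wan_if proto tcp from any to $srv2 port 443 flags S/SA keep state

# Inter-server filtering, which a single bridged subnet could not give you:
# explicit exceptions go first (quick), then everything else between the two
# subnets is dropped and logged
# pass in log quick on $opt1_if proto tcp from $srv1 to $srv2 port 5432 flags S/SA keep state
block in log quick on $opt1_if from $opt1_net to $opt2_net
block in log quick on $opt2_if from $opt2_net to $opt1_net

# Servers may reach the Internet and the firewall itself (DNS, updates)
pass in on $opt1_if from $opt1_net to any keep state
pass in on $opt2_if from $opt2_net to any keep state
```

Syntax-check a ruleset like this without loading it using `pfctl -nf /path/to/file`. The order matters: translation (nat/rdr) rules are evaluated before filter rules, so the WAN pass rules match on the private server address, and the `quick` exception for server-to-server traffic has to sit above the `block ... quick` lines or it will never be reached.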
      • JKnottJ
        JKnott @SwisherSweet
        last edited by

        @SwisherSweet said in How to securely configure access to two different servers?:

        If we had a switch, we'd connect the LAN port of the pfsense box to the switch and the servers so the switch with the same internal subnet.

        Considering how inexpensive they are, why not just buy a switch? I bought a 5 port unmanaged Gbit switch for $17 (CDN 🇨🇦) earlier this week.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        1 Reply Last reply Reply Quote 0
        • S
          SwisherSweet
          last edited by

          @JKnott thanks for the reply. I considered this but I decided not to for 2 primary reasons:

          • Since I'm leasing, there's no room in the rack for the switch, unless I purchase another 1U slot.
          • Those cheap switches can often be unreliable, resulting in another point of failure.

          Are you suggesting the cheap switch because my solution is not sound or secure?

          JKnottJ 1 Reply Last reply Reply Quote 0
          • JKnottJ
            JKnott @SwisherSweet
            last edited by

            @SwisherSweet

            No, I suggested buying an inexpensive switch because you said "If we had a switch, we'd connect the LAN port of the pfsense box to the switch and the servers so the switch with the same internal subnet." Seems to me you understand that's the better way to do it. While you could do what you want with 2 LAN interfaces, you'd be more limited, but need a more complex configuration.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            1 Reply Last reply Reply Quote 1
            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              The XG-7100 would be a good fit for you since you need the built-in switch.

              A better way to run in a colo would be if they would route a subnet of routable addresses to the WAN interface. You could then put the public addresses on an inside interface and eliminate all NAT.

              But, yes, since you are looking at doing NAT, multiple subnets looks like a better solution than a single bridged subnet, which should pretty much always be the last option.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 1
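The alternative Derelict describes, a routable block that the colo routes to the WAN address and that is then used directly on the inside interfaces with no NAT, as an added pf ruleset (not the thread's own configuration and not pfSense's generated rules). It goes slightly beyond his one-sentence description by applying it to the two separate server interfaces from the original question: the routed /28 is split into two /29s, one per interface. All addresses, interface names and ports are constructed assumptions, and the block used must be one the provider actually routes to your WAN address.

```pf
# Constructed values: the WAN link net and the routed block are different prefixes
wan_if  = "em0"
opt1_if = "em1"
opt2_if = "em2"

wan_ip   = "203.0.113.2"        # firewall's address on the uplink link net
routed   = "198.51.100.0/28"    # block the provider routes to 203.0.113.2
opt1_net = "198.51.100.0/29"    # firewall holds .1 on OPT1, server 1 is .2
opt2_net = "198.51.100.8/29"    # firewall holds .9 on OPT2, server 2 is .10
srv1     = "198.51.100.2"
srv2     = "198.51.100.10"

set skip on lo0
scrub in all

# No nat/rdr section at all: packets keep their real addresses in both
# directions, so server logs and the firewall state table show real client IPs

block log all
pass out quick on $wan_if keep state

# Publish the services directly on the servers' public addresses
pass in on $wan_if proto tcp from any to $srv1 port { 80, 443 } flags S/SA keep state
pass in on $wan_if proto tcp from any to $srv2 port 443 flags S/SA keep state

# Without NAT the server networks are reachable by address, so drop packets
# that claim a server-network source on any interface other than its own
antispoof log quick for $opt1_if
antispoof log quick for $opt2_if

# Inter-server traffic still crosses the firewall and is filtered exactly as in
# the NAT design; only explicitly permitted flows pass between the two /29s
block in log quick on $opt1_if from $opt1_net to $opt2_net
block in log quick on $opt2_if from $opt2_net to $opt1_net
pass in on $opt1_if from $opt1_net to any keep state
pass in on $opt2_if from $opt2_net to any keep state
```

Two things have to be true outside this file for the design to work: the provider's router must carry a route for the whole 198.51.100.0/28 pointing at 203.0.113.2, and the firewall must forward between its interfaces (pfSense does this by default). Everything reachability-wise is then decided by the filter rules alone, which is why this layout is easier to audit than a NAT setup with aliases and port forwards.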
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Yes, multiple internal subnets is probably what I would do. Especially if you need any sort of filtering between the servers.

                Much better than bridging the internal ports which would be the other option.

                If those servers need to talk to each other, and in particular if they need to send a lot of data, then just using a switch there is a much better option though.

                Steve

                1 Reply Last reply Reply Quote 1
                • S
                  SwisherSweet
                  last edited by

                  Thank you for all your replies and help. I ended up going with the SG-3100w, which includes a built-in switch. Now if only I can get Suricata to start.

                  1 Reply Last reply Reply Quote 0
                  • A
                    AndreyBailey
                    last edited by

                    It's a really helpful discussion, thanks for the knowledge ☺

                    GertjanG 1 Reply Last reply Reply Quote 0
                    • GertjanG
                      Gertjan @AndreyBailey
                      last edited by

                      @AndreyBailey said in How to securely configure access to two different servers?:

                      Its really helpful discussion thanks for the knowledge ☺


                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        Mmm, already watching. 🕵

                        1 Reply Last reply Reply Quote 0
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.