How to securely configure access to two different servers?



  • Hi,

    New to pfsense and this community. We have two application servers at a datacenter. We are setting up a pfsense server to protect them. We do not have a switch, so the plan is to connect the uplink our datacenter has given us to the pfsense router's WAN port. This uplink has the external IP addresses. We will use IP aliasing to register the full range of IP addresses on the WAN interface.

    If we had a switch, we'd connect the LAN port of the pfsense box to the switch, and the servers to the switch, with the same internal subnet. However, since we don't have a switch, it appears our best option is to connect each of the 2 servers to OPT1 and OPT2 (or LAN and OPT1) and set up different network subnets. For example, OPT1 could be 192.168.10.1/24 and OPT2 could be 192.168.11.1/24.

    Then we could route traffic from WAN to OPTx as needed.

    Is this a sound and safe approach? Should I expect any issues/blockers implementing this plan?

    Thank you.



  • @SwisherSweet said in How to securely configure access to two different servers?:

    If we had a switch, we'd connect the LAN port of the pfsense box to the switch, and the servers to the switch, with the same internal subnet.

    Considering how inexpensive they are, why not just buy a switch? I bought a 5 port unmanaged Gbit switch for $17 (CDN 🇨🇦) earlier this week.



  • @JKnott thanks for the reply. I considered this but I decided not to for 2 primary reasons:

    • Since I'm leasing, there's no room in the rack for the switch, unless I purchase another 1U slot.
    • Those cheap switches can often be unreliable, resulting in another point of failure.

    Are you suggesting the cheap switch because my solution is not sound or secure?



  • @SwisherSweet

    No, I suggested buying an inexpensive switch because you said "If we had a switch, we'd connect the LAN port of the pfsense box to the switch, and the servers to the switch, with the same internal subnet." Seems to me you understand that's the better way to do it. While you could do what you want with 2 LAN interfaces, you'd be more limited and need a more complex configuration.


  • LAYER 8 Netgate

    The XG-7100 would be a good fit for you since you need the built-in switch.

    A better way to run in a colo would be if they would route a subnet of routable addresses to the WAN interface. You could then put the public addresses on an inside interface and eliminate all NAT.

    But, yes, since you are looking at doing NAT, multiple subnets looks like a better solution than a single bridged subnet, which should pretty much always be the last option.


  • Netgate Administrator

    Yes, multiple internal subnets is probably what I would do. Especially if you need any sort of filtering between the servers.

    Much better than bridging the internal ports which would be the other option.

    If those servers need to talk to each other, and in particular if they need to send a lot of data, then just using a switch there is a much better option though.

    Steve
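The design the original poster describes (public IPs aliased on WAN, one server per OPT interface on its own /24, port forwards from WAN into each subnet) and the point Steve raises above (being able to filter between the two servers) can both be shown as a plain pf ruleset, since that is what pfSense generates from its firewall, NAT and Virtual IP pages. The ruleset below is an added illustration and is not the poster's configuration or anything generated by pfSense itself; the interface names (vtnet0/1/2), the server host addresses (.10 in each subnet), the forwarded port (443), and the public addresses (from the 203.0.113.0/24 documentation range) are all assumptions. The public addresses themselves are assumed to already be configured on the WAN interface as IP aliases, which pf rules do not do for you.

```pf
# Illustrative pf ruleset (added example, not the original poster's config).
# Interface names, host addresses and public IPs are placeholders.
ext_if   = "vtnet0"            # WAN, carries the datacenter uplink
opt1_if  = "vtnet1"            # OPT1, server A
opt2_if  = "vtnet2"            # OPT2, server B

opt1_net = "192.168.10.0/24"   # from the original post
opt2_net = "192.168.11.0/24"   # from the original post
srv_a    = "192.168.10.10"     # assumed server address on OPT1
srv_b    = "192.168.11.10"     # assumed server address on OPT2
pub_a    = "203.0.113.10"      # assumed public IP alias on WAN for server A
pub_b    = "203.0.113.11"      # assumed public IP alias on WAN for server B

set skip on lo0
scrub in all

# Outbound NAT: both internal subnets leave via the WAN address.
nat on $ext_if from { $opt1_net, $opt2_net } to any -> ($ext_if)

# Port forwards: one public address per server. Translation happens before
# filtering, so the pass rules below match the translated (private) address.
rdr on $ext_if proto tcp from any to $pub_a port 443 -> $srv_a port 443
rdr on $ext_if proto tcp from any to $pub_b port 443 -> $srv_b port 443

# Default deny, logged. Anything not explicitly passed below is dropped,
# including traffic addressed to the firewall itself; management access
# needs its own rule.
block log all

# Drop packets arriving on an OPT interface with a source address that does
# not belong to that interface's subnet.
antispoof quick for { $opt1_if, $opt2_if }

# Inbound from the internet: only the forwarded service on each server.
pass in on $ext_if proto tcp to $srv_a port 443 flags S/SA keep state
pass in on $ext_if proto tcp to $srv_b port 443 flags S/SA keep state

# Isolation between the two servers. This is the filtering Steve mentions;
# it is only possible because each server sits on its own interface.
# Remove or narrow these two rules if the servers must talk to each other.
block in quick on $opt1_if from $opt1_net to $opt2_net
block in quick on $opt2_if from $opt2_net to $opt1_net

# Let each server reach the internet (updates, outbound calls).
pass in on $opt1_if from $opt1_net to any keep state
pass in on $opt2_if from $opt2_net to any keep state

# Replies and firewall-originated traffic leaving on WAN.
pass out on $ext_if keep state
```

In pfSense terms the same result is reached with two IP Alias virtual IPs on WAN, two port-forward NAT rules (with their auto-created WAN pass rules), and on each OPT interface a block rule for the other OPT subnet placed above the default allow-out rule; OPT interfaces start with no pass rules at all, which is why the poster's two-subnet layout is a bit more work than a single LAN but gives the per-server filtering a bridge or flat switch would not. With a real switch between pfSense and the servers, the two `block in quick` rules would have no effect, because server-to-server traffic would never traverse the firewall.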



  • Thank you for all your replies and help. I ended up going with the SG-3100w, which includes a built-in switch. Now if only I can get Suricata to start.



  • It's a really helpful discussion, thanks for the knowledge ☺



  • @AndreyBailey said in How to securely configure access to two different servers?:

    It's a really helpful discussion, thanks for the knowledge ☺

    (image attachment)


  • Netgate Administrator

    Mmm, already watching. 🕵

