Multiple WAN IPs towards multiple isolated LANs



  • I would like to use a single pfSense virtual firewall to handle several WAN IPs, and each WAN IP X should be "connected" to a specific LAN Y; each LAN should be isolated from the other.

    Example:
    LAN1 : 192.168.0.x
    LAN2: 192.168.1.x
    WAN IP1: 11.11.11.11
    WAN IP2: 11.11.12.12

    • LAN1 and LAN2 should not be able to talk to each other
    • Port 443,80 of WAN IP1 should be forwarded to 192.168.0.100 of LAN1
    • Port 443,80 of WAN IP2 should be forwarded to 192.168.1.200 of LAN2

What is the best solution/configuration of pfSense?
    Should I use a single WAN interface with multiple IPs?
    Is it better to create multiple DMZs?
    Single LAN with IP aliases?
    On the LANs side, should I use a single switch with a different VLAN for each LAN, or should I use multiple switches?

    Thank you in advance.


  • LAYER 8 Moderator

    @Edigest said in Multiple WAN IPs towards multiple isolated LANs:

    Should I use a single WAN interface with multiple IPs?

If you get all those WAN IPs from a provider or another internal network there's no need for separate interfaces. You want to isolate the LANs, the WAN IPs shouldn't matter.

    Is it better to create multiple DMZs?

    To fully isolate - yes.

    Single LAN with IP aliases?

    Such a setup (various IP ranges on a single physical interface without VLANs) is never separated and secure! Don't do that!

On the LANs side, should I use a single switch with a different VLAN for each LAN, or should I use multiple switches?

Multiple switches if you are really paranoid about things, but AFAIK there are still no real world active attack scenarios against VLANs so using a (good!) single switch with VLAN capabilities should be fine. Just create separate VLANs and configure them in pfSense as e.g. DMZ1/DMZ2.

What is the best solution/configuration of pfSense?

That depends. Do those LANs need internet or "WAN" access? Should they only respond to incoming queries via their respective WAN IP? Depending on the answers to what those DMZs/LANs should be able to do, your ruleset will have to reflect this. If you want to make sure they can't see each other, just put a blocking rule with the other respective DMZ/LAN network on top of everything else on that interface, e.g. for DMZ1:

block any from dmz1_net any to dmz2_net any

and vice versa. If you wanna grow that setup later, just create an alias consisting of all private address space (RFC1918) and use that as destination instead of dmz2_net. This way you block all private IP space as destination (depending on whether your WAN is in private address range, too, and if you have destinations there that should be available.)

    Greets



  • @JeGr Thank you very much, very clear.

    That depends. Do those LANs need internet or "WAN" access? Should they only respond to incoming queries via their respective WAN IP?

Each LAN Y should be able to navigate through its corresponding WAN IP (NAT WAN IP1<->LAN1, NAT WAN IP2<->LAN2), and they should only respond to incoming queries via their respective WAN IP (only some ports should be port forwarded to a member of the corresponding LAN).

    So, to summarise your hints:

    • single WAN with multiple WAN IPs (WAN aliases)
    • multiple DMZs (one for each LAN )
    • virtual switch with VLAN support (each pfSense DMZ connected to a specific switch port with the corresponding VLAN)

    Did I miss something?


  • LAYER 8 Moderator

    @Edigest said in Multiple WAN IPs towards multiple isolated LANs:

    Did I miss something?

Don't think so. You should turn off automatic outbound NAT, too, and configure it manually: leave those 127.0.0.1 and ::1 rules intact but remove all rules belonging to the DMZs and only map those networks (let's call them DMZ1/DMZ2) to their respective WAN IP you wish that subnet to have.

    Besides that and a tight firewall ruleset you should be good to go.
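The thread settles on one WAN interface carrying both public IPs, one VLAN-backed DMZ per LAN, a "block the other private networks first" rule on each DMZ interface, and hand-written outbound NAT that maps each DMZ to its own WAN IP. The pf ruleset below is an added example that puts all of those pieces (isolation rule with an RFC1918 alias, outbound NAT, and the 80/443 port forwards) into one place in the pf syntax pfSense generates under the hood; it is not configuration from the thread or from the pfSense project. Interface names (vmx0, vmx1.10, vmx1.20) are assumed; the addresses are the ones given in the original question.

```pf
# Added example ruleset, written in FreeBSD pf syntax (pfSense writes rules
# like these from the GUI). Interface names below are assumptions.
ext_if   = "vmx0"       # single WAN interface; both public IPs live here
dmz1_if  = "vmx1.10"    # VLAN 10 on the LAN-side trunk -> DMZ1
dmz2_if  = "vmx1.20"    # VLAN 20 on the LAN-side trunk -> DMZ2

dmz1_net = "192.168.0.0/24"
dmz2_net = "192.168.1.0/24"
wan_ip1  = "11.11.11.11"    # primary WAN address
wan_ip2  = "11.11.12.12"    # IP alias (virtual IP) on $ext_if
web1     = "192.168.0.100"  # host reachable via WAN IP1
web2     = "192.168.1.200"  # host reachable via WAN IP2

# The RFC1918 alias the moderator suggests: blocking this as destination
# isolates every present and future DMZ without editing rules per DMZ.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Manual outbound NAT: each DMZ egresses only through its own WAN IP.
# (pfSense's own 127.0.0.1 / ::1 outbound NAT rules stay as they are.)
nat on $ext_if from $dmz1_net to any -> $wan_ip1
nat on $ext_if from $dmz2_net to any -> $wan_ip2

# Port forwards: 80/443 on each WAN IP reach only that DMZ's web host.
rdr on $ext_if proto tcp from any to $wan_ip1 port { 80, 443 } -> $web1
rdr on $ext_if proto tcp from any to $wan_ip2 port { 80, 443 } -> $web2

# Default deny everywhere, logged.
block log all

# WAN: rdr runs before filtering, so the filter sees the translated
# destination. Only the forwarded services are admitted.
pass in on $ext_if proto tcp from any to $web1 port { 80, 443 } keep state
pass in on $ext_if proto tcp from any to $web2 port { 80, 443 } keep state

# DMZ1: the isolation rule goes first and uses "quick" so nothing below
# can override it; then general internet access. Note that <rfc1918> also
# covers the firewall's own DMZ1 address, so if the firewall serves DNS or
# DHCP to DMZ1, add a "pass in quick" to that address above the block.
block in quick log on $dmz1_if from $dmz1_net to <rfc1918>
pass  in on $dmz1_if from $dmz1_net to any keep state

# DMZ2: same pattern.
block in quick log on $dmz2_if from $dmz2_net to <rfc1918>
pass  in on $dmz2_if from $dmz2_net to any keep state

# Firewall-originated traffic leaving on WAN (states are floating by
# default, so forwarded and replied traffic is already covered by the
# "pass in" rules above).
pass out on $ext_if keep state
```

Load it with `pfctl -nf /path/to/file` to syntax-check before applying; on pfSense the equivalent entries are made in the GUI (Firewall > Aliases for the RFC1918 table, Firewall > NAT > Outbound in manual mode, Firewall > NAT > Port Forward, and the per-interface rules with the block rule on top). With the `<rfc1918>` block in place, a host in DMZ1 can reach 11.11.11.11's upstream but gets a logged block when it tries 192.168.1.200, which is the isolation the thread asks for.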

