PfSense –> Web Server

flyride · Jul 31, 2009, 3:32 AM

Can anyone point me in the right direction for configuring a pfSense box ALIX.2D3 ( http://www.pcengines.ch/alix2d3.htm ) to act as a router/firewall for a LAMP server?

Basic info:
ONT (Optical Network Termination) with Fiber line split into 2 VLAN's on separate data ports:
-PORT 1 / VLAN 1 into WAN on pfSense box #1 (Home network) - this will have a dynamic IP from ISP
-PORT 2 / VLAN 2 into WAN on pfSense box #2 (CentOS web server running 15 websites) - this will have 2 static IP's from ISP for DNS for the server
-LAN on pfSense box #1 out to 24 port switch (home network drops & wireless access point)
-LAN on pfSense box #2 out to 8 port switch (web server has dual nics plugged in here)
-OPT1 on both pfSense boxes will be unused at ths point, may configure a guest wifi network at some point

I think I have a pretty good handle on setting up the #1 box for my home network. Seems to work fine using default settings. Box #2 for the web server I have no idea where to start. Maybe pfSense isn't even a good idea for this? One of my big concerns was keeping my home network and web server separate, but I am hoping the VLAN's in the ONT have pretty much acheived that, combined with the pfSense boxes…?

Any opinions / suggestions would be greatly appreciated!

Eugene · Aug 2, 2009, 4:19 AM

pfSense is good idea for this.
what is your question?

flyride · Aug 2, 2009, 12:16 PM

Is there any specific changes to the default configuration I should be making (for security, or other reasons), aside from creating firewall rules to allow HTTP / FTP traffic?

Eugene · Aug 2, 2009, 5:50 PM

You will need to create port-forwarding NAT to your web-server.
And you decide what to allow users connected to LAN.

flyride · Oct 16, 2009, 3:11 AM

What about using DirectAdmin for a cpanel? (Basically server IP must be external IP for licensing, meaning NAT/LAN can't be used): http://help.directadmin.com/item.php?id=241

Is there a way around this?

dotdash · Oct 16, 2009, 4:37 PM

To just address the last question, if you need the server to have a static IP, you could create a DMZ bridged to WAN. Another solution is to make the firewall transparent. Search around, there is a lot of information on these options.

flyride · Oct 16, 2009, 6:28 PM

Thanks for the reply. I will investigate.

flyride · Oct 17, 2009, 12:13 AM

@dotdash:

To just address the last question, if you need the server to have a static IP, you could create a DMZ bridged to WAN. Another solution is to make the firewall transparent. Search around, there is a lot of information on these options.

Followed this guide:
http://202.143.130.99/files/transparent_firewall.pdf

Worked like a charm! Thanks for pointing me in the right direction :)