Multi-tier Architecture with Port Forwarding

  • New to pfSense so I'm sure this has been asked but I couldn't find it.  Is it possible to setup a multi-tiered architecture using pfSense.  For example: say you have a pfsense virtual machine I'll call fw01 which  has its WAN uplink connected to the Internet.  Then have on the LAN, OPT1 and OPT2 links three other pfSense virtual machines called FW02, FW03 FW04. 
    Behind these vm's you have some servers, workstations etc… that you need to reach via RDP so port forwarding from the FW01 ---> FW02 on a custom port say 8900(external) to 3389(internal).  Is this all possible with pf Sense?

    Thank you.

  • In short, yes - you can do that, though if you're hosting it all on one virtual server you buy no security through your approach.

  • Hmmm…wouldn't segmentation and isolation give you enhanced security?

  • Yes.  However doing that in a virtual host doesn't give you isolation - just take a look at the security advisories that VMWare (and others) issue.  Virtualisation doesn't add security, it adds another very complex piece of software with it's own vulnerabilities to the mix, reducing security.  Better to use multiple real hosts, or one single host with many interfaces.