Sympathetic soul needed by noob for general network setup

  • Hi all!

    Good thing there's not much to learn in this business.

    I know that if I am to avail myself of this marvelously inexpensive and almost-instantly replaceable router, there are going to be things to learn. But I don't even know which parts to learn, and which don't apply to me.

    I am setting up a very small application hosting business out of my home. I will have 5 static IPs, 1 or 2 web servers, a DB server, a file server for my home network, and several "trusted" and "untrusted" workstations around the house.

    I need help with basic setup. VLANs? Bridged segments? Subnets? … what do I need? How best to "isolate" machines and still have the connections I need?

    I'm not a complete noob. I cut my teeth on a C64 and learned Ada on an HP9000 in school circa 1990. But I have spent my professional life in the windoze world because that's where all my clients live. I know how to use DHCP or how to hardwire everything, but I'm afraid my routing knowledge doesn't presently get much beyond that. (I'm a web developer.)

    At the moment, by the way, I can see the pfSense box from my DB server, and the pfSense box can see the world, but I can't see the world from the DB server. All this is (temporarily) hanging off my home router. I have tried disabling the "Block private networks" option on the WAN interface. (do I need to reboot anything for that?)

    This is probably a discussion which is better taken to email. The specifics of my situation and the beginner level of the problem may not belong here.

    Any takers?


  • You probably should start with deciding how many zones you need. A typical setup to start with would be 3 NICs in your pfSense (WAN, LAN, DMZ). Depending on usage, a 4th NIC for "home use" might make sense that is only able to connect to the internet but to none of the other subnets. Put the servers that should be available from the internet in the DMZ. The other trusted machines go to your LAN subnet. Untrusted machines go to the "home use" subnet. You can set up DHCP individually for each internal subnet at services>dhcp.

    Now create the additional IPs you have at your WAN connection using firewall>Virtual IPs. You can then use them for port forwards to your servers.

    Create firewall rules between the different subnets with appropriate rights at firewall>rules (like pass LAN -> DMZ; block DMZ -> LAN; …). Setting up aliases for ports/hosts can keep the number of rules low and makes reading/changing firewall rules later easier.

    You also should enable NAT reflection at system>advanced, as it usually makes using a DMZ from other subnets easier.
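As an added illustration (not from the reply's author and not pfSense's own generated configuration), here is the WAN/LAN/DMZ/"home use" layout described above written as a hand-made pf ruleset in the FreeBSD pf syntax pfSense builds on. The interface names, the RFC 1918 subnets, the web server address and the single Virtual IP are assumed placeholders; the rules mirror the GUI steps in the reply (Virtual IP plus port forward, aliases, per-zone pass/block rules, NAT reflection).

```pf
# Hand-written pf ruleset expressing the zone policy from the reply above.
# Interface names and addresses are constructed examples; "quick" is used
# throughout so that, like pfSense's GUI rules, the first matching rule wins.
# (Added example, not pfSense's generated rules.)
ext_if  = "em0"   # WAN
lan_if  = "em1"   # LAN: trusted workstations, home file server
dmz_if  = "em2"   # DMZ: internet-facing web servers
home_if = "em3"   # "home use": untrusted workstations, internet only

# Aliases (what firewall > Aliases gives you in the GUI)
lan_net   = "192.168.1.0/24"
dmz_net   = "192.168.2.0/24"
home_net  = "192.168.3.0/24"
web1      = "192.168.2.10"
vip_web1  = "203.0.113.11"    # one of the static IPs, added as a Virtual IP on WAN
web_ports = "{ 80, 443 }"

set skip on lo0

# Outbound NAT for all internal subnets
nat on $ext_if from { $lan_net, $dmz_net, $home_net } to any -> ($ext_if)

# Port forward: public Virtual IP -> DMZ web server (firewall > NAT > Port Forward)
rdr on $ext_if proto tcp to $vip_web1 port $web_ports -> $web1
# NAT reflection: LAN and home clients that use the public IP also land on web1
rdr on { $lan_if, $home_if } proto tcp to $vip_web1 port $web_ports -> $web1

block in log all

# WAN. pf filters after rdr, so the pass rule names the internal host.
# The "Block private networks" option adds rules like the next one; leave it off
# while the WAN sits behind a home router on a private address:
# block in quick on $ext_if from { 10/8, 172.16/12, 192.168/16 } to any
pass in quick on $ext_if proto tcp to $web1 port $web_ports

# LAN: trusted machines reach the DMZ and the internet, not the home subnet
block in quick on $lan_if from $lan_net to $home_net
pass in quick on $lan_if from $lan_net to any

# DMZ: servers may fetch updates from the internet, never initiate into LAN/home
block in quick on $dmz_if from $dmz_net to { $lan_net, $home_net }
pass in quick on $dmz_if from $dmz_net to any

# Home: internet only
block in quick on $home_if from $home_net to { $lan_net, $dmz_net }
pass in quick on $home_if from $home_net to any

pass out quick all
```

The reflection rdr on the internal interfaces works here because LAN, home and DMZ are separate routed segments behind pfSense, so the reply from web1 passes back through the firewall and the translation is reversed; a client on the same subnet as the server would need source NAT as well.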
