Help for a semi Noob - Create DMZ and firewalled lan
-
Hi Guys,
Here is the situation that I am trying to wrap my head around. We are currently undergoing a SAS 70 certification and are required to harden our network. The network was implemented long before I showed up. The configuration is as follows:
Internet --> Cisco (managed by data center) (NAT) --> Load Balancer (NAT) --> LAN (VPN drops us here from our office site)
From the Internet there is a NAT happening from Cisco to LB and another NAT from the LB to the LAN. The idea, I suppose, was that having another NAT in the scenario would act like a pseudo-firewall to the non-public-facing servers, and PAT is implemented for getting to services we need opened up/making best use of our public IPs. The problem we have now is that for our SAS 70 cert we need to implement a real firewall that will create a true DMZ that will host the public-facing web/app servers and a protected LAN for our database servers. I am trying to figure out what the best way to do this is going to be. The end state would look like this:
Internet --> Cisco (NAT) --> LB (NAT) --> DMZ --> pfSense --> LAN (VPN Access)
I am thinking that all I really want to do is to drop pfSense in as a transparent firewall but would really welcome some advice as to how to configure this. Do I drop pfSense in at the proposed spot with two LAN interfaces, create the necessary allow rules for traffic to pass between the two networks, and create a static route between the two?
Any guidance would be awesome. Sorry if anything is unclear but I'm still noobish at networking.
Thanks!
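As an added illustration (not part of the thread, and not pfSense's own generated configuration), here is the kind of default-deny policy the first post is describing, written in raw pf syntax, which is what pfSense builds on. It assumes a routed two-interface box with em0 facing the DMZ and em1 facing the LAN, and all addresses and ports are constructed placeholders.

```pf
# Constructed example: interface names, subnets and ports are assumptions,
# not values from the thread.
dmz_if  = "em0"                          # DMZ side (web/app servers)
lan_if  = "em1"                          # LAN side (database servers, VPN drop-in)
dmz_net = "10.0.10.0/24"
lan_net = "10.0.20.0/24"
vpn_net = "10.0.30.0/24"                 # office users arriving over the site VPN
db_servers = "{ 10.0.20.5, 10.0.20.6 }"
db_port    = "1433"                      # whatever port the DB tier listens on

set skip on lo0

# Default deny in both directions; everything not explicitly allowed is
# dropped and logged, which is the whole point of a "real" DMZ.
block log all

# Web/app servers in the DMZ may reach only the database servers, only on
# the DB port. A compromised web host gets no other path into the LAN.
pass in quick on $dmz_if proto tcp from $dmz_net to $db_servers \
    port $db_port flags S/SA keep state

# Administrative access from the VPN network into the DMZ on SSH/RDP only.
pass in quick on $lan_if proto tcp from $vpn_net to $dmz_net \
    port { 22, 3389 } flags S/SA keep state

# Nothing else from the DMZ toward the LAN is ever allowed (explicit for
# readability; the block-all above already covers it).
block in quick log on $dmz_if from $dmz_net to $lan_net
```

With pf's default floating state policy, the `keep state` entry created on the inbound interface also permits the forwarded packet and its replies out the other interface, so no matching `pass out` rule is needed for these flows.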
-
Lots of options and things to consider here, really more than can be reasonably done in a forum thread. Designing a network to meet SAS70 requirements is an involved process.
Putting in a transparent firewall is definitely an option. That might not be the best one. Knowing that would take a few hours of discussing the environment and looking at options, not something you can get knocked out in a quick forum thread.
You'd be well served with a few hours of my time to help you work through the current design, options for a better design to meet your audit requirements, and the pros and cons of all the options. See the link in my sig for commercial support, it's next to nothing compared to the cost of a SAS70. ;D In a previous job, I did the security portion of SAS70 audits.