Netgate Discussion Forum

    How should my network be setup (properly)?

    • Treefrog

      I've heard many talk about colored zones but I'm not sure which ones are which.

      Right now I have my pfSense box protecting my active directory, file, and print servers, as well as all computers on the LAN.

      I want to add a webserver and am aware that it should be in a different "zone". It will have its own IP so I was going to use my switch to put it in a separate VLAN and then have another pfSense box that comes before it to protect it… Or can I save money by somehow using my current pfSense box to protect both networks, and is this any less secure?

      ???

      • dvserg

        You can add a new physical interface (NIC) in pfSense.
        This additional interface (OPT) may be used as a DMZ for Web servers or other (FTP / mail) services.

        Security will be determined by setting access WAN <> OPT and LAN <> OPT

        • jimp Rebel Alliance Developer Netgate

          @Treefrog:

          I've heard many talk about colored zones but I'm not sure which ones are which.

          dvserg covered the multiple interfaces aspect, but a word on colored zones: they are meaningless. Some other firewall packages started referring to certain zones by color to try and make the process "easier" but they are really arbitrary and meaningless. Don't worry about them. :)

          • Treefrog

            Ok so from what I'm getting, I don't even need to use a managed switch anymore???

            Will this setup work / be ideal?

            (WAN) --- pfsense --- Unmanaged Switch LAN --- W2k8, DHCP, DNS, EXCH, etc.
                       |    |
                       |    |
                       |  opt 2
                       |    |
                       |    |---- Wireless AP
                       |
                     opt 1
                       |----- Web Server

            So basically I will have 4 network cards in my pfSense box. My goal is to keep my web server off the LAN, and keep people connecting wirelessly off the LAN and off the webserver, so that all they have is internet access.

            • clarknova

              With a separate physical interface for WAN, LAN, OPT1 and OPT2 you don't need a managed switch. On the other hand, you could use a single physical NIC and instead create any number of those interfaces as VLANs, and for that you would require a managed switch. Some folks feel safer separating their networks physically rather than virtually, but that's another question.

              db

              • MarcoP

                |     PPPoE  pfSense  DHCP  Snort     |
                ---------------------------------------
                     LAN          OPT1          OPT2
                      |            |             |
                      |           VOIP           |
                    switch                     switch
                    |    |                     |    |
                   PCs  WiFi                  WWW  DNS

                1. pfSense's DHCP server uses clients' MACs for assigning IPs (useful for Wake-on-LAN also)
                2. All servers and clients are using OPT2 DNS (bind9's views)
                3. Snort uses different rules for each interface.

                Just been following the logic to join services with similar security risks on the same interface.
                Possibilities are unlimited ... but common sense will give you the right setup.

                1 Reply Last reply Reply Quote 0
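
Added example, not part of any post in this thread: a small Python model of the four-interface layout Treefrog describes (WAN, LAN, OPT1 for the web server, OPT2 for the wireless AP), checking the stated goals against per-interface rules. It assumes pfSense's evaluation model (rules apply on the interface where traffic enters, first match wins, no match means deny); the subnets, addresses and rule sets are constructed for illustration.

```python
import ipaddress

# Constructed subnets: the thread gives no addressing, so these are assumptions.
NETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),    # AD, file, print, PCs
    "OPT1": ipaddress.ip_network("192.168.10.0/24"),  # web server
    "OPT2": ipaddress.ip_network("192.168.20.0/24"),  # wireless AP
}
WEB = "192.168.10.10"  # constructed web server address

# Ordered rules per ingress interface: (action, destination, port or None for any).
RULES = {
    "WAN": [("pass", WEB, 80), ("pass", WEB, 443)],
    "LAN": [("pass", "any", None)],
    "OPT1": [("block", "LAN", None), ("block", "OPT2", None), ("pass", "any", None)],
    "OPT2": [("block", "LAN", None), ("block", "OPT1", None), ("pass", "any", None)],
}
# Same OPT2 rules in the wrong order: the broad pass shadows both blocks.
MISORDERED = dict(RULES, OPT2=[RULES["OPT2"][2], *RULES["OPT2"][:2]])

# Segmentation goals from the thread: (ingress, destination, port, expected).
GOALS = [
    ("OPT2", "192.168.1.5", 445, False),  # wireless must not reach the LAN
    ("OPT2", WEB, 80, False),             # wireless must not reach the web server
    ("OPT2", "203.0.113.7", 443, True),   # wireless still gets internet access
    ("OPT1", "192.168.1.5", 445, False),  # web server stays off the LAN
    ("WAN", WEB, 443, True),              # the public can reach the web server
    ("WAN", "192.168.1.5", 3389, False),  # the public cannot reach the LAN
]

def allowed(rules, ingress, dst, port):
    """First matching rule on the ingress interface decides; no match means deny."""
    dst_ip = ipaddress.ip_address(dst)
    for action, target, rule_port in rules.get(ingress, []):
        if rule_port is not None and rule_port != port:
            continue
        if target == "any":
            hit = True
        elif target in NETS:
            hit = dst_ip in NETS[target]
        else:
            hit = dst_ip == ipaddress.ip_address(target)
        if hit:
            return action == "pass"
    return False

def audit(rules):
    """Return the goals a rule set violates as (ingress, destination, port)."""
    return [(i, d, p) for i, d, p, want in GOALS if allowed(rules, i, d, p) != want]

if __name__ == "__main__":
    print("ordered:", audit(RULES))
    print("misordered:", audit(MISORDERED))
```

The misordered rule set contains the same three OPT2 rules, yet wireless clients reach both the LAN and the web server, which is why rule order matters as much as which interfaces exist.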
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.