Should all of my internet servers be on the same VLAN?



  • This question isn't directly related to pfSense but since everybody seems very knowledgeable here I'm hoping that you can help me.

    Anyways, I'm wondering if it's best to create separate VLANs for each internet server or just have one VLAN for all of them.

    For example, let's say I have two web servers and a game server. Each of them is configured using 1:1 NAT.

    Should I have one VLAN that they all share or separate VLANs for each server so it's isolated?


  • Rebel Alliance Developer Netgate

    That's really up to you and how you want to handle the security.

    Personally, I would keep the web servers together unless you have something on one of them that you expect lower security from (like a busy forum that might attract attacks).

    The game server might be a good candidate for its own VLAN in case it gets compromised. Be sure there are rules that restrict traffic coming from it as well as to it (so it can't reach your LAN, for instance).


  • Banned

    If you are running vSphere 4, you can VLAN within your VLAN…. ;)



  • Thanks so much for the help.  You folks are always so incredibly helpful.

    My current rules for these ("public") VLANs are something like this:

    DENY:  Any --> LAN
    ALLOW: VLAN-Net --> WAN

    This prevents the servers from connecting to my internal/private network but it allows my private network to connect to my VLAN.

    Is that considered OK?


  • Rebel Alliance Developer Netgate

    That doesn't do what you think it does, if you have it set exactly like you show :-)

    You want something more like this:

    Make an alias with internal networks (lan, servers, gaming servers, etc)

    On the "public" VLANs:

    pass all from <interface subnet> to <interface ip> (only needed really if you disable the WebGUI anti-lockout rule and want to allow access from that int. to your webgui, which maybe you don't)
    block all from any to <internal networks>
    pass all from <interface subnet> to any



  • Let me see if I understand what you're saying…

    Network Layout:
    173.163.xxx.xxx/29 = WAN subnet
    192.168.0.1 = pfSense LAN address
    192.168.0.0/24 = LAN subnet
    192.168.1.0/24 = Web servers subnet (aka WWW)
    192.168.2.0/24 = Game servers subnet (aka GAME)

    Web server firewall rules:
    block all from any to LAN (and GAME)
    pass all from WWW to any

    (EDIT: JimP: I've been meaning to thank you for writing such an excellent book. I purchased it from Amazon last week and have been reading through it. It's been very helpful!)


  • Rebel Alliance Developer Netgate

    That's closer, but I'd still make an alias and block traffic from reaching all other internal networks (an alias for 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24) on the WWW and Game interfaces.

    If you need traffic to pass from www to game (or vice versa) you can add specific pass rules above that block.
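To see why the alias matters, here is an added example (not from the thread or from pfSense) that models the two WWW-interface rulesets discussed above as top-down, first-match rules over the constructed subnets from the network layout and reports which flows get through; the host addresses and the 203.0.113.7 internet address are assumptions.

```python
import ipaddress

# Constructed sample networks, matching the layout posted in the thread.
LAN = ipaddress.ip_network("192.168.0.0/24")
WWW = ipaddress.ip_network("192.168.1.0/24")
GAME = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# The "internal networks" alias jimp recommends.
INTERNAL = [LAN, WWW, GAME]


def first_match(rules, src, dst):
    """Evaluate an interface ruleset the way pfSense does: top-down, first
    match wins. Each rule is (action, [src_nets], [dst_nets]). Traffic that
    matches nothing hits the implicit default deny, so it returns "block"."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_nets, dst_nets in rules:
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return action
    return "block"


# Ruleset 1: block only the LAN, then pass everything (the "block LAN,
# pass WWW to any" shape from the thread).
BLOCK_LAN_ONLY = [
    ("block", [ANY], [LAN]),
    ("pass", [WWW], [ANY]),
]

# Ruleset 2: block the whole internal alias, then pass everything.
BLOCK_INTERNAL_ALIAS = [
    ("block", [ANY], INTERNAL),
    ("pass", [WWW], [ANY]),
]


def flow_report(rules):
    """Return {flow: action} for a web server (assumed 192.168.1.10)."""
    return {
        "www->lan": first_match(rules, "192.168.1.10", "192.168.0.50"),
        "www->game": first_match(rules, "192.168.1.10", "192.168.2.20"),
        "www->internet": first_match(rules, "192.168.1.10", "203.0.113.7"),
        # Only same-subnet traffic to the router IP itself reaches the
        # firewall; web server to web server stays on the switch.
        "www->router": first_match(rules, "192.168.1.10", "192.168.1.1"),
    }
```

With the LAN-only block the web server can still reach the GAME subnet; with the alias it cannot, while internet access is unaffected and the only WWW-subnet destination the block ever touches is the router's own interface IP.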



  • So the WWW network would be blocking its own network?

    Also, is it OK that LAN can reach WWW and GAME?  (kind-of like a "backdoor" into the servers)


  • Rebel Alliance Developer Netgate

    @sofakng:

    So the WWW network would be blocking its own network?

    That's not how it really works. The only address in the WWW subnet that will have a WWW subnet IP as a destination, is traffic hitting the router IP itself. All other traffic goes over the switch and not the router.

    @sofakng:

    Also, is it OK that LAN can reach WWW and GAME?  (kind-of like a "backdoor" into the servers)

    Yes, that's usually OK, at least for the ports you expect to use. You may still want to block some things (like Windows file sharing).



  • @jimp:

    @sofakng:

    So the WWW network would be blocking its own network?

    That's not how it really works. The only address in the WWW subnet that will have a WWW subnet IP as a destination, is traffic hitting the router IP itself. All other traffic goes over the switch and not the router.

    Ahhh, that makes sense.

    I guess if I wanted multiple web servers to communicate on the WWW subnet I would need to adjust that rule but I think I understand what you're saying.

    Thanks!

