DMZ best practices?

  • I’m currently using IPCop, and have 3 servers in the DMZ (Web, Mail gateway, and FTP). The DMZ interface is connected to a switch along with the 3 servers.

    There is very little (if any) traffic among the three servers. Heavy traffic between our LAN and the three servers, and moderate traffic from the outside to the three servers.

    I have plenty of physical interfaces available on the pfSense box (8), and could easily add another four. Are there any issues associated with a pfSense box having a large number of NICs?

    Are there any advantages/disadvantages to using a separate physical interface for each server, rather than creating a “DMZ” network for all three servers similar to the IPCop configuration?

  • The forum search is your friend. You'll find answers to your NIC question in a number of threads (ISTR that there is a practical physical limit, but it's more than 4).

    If you're really paranoid (or regularly under attack) then a separate interface per server isn't a bad thing. Otherwise a single DMZ is likely to be "good enough".

  • I was able to find a few instances where over 12 NICs were being used on a pfSense box, and I’m going to do a reload and see how my box works with 12.

    I’m considering having each server on a separate physical interface not so much for security reasons, but in hopes for better performance. There is a lot of traffic from the inside to all three servers.

  • This approach isn't likely to give you more performance.  If you treat your firewall as a switch, the bottleneck will be the bus speed at which your NICs are connected.  This is unlikely to be faster than the backplane of a decent switch.

    Having each on a separate NIC provides more capability if you ever do need more security.
    I have 10 NICs here on my box and no problems, although I'm only using 4 of them.  ::)

    Edit: Agreed that separate interfaces will reduce the performance between the servers, but will it increase the performance between LAN and DMZ1-3?  :-\

    Edit: If running on this hardware?

    Sun SunFire x4100 with 2x 2.4 GHz AMD dual-core processors, 16 GB RAM, and a RAID1 of two 146 GB SAS drives.

  • There is not a lot of traffic between the servers in the DMZ. If that were the case, I would suspect that having a single DMZ network connected to a switch would be the best approach. However, there is a lot of traffic between the LAN and the three servers.

    I have given myself a few weeks to get the new box online, and I might try both configurations. Might even try trunking a pair of interfaces (link aggregation) to both the DMZ switch and the LAN switch. I really like all the options that pfSense offers. Although, all the options might get me into trouble!

