Netgate Discussion Forum
    DMZ best practices?

    General pfSense Questions
    6 Posts 4 Posters 3.4k Views

      rooster

      I’m currently using IPCop, and have 3 servers in the DMZ (Web, Mail gateway, and FTP). The DMZ interface is connected to a switch along with the 3 servers.

      There is very little (if any) traffic among the three servers. Heavy traffic between our LAN and the three servers, and moderate traffic from the outside to the three servers.

      I have plenty of physical interfaces available on the pfSense box (8), and could easily add another four. Are there any issues associated with a pfSense box having a large number of NICs?

      Are there any advantages/disadvantages to using a separate physical interface for each server, rather than creating a “DMZ” network for all three servers similar to the IPCop configuration?

        Cry Havok

        The forum search is your friend. You'll find answers to your NIC question in a number of threads (ISTR that there is a practical physical limit, but it's more than 4).

        If you're really paranoid (or regularly under attack) then a separate interface per server isn't a bad thing. Otherwise a single DMZ is likely to be "good enough".

          rooster

          Thanks!

          I was able to find a few instances where over 12 NICs were being used on a pfSense box, and I’m going to do a reload and see how my box works with 12.

          I’m considering having each server on a separate physical interface not so much for security reasons, but in hopes for better performance. There is a lot of traffic from the inside to all three servers.

            Guest

            This approach isn't likely to give you more performance.  If you treat your firewall as a switch, the bottleneck will be the bus speed at which your NICs are connected.  This is unlikely to be faster than the backplane of a decent switch.

              stephenw10 (Netgate Administrator)

              Having each on a separate NIC provides more capability if you ever do need more security.
              I have 10 NICs here on my box and no problems, although I'm only using 4 of them.  ::)

              Steve

              Edit: Agreed that separate interfaces will reduce the performance between the servers, but will it increase the performance between LAN and DMZ1-3?  :-\

              Edit: If running on this hardware?

              Sun SunFire x4100 with 2x 2.4GHz AMD dual core processors, 16GB RAM, and a RAID1 of two 146GB SAS drives.

                rooster
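              As an added illustration of the extra capability Steve mentions (this is not code from the thread, and not the ruleset pfSense generates from its GUI): a hand-written FreeBSD pf.conf for the one-server-per-interface layout. Because each server is alone on its own segment, server-to-server traffic has to cross the firewall, where it can be logged and dropped; on a shared DMZ switch that traffic never reaches pf at all. Interface names, addresses and port lists are assumptions for this example, and NAT is omitted (192.0.2.x stands in for routed addresses).

```pf
# Hand-written pf.conf: per-server DMZ interfaces (example, not pfSense output).
# Interface names, addresses and ports are assumed values for illustration.
lan      = "em0"
wan      = "em1"
dmz_web  = "em2"          # web server alone on this segment
dmz_mail = "em3"          # mail gateway alone on this segment
dmz_ftp  = "em4"          # FTP server alone on this segment
dmz_ifs  = "{ em2 em3 em4 }"

lan_net  = "10.0.0.0/24"
web_srv  = "192.0.2.2"    # /30 on em2
mail_srv = "192.0.2.6"    # /30 on em3
ftp_srv  = "192.0.2.10"   # /30 on em4
dmz_nets = "{ 192.0.2.0/30 192.0.2.4/30 192.0.2.8/30 }"

set skip on lo0
set block-policy drop
block log all             # default deny on every interface, both directions

# Every server sits alone on its own interface, so a packet from one server
# to another must enter the firewall, where this single rule drops and logs it.
# On a shared DMZ switch the same packet would never reach pf.
block in log quick on $dmz_ifs from $dmz_nets to $dmz_nets
# Policy choice for this example: servers never originate connections into
# the LAN; replies to LAN-initiated sessions are matched by state instead.
block in log quick on $dmz_ifs from $dmz_nets to $lan_net

# LAN users reach each published service, and only that service.
pass in quick on $lan proto tcp from $lan_net to $web_srv  port { 80 443 }
pass in quick on $lan proto tcp from $lan_net to $mail_srv port { 25 587 }
pass in quick on $lan proto tcp from $lan_net to $ftp_srv  port 21   # passive data ports omitted

# The Internet reaches the same services through the WAN interface.
pass in quick on $wan proto tcp from any to $web_srv  port { 80 443 }
pass in quick on $wan proto tcp from any to $mail_srv port 25
pass in quick on $wan proto tcp from any to $ftp_srv  port 21

# Only the mail gateway may originate outbound SMTP; the web and FTP hosts
# get no outbound access of their own, which limits what a compromised host
# on those segments could reach.
pass in quick on $dmz_mail proto tcp from $mail_srv to any port 25

# Let forwarded packets leave on their egress interface (required if the
# state policy is if-bound; harmless with the default floating states).
pass out quick on $dmz_ifs keep state
pass out quick on $wan keep state
pass out quick on $lan keep state
```

              Loading this with `pfctl -nf /etc/pf.conf` parses it without applying it, which is the first check to run before putting any such ruleset in front of production servers.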

                There is not a lot of traffic between the servers in the DMZ. If that were the case, I would suspect that having a single DMZ network connected to a switch would be the best approach. However, there is a lot of traffic between the LAN and the three servers.

                I have given myself a few weeks to get the new box online, and I might try both configurations. Might even try trunking a pair of interfaces (link aggregation) to both the DMZ switch and the LAN switch. I really like all the options that pfSense offers. Although, all the options might get me into trouble!

                Thanks again!
                Mark
