CoLo add bridge firewall. Input and suggestions?

  • I'm currently using pfSense as a firewall to my secure LAN, and as a VPN Server. But for another level of security I'd like to put a second pfSense box in front of my exposed servers in bridge mode.

    Current network:

    100MB internet
    WAN Switch
    |–>pfSense VPN/FW (public IP)
    |         |--> LAN Switch
    |                 |-->DB Servers
    |                 |-->SANs
    |--httpd1 (public IP)
    |--httpd2 (public IP)
    |--mail (public IP)
    |--sftp (public IP)
    |--voip1 (public IP)
    |--voip2 (public IP)
    |--voip3 (public IP)

    I'd like to put the pfSense box in front of the WAN switch in bridge mode, so a couple of questions.
    1 - Do I need 3 NICs so I can get to the box to administer it, or how would I go about this with 2 NICs?
    2 - I want this box to be my front line IDS and only allow the appropriate traffic to the appropriate box:
       - which packages to run for IDS, Snort and what else?
       - best way to set up the rules

    Any input would be appreciated.

  • You list 8 public IPs, do you have a /28 or larger? A /29 would only allow you a max of 6 IPs. If so, do you NEED a public IP on the servers themselves or will 1-1 NAT work? I know HTTP and FTP generally work fine with 1-1 NAT but VoIP can be troublesome. If you can do 1-1 NAT then put both pfSense boxes on the WAN switch and they will both get a public IP. From there you would assign IPs via 1-1 NAT mappings to the various servers. This will still keep them protected by a firewall but of course hinges on that big 1-1 NAT issue. Otherwise I think you can do your original plan, you will want to turn off NAT and do manual static routes most likely. As for the services I'm not sure what is available besides Snort.
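A sketch, in pf syntax, of the "only the appropriate traffic to the appropriate box" rules the first post asks about (an added example, not from either poster; pfSense builds its ruleset from the GUI, so this shows the logic rather than a file to install). Assumptions: em0 faces the uplink and em1 faces the WAN switch, both bridged; em2 is a third, out-of-band management NIC; the 203.0.113.x addresses, the RTP port range and the OpenVPN port are placeholders.

```pf
# Transparent-bridge ruleset sketch (constructed example, not from the thread).
# Assumes em0 (uplink) and em1 (toward WAN switch) are members of bridge0 and
# that the bridge members are filtered, i.e. the FreeBSD sysctls
# net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0 are set.
# All addresses below are placeholders for the real public IPs.

ext_if   = "em0"
int_if   = "em1"
mgmt_if  = "em2"            # assumed third NIC for administration
mgmt_net = "10.0.99.0/24"   # assumed out-of-band management subnet

vpnfw   = "203.0.113.10"
httpd   = "{ 203.0.113.11, 203.0.113.12 }"
mail    = "203.0.113.13"
sftp    = "203.0.113.14"
voip    = "{ 203.0.113.15, 203.0.113.16, 203.0.113.17 }"
servers = "203.0.113.0/27"  # placeholder for the whole assigned block

set skip on lo0
# Evaluate each bridged packet once, on the member facing the servers.
set skip on $ext_if

# Default deny, logged, so anything not explicitly listed shows up in pflog.
block log all

# Management plane: the firewall itself is reachable only from the OOB network.
pass in quick on $mgmt_if proto tcp from $mgmt_net to ($mgmt_if) port { 22, 443 }

# Internet -> servers. Inbound traffic exits the bridge on em1, so it is seen
# as "out on em1". One service set per host; pass rules are stateful by default.
pass out on $int_if proto tcp from any to $httpd port { 80, 443 }
pass out on $int_if proto tcp from any to $mail  port { 25, 587, 993 }
pass out on $int_if proto tcp from any to $sftp  port 22
pass out on $int_if proto udp from any to $voip  port 5060          # SIP signalling
pass out on $int_if proto udp from any to $voip  port 10000:20000   # RTP media, assumed range
pass out on $int_if proto udp from any to $vpnfw port 1194          # VPN box, assumed OpenVPN

# Servers -> Internet: hosts may open their own outbound sessions (DNS,
# updates, outbound mail); replies to the rules above are matched by state.
pass in on $int_if from $servers to any
```

Because the bridge carries the public addresses through unchanged, the rules match on the servers' own IPs, which is the "NAT off" arrangement the reply mentions for the original plan.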

