Netgate Discussion Forum

    Pfsense network design

      SSzretter

      Hoping I can run this by everyone, to check that what I am thinking makes sense:

      I currently have a simple Windows based LAN (domain server) with an internet connection.

      I need to split the LAN so many of the machines are now going through pfSense out to the internet and the rest (including the domain server) are on the WAN side of pfSense.

      Like this:

      FILTERED MACHINES --[LAN  PFSENSE  WAN]-- UNFILTERED MACHINES & SERVER -- [INTERNET/OTHER FIREWALL]

      However I need to make sure the machines on both sides of pfSense WAN/LAN can see each other - for example for remote desktop support, file sharing and other normal Windows domain tasks.

      Am I thinking about this correctly?

        dzeanah

        Nope.  You want to filter traffic going to/from your Internet accessible machines as well.

        Here's the way you probably want things to break down:

        • WAN: this is the Internet – everything "out there" is untrusted.

        • LAN: Your desktop machines – you trust these.

        • DMZ: These are servers on your network that can be accessed by machines on the Internet, and as such they're less trustworthy than machines on your LAN.  Should one of these machines get compromised, you want to limit the damage to the machine(s)/subnet in question, and keep the problem from spreading into your LAN-connected machines.

        You could put your DMZ machines on a separate subnet and configure appropriate firewall rules.  I believe that you can bridge the DMZ and LAN networks so that they appear to be the same network, but pfSense is actually filtering traffic so that inappropriate stuff stays out.  To do this, you'll need a separate (physical or logical) switch for the DMZ machines.

        It sounds like your Active Directory server is also serving content to Internet-based clients.  In a perfect world you'd have the AD machine on your LAN and a completely separate machine on the DMZ to serve Internet clients.

          collinsl

          If you wish, and if you understand the security concerns as raised by Derek Zeanah, then you can have the configuration you want. All you have to do is to add rules into the pfSense firewall configuration to allow the ports you need through the server. Just make sure you add them in both directions.

          As Derek Zeanah said however, you should really have a firewall or other security appliance on the outer edge of your network, even if the server is supposed to be internet accessible.

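As an added example that is not part of any post in this thread, the Python script below models the three-zone WAN / LAN / DMZ policy dzeanah describes and the "allow only the ports you need" rules collinsl mentions, so you can check a rule table before typing it into pfSense. It assumes constructed addressing (192.168.10.0/24 as LAN, 192.168.20.0/24 as DMZ, anything else as WAN), a constructed port list, and pfSense-style evaluation: rules are checked per ingress interface, first match wins, and the filter is stateful, so each allowed flow needs one pass rule on the side that initiates it and the replies are matched by state.

```python
"""Zone-policy checker for the WAN / LAN / DMZ split discussed above.

Models pfSense-style filtering: rules are evaluated per ingress interface,
first match wins, and the filter is stateful, so reply packets of an
allowed flow are matched by state and need no rule of their own.
Every address, zone name and port list below is constructed for the
example (an assumption, not taken from the thread); substitute your own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Constructed addressing (assumption): LAN and DMZ are RFC 1918 subnets,
# any other address is treated as WAN.
ZONES = {
    "LAN": ip_network("192.168.10.0/24"),
    "DMZ": ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str                                 # "pass" or "block"
    ingress: str                                # zone the packet arrives from, or "any"
    proto: str                                  # "tcp", "udp" or "any"
    dst_zone: str                               # "LAN", "DMZ", "WAN" or "any"
    dst_ports: Optional[FrozenSet[int]] = None  # None means any port


# Constructed port sets: a typical subset of what a domain member needs
# toward a domain controller, plus RDP and SMB for remote support and shares.
AD_TCP = frozenset({53, 88, 135, 389, 445, 464, 636, 3268, 3269})
AD_UDP = frozenset({53, 88, 123, 389, 464})
RDP = frozenset({3389})
SMB = frozenset({445})

# First-match rule table, one entry per allowed flow in its initiating direction.
POLICY: List[Rule] = [
    Rule("pass", "LAN", "any", "any"),                        # trusted LAN may initiate anything
    Rule("pass", "DMZ", "tcp", "LAN", AD_TCP | RDP | SMB),    # DMZ -> LAN: only what the domain needs
    Rule("pass", "DMZ", "udp", "LAN", AD_UDP),
    Rule("block", "DMZ", "any", "LAN"),                       # everything else DMZ -> LAN is dropped
    Rule("pass", "DMZ", "any", "WAN"),                        # DMZ servers may still reach the Internet
    Rule("pass", "WAN", "tcp", "DMZ", frozenset({80, 443})),  # published services only, DMZ only
    Rule("block", "any", "any", "any"),                       # explicit default deny
]


def zone_of(ip: str) -> str:
    """Map an address to the zone (and so the ingress interface) it belongs to."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int,
             policy: List[Rule] = POLICY) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule) for a new flow initiated from src_ip to dst_ip."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        # Same segment: in a routed design the firewall never sees this traffic.
        return "pass", None
    for rule in policy:
        if rule.ingress not in ("any", src_zone):
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.dst_zone not in ("any", dst_zone):
            continue
        if rule.dst_ports is not None and dst_port not in rule.dst_ports:
            continue
        return rule.action, rule
    return "block", None  # nothing matched: default deny


def reachable_ports(src_ip: str, dst_ip: str, proto: str,
                    ports: Iterable[int] = range(1, 65536)) -> List[int]:
    """Ports on dst_ip that src_ip may open a new connection to: the blast radius
    a compromised host in src_ip's zone has toward dst_ip under this policy."""
    return [p for p in ports if evaluate(src_ip, dst_ip, proto, p)[0] == "pass"]


if __name__ == "__main__":
    dmz_web, lan_dc = "192.168.20.10", "192.168.10.5"   # constructed hosts
    print("DMZ web server -> LAN DC, TCP:", reachable_ports(dmz_web, lan_dc, "tcp"))
    print("Internet -> LAN DC, TCP:", reachable_ports("203.0.113.7", lan_dc, "tcp"))
    print("Internet -> DMZ web server, TCP:", reachable_ports("203.0.113.7", dmz_web, "tcp"))
```

On the real firewall the LAN, DMZ and WAN entries of this table go on the corresponding interface tabs in the pfSense GUI, which evaluates them top to bottom with the same first-match semantics. The value of keeping the table in a script is the `reachable_ports` check: after any rule change you can confirm that a compromised DMZ host still reaches the LAN only on the domain, RDP and SMB ports, and that nothing on the Internet can open a connection to the LAN at all.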
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.